
AADGroupEligibilityScheduleRequest: New resource proposal

Open IMJLA opened this issue 1 year ago • 5 comments

Description

Currently Microsoft365DSC has a resource for PIM role eligibility assignment (AADRoleEligibilityScheduleRequest) but it does not yet have a parallel resource for PIM group eligibility assignment.

This feature is new to the Graph API beta: https://learn.microsoft.com/en-us/graph/api/resources/privilegedaccessgroupeligibilityschedulerequest?view=graph-rest-beta&viewFallbackFrom=graph-rest-1.0


Proposed properties

| Parameter | Attribute | Type | Description |
|---|---|---|---|
| accessId | Write | privilegedAccessGroupRelationships | The identifier of the membership or ownership eligibility relationship to the group. The possible values are: owner, member. Required. |
| action | Write | String | Represents the type of operation on the group membership or ownership eligibility assignment request. The possible values are: adminAssign, adminUpdate, adminRemove, selfActivate, selfDeactivate, adminExtend, adminRenew. |
| groupId | Key | String | The identifier of the group representing the scope of the membership or ownership eligibility through PIM for groups. Required. |
| Ensure | Write | String | Present ensures the instance exists, absent ensures it is removed. |
| id | Write | String | Identifier for the Group Eligibility Schedule Request. |
| justification | Write | String | A message provided by users and administrators when they create the privilegedAccessGroupAssignmentScheduleRequest object. |
| principal | Key | String | The DisplayName or objectID of the principal whose membership or ownership eligibility to the group is managed through PIM for groups. Required. |
| PrincipalType | Write | String | Represents the type of principal to assign the request to. Accepted values are: Group and User. |
| scheduleInfo | Write | requestSchedule | The period of the group membership or ownership assignment for PIM for groups. Recurring schedules are currently unsupported. Required. |
| ticketInfo | Write | ticketInfo | Ticket details linked to the group membership or ownership assignment request, including details of the ticket number and ticket system. Optional. |
| Credential | Write | PSCredential | Credentials of the PIM Admin. |
| ApplicationId | Write | String | Id of the Azure Active Directory application to authenticate with. |
| TenantId | Write | String | Id of the Azure Active Directory tenant used for authentication. |
| ApplicationSecret | Write | PSCredential | Secret of the Azure Active Directory application to authenticate with. |
| CertificateThumbprint | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. |
| ManagedIdentity | Write | Boolean | Managed ID being used for authentication. |

Special considerations or limitations

In the proposed properties the principal / principaltype mechanism is effectively copied from AADRoleEligibilityScheduleRequest for similar handling of Users vs. Groups.

IMJLA avatar Oct 12 '23 17:10 IMJLA

The ability to grant roles to groups is already baked into the AADRoleEligibilitySchedule resource. Do we need a separate resource to handle this here?

NikCharlebois avatar Dec 04 '23 20:12 NikCharlebois

Perhaps I missed this. I will review tonight.


mpoulson avatar Dec 04 '23 20:12 mpoulson

We introduced the property PrincipalType which can either be set to User or Group. Let me know if this does the job for what you were looking for. Thanks

NikCharlebois avatar Dec 04 '23 21:12 NikCharlebois

Sorry for the delay Nik! In this case the two resources would not quite accomplish the same thing.

With the PrincipalType property on the AADRoleEligibilitySchedule resource, it is possible to make a security group eligible for an Entra ID built-in role via PIM.

With the proposed AADGroupEligibilityScheduleRequest resource, it would be possible to make users eligible for membership in Entra ID Security Groups via PIM. This enables the use of PIM with any access control based on Entra ID Security Groups.

Some example use cases not possible with AADRoleEligibilitySchedule are:

  • Office 365 Role Group assignments (e.g. 'eDiscovery Manager')
  • Compliance Manager role assignments (e.g. 'Compliance Manager Reader')
  • PIM-elevated access to limited SharePoint Online sites/libraries/lists/documents

IMJLA avatar Dec 13 '23 18:12 IMJLA
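Illustration added here, not code from the issue or the Microsoft365DSC module: a DSC configuration that places the existing AADRoleEligibilityScheduleRequest (group eligible for a directory role) beside the proposed AADGroupEligibilityScheduleRequest (user eligible for group membership), using the property names from the proposal table above. The nested MSFT_* schedule class names on the existing resource are assumed to match the shipped module; the proposed resource's class names, the credential, the UPN and the group id are placeholders.

```powershell
Configuration PimEligibilityExample
{
    param ([Parameter(Mandatory = $true)][PSCredential] $Credential)  # PIM admin credential
    Import-DscResource -ModuleName Microsoft365DSC

    node localhost
    {
        # Existing resource: a security GROUP becomes eligible for a DIRECTORY ROLE.
        # Nested MSFT_* schedule class names are assumed to match the shipped module.
        AADRoleEligibilityScheduleRequest 'HelpdeskGroupEligibleForRole'
        {
            Principal        = 'SG-Helpdesk'              # constructed group display name
            PrincipalType    = 'Group'
            RoleDefinition   = 'Helpdesk Administrator'   # Entra ID built-in role
            DirectoryScopeId = '/'
            Action           = 'AdminAssign'
            Ensure           = 'Present'
            Credential       = $Credential
            ScheduleInfo     = MSFT_AADRoleEligibilityScheduleRequestSchedule {
                startDateTime = '2024-03-01T00:00:00Z'
                expiration    = MSFT_AADRoleEligibilityScheduleRequestScheduleExpiration {
                    type        = 'afterDateTime'
                    endDateTime = '2025-03-01T00:00:00Z'
                }
            }
        }

        # Proposed resource (not yet implemented): a USER becomes eligible for MEMBERSHIP in a
        # security group, so access gated on that group (e.g. an Office 365 role group such as
        # 'eDiscovery Manager') is reached only through PIM activation. Property names follow
        # the proposal table; the nested schedule class names are placeholders.
        AADGroupEligibilityScheduleRequest 'AnalystEligibleForEDiscoveryGroup'
        {
            principal     = 'jane.doe@contoso.onmicrosoft.com'      # constructed UPN
            PrincipalType = 'User'
            groupId       = '11111111-2222-3333-4444-555555555555'  # constructed group object id
            accessId      = 'member'
            action        = 'adminAssign'
            justification = 'Time-bound eligibility for eDiscovery case work'
            Ensure        = 'Present'
            Credential    = $Credential
            scheduleInfo  = MSFT_AADGroupEligibilityScheduleRequestSchedule {
                startDateTime = '2024-03-01T00:00:00Z'
                expiration    = MSFT_AADGroupEligibilityScheduleRequestScheduleExpiration {
                    type        = 'afterDateTime'
                    endDateTime = '2025-03-01T00:00:00Z'
                }
            }
        }
    }
}
```

Compiling the second block will fail until the proposed resource ships; it is shown only to make the difference between the two resources concrete.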

If there are no concerns I would like to work on implementing AADGroupEligibilityScheduleRequest.

My intent is aligned with IMJLA. It is to allow use of the following UI [image: Screenshot 2024-02-10 at 9.19.34 PM.png]

mpoulson avatar Feb 11 '24 05:02 mpoulson