==This blog has moved to blog.qbits.no==
Azure Privileged Identity Management (PIM) is a feature that lets you elevate to an Azure resource role for a set scope or to an Azure Entitlement Management (Azure Entra) ID role without having a permanent active assignment. This is a great way to increase the security of your platform while also reducing the chance of making mistakes because you're most likely only elevated to the roles that you actually need at the time of working.
However, there are a few drawbacks to PIM. Sometimes, the portal is slow, and you may have to search for the right role among many assigned to you. If you need to elevate to multiple roles, it takes time, considering the context switching involved. An important principle when doing development is to reduce context switching. Even moving your hands from the keyboard to the mouse is, albeit small, a type of context switching. Logging in to the Azure Portal, finding the role(s), pressing the elevation button, and waiting is a huge context switch. At times, that is acceptable, but in your daily work, it's not! If you're like me and mostly doing your development in PowerShell, it's fairly simple to elevate to the roles that you need to get started:
param(
[Parameter()]
[string]$SubscriptionId
[Parameter()]
[string[]]$RoleDefinitionName = @("Contributor"),
[Parameter()]
[string]$Justification = "Local development",
[Parameter()]
[int]$DurationInHours = 8
)
$currentContext = Get-AzContext
ForEach ($role in $RoleDefinitionName) {
$roleDefinitionId = (Get-AzRoleDefinition -Name $role).Id
$inputObject = @{
Name = [guid]::NewGuid().ToString()
Scope = "/subscriptions/$subscriptionId/"
ExpirationDuration = "PT${DurationInHours}H"
ExpirationType = "AfterDuration"
PrincipalId = (Get-AzAdUser -UserPrincipalName $currentContext.Account.Id).Id
RequestType = "SelfActivate"
RoleDefinitionId = "/subscriptions/$SubscriptionId/providers/Microsoft.Authorization/roleDefinitions/$roleDefinitionId"
ScheduleInfoStartDateTime = Get-Date -Format o
Justification = $Justification
}
Write-Verbose "Elevating to role $role on subscription $SubscriptionId for $DurationInHours hours" -Verbose:$true
New-AzRoleAssignmentScheduleRequest @inputObject
}
You can add the code to a file called Elevate-PimRole.ps1
and trigger the script by running ./Elevate-PimRole.ps1 -SubscriptionId xxxxxxxx-xxxx-xxxx-xxxxxxxx
.
That's it! You should now be able to start working in your subscription with your role elevated. Note: if you're working in the context of a resource group it will be necessary to adjust the scope of the elevation.
Happy development!