Set up notifications for Root Tenant Group assignments

Kaushik Ray 0 Reputation points
2024-12-12T19:00:49.8133333+00:00

Set up notifications for Root Tenant Group assignments azurerm_role_management_policy

I am trying to enable a notification (email to a Slack channel) whenever someone requests PIM role activation. The Slack channel contains the admins who can approve the request.

I am unable to fix this. Please advise how to enable the config.

I am expecting this config to send a Slack email when a user requests PIM approval.

Here is the Terraform config:

resource "azurerm_role_management_policy" "tenant_root_mgmt_grp_owner_role_mgmt_pol" {
  scope              = "/providers/Microsoft.Management/managementGroups/${var.mg_id}"
  role_definition_id = "/providers/Microsoft.Authorization/roleDefinitions/${var.roles["Owner"].id}"

  eligible_assignment_rules {
    expiration_required = false
  }

  active_assignment_rules {
    expiration_required   = false
    require_justification = false
  }

  activation_rules {
    maximum_duration                   = "PT8H"
    require_multifactor_authentication = true
    require_justification              = true
    require_ticket_info                = true
    require_approval                   = true
    approval_stage {
      primary_approver {
        object_id = var.groups["ad.azure.admins"].id
        type      = "Group"
      }
    }
  }

  notification_rules {
    # Purpose: Sends notifications when users request to activate their eligible roles
    # When: Triggers on every PIM activation request
    eligible_activations {
      # Notifies the person requesting activation
      assignee_notifications {
        notification_level    = "All"
        default_recipients    = true  # Include the requestor
        additional_recipients = [var.pim_slack_email]  # Also notify Slack channel
      }

      # Notifies the approvers who need to action the request
      # approver_notifications {
      #   notification_level    = "Critical"
      #   default_recipients    = true  # Include configured approvers
      #   additional_recipients = [var.pim_slack_email]  # Also notify Slack channel
      # }

      admin_notifications {
        notification_level    = "Critical"
        default_recipients    = false  # Skip default admin notifications
        additional_recipients = [var.pim_slack_email]  # Only notify Slack channel
      }
    }

    # Purpose: Notifies when users are made eligible for roles
    # When: Triggers when PIM eligible roles are assigned
    eligible_assignments {
      admin_notifications {
        notification_level    = "Critical"
        default_recipients    = false  # Skip default admin notifications
        additional_recipients = [var.pim_slack_email]  # Only notify Slack channel
      }
    }

    # Purpose: Notifies when permanent role assignments are made
    # When: Triggers for direct (non-PIM) role assignments
    active_assignments {
      admin_notifications {
        notification_level    = "Critical"
        default_recipients    = false  # Skip default admin notifications
        additional_recipients = [var.pim_slack_email]  # Only notify Slack channel
      }
    }
  }
}

Tags:
Azure Notification Hubs: An Azure service that is used to send push notifications to all major platforms from the cloud or on-premises environments.
Microsoft Identity Manager: A family of Microsoft products that manage a user's digital identity using identity synchronization, certificate management, and user provisioning.
Azure Policy: An Azure service that is used to implement corporate governance and standards at scale for Azure resources.

1 answer
  1. hossein jalilian 9,615 Reputation points
    2024-12-30T23:58:08.22+00:00

    Thanks for posting your question in the Microsoft Q&A forum.

    To enable notifications for PIM role activation requests to a Slack channel, you need to make a few adjustments to your Terraform configuration. Here's how you can modify your azurerm_role_management_policy resource to achieve this:

    • Ensure that the approver_notifications block is uncommented and properly configured:
    approver_notifications {
      notification_level    = "Critical"
      default_recipients    = true  # Include configured approvers
      additional_recipients = [var.pim_slack_email]  # Also notify Slack channel
    }
    
    
    • Make sure the var.pim_slack_email variable is correctly set to the email address associated with your Slack channel.
    • Verify that the approval_stage block in the activation_rules is properly configured:
    approval_stage {
      primary_approver {
        object_id = var.groups["ad.azure.admins"].id
        type      = "Group"
      }
    }
    
    
    • Ensure that the var.groups["ad.azure.admins"].id is correctly set to the Object ID of the Azure AD group containing your admins.

    Please don't forget to close up the thread here by upvoting and accepting it as an answer if it is helpful.

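After applying the change the answer describes, the practical check is to read the policy back from Azure and confirm that the approver rule for activation requests actually carries the Slack address, and that approval is required at all (an approver notification is never sent for a role whose activation needs no approval). The script below is an added example for this thread, not code from the question, the answer or the azurerm provider. It audits a policy object in the JSON shape returned by the Azure REST API for Microsoft.Authorization/roleManagementPolicies (api-version 2020-10-01), which is the object the azurerm_role_management_policy resource writes: each Terraform `*_notifications` block becomes a `RoleManagementPolicyNotificationRule` whose id encodes recipient type (Admin, Requestor, Approver) and target (eligible_activations maps to EndUser_Assignment, eligible_assignments to Admin_Eligibility, active_assignments to Admin_Assignment). The sample policy, the Slack address and the object ids are constructed; the function names are this example's own.

```python
"""Audit an Azure PIM role management policy for approver notification coverage.

Added example for this thread, not code from the question or the answer. Operates on
the JSON returned by GET <scope>/providers/Microsoft.Authorization/roleManagementPolicies
(api-version 2020-10-01). The sample policy below is constructed by hand.
"""
from __future__ import annotations

import copy

SLACK = "pim-approvals@example.slack.com"  # assumed Slack channel address

# Rule ids Azure uses. "EndUser_Assignment" is the activation of an eligible assignment,
# which is what the eligible_activations Terraform block configures.
APPROVAL_ON_ACTIVATION = "Approval_EndUser_Assignment"
APPROVER_ON_ACTIVATION = "Notification_Approver_EndUser_Assignment"

# Constructed sample mirroring the config as posted: requestor and admin rules carry the
# Slack address, the approver rule is still the Azure default (no extra recipients).
SAMPLE_POLICY = {
    "name": "11111111-2222-3333-4444-555555555555",
    "properties": {
        "rules": [
            {
                "id": APPROVAL_ON_ACTIVATION,
                "ruleType": "RoleManagementPolicyApprovalRule",
                "setting": {
                    "isApprovalRequired": True,
                    "approvalStages": [
                        {"primaryApprovers": [
                            {"id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
                             "description": "ad.azure.admins", "userType": "Group"}
                        ]}
                    ],
                },
            },
            {
                "id": "Notification_Requestor_EndUser_Assignment",
                "ruleType": "RoleManagementPolicyNotificationRule",
                "recipientType": "Requestor",
                "notificationLevel": "All",
                "isDefaultRecipientsEnabled": True,
                "notificationRecipients": [SLACK],
            },
            {
                "id": "Notification_Admin_EndUser_Assignment",
                "ruleType": "RoleManagementPolicyNotificationRule",
                "recipientType": "Admin",
                "notificationLevel": "Critical",
                "isDefaultRecipientsEnabled": False,
                "notificationRecipients": [SLACK],
            },
            {
                "id": APPROVER_ON_ACTIVATION,
                "ruleType": "RoleManagementPolicyNotificationRule",
                "recipientType": "Approver",
                "notificationLevel": "All",
                "isDefaultRecipientsEnabled": True,
                "notificationRecipients": [],
            },
        ]
    },
}


def rules_by_id(policy: dict) -> dict[str, dict]:
    """Index a policy's rules by their Azure rule id."""
    return {r["id"]: r for r in policy["properties"]["rules"]}


def audit_activation_notifications(policy: dict, channel: str) -> list[str]:
    """Return findings explaining why an activation request would not reach `channel`."""
    findings: list[str] = []
    rules = rules_by_id(policy)

    # No approval step means no approver email, whatever the notification rules say.
    approval = rules.get(APPROVAL_ON_ACTIVATION, {}).get("setting", {})
    if not approval.get("isApprovalRequired"):
        findings.append("activation does not require approval, so no approver email is sent")
    elif not any(s.get("primaryApprovers") for s in approval.get("approvalStages", [])):
        findings.append("approval is required but no primary approvers are configured")

    # Only the Approver recipient type is the "request pending your approval" audience.
    rule = rules.get(APPROVER_ON_ACTIVATION)
    if rule is None:
        findings.append(f"{APPROVER_ON_ACTIVATION} rule is missing from the policy")
        return findings
    recipients = rule.get("notificationRecipients", [])
    if channel not in recipients:
        findings.append(f"{APPROVER_ON_ACTIVATION} does not list {channel}")
    if not rule.get("isDefaultRecipientsEnabled") and not recipients:
        findings.append(f"{APPROVER_ON_ACTIVATION} has no recipients at all")
    return findings


def with_channel_added(policy: dict, channel: str) -> dict:
    """Copy of the policy with `channel` added to the approver rule (the answer's fix)."""
    fixed = copy.deepcopy(policy)
    for rule in fixed["properties"]["rules"]:
        if rule["id"] == APPROVER_ON_ACTIVATION:
            rule["notificationRecipients"] = sorted(set(rule["notificationRecipients"]) | {channel})
    return fixed


if __name__ == "__main__":
    for finding in audit_activation_notifications(SAMPLE_POLICY, SLACK):
        print("FAIL:", finding)
    print("after fix:", audit_activation_notifications(with_channel_added(SAMPLE_POLICY, SLACK), SLACK))
```

To run it against a real tenant, fetch the policies at the management group scope with `az rest --method get --url "https://management.azure.com<scope>/providers/Microsoft.Authorization/roleManagementPolicies?api-version=2020-10-01"`, pick the entry for the Owner role definition from the `value` array, and pass that one object to `audit_activation_notifications`. Keep `default_recipients = true` on the approver rule as the answer suggests: with it false and an empty `additional_recipients`, the rule has nobody to mail, which the last check flags.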
