Set up notifications for Root Tenant Group assignments

Kaushik Ray 0 Reputation points
2024-12-12T19:00:49.8133333+00:00


I am trying to enable a notification (email to a Slack channel) whenever someone requests PIM role activation. The Slack channel contains the admins who can approve the request.

I am unable to fix this. Please advise how to enable the config?

I am expecting this config to enable the Slack email when a user requests PIM approval.

Here is the tf config:

resource "azurerm_role_management_policy" "tenant_root_mgmt_grp_owner_role_mgmt_pol" {
  scope              = "/providers/Microsoft.Management/managementGroups/${var.mg_id}"
  role_definition_id = "/providers/Microsoft.Authorization/roleDefinitions/${var.roles["Owner"].id}"

  eligible_assignment_rules {
    expiration_required = false
  }

  active_assignment_rules {
    expiration_required   = false
    require_justification = false
  }

  activation_rules {
    maximum_duration                   = "PT8H"
    require_multifactor_authentication = true
    require_justification              = true
    require_ticket_info                = true
    require_approval                   = true
    approval_stage {
      primary_approver {
        object_id = var.groups["ad.azure.admins"].id
        type      = "Group"
      }
    }
  }

  notification_rules {
    # Purpose: Sends notifications when users request to activate their eligible roles
    # When: Triggers on every PIM activation request
    eligible_activations {
      # Notifies the person requesting activation
      assignee_notifications {
        notification_level    = "All"
        default_recipients    = true  # Include the requestor
        additional_recipients = [var.pim_slack_email]  # Also notify Slack channel
      }

      # Notifies the approvers who need to action the request
      # approver_notifications {
      #   notification_level    = "Critical"
      #   default_recipients    = true  # Include configured approvers
      #   additional_recipients = [var.pim_slack_email]  # Also notify Slack channel
      # }

      admin_notifications {
        notification_level    = "Critical"
        default_recipients    = false  # Skip default admin notifications
        additional_recipients = [var.pim_slack_email]  # Only notify Slack channel
      }
    }

    # Purpose: Notifies when users are made eligible for roles
    # When: Triggers when PIM eligible roles are assigned
    eligible_assignments {
      admin_notifications {
        notification_level    = "Critical"
        default_recipients    = false  # Skip default admin notifications
        additional_recipients = [var.pim_slack_email]  # Only notify Slack channel
      }
    }

    # Purpose: Notifies when permanent role assignments are made
    # When: Triggers for direct (non-PIM) role assignments
    active_assignments {
      admin_notifications {
        notification_level    = "Critical"
        default_recipients    = false  # Skip default admin notifications
        additional_recipients = [var.pim_slack_email]  # Only notify Slack channel
      }
    }
  }
}
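As an added example (not the poster's code, and not an accepted answer from this thread), the following shows the same resource with the approver notification under `eligible_activations` enabled, since, as I understand the provider's mapping to PIM, that block corresponds to the "request to approve a role activation" email that goes out while a request is pending, which is the one an approver Slack channel needs. It assumes the poster's variables `var.mg_id`, `var.roles`, `var.groups` and `var.pim_slack_email` exist with the same meaning as in the question.

```hcl
# Added example, not the poster's configuration. Assumes the question's
# variables: var.mg_id, var.roles, var.groups, var.pim_slack_email.
resource "azurerm_role_management_policy" "mg_owner_pim_example" {
  scope              = "/providers/Microsoft.Management/managementGroups/${var.mg_id}"
  role_definition_id = "/providers/Microsoft.Authorization/roleDefinitions/${var.roles["Owner"].id}"

  activation_rules {
    maximum_duration                   = "PT8H"
    require_multifactor_authentication = true
    require_justification              = true
    require_ticket_info                = true
    # Approval must be required, otherwise PIM never generates a
    # "request to approve" email for anyone to receive.
    require_approval = true
    approval_stage {
      primary_approver {
        object_id = var.groups["ad.azure.admins"].id
        type      = "Group"
      }
    }
  }

  notification_rules {
    eligible_activations {
      # Email sent to approvers while an activation request is pending.
      # This is the block the question leaves commented out; it is the one
      # that should carry the Slack address. "All" avoids the email being
      # filtered out by the "critical emails only" setting.
      approver_notifications {
        notification_level    = "All"
        default_recipients    = true   # approver group members still receive it
        additional_recipients = [var.pim_slack_email]
      }

      # Email to the requester; no need to copy the approver channel here.
      assignee_notifications {
        notification_level    = "All"
        default_recipients    = true
      }

      # Activation alert to admins. Keeping default_recipients = true means
      # the built-in admin audience keeps visibility of every activation,
      # rather than only the Slack channel.
      admin_notifications {
        notification_level    = "Critical"
        default_recipients    = true
        additional_recipients = [var.pim_slack_email]
      }
    }
  }
}
```

After `terraform apply`, the configured state can be cross-checked in the Entra PIM role settings for the scope, where the approver address should appear under the "request to approve a role activation" notification.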

Tags: Azure Notification Hubs, Microsoft Identity Manager, Azure Policy
