Privileged Identity Management - Azure resources
Namespace: microsoft.graph
Important: APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.
Caution: This version of the Privileged Identity Management (PIM) API for Azure resources will be deprecated soon. Use the new Azure REST PIM API for Azure resource roles instead.
You can use Microsoft Entra Privileged Identity Management (PIM) for Azure resources to set up a just-in-time access workflow for your Azure infrastructure roles at the management group, subscription, resource group, and resource level. These include built-in roles such as Owner and Contributor as well as custom RBAC roles.
Common use cases for PIM and Azure resources using a REST API
Use case | Resource | See also |
---|---|---|
Onboard a resource (subscription, resource group, resource, etc.) for PIM management, list all the managed resources the requester has access to, and retrieve the relationships of a managed resource. | governanceResource | Role discovery and management |
List all the roles for a resource, or get the details of a particular role in a specified resource. | governanceRoleDefinition | |
Retrieve all role settings for a resource, or update a role setting. | governanceRoleSetting | Configure role setting |
List and export all role assignments for a resource. | governanceRoleAssignment | Export role assignments |
Create or remove an eligible or active role assignment, activate or deactivate an eligible assignment, view the list of pending requests, approve or deny a pending request, or cancel your own pending request. | governanceRoleAssignmentRequest | Role assignment; Role activation; Approve requests |
Migrate to the Azure Resource Manager PIM APIs for Azure resource roles
The PIM iteration 3 API to manage Azure resources is now available through the Azure Resource Manager REST APIs. Use this guidance to migrate your existing APIs to the new Azure Resource Manager APIs.
The following table describes how the Azure Resource Manager PIM APIs map to the existing Microsoft Graph APIs.
Operation | Microsoft Graph API (iteration 2) | Azure Resource Manager API (iteration 3) |
---|---|---|
Register a resource | Register | Resource Manager doesn't require resources to be explicitly registered or onboarded to be managed. You can perform operations by directly using the resource scope. |
List role definitions | List role definitions | Role Definitions - List |
Create role assignment requests | Create governanceRoleAssignmentRequest | Use Role Eligibility Schedule Requests - Create to create eligible role assignments; use Role Assignment Schedule Requests - Create to create active role assignments. |
List role assignments | List governanceRoleAssignments | Use Role Eligibility Schedule Instances - List to get eligible role assignments; use Role Assignment Schedule Instances - List to get active role assignments. |
Manage role settings | List governanceRoleSettings; Update governanceRoleSetting | Manage policies through Azure Resource Manager |
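The mapping above splits one Graph request type into two Resource Manager endpoints depending on whether the assignment is eligible or active. The following added example (not part of this page or of Microsoft's SDKs) builds the Resource Manager PUT that replaces a given iteration-2 governanceRoleAssignmentRequest body; it assumes the `2020-10-01` API version, the ARM `requestType` and `expiration.type` values, and the Graph-to-ARM request-type mapping shown in the code, and it takes the ARM scope and role definition id as inputs because the Graph request only carries internal ids for them.

```python
import uuid

# Assumptions (not taken from this page): ARM PIM schedule-request API version
# and the iteration-2 -> iteration-3 request type mapping.
API_VERSION = "2020-10-01"
REQUEST_TYPE = {"AdminAdd": "AdminAssign", "AdminRemove": "AdminRemove",
                "UserAdd": "SelfActivate", "UserRemove": "SelfDeactivate"}
ENDPOINT = {"Eligible": "roleEligibilityScheduleRequests",   # eligible assignments
            "Active": "roleAssignmentScheduleRequests"}      # active assignments


def to_arm_schedule(schedule: dict) -> dict:
    """Map a Graph governanceSchedule to an ARM scheduleInfo block."""
    if schedule.get("endDateTime"):
        expiration = {"type": "AfterDateTime", "endDateTime": schedule["endDateTime"]}
    elif schedule.get("duration"):
        expiration = {"type": "AfterDuration", "duration": schedule["duration"]}
    else:
        expiration = {"type": "NoExpiration"}   # permanent: flag this in review
    return {"startDateTime": schedule.get("startDateTime"), "expiration": expiration}


def to_arm_request(graph_req: dict, scope: str, role_definition_id: str,
                   name: str = "") -> dict:
    """Build the Resource Manager PUT replacing a Graph governanceRoleAssignmentRequest.
    scope / role_definition_id are the externalId values of the governanceResource
    and governanceRoleDefinition that the Graph request referenced by internal id."""
    endpoint = ENDPOINT[graph_req["assignmentState"]]   # Eligible vs Active
    name = name or str(uuid.uuid4())                     # request name is a GUID
    url = (f"https://management.azure.com{scope}/providers/Microsoft.Authorization/"
           f"{endpoint}/{name}?api-version={API_VERSION}")
    body = {"properties": {
        "principalId": graph_req["subjectId"],
        "roleDefinitionId": role_definition_id,
        "requestType": REQUEST_TYPE[graph_req["type"]],
        "justification": graph_req.get("reason", ""),
        "scheduleInfo": to_arm_schedule(graph_req.get("schedule", {})),
    }}
    return {"method": "PUT", "url": url, "body": body}


if __name__ == "__main__":
    # Constructed sample: a 30-day eligible assignment at subscription scope.
    sample = {"assignmentState": "Eligible", "type": "AdminAdd",
              "subjectId": "<principal-object-id>", "reason": "On-call operators",
              "schedule": {"startDateTime": "2024-01-01T00:00:00Z", "duration": "P30D"}}
    sub = "/subscriptions/<subscription-id>"
    print(to_arm_request(sample, sub, f"{sub}/providers/Microsoft.Authorization/"
                         "roleDefinitions/<role-definition-guid>"))
```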