Forum Discussion

smereczynski
Copper Contributor
Sep 23, 2024

PAL with PIM

Hi,

Is PAL tracking the ACR from the client's subscriptions, where my account is added as eligible for proper RBAC role but not having active assignment for most of the time?

4 Replies

  • Chris Hall
    Copper Contributor

    Following up on this, what is the recommendation for enabling PAL when most customers' environments are following the recommended JIT and least-privilege model and 99% of the time PIM is not active, and therefore the account that was linked via PAL doesn't have permissions active?

    • ArielSep
      Copper Contributor

      Hello, I'm also interested in this; can you forward me the information as well?

      Problem: All enterprise customers are using JIT/PIM, and we got told by Partner support that PIM access does not count towards Partner ACR (so, only the permanent access is the one that counts).
      Also, having to have Contributor just to "count" consumption towards a partner does not follow the least-privilege principle or Zero Trust, and it is hard if not impossible to convince the security department to apply a permanent privileged role like Contributor/Owner to a subscription just for that.
      Also common are customers using deployment pipelines, which one or multiple partners use to deploy to Production, where nobody has direct access. (So nobody will have "Contributor" there, or maybe some people may have it, but with PIM.) Not only is the pipeline managed by the customer using a managed identity, but it is also one identity possibly shared by multiple partners, so it is impossible to tell the customer to put only "your" Partner ID on this SPN.
      Any customers running a security assessment can/will probably remove any permanent permission like this.
