Forum Discussion
smereczynski
Sep 23, 2024 · Copper Contributor
PAL with PIM
Hi, is PAL tracking the ACR from the client's subscriptions where my account is added as eligible for the proper RBAC role but does not have an active assignment most of the time?
- Apr 15, 2026
I FINALLY heard back from the team on this one. I am not familiar with this content, but I hope it makes sense to you?
-------------------------------------------
If PIM isn’t active and the account is JIT-only, what’s the operational guidance for enabling PAL?
- PAL relies on active permissions, because it must identify partner-associated permissions on the customer tenant.
- JIT removes standing permissions, which creates a conflict unless PIM or another mechanism reactivates temporary privileged roles long enough for PAL to validate associations.
This is why customers on strict JIT/PIM-disabled models often cannot maintain PAL associations — and Microsoft does not currently offer an alternate mechanism.
Chris Hall
May 09, 2025 · Copper Contributor
Following up on this, what is the recommendation for enabling PAL when most customers' environments are following the recommended JIT and least privilege model and 99% of the time PIM is not active, and therefore the account that was linked to PAL doesn't have permissions active?