Forum Discussion
PAL with PIM
smereczynski I have sent this to the team and I will let you know what they respond back with.
Thanks for being part of the community!
Hello, I'm also interested in this, can you forward me the information as well?
Problem: All enterprise customers using JIT/PIM, and got told by Partner support that PIM access does not count towards Partner ACR (so, like the permanent access is the one that counts).
Also, having to have Contributor just to "count" consumption towards a partner does not follow the least-privilege principle or Zero Trust, and it is hard, if not impossible, to convince the security department to apply a permanent privileged role like Contributor/Owner to a subscription just for that.
Also common is customers using deployment pipelines that one or multiple partners use to deploy to Production, to which nobody has direct access. (So, nobody will have "Contributor" there, or maybe some people may have it but with PIM.) Not only is the pipeline managed by the customer, using a managed identity, but with 1 identity and possibly multiple partners, it is impossible to tell the customer to put only "your" Partner ID on this SPN.
Any customers running a security assessment can/will probably remove any permanent permission like this.
- JillArmour, Microsoft, Oct 13, 2025
Community Manager
ArielSep I am looking for someone to help with this. I will post a response when I can find one!