Forum Discussion
Solved
PAL with PIM
Hi, Is PAL tracking the ACR from the client's subscriptions, where my account is added as eligible for proper RBAC role but not having active assignment for most of the time?
I FINALLY heard back from the team on this one. I am not familiar with this content, but I hope it makes sense to you?
-------------------------------------------
If PIM isn’t active and the account is JIT-only, what’s the operational guidance for enabling PAL?
- PAL relies on active permissions, because it must identify partner-associated permissions on the customer tenant.
- JIT removes standing permissions, which creates a conflict unless PIM or another mechanism reactivates temporary privileged roles long enough for PAL to validate associations.
This is why customers on strict JIT/PIM-disabled models often cannot maintain PAL associations — and Microsoft does not currently offer an alternate mechanism
Hi Jill, any update 🙂
JillArmourMicrosoft
Community Manager
Community Managerhansweihe I'm so glad you pinged me on this again. I have sent the request a third time hoping for a response! Thanks for staying on me about this!