Forum Discussion

smereczynski
Copper Contributor
Sep 23, 2024
Solved

PAL with PIM

Hi,

Is PAL tracking the ACR from the client's subscriptions, where my account is added as eligible for the proper RBAC role but does not have an active assignment most of the time?


15 Replies

  • I FINALLY heard back from the team on this one. I am not familiar with this content, but I hope it makes sense to you? 

    -------------------------------------------

    If PIM isn’t active and the account is JIT-only, what’s the operational guidance for enabling PAL?

    • PAL relies on active permissions, because it must identify partner-associated permissions on the customer tenant.
    • JIT removes standing permissions, which creates a conflict unless PIM or another mechanism reactivates temporary privileged roles long enough for PAL to validate associations.


    This is why customers on strict JIT/PIM-disabled models often cannot maintain PAL associations — and Microsoft does not currently offer an alternate mechanism.

    • ArielSep
      Copper Contributor

      Thanks Jill, unfortunately this is the same information I had: that PAL is not compatible with and/or does not follow Microsoft security best practices, requiring a permanent permission that companies are currently removing.

      • JillArmourMicrosoft
        Community Manager

        Oh, well that's helpful then. 🙃 That is what the team shared back to me in response. I'm afraid I don't have any other strings to pull. 

  • Chris Hall
    Copper Contributor

    Following up on this, what is the recommendation for enabling PAL when most customers' environments follow the recommended JIT and least-privilege model and 99% of the time PIM is not active, and therefore the account linked to PAL doesn't have active permissions?

    • ArielSep
      Copper Contributor

      Hello, I'm also interested in this, can you forward me the information as well?

      Problem: All enterprise customers are using JIT/PIM, and Partner support told us that PIM access does not count towards Partner ACR (so only the permanent access counts).
      Also, having to hold Contributor just to "count" consumption towards a partner does not follow the least-privilege principle or Zero Trust, and it is hard if not impossible to convince the security department to apply a permanent privileged role like Contributor/Owner to a subscription just for that.
      Also common are customers using deployment pipelines, which one or multiple partners use to deploy to Production, to which nobody has direct access. (So nobody will have "Contributor" there, or maybe some people may have it but with PIM.) Not only is the pipeline managed by the customer, using a managed identity, but since it is one identity and possibly multiple partners, it is impossible to tell the customer to put only "your" Partner ID on this SPN.
      Any customer running a security assessment can and probably will remove any permanent permission like this.