Forum Discussion
PAL with PIM
- Apr 15, 2026
I FINALLY heard back from the team on this one. I am not familiar with this content, but I hope it makes sense to you?
-------------------------------------------
If PIM isn’t active and the account is JIT-only, what’s the operational guidance for enabling PAL?
- PAL relies on active permissions, because it must identify partner-associated permissions on the customer tenant.
- JIT removes standing permissions, which creates a conflict unless PIM or another mechanism reactivates temporary privileged roles long enough for PAL to validate associations.
This is why customers on strict JIT/PIM-disabled models often cannot maintain PAL associations — and Microsoft does not currently offer an alternate mechanism.
Hello, I'm also interested in this, can you forward me the information as well?
Problem: All enterprise customers using JIT/PIM, and got told by Partner support that PIM access does not count towards Partner ACR (so, like the permanent access is the one that counts).
Also, having to have Contributor just to "count" consumption towards a partner does not follow the least-privilege principle or Zero Trust, and it is hard, if not impossible, to convince the security department to apply a permanent privileged role like Contributor/Owner to a subscription just for that.
Also common is customers using deployment pipelines that one or multiple partners use to deploy to Production, where nobody has direct access. (So nobody will have "Contributor" there, or maybe some people may have it but with PIM.) Not only is the pipeline managed by the customer, using a managed identity, but with 1 identity and possibly multiple partners, it is impossible to tell the customer to put only "your" Partner ID on this SPN.
Any customers running a security assessment can/will probably remove any permanent permission like this.
ArielSep I am looking for someone to help with this. I will post a response when I can find one!
- pticku, Dec 03, 2025, Copper Contributor
JillArmourMicrosoft Any update on this? I am also interested in this.
- JillArmourMicrosoft, Dec 05, 2025
Community Manager
pticku I have tapped the team again for a response. I hope to hear back next week. Thank you for bringing this to my attention again.
- JillArmourMicrosoft, Dec 16, 2025
Community Manager
pticku I have pinged them again, I apologize for the wait. I am doing all I can!