Converting Azure Resource RBAC to PIM via PowerShell

New Contributor

Hi all
I'm looking at converting PIM permissions from Azure RBAC to PIM permissions
I have written a PowerShell script to do this - which works, however the only issue I've come across is defining scope on the PIM permission




#Connect to Azure
Import-Module AzureADPreview

#Azure sub variables and set Azure sub
Set-AzContext -Subscription $prd

#Get set Azure sub Name and ID
$env = (Get-AzContext).Subscription.Name
$subscriptionId = (Get-AzContext)

#SignInName Variables
$Email = ""

#Make Directory
cd -Path C:/Temp  
mkdir -force $email/$env

#Fetch Azure Permissions
Get-AzRoleAssignment -SignInName $Email -ExpandPrincipalGroups | Select-Object -Property DisplayName, Scope, RoleDefinitionName, RoleDefinitionId, RoleAssignmentId | Export-Csv -notypeinformation C:/Temp/$email/$env/AzurePerms.csv

#Store IDs into variables
$AzurePIM = Import-Csv C:/Temp/$email/$env/AzurePerms.csv 

#Convert IDs into PIM IDS
$targetuserID = (Get-AzureADUser -ObjectId $email).ObjectId
$SubscriptionPIMID = (Get-AzureADMSPrivilegedResource -ProviderId 'AzureResources' -Filter "ExternalId eq '/subscriptions/$subscriptionID'").Id
$tenantID = "<tenant id>"

#Set Schedules
$schedule = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedSchedule
$schedule.Type = "Once"
$schedule.StartDateTime = (Get-Date).ToString("yyyy-MM-ddTHH:mm:ss.fffZ")
$Schedule.endDateTime = (Get-Date).AddMonths(6).ToString("yyyy-MM-ddTHH:mm:ss.fffZ")
#Create the eligible role assignment
ForEach ($Row in $AzurePIM)
    #For every role definition id
    $RoleDefId = $Row.RoleDefinitionId
    #Convert to a PIM ID
    $RoleDefinitionPIMID = (Get-AzureADMSPrivilegedRoleDefinition -ProviderId 'AzureResources' -Filter "ExternalId eq '/subscriptions/$subscriptionID/providers/Microsoft.Authorization/roleDefinitions/$RoleDefid'" -ResourceId $subscriptionPIMID).Id
 #Assign that role
    Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId 'AzureResources' -ResourceId $SubscriptionPIMID -RoleDefinitionId $RoleDefinitionPIMID -SubjectId $targetuserid -Type 'adminAdd' -AssignmentState 'Eligible' -schedule $schedule -reason "testing"
    #And loop




I've removed some information, stuff that's not relevant, the issue lies within line 43 and 45, more specifically the -ResourceId switch.

The script serves two purposes largely, it'll store the list of permissions of the user in a csv (audit purposes) as well as going through that csv and converting the permissions defined.

In that csv the Scope is defined, however so far I've been unable to enter that scope into the PIM assignment lines.

Just wondering if anyone has came across anything similar before and is able to advise?
Thank you.

1 Reply


I've added some more lines to find the resource id, I believe the issue at first was subscriptions don't have a ResourceID, so it needed an if statement to match the subscriptionid variable to the scope column in the csv

I've added that if statement however no luck in getting them all to apply at a subscription level - it only seems to be running the else section, and not the if.


ForEach ($Row in $AzurePIM)
If ($Row.Scope -match "/subscriptions/$subscriptionID") {
    #For every role definition id
    $RoleDefId = $Row.RoleDefinitionId
    #Convert to a PIM ID
    $RoleDefinitionPIMID = (Get-AzureADMSPrivilegedRoleDefinition -ProviderId 'AzureResources' -Filter "ExternalId eq '/subscriptions/$subscriptionID/providers/Microsoft.Authorization/roleDefinitions/$RoleDefid'" -ResourceId $subscriptionPIMID).Id
    #Assign that role
    Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId 'AzureResources' -ResourceId "$subscriptionPIMID" -RoleDefinitionId $RoleDefinitionPIMID -SubjectId $TargetUserID2 -Type 'adminAdd' -AssignmentState 'Eligible' -schedule $schedule -reason "testing"
Else {
    #For every role definition id and Scope
    $RoleDefId = $Row.RoleDefinitionId,
    $ResId = $Row.Scope
    #Convert to a PIM ID
    $ResPIMID = (Get-AzureADMSPrivilegedResource -ProviderId 'AzureResources' -Filter "ExternalId eq '$ResId'").Id
    $RoleDefinitionPIMID = (Get-AzureADMSPrivilegedRoleDefinition -ProviderId 'AzureResources' -Filter "ExternalId eq '/subscriptions/$subscriptionID/providers/Microsoft.Authorization/roleDefinitions/$RoleDefid'" -ResourceId "$ResId").Id
    #Assign that role
    Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId 'AzureResources' -ResourceId $ResPIMID -RoleDefinitionId $RoleDefinitionPIMID -SubjectId $TargetUserID2 -Type 'adminAdd' -AssignmentState 'Eligible' -schedule $schedule -reason "testing"