Forum Discussion
SKadish
Jan 18, 2024 (Brass Contributor)
Unified RBAC and Entra PIM
I'm interested in any experiences people have had with activating custom Unified RBAC roles using Entra ID PIM. We are currently doing something similar with a custom role in Defender for Office 365...
Gadi_Palatchi_MSFT
Feb 11, 2024 (Microsoft)
Hello,
Thank you for posting this question.
My name is Gadi and I am the Unified RBAC Product Manager.
Referring to your question - yes, this is possible and is considered as one of the key values when using Unified RBAC as your centralized RBAC for all supported Defender products within the XDR Security portal.
1. Create a security group in Azure Entra ID that you wish to use with PIM. For the example, let's call it "SecOps Analysts PIM group". Do not add any members to that group.
2. Once you have completed creating the group, on the left menu, under "Activity", click on "Privileged Identity Management" and confirm this group is to be used with PIM.
3. Do not add any member to the group at this point.
4. In Unified RBAC, create a custom role with the permission you intend to grant to users that will be added to the created security group. For the example: Security operations \ Alerts (manage).
5. Create a new assignment for this role and, in the "Assignees" section, select the security group that you have just created (you can search for it by its name).
6. Select the data sources you wish to include in this assignment (by default, all data sources will be included).
7. Submit and finish.
8. Activate Unified RBAC for the products you wish access to be enforced by Unified RBAC; from that point Unified RBAC will be active for these products.
9. Once you wish to grant users the permissions defined in this role, from Entra ID add members to this particular security group and, when asked, define the time frame for their membership (JIT).
10. Allow ~10 minutes for this change to be effective in the XDR security portal, and that's it.
I hope this helps.
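The group side of the procedure above (steps 1, 3 and 9), as an added example that is not from the thread or from Microsoft: it creates the PIM-backed group if missing, checks that it has no standing members (which would bypass JIT), and makes a user eligible rather than a permanent member. It assumes the Microsoft Graph PowerShell SDK, a caller allowed to manage PIM for Groups, and placeholder names for the group and the user; the Unified RBAC role assignment itself (steps 4 to 8) is done in the Defender portal and is not scripted here.

```powershell
# Added example (not the thread's or Microsoft's code). Assumes the Microsoft.Graph
# modules (Groups, Users, Identity.Governance) and a caller with rights to manage
# PIM for Groups. Group name and UPN are placeholders.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.Read.All",
    "PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup"

$groupName = "SecOps Analysts PIM group"          # placeholder, as in step 1
$group = Get-MgGroup -Filter "displayName eq '$groupName'"
if (-not $group) {
    # Step 1: a plain security group, created with no members.
    $group = New-MgGroup -DisplayName $groupName -MailEnabled:$false `
        -MailNickname "secops-analysts-pim" -SecurityEnabled:$true
}

# Step 3 check: a JIT group must have no permanent members. Anyone listed here
# holds the Unified RBAC permissions permanently, outside PIM's time limits.
$standing = @(Get-MgGroupMember -GroupId $group.Id -All)
if ($standing.Count -gt 0) {
    Write-Warning "Group has $($standing.Count) permanent member(s); they bypass PIM."
}

# Step 9: grant *eligibility*, not membership. The user later activates membership
# in PIM for the time frame allowed by the group's PIM policy. Creating the first
# eligibility request is also what enrols the group in PIM for Groups (assumption).
$user = Get-MgUser -UserId "analyst@contoso.example"   # placeholder UPN
New-MgIdentityGovernancePrivilegedAccessGroupEligibilityScheduleRequest -BodyParameter @{
    accessId      = "member"
    principalId   = $user.Id
    groupId       = $group.Id
    action        = "adminAssign"
    justification = "Eligible for Unified RBAC custom role via PIM group"
    scheduleInfo  = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString("o")
        # How long the user stays *eligible*; activation length is set by the PIM policy.
        expiration    = @{ type = "afterDuration"; duration = "P90D" }
    }
}

# Verify: the user shows up as eligible while the member list above stays empty.
Get-MgIdentityGovernancePrivilegedAccessGroupEligibilitySchedule -Filter "groupId eq '$($group.Id)'" |
    Select-Object PrincipalId, AccessId, MemberType, Status
```

Re-run the standing-member check periodically; a group that is supposed to be JIT-only silently becomes standing access the moment someone adds a direct member.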
SKadish
Feb 12, 2024 (Brass Contributor)
Hello Gadi,
Thank you. My experience with defining a PIM group in Entra, and associating it with an MBO role in MDO, is that it takes approximately 50 minutes after activation to assign the permissions, not approximately ten minutes. This is why I am asking. Has this behavior in XDR been improved?
Gadi_Palatchi_MSFT
Feb 14, 2024 (Microsoft)
Thank you for this input.
Syncing Azure Entra ID elevations to the XDR portal can sometimes be delayed. We will further investigate this behavior and will work on improving it in the future.
SKadish
Feb 14, 2024 (Brass Contributor)
Hi Gadi,
Thank you. I want it to be clear that the latency issue was with the OLD role model under MDO. I'm much happier with the performance of the new RBAC model.
SKadish
Feb 13, 2024 (Brass Contributor)
For the benefit of others who are interested in this topic, I tested the assumption of Defender XDR permissions using Entra ID PIM and I am NOT having the same problem that I did with MDO roles. The permissions are being granted fairly quickly, mostly within ten minutes, or, if I log out and log back in, even more quickly.