Azure AD Role Assignment

Hey Valiant,

I have replied to your service request as well:

It doesn't look like this can be configured on the 1IM side of things, out of box.

As the documentation states, "Administrator roles are loaded into One Identity Manager by synchronization. You can edit individual master data of administrator roles but cannot create new administrator roles in One Identity Manager."

So I think any change of assignment type has to be done on the Azure side of things.

Although, I suppose it would be possible to add a custom column that could be mapped to the applicable attribute in Azure, and do it that way.

Trevor

Hey Valiant,

I have replied to your service request as well:

It doesn't look like this can be configured on the 1IM side of things, out of box.

As the documentation states, "Administrator roles are loaded into One Identity Manager by synchronization. You can edit individual master data of administrator roles but cannot create new administrator roles in One Identity Manager."

So I think any change of assignment type has to be done on the Azure side of things.

Although, I suppose it would be possible to add a custom column that could be mapped to the applicable attribute in Azure, and do it that way.

Trevor

In addition to Trevor's reply, the assignment type you are referring to is part of Azure Active Directory (Azure AD) Privileged Identity Management (PIM) feature set which is an additional package in Azure and is currently not implemented in the current release version of the Graph API by Microsoft (only in the BETA stream). So currently, it is not supported OOTB to set the assignment type differently.

Trevor/Markus, thanks for the info.

Valiant

Hi Markus,

I am going to work on a very related topic and was wondering if you have any news regarding the status of the MS API and wether it supports eligible by now?

Thanks and Kind Regards, Dirk

Sorry, I currently have no further information on the status of the MS API.

Hi Markus,

The integration / support of eligible Azure roles is also of interest to me. Could you please let me know what is the plan of supporting these ?

In other thread I read an input from you that the PIM integration is tracked under the 30698 id. Was this only in regards to Azure guest accounts (which are now part of 8.2 or also for the eligible Azure roles administration meant?

Thanks and best regards,

Igor

30698 hence PIM support is still not part of the official MS API. In contrary the original MS Beta API has stopped working May 31, 2021 and has been replaced by a new MS Beta API.

Just as a reminder why we are trying to prevent Beta APIs. This is the statement from Microsoft about the new API (https://docs.microsoft.com/en-us/graph/api/resources/rolemanagement?view=graph-rest-beta&preserve-view=true) (I have highlighted the important part).

Important

APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.

Thank you, so to summerize, there will be no plans on the OI side to start implementing this as long as the Rest Graph API is in Beta?:

https://docs.microsoft.com/en-us/graph/api/resources/rolemanagement?view=graph-rest-beta&preserve-view=true

 What is a realistic time frame, after the Rest Graph API is officially released from Microsoft to expect the support for this in one of the future OIM versions? Is assuming 6 to 12 months realistic so it can fit in some of the upcomming versions?

This would help us with some mid term planing here.

Sorry, but I am unable to tell you anything about future planning around this topic. We are having this in our backlog and monitoring this closely is the best I can tell you at the moment.

If you want to know more about future plans you need to contact our product manager.