SCIMming with PIM for Groups

The process of creating Groups for PIM is super easy. Let’s go through it.

History

Previously, you had to assign a role to an individual user, who then elevated their own permissions. To give someone else the same rights, you added the same role to that person, and they did the same.

Well, that has changed. Now you can use Groups to assign the permissions and the group members will be able to elevate their rights when assigned to it.

If you are not using role-assignable groups, you can still use PIM for Groups to activate ownership or membership of a group that is managed under PIM.

How to set up role-assignable groups?

It works with both Entra ID security groups and Microsoft 365 groups.

The group does not have to be a role-assignable group to be enabled in PIM for Groups.

But if you want to assign Entra ID roles to a group, it has to be role-assignable.

You can choose two ways to achieve this:

  • Create active user assignments to the group, then designate the group as being eligible for activation by giving it a role.
  • Make a role assignment to a group active and designate users who are eligible to join the group.

Now it’s possible to enable more than 500 groups per tenant in PIM, but only up to 500 groups can be role-assignable.

The Entra ID role-assignable group feature is not part of Entra PIM. It requires an Entra ID Premium P1 or P2 license.

Basically, it means you create a group that roles can be assigned to, but you lose the dynamic membership option: the membership type can only be Assigned.

One more thing to note: role-assignable groups can't have other groups nested inside them.

Security group

Microsoft 365 groups

Inside the Azure portal, group creation looks like this for role-assignable groups.

And inside Microsoft 365 admin center it will look like this. You just have to make the group Private instead of Public.

I also want to point out the possibility of using sensitivity labels on a group; it's a really nice feature.

Setup for non-role-assignable groups?

And you can still create a group with roles assigned.

And select Eligible or Active.

How to onboard them?

Once you have the group in place, you will see it in the portal: https://entra.microsoft.com/#view/Microsoft_Azure_PIMCommon/CommonMenuBlade/~/quickStart

You can onboard new groups from Discover groups: once there, find the group that you want to add and choose Manage groups.

If the group is already onboarded, you will see the time it was onboarded.

You will be asked to confirm, and the group is then onboarded to PIM for use.

Once done, you will see it under Groups inside PIM. A group cannot be removed from management after it has been onboarded; this prevents another resource administrator from removing the PIM settings.

Requesting access to a group

The user can then request to be a member or an owner of the group, depending on what you specified when assigning the permissions.

When a membership or ownership is assigned, the assignment:

  • Can’t be assigned for a duration of less than five minutes
  • Can’t be removed within five minutes of it being assigned

Elevate rights with onboarded group

You can request role elevation with the group if it’s enabled for Role assignments or you have enabled PIM roles for individual users and they have active assignments.

For role-assignable groups, admins request their permissions just like before; no differences here.

Now that PIM for Groups is clear, let's look at on-demand provisioning.

On demand provisioning

How Long Does User Access Take?

There are two ways users get access to applications in Microsoft Entra ID:

  • Automatically: If a user is added to a group without using Privileged Identity Management (PIM), it takes up to 40 minutes for their access to be provisioned (connected) to the application. This happens automatically in the background.
  • On-demand: If a user activates their group membership using PIM, it takes 2-10 minutes for their access to be provisioned. However, if there are many users activating access at once, it might take longer (up to 40 minutes for the 6th user onwards within a 10-second period).

Additional Notes:

  • Even after provisioning, it might take some time for the application itself to recognize the user’s new access depending on its design.
  • You can set up alerts to be notified if there are any issues with user provisioning.
  • Removing access from a user doesn't happen immediately; it takes up to 40 minutes, during the next automatic synchronization cycle.

AWS Identity Center side

You can get your AWS account and try it out here: https://docs.aws.amazon.com/accounts/latest/reference/welcome-first-time-user.html#getting-started-step1

See here for the Learn article

I will visualize it a bit for convenience.

Once provisioning is enabled, you need to get the SCIM endpoint address and token.

When you generate the token, copy it. This is the only time you will be able to do so.

Then you have to paste the SCIM URL and token secret into Entra ID.

Entra ID Enterprise Application

And you can see Groups and Users in the mappings.

Update the settings

And add users to the scope.

The provisioning interval is 40 minutes by default, and from this screen you can edit, start, restart, or start on-demand provisioning.

When we check AWS, we can see that no users have been provisioned with SCIM yet.

On Demand

With Provision on demand, you can provision only the users that are in the scope of the application.

And you can see the reason the user was skipped.

Once you add a user that is in the scope and provision them, you will see the attributes in the logs.

And the user will appear in the AWS Identity Center user store as created by SCIM.

When we open the user, we can see the creation and update times.

And you can do the same for a group.

And magic!

We have a user inside the group in Entra ID.

And once the provisioning is started, you can see its status.

And from the log details you can see what was processed with it. The group is there too.

The group members will be provisioned; they don't have to be directly assigned to the application, but they have to be scoped through the group.

Now the users and groups will be created and updated every 40 minutes. You cannot set the interval lower than that, but you can always provision the users and groups on demand.

Activating and Deactivating Groups On Demand

Easy: just open My Groups, activate the membership, and let it do its thing.

And magic! It took about 25 seconds from activating the group membership to being granted access, via SCIM, to the group inside AWS. The group already existed in AWS, so it was faster!

And once the activation period you requested for the group has ended, you will be automatically removed from the target resource.

And you can always manually deactivate it.

If we wait for the time we requested the role for to run out, we can see it disappear from AWS via SCIM. How cool is that!
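To make the on-demand provisioning flow above and the activate/expire cycle concrete, here is an added example (not code from the original post, Microsoft or AWS) that plays both sides of the SCIM 2.0 exchange in memory. ScimStore stands in for the SCIM endpoint on the AWS Identity Center side; EntraProvisioner stands in for the Entra provisioning service, first applying the "in scope directly or through an assigned group" rule, then sending the same create, add-member and remove-member messages that a PIM activation and its expiry trigger. The message shapes follow RFC 7643/7644 and the PATCH form Entra uses for group members; the scope rule, the skip-reason text, and every name and ID are constructed for this example.

```python
"""SCIM 2.0 exchange behind on-demand provisioning and a PIM group activation.

Added illustration, not code from the original post, Microsoft or AWS.
ScimStore is an in-memory stand-in for the AWS Identity Center SCIM endpoint;
EntraProvisioner plays the Entra provisioning service.  Message shapes follow
RFC 7643/7644 and the add/remove-member PATCH form Entra sends; the scope
rule, skip reason text, names and IDs are constructed for the example.
"""
import uuid
from typing import Dict, List, Set, Tuple

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"


class ScimStore:
    """Minimal SCIM 2.0 resource store: the target side of the exchange."""

    def __init__(self) -> None:
        self.users: Dict[str, dict] = {}
        self.groups: Dict[str, dict] = {}

    def create_user(self, body: dict) -> Tuple[int, dict]:
        """POST /Users: duplicate userName is a 409 conflict, else 201 Created."""
        if any(u["userName"] == body["userName"] for u in self.users.values()):
            return 409, {"status": "409", "detail": "userName already exists"}
        user = {"schemas": [USER_SCHEMA], "id": str(uuid.uuid4()), **body}
        self.users[user["id"]] = user
        return 201, user

    def create_group(self, body: dict) -> Tuple[int, dict]:
        """POST /Groups: a new group starts with no members."""
        group = {"schemas": [GROUP_SCHEMA], "id": str(uuid.uuid4()), "members": [], **body}
        self.groups[group["id"]] = group
        return 201, group

    def find_user(self, user_name: str) -> Tuple[int, dict]:
        """GET /Users?filter=userName eq "...": returns a SCIM ListResponse."""
        hits = [u for u in self.users.values() if u["userName"] == user_name]
        return 200, {"schemas": [LIST_SCHEMA], "totalResults": len(hits), "Resources": hits}

    def patch_group(self, gid: str, body: dict) -> Tuple[int, dict]:
        """PATCH /Groups/{id}: add or remove members; an unknown member id is a 400."""
        group = self.groups.get(gid)
        if group is None:
            return 404, {"status": "404", "detail": "group not found"}
        for op in body["Operations"]:
            kind, path = op["op"].lower(), op.get("path", "")
            if kind == "add" and path == "members":
                for m in op["value"]:
                    if m["value"] not in self.users:
                        return 400, {"status": "400", "detail": "unknown member " + m["value"]}
                    if all(x["value"] != m["value"] for x in group["members"]):
                        group["members"].append({"value": m["value"]})  # idempotent add
            elif kind == "remove" and path.startswith("members[value eq "):
                target = path.split('"')[1]  # path looks like: members[value eq "<id>"]
                group["members"] = [x for x in group["members"] if x["value"] != target]
            else:
                return 400, {"status": "400", "detail": "unsupported operation"}
        return 200, group


class EntraProvisioner:
    """The source side: scope check, then the SCIM calls for create/activate/expire."""

    def __init__(self, store: ScimStore, scoped_users: Set[str], scoped_groups: Dict[str, Set[str]]) -> None:
        self.store = store
        self.scoped_users = scoped_users    # users assigned directly to the application
        self.scoped_groups = scoped_groups  # assigned group -> its Entra members

    def in_scope(self, upn: str) -> bool:
        """In scope when assigned directly or through an assigned group (constructed rule)."""
        return upn in self.scoped_users or any(upn in m for m in self.scoped_groups.values())

    def provision_on_demand(self, upn: str) -> Tuple[str, str]:
        """Returns ('skipped', reason) or ('created' / 'exists', SCIM id)."""
        if not self.in_scope(upn):
            return "skipped", "not in application scope"  # constructed reason text
        _, listing = self.store.find_user(upn)
        if listing["totalResults"]:
            return "exists", listing["Resources"][0]["id"]
        status, user = self.store.create_user(
            {"userName": upn, "externalId": "obj-" + upn.split("@")[0], "active": True})
        return ("created" if status == 201 else "failed"), user.get("id", "")

    def set_membership(self, gid: str, user_id: str, active: bool) -> List[str]:
        """PIM activation sends an Add, expiry/deactivation a Remove; returns member ids."""
        if active:
            ops = [{"op": "Add", "path": "members", "value": [{"value": user_id}]}]
        else:
            ops = [{"op": "Remove", "path": 'members[value eq "%s"]' % user_id}]
        status, group = self.store.patch_group(gid, {"schemas": [PATCH_SCHEMA], "Operations": ops})
        assert status == 200, group
        return sorted(m["value"] for m in group["members"])


def activation_cycle() -> dict:
    """Provision a group-scoped user, skip an unscoped one, activate, re-activate, expire."""
    store = ScimStore()
    entra = EntraProvisioner(store, scoped_users=set(), scoped_groups={"AWS-Admins": {"alice@example.test"}})
    _, group = store.create_group({"displayName": "AWS-Admins", "externalId": "grp-0001"})
    alice = entra.provision_on_demand("alice@example.test")  # in scope via the group
    bob = entra.provision_on_demand("bob@example.test")      # not in scope: skipped
    return {
        "alice": alice[0], "bob": bob,
        "after_activate": entra.set_membership(group["id"], alice[1], True),
        "after_repeat": entra.set_membership(group["id"], alice[1], True),
        "after_expiry": entra.set_membership(group["id"], alice[1], False),
    }
```

Calling activation_cycle() walks the whole story of the post: the scoped user is created, the unscoped user is reported as skipped with a reason, the first activation adds the member, a second activation changes nothing, and expiry removes the member again, which is exactly the "disappears from AWS via SCIM" behaviour observed above.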

Closure

That’s where Microsoft Entra PIM for Groups comes in. It grants access just-in-time, like lending car keys for a specific trip. Less risk, more control. And user provisioning goes from 40 minutes to 2 minutes or less, as in my examples.

PIM automates tasks, freeing up IT for bigger things. Security and efficiency, hand in hand. That’s the power of PIM for Groups.

Author: Harri Jaakkonen