Version: Angophra

Configure Entra PIM and Directory Roles

Overview

Managing access to PIM roles in Entra ID can be a complex and challenging task for any organisation. The default Microsoft portal view gives limited visibility of which users are assigned to which PIM role, and of how many PIM roles a given user holds. Apporetum addresses this by reading the role definitions and assignments from Entra ID and surfacing them in an Apporetum app. This allows Apporetum to provide real-time insights and out-of-the-box reporting on the usage of PIM roles.

Setting up Entra PIM / Directory Roles

  1. In the Apporetum navigation Menu, click Access -> Apps
  2. Select Configure App on the top left of Apporetum


  1. Select an Entra ID data source
  2. Select either Entra PIM or Directory Roles

(Screenshot: Entra Data source options)

Note: Entra PIM vs Directory Roles

Both the Entra PIM and the Directory Roles access types serve the same purpose in Apporetum. Which access type you choose depends on the licensing of your Entra ID tenant.

  • Entra PIM - This access type requires a Microsoft Entra ID P2 license (formerly Azure AD Premium P2), because it reads PIM eligibility and activation data.
  • Directory Roles - This access type does not require a license; it reads the active directory role assignments that every tenant has.

Both access types use the Microsoft Graph delegated permission RoleManagement.Read.All. This permission allows the app to read the RBAC settings for all RBAC providers, on behalf of the signed-in user. This includes reading role definitions and role assignments.

This is a read-only permission: Apporetum cannot create, activate, or remove role assignments with it, and it makes no changes to the directory. If you see a consent prompt asking for any RoleManagement.ReadWrite.* permission, that is more than this integration needs.
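The read-only claim above is worth verifying in the tenant rather than taking on trust. The following is an added example, not code from the Apporetum product or its documentation: it uses the Microsoft Graph PowerShell SDK to list the permissions actually consented to the Apporetum enterprise application and flags anything beyond read-only delegated scopes. It assumes the service principal's display name in your tenant is "Apporetum" (substitute yours) and that the signed-in account can read application registrations and consent grants.

```powershell
# Added example (not Apporetum's own code). Requires the Microsoft.Graph PowerShell SDK.
# ASSUMPTION: the enterprise application is named 'Apporetum' in this tenant; change $appName if not.
$appName = 'Apporetum'

# Read-only scopes are enough to inspect app registrations and consent records.
Connect-MgGraph -Scopes 'Application.Read.All', 'DelegatedPermissionGrant.Read.All' -NoWelcome

$sp = Get-MgServicePrincipal -Filter "displayName eq '$appName'"
if (-not $sp) { throw "Service principal '$appName' not found; check the display name in Enterprise applications." }

# Delegated (on-behalf-of-user) consent. Each grant's Scope is a space-separated list of permission names.
$grants = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All
$delegated = $grants |
    ForEach-Object { $_.Scope -split ' ' } |
    Where-Object { $_ } |
    Sort-Object -Unique

# Application (app-only) permissions appear as app role assignments on the service principal.
# The page says the integration works on behalf of the signed-in user, so there should be none.
$appOnly = @(Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All)

"Delegated scopes granted to $appName : $($delegated -join ', ')"
"Application (app-only) permissions : $($appOnly.Count)"

# Anything that can write, or any app-only permission, exceeds RoleManagement.Read.All.
$writeScopes = $delegated | Where-Object { $_ -match 'ReadWrite|Write' }
if ($writeScopes -or $appOnly.Count -gt 0) {
    Write-Warning "Consent exceeds what this integration needs. Write scopes: $($writeScopes -join ', '); app-only permissions: $($appOnly.Count)"
} elseif ($delegated -notcontains 'RoleManagement.Read.All' -and $delegated -notcontains 'RoleManagement.Read.Directory') {
    Write-Warning "RoleManagement.Read.All is not granted; the app will not be able to read role assignments."
} else {
    "OK: consent is limited to read-only delegated scopes."
}
```

Run this once after consenting to the app and again after any admin re-consents, since a later "grant admin consent" click can silently widen the scope list.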

  1. Fill out a Friendly Name for the app
  2. Fill out a Description for the app

(Screenshot: Configure PIM Roles - about section)

  1. Choose one or more Owners
  2. Choose one or more Access Providers
  3. Choose one or more Access Approvers
  4. Choose one or more Access Reviewers

(Screenshot: Create App - Management options)

  1. Select Save Changes

Configuring Roles

After the initial app setup is complete, you will need to configure the roles that Apporetum will report on.

There are two options located at the top right:

  • Adopt All Roles
  • Add Role

(Screenshot: Configure Roles - Entra PIM)

Adopt All Roles

Selecting Adopt All Roles automatically pulls every Entra ID PIM role into the app. This setting is useful when you want insights and reporting across all PIM roles. A list of the roles that are imported can be found here.

If choosing to Adopt All Roles continue to the Membership Configuration Section

Add Role

Selecting Add Role lets you specify which Entra ID PIM roles are added to the app. This setting is useful when you only want to report on specific, high-value PIM roles such as "Global Administrator".

To add specific PIM Roles:

  1. Select Add Role
  2. Provide a Friendly Name - This should be the name of the PIM role
  3. Provide a Description - This should be a description of the PIM role
  4. Provide a Short Description - This can be the name of the PIM role

(Screenshot: Create PIM App roles)

  1. Under the Group setting, select the PIM role to be added

(Screenshot: Global Admin role)

Membership Configuration

Once you have selected to Adopt All Roles or Add Role, follow the membership configuration:

  1. Set Approval Required to Off
  2. Turn Trusted Role to On
  3. Set the Reconciliation Period to 1 Day
  4. Turn Keep Synced to On
  5. Set Access Expires to Never

(Screenshot: Configure Membership for PIM role)

  1. Set the Guardrail Type to None

(Screenshot: Configure Guardrail for PIM role)

  1. Save the configuration

Insights

Once an app is set up for PIM roles, Apporetum delivers advanced out-of-the-box insights while also enabling users to build custom queries and reports tailored to your organisation’s needs.

To access these insights:

  1. Navigate and select the app that was created for Entra PIM roles

  2. Navigate to the Insights tab

  3. These automatically generated insights provide a real-time view of the accounts scoped to this app

    (Screenshot: App Insights)

Apporetum can also drill down into an individual PIM role and report on it separately. To do this:

  1. Navigate to the App Roles Tab

  2. Select the PIM role you wish to investigate further

    (Screenshot: Select App Role)

  3. Navigate to the Insights tab for the PIM Role

    (Screenshot: PIM Insights)
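To make concrete what the two access types read and what the insights above are built from, here is an added example (not Apporetum's code and not part of this documentation) that produces the same two views by hand with the Microsoft Graph PowerShell SDK under the same RoleManagement.Read.All permission: who holds each role, and how many roles each principal holds. The Directory Roles part reads active role assignments and works on any license; the Entra PIM part reads eligibility schedules and needs Entra ID P2, so the script falls back to the directory data if that call fails. It assumes the SDK is installed and the signed-in account can read directory objects; the output layout is my own.

```powershell
# Added example (not Apporetum's own code). Requires the Microsoft.Graph PowerShell SDK.
# Directory.Read.All is needed only to resolve principal ids to display names at the end.
Connect-MgGraph -Scopes 'RoleManagement.Read.All', 'Directory.Read.All' -NoWelcome

# Role definitions are shared by both access types; build an id -> display name map.
$roleNames = @{}
Get-MgRoleManagementDirectoryRoleDefinition -All | ForEach-Object { $roleNames[$_.Id] = $_.DisplayName }

# Directory Roles view: active assignments (permanent, or currently activated via PIM). Any license.
$records = @(foreach ($a in Get-MgRoleManagementDirectoryRoleAssignment -All) {
    [pscustomobject]@{
        PrincipalId = $a.PrincipalId
        Role        = $roleNames[$a.RoleDefinitionId]
        Kind        = 'Active'
        Scope       = $a.DirectoryScopeId   # '/' is tenant-wide; anything else is an administrative unit or object scope
    }
})

# Entra PIM view: eligible assignments. Requires Entra ID P2; without it the call errors, so keep going
# with the directory data only and say so.
try {
    $records += @(foreach ($e in Get-MgRoleManagementDirectoryRoleEligibilitySchedule -All) {
        [pscustomobject]@{
            PrincipalId = $e.PrincipalId
            Role        = $roleNames[$e.RoleDefinitionId]
            Kind        = 'Eligible'
            Scope       = $e.DirectoryScopeId
        }
    })
} catch {
    Write-Warning "Could not read PIM eligibility schedules (missing P2 license?): $($_.Exception.Message)"
}

# Resolve principal ids (users, groups, service principals) to names in one batched call.
# getByIds accepts up to 1000 ids per request; split the list if your tenant exceeds that.
$names = @{}
$ids = @($records.PrincipalId | Sort-Object -Unique)
if ($ids.Count -gt 0) {
    Get-MgDirectoryObjectById -Ids $ids | ForEach-Object {
        $names[$_.Id] = "$($_.AdditionalProperties['displayName']) [$($_.AdditionalProperties['@odata.type'] -replace '#microsoft.graph.','')]"
    }
}

# View 1: who holds each role. A group listed here fans out to every member of that group.
"=== Role holders ==="
$records | Sort-Object Role, Kind |
    Select-Object Role, Kind, @{n = 'Principal'; e = { $names[$_.PrincipalId] }}, Scope |
    Format-Table -AutoSize

# View 2: how many roles each principal holds, most-privileged first by count.
"=== Roles per principal ==="
$records | Group-Object PrincipalId | Sort-Object Count -Descending |
    Select-Object @{n = 'Principal'; e = { $names[$_.Name] }}, Count,
                  @{n = 'Roles'; e = { ($_.Group.Role | Sort-Object -Unique) -join ', ' }} |
    Format-Table -AutoSize
```

Two caveats when reading the output: an "Eligible" row is only a potential privilege until it is activated, so a user with many eligible roles is a different risk from one with many active ones; and a group principal hides its members, so a single "Global Administrator" row for a group can represent any number of people.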