Azure AD PIM integration with ISC

Dear developers,

We are in the process of integrating our Privileged Role management on Azure with our Identity Security Cloud solution.
We are utilizing the standard Azure AD connector.
So far we have been able to load in all the privileged roles (example below):

The attributes indicating which assignment is eligible and which is active are split per entitlement.

Anyway, now we would like to establish the provisioning from IAM.
When assigning an active assignment, the role is added for 6 months.

We need to modify this default value.
When checking the documentation, it says:

activeRoleExpiresAfter

Specifies the default duration for which Azure and Microsoft Entra ID Active roles must be assigned to a user. The values must be in the ISO_8601 format.

For example, if an eligible role must be assigned for 10 hours, use

But where should we update this value?
I have looked into the source configuration and have not found any “activeRoleExpires” attribute there.
Also, we do not have any settings on Azure that would enforce it.

Has any of you integrated with PIM before?

Thanks for any pointers.

Hi Adam,

Agreed, not able to add it.

Created a ticket for it.

Opening a support ticket may also help.

Regards
Arjun

Hi Arjun,

thank you for your response.

I opened a ticket with support and was informed that I need to create it in a cloud rule.

The documentation should then definitely be reviewed as it is implying we can add the attributes in a provisioning policy.

BR
Adam


Hi Adam,
I have been able to configure the settings for the Entra ID PIM provisioning policy attributes via rules in ISC.
Currently, I want to assign eligible roles to users permanently rather than having them expire after a fixed duration.

Do you have some suggestion on how to achieve it?

BR
Manish

Hi Manish,

You have to create a cloud BeforeProvisioning rule to have the attributes set.
I will see if I can get the code for how we constructed it.

Hi @adamslamena
Thanks a lot for the revert.

It would be a great help if I could get an overview of your code.

Hello Manish,

See a snippet from our code:

<![CDATA[
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.object.Attributes;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// "plan" and "log" are supplied by the BeforeProvisioning rule context
log.info("Executing Before Provisioning Rule for all applications");

// A plan without account requests has nothing to adjust
List accountRequests = plan.getAccountRequests();
if (accountRequests != null) {

    // Iterate over all account requests in the provisioning plan
    for (AccountRequest accountRequest : accountRequests) {

        // Iterate over all attribute requests of this account request
        List attributeRequests = accountRequest.getAttributeRequests();
        if (attributeRequests == null) {
            continue;
        }
        for (AttributeRequest attributeRequest : attributeRequests) {

            // Target only the azureADActiveRoles and azureADEligibleRoles attribute requests
            if ("azureADActiveRoles".equals(attributeRequest.getName()) ||
                "azureADEligibleRoles".equals(attributeRequest.getName())) {

                // Build the argument map: assignment duration "permanent" (no expiry)
                Map argsMap = new HashMap();
                argsMap.put("duration", "permanent");

                // Wrap the map inside an Attributes object
                Attributes attributes = new Attributes();
                attributes.putAll(argsMap);

                // Set the arguments on the attribute request so the connector picks them up
                attributeRequest.setArguments(attributes);

                // Log for testing
                log.info("Successfully set duration to: permanent");
            }
        }
    }
}
]]>
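Building on Adam's snippet above, here is an added example (not code from this thread or from SailPoint) of the same BeforeProvisioning rule, extended so that eligible roles are made permanent while active roles get a bounded ISO 8601 duration, which keeps standing privilege on the eligible side only. It assumes that the connector accepts an ISO 8601 value under the same `duration` argument Adam's code uses; that assumption is drawn from the `activeRoleExpiresAfter` documentation quoted in the first post and should be confirmed in a test source before relying on it. `plan` and `log` are the variables the rule context provides; the `durationFor` helper, the `PT10H` value (the ISO 8601 form of the "10 hours" example in the documentation) and the per-attribute split are this example's own choices.

```java
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.object.Attributes;
import java.time.Duration;
import java.util.List;

// Assumed policy for this example: eligible roles never expire, active roles are time-bound.
// "PT10H" is the ISO 8601 form of the "10 hours" example quoted from the documentation.
String ELIGIBLE_DURATION = "permanent";
String ACTIVE_DURATION   = "PT10H";

// Returns the duration value to set for an attribute request, or null when the request
// is not one of the two PIM role attributes and must be left untouched.
// (hypothetical helper; not part of the connector or of Adam's rule)
String durationFor(String attributeName) {
    if ("azureADEligibleRoles".equals(attributeName)) {
        return ELIGIBLE_DURATION;
    }
    if ("azureADActiveRoles".equals(attributeName)) {
        // Fail closed: a malformed duration would otherwise fall back to the connector
        // default (6 months in the first post) instead of the bound we intended.
        Duration.parse(ACTIVE_DURATION);   // throws DateTimeParseException if invalid
        return ACTIVE_DURATION;
    }
    return null;
}

// "plan" and "log" are supplied by the BeforeProvisioning rule context.
List accountRequests = plan.getAccountRequests();
if (accountRequests != null) {
    for (AccountRequest accountRequest : accountRequests) {
        List attributeRequests = accountRequest.getAttributeRequests();
        if (attributeRequests == null) {
            continue;
        }
        for (AttributeRequest attributeRequest : attributeRequests) {
            String duration = durationFor(attributeRequest.getName());
            if (duration == null) {
                continue;
            }
            // Keep any arguments already on the request and add or override "duration"
            Attributes args = attributeRequest.getArguments();
            if (args == null) {
                args = new Attributes();
            }
            args.put("duration", duration);
            attributeRequest.setArguments(args);
            log.info("Set duration " + duration + " on " + attributeRequest.getName()
                     + " for " + accountRequest.getNativeIdentity());
        }
    }
}
```

Reusing the existing `Attributes` object instead of replacing it preserves any arguments other policy logic already placed on the request, and validating the active duration with `java.time.Duration.parse` surfaces a typo in the rule at execution time rather than leaving the role assigned for the connector default.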

Thanks a lot Adam for taking out time and sharing this.