EntraID PIM Roles Management

Hello,

I’m working on provisioning Entra ID PIM eligible roles through SailPoint Identity Security Cloud. I’ve successfully configured the process to add and remove users from PIM eligible roles. However, I’m encountering an issue where SailPoint assigns an end time of one year when adding users to these roles. My goal is to make these assignments permanent, not time-bound.

Based on the documentation (Azure PIM Provisioning Policy), it seems that setting the duration attribute to “permanent” should achieve this. Unfortunately, the documentation doesn’t provide guidance on how to properly configure this attribute. I attempted to use the Services Standard Before Provisioning Rule to set the duration, but it didn’t work as expected. While I can confirm that attributes like givenName are being updated, the eligible role assignment still defaults to a one-year duration.

{
   "eventConfigurations":[
      {
         "eventActions":[
            {
               "Action":"AddArgument",
               "Attribute":"duration",
               "Value":"permanent"
            },
            {
               "Action":"UpdateAttribute",
               "Attribute":"givenName",
               "Value":"#{identity.firstname}"
            }
         ],
         "Entitlement Update Triggers":[
            {
               "Attribute":"azureADEligibleRoles",
               "Value":"*",
               "Operation":"Add"
            }
         ],
         "Operation":"Modify"
      }
   ]
}

Has anyone successfully used SSBPR to make PIM eligible role assignments permanent? If so, could you share how you configured the duration attribute or any other approach that worked for you?

Thanks.

Hi Sushant! I have done this in SailPoint IIQ using a BeforeProvisioning Rule. Below is the rule that should work. Please update it accordingly for ISC.

// Imports used by the rule body (IIQ normally makes these available to rules;
// listed here so the snippet is self-contained)
import java.util.HashMap;
import java.util.Map;
import sailpoint.object.Attributes;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

// Guard against a plan with no account requests before iterating
if (plan.getAccountRequests() != null) {
  // Iterate through each account request in the provisioning plan
  for (AccountRequest accountRequest : plan.getAccountRequests()) {
    if (accountRequest.getAttributeRequests() == null) {
      continue;
    }
    // Go through each attribute request in the account request
    for (AttributeRequest attrReq : accountRequest.getAttributeRequests()) {
      String name = attrReq.getName();
      String operation = (attrReq.getOperation() != null) ? attrReq.getOperation().toString() : null;

      // Only act when azureADEligibleRoles is being added
      if ("azureADEligibleRoles".equals(name) && "Add".equals(operation)) {
        String duration = "permanent";
        String justification = "testing duration";

        // Pass duration and justification as arguments on the attribute request,
        // which is where the connector reads them from
        Map attrs = new HashMap();
        attrs.put("duration", duration);
        attrs.put("justification", justification);

        Attributes attributes = new Attributes();
        attributes.putAll(attrs);

        attrReq.setArguments(attributes);
      }
    }
  }
} else {
  log.debug("No account requests found in the provisioning plan.");
}
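Whichever route sets the duration, the result is only visible in what Entra ID actually stores, and permanent eligibility is the setting an access reviewer will want to see listed. As an added example (not code from this thread, from SailPoint, or from Microsoft), the Python below classifies PIM eligible role schedules as permanent, time-bound or expired. It assumes the record shape returned by the Microsoft Graph roleEligibilitySchedules endpoint, where scheduleInfo.expiration.type is noExpiration, afterDateTime or afterDuration; the sample records, principal ids and role ids are constructed, and the 365/30-day year and month lengths used for ISO 8601 durations are an approximation.

```python
"""Classify Entra ID PIM eligible role schedules by duration.

Added example, not code from the thread above. Assumes the Graph
roleEligibilitySchedules shape: scheduleInfo.startDateTime plus
scheduleInfo.expiration {type, endDateTime, duration}. Sample data is constructed.
"""
import re
from datetime import datetime, timedelta

# Constructed sample: three eligibilities as a provisioning run might leave them.
SAMPLE_SCHEDULES = [
    {   # one-year window, the default described in the question
        "id": "sched-1", "principalId": "user-alice", "roleDefinitionId": "role-ga",
        "scheduleInfo": {"startDateTime": "2024-05-01T00:00:00Z",
                         "expiration": {"type": "afterDateTime",
                                        "endDateTime": "2025-05-01T00:00:00Z"}}},
    {   # duration=permanent: no expiration at all
        "id": "sched-2", "principalId": "user-bob", "roleDefinitionId": "role-ga",
        "scheduleInfo": {"startDateTime": "2024-05-01T00:00:00Z",
                         "expiration": {"type": "noExpiration"}}},
    {   # relative ISO 8601 duration from the start time
        "id": "sched-3", "principalId": "user-carol", "roleDefinitionId": "role-helpdesk",
        "scheduleInfo": {"startDateTime": "2024-05-01T00:00:00Z",
                         "expiration": {"type": "afterDuration", "duration": "P90D"}}},
]

ISO_DURATION = re.compile(
    r"^P(?:(?P<y>\d+)Y)?(?:(?P<mo>\d+)M)?(?:(?P<w>\d+)W)?(?:(?P<d>\d+)D)?"
    r"(?:T(?:(?P<h>\d+)H)?(?:(?P<mi>\d+)M)?(?:(?P<s>\d+)S)?)?$")


def parse_duration(text):
    """Parse an ISO 8601 duration such as P90D or PT8H into a timedelta."""
    m = ISO_DURATION.match(text)
    if not m:
        raise ValueError(f"unsupported ISO 8601 duration: {text}")
    g = {k: int(v) for k, v in m.groupdict().items() if v}
    # Years and months have no fixed length; 365 and 30 days are assumptions
    days = g.get("y", 0) * 365 + g.get("mo", 0) * 30 + g.get("w", 0) * 7 + g.get("d", 0)
    return timedelta(days=days, hours=g.get("h", 0),
                     minutes=g.get("mi", 0), seconds=g.get("s", 0))


def parse_graph_time(text):
    """Graph timestamps end in 'Z'; older fromisoformat() needs '+00:00'."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def end_of_eligibility(schedule):
    """Return when the eligibility expires, or None when it is permanent."""
    info = schedule["scheduleInfo"]
    exp = info.get("expiration") or {}
    kind = exp.get("type", "notSpecified")
    if kind == "noExpiration":
        return None
    if kind == "afterDateTime":
        return parse_graph_time(exp["endDateTime"])
    if kind == "afterDuration":
        return parse_graph_time(info["startDateTime"]) + parse_duration(exp["duration"])
    raise ValueError(f"unrecognised expiration type: {kind}")


def classify(schedule, now):
    """Label one schedule as permanent, time-bound or expired relative to now."""
    end = end_of_eligibility(schedule)
    row = {"id": schedule["id"], "principalId": schedule["principalId"],
           "roleDefinitionId": schedule["roleDefinitionId"]}
    if end is None:
        row.update(status="permanent", days_left=None)
    else:
        row.update(status="expired" if end <= now else "time-bound",
                   days_left=(end - now).days)
    return row


def audit(schedules, now_text, review_roles):
    """Classify every schedule; flag permanent ones on roles that need review."""
    now = parse_graph_time(now_text)
    results = [classify(s, now) for s in schedules]
    flagged = [r for r in results
               if r["status"] == "permanent" and r["roleDefinitionId"] in review_roles]
    return results, flagged


if __name__ == "__main__":
    results, flagged = audit(SAMPLE_SCHEDULES, "2024-06-01T00:00:00Z", {"role-ga"})
    for r in results:
        print(f'{r["id"]:8} {r["principalId"]:12} {r["roleDefinitionId"]:14} '
              f'{r["status"]:10} days_left={r["days_left"]}')
    print("permanent eligibilities needing sign-off:", [r["id"] for r in flagged])
```

Feeding the script the real `value` array from the Graph response in place of SAMPLE_SCHEDULES turns it into a quick check that the duration SailPoint sent is the one Entra ID recorded, and the flagged list gives the reviewer the permanent eligibilities on sensitive roles without having to read every schedule.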
