Eligible assignments in Azure are based on the resource provider and the resource type.
To assign a role to a user, you need to have the "Microsoft.Authorization/roleAssignments/write" permission.
Permissions for eligible assignments are determined by the Azure role definitions.
The "Owner" role includes the "Microsoft.Authorization/roleAssignments/write" permission, so Owners can assign roles to users.
Listing Eligible and Time-Bound Assignments
To list eligible and time-bound role assignments in the Azure portal, follow these steps:
- Sign in to the Azure portal
- Open the Access control (IAM) page
- Select the Role assignments tab
- Filter the eligible and time-bound role assignments
- Group and sort by State
- Look for role assignments that aren't the Active permanent type
Alternatively, you can use the ARM API to list eligible and time-bound role assignments. For more information, see the PIM ARM API reference.
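The same review can be scripted. The following PowerShell is an added example, not code from the page or from Microsoft's documentation; it assumes the Az.Resources module, an existing Connect-AzAccount session, and that the flattened `ExpandedProperty*` and `AssignmentType` output property names match your Az.Resources version (check with Get-Member if not).

```powershell
# Added example: list every PIM assignment at a scope that is not "Active permanent".
# Assumes Az.Resources + Connect-AzAccount; Expanded*/AssignmentType property names assumed.
function Get-PimNonPermanentAssignment {
    param(
        # e.g. "/subscriptions/<sub-id>" or a resource group / resource id
        [Parameter(Mandatory)][string]$Scope
    )

    # Every eligibility schedule is a candidate: an eligible role is never
    # "Active permanent", whether or not the eligibility itself expires.
    $eligible = Get-AzRoleEligibilitySchedule -Scope $Scope -Filter 'atScope()' |
        ForEach-Object {
            [pscustomobject]@{
                State     = if ($_.EndDateTime) { 'Eligible time-bound' } else { 'Eligible permanent' }
                Principal = $_.ExpandedPropertyPrincipalDisplayName
                Role      = $_.ExpandedPropertyRoleDefinitionDisplayName
                Scope     = $_.Scope
                Expires   = $_.EndDateTime
            }
        }

    # Active schedules: keep only those with an end time. AssignmentType is
    # "Activated" for a user who activated an eligible role and "Assigned" for
    # an admin-created time-bound assignment.
    $active = Get-AzRoleAssignmentSchedule -Scope $Scope -Filter 'atScope()' |
        Where-Object { $_.EndDateTime } |
        ForEach-Object {
            [pscustomobject]@{
                State     = "Active time-bound ($($_.AssignmentType))"
                Principal = $_.ExpandedPropertyPrincipalDisplayName
                Role      = $_.ExpandedPropertyRoleDefinitionDisplayName
                Scope     = $_.Scope
                Expires   = $_.EndDateTime
            }
        }

    @($eligible) + @($active) | Sort-Object State, Role, Principal
}

# Usage: review (and save) the list before changing anything at this scope.
$report = Get-PimNonPermanentAssignment -Scope "/subscriptions/$((Get-AzContext).Subscription.Id)"
$report | Format-Table -AutoSize
$report | Export-Csv -Path .\pim-non-permanent.csv -NoTypeInformation
```

The saved CSV is the record of what existed before any conversion or cleanup, which is what the later steps on this page ask you to keep.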
Creating and Managing Assignments
To create and manage assignments in Azure, you can use the RoleEligibilityScheduleRequest and RoleAssignmentScheduleRequest resource types of the ARM API. They also let you list eligible and time-bound role assignments.
To update or remove an existing role assignment, follow these steps:
- Open Microsoft Entra Privileged Identity Management
- Select Azure resources
- Select the resource type you want to manage
- Select the role that you want to update or remove
- Find the role assignment on the Eligible roles or Active roles tab
- Select Add or View/Edit in the Condition column for the role assignment
Limiting Assignment Creation
You can use Azure Policy to limit the creation of eligible or time-bound role assignments if your organization has process or compliance reasons to limit the use of Privileged Identity Management (PIM).
Azure Policy enforces rules across your organization, so that only authorized identities can create eligible or time-bound role assignments.
To limit the creation of eligible or time-bound role assignments, you can create a custom policy that excludes specific identities or adds additional parameters and checks for other allow conditions.
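The PowerShell below is an added example of such a custom policy, not the sample from Microsoft's documentation: it denies RoleEligibilityScheduleRequest and time-bound RoleAssignmentScheduleRequest creation unless the target principal is on an allow-list parameter. It assumes Az.Resources with a Connect-AzAccount session, and the policy alias paths for the two request types are assumed; the Get-AzPolicyAlias call prints the real ones so you can correct them before assigning.

```powershell
# Added example (not from the page): deny eligible and time-bound active PIM
# assignment requests unless the principal is allow-listed. Alias paths are assumed.
$rule = @'
{
  "if": {
    "anyOf": [
      {
        "allOf": [
          { "field": "type", "equals": "Microsoft.Authorization/roleEligibilityScheduleRequests" },
          { "field": "Microsoft.Authorization/roleEligibilityScheduleRequests/principalId", "notIn": "[parameters('allowedPrincipalIds')]" }
        ]
      },
      {
        "allOf": [
          { "field": "type", "equals": "Microsoft.Authorization/roleAssignmentScheduleRequests" },
          { "field": "Microsoft.Authorization/roleAssignmentScheduleRequests/scheduleInfo.expiration.type", "notEquals": "NoExpiration" },
          { "field": "Microsoft.Authorization/roleAssignmentScheduleRequests/principalId", "notIn": "[parameters('allowedPrincipalIds')]" }
        ]
      }
    ]
  },
  "then": { "effect": "deny" }
}
'@
$parameters = @'
{
  "allowedPrincipalIds": {
    "type": "Array",
    "metadata": { "displayName": "Principals allowed to receive PIM assignments" },
    "defaultValue": []
  }
}
'@

# Verify the alias paths exist on your tenant before assigning the policy.
Get-AzPolicyAlias -NamespaceMatch 'Microsoft.Authorization' |
    Where-Object { $_.ResourceType -like 'role*ScheduleRequests' } |
    ForEach-Object { $_.Aliases.Name }

$definition = New-AzPolicyDefinition -Name 'limit-pim-assignments' `
    -DisplayName 'Limit eligible and time-bound role assignments' `
    -Policy $rule -Parameter $parameters -Mode All

# Placeholder object id: the break-glass group that may still receive assignments.
New-AzPolicyAssignment -Name 'limit-pim-assignments' -PolicyDefinition $definition `
    -Scope "/subscriptions/$((Get-AzContext).Subscription.Id)" `
    -PolicyParameterObject @{ allowedPrincipalIds = @('<break-glass-group-object-id>') }
```

Permanent active assignments made through PIM are left alone by the second branch, matching the "eligible or time-bound" scope of the restriction described above.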
Here are some limitations on role assignments:
- A role assignment can't be assigned for a duration of less than five minutes.
- A role assignment can't be removed within five minutes of it being assigned.
Note that these limitations apply to built-in roles only, and may be subject to change in future updates.
Converting Time-Bound Assignments to Permanent
You can convert eligible and time-bound role assignments to active permanent in your organization, but be aware that removing role assignments can potentially cause disruptions in your environment.
To convert these role assignments, you have two options: the Azure portal or PowerShell.
If you use the Azure portal:
- Select the Eligible permanent, Eligible time-bound, or Active time-bound link for each role assignment
- Select Active for the assignment type and Permanent for the assignment duration
If you use PowerShell:
- Retrieve and save the list of all eligible and time-bound role assignments
- Use the New-AzRoleEligibilityScheduleRequest command to remove each eligible role assignment
- Use the New-AzRoleAssignment command to create an active permanent role assignment in its place
It's essential to understand the impact of removing role assignments before you perform these steps, as it can cause disruptions in your environment.
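As an added example (not the page's or Microsoft's own script), this PowerShell function converts one eligible assignment to an active permanent one. It creates the permanent assignment before issuing the AdminRemove request so the principal has no gap in access, and it refuses to run if no matching eligibility exists. It assumes Az.Resources with a Connect-AzAccount session and that New-AzRoleEligibilityScheduleRequest accepts the parameters shown; the scope, principal and role ids in the usage call are placeholders.

```powershell
# Added example (not from the page): convert one eligible assignment to active permanent.
# Assumes Az.Resources + Connect-AzAccount; cmdlet parameter names taken from their docs.
function Convert-PimEligibleToPermanent {
    param(
        [Parameter(Mandatory)][string]$Scope,
        [Parameter(Mandatory)][string]$PrincipalId,
        # Full role definition resource id, as returned by Get-AzRoleEligibilitySchedule
        [Parameter(Mandatory)][string]$RoleDefinitionId,
        [string]$Justification = 'Converted from eligible to permanent after access review'
    )

    # Refuse to proceed if no matching eligibility exists at this scope.
    $eligible = Get-AzRoleEligibilitySchedule -Scope $Scope -Filter 'atScope()' |
        Where-Object { $_.PrincipalId -eq $PrincipalId -and $_.RoleDefinitionId -eq $RoleDefinitionId }
    if (-not $eligible) { throw "No eligible assignment for $PrincipalId at $Scope" }

    # Create the permanent active assignment first so the principal never loses
    # access between the two operations. New-AzRoleAssignment takes the role GUID.
    $roleGuid = $RoleDefinitionId.Split('/')[-1]
    $existing = Get-AzRoleAssignment -Scope $Scope -ObjectId $PrincipalId -RoleDefinitionId $roleGuid
    if (-not $existing) {
        New-AzRoleAssignment -Scope $Scope -ObjectId $PrincipalId -RoleDefinitionId $roleGuid | Out-Null
    }

    # Now remove the eligibility with an AdminRemove request. PIM rejects removal
    # within five minutes of creation, so a freshly created eligibility fails here.
    New-AzRoleEligibilityScheduleRequest -Name (New-Guid).Guid -Scope $Scope `
        -PrincipalId $PrincipalId -RoleDefinitionId $RoleDefinitionId `
        -RequestType AdminRemove -Justification $Justification
}

# Usage: take the values from the list you saved before starting the conversion.
Convert-PimEligibleToPermanent -Scope '/subscriptions/<sub-id>/resourceGroups/<rg-name>' `
    -PrincipalId '<user-object-id>' `
    -RoleDefinitionId '/subscriptions/<sub-id>/providers/Microsoft.Authorization/roleDefinitions/<role-guid>'
```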
Assignment Conditions and Eligibility
Assignment conditions and eligibility are crucial components of Azure's Privileged Identity Management (PIM) feature. You can use Azure attribute-based access control (Azure ABAC) to add conditions on eligible role assignments using Microsoft Entra PIM for Azure resources.
With Microsoft Entra PIM, your end users must activate an eligible role assignment to get permission to perform certain actions. Conditions enable you to limit a user's role permissions to a resource using fine-grained conditions. This also allows you to secure the role assignment with a time-bound setting, approval workflow, audit trail, and so on.
You can add conditions to refine Azure resource access for specific roles, such as Storage Blob Data Owner, Storage Blob Data Reader, and Storage Blob Data Contributor; the condition limits what the role grants on a resource using fine-grained checks.
Here are some key details about assignment conditions and eligibility:
- Conditions can be added to refine Azure resource access for specific roles.
- Some built-in roles can have conditions added, including Storage Blob Data Contributor, Storage Blob Data Owner, and Storage Blob Data Reader.
- Two limits currently apply to these roles: a role assignment can't be assigned for a duration of less than five minutes, and it can't be removed within five minutes of being assigned.
By using assignment conditions and eligibility, you can ensure that users only have access to the resources and permissions they need, when they need them. This helps to improve security and reduce the risk of unauthorized access.
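The PowerShell below is an added example, not code from the page or from Microsoft: it creates an eligible Storage Blob Data Reader assignment whose ABAC condition restricts blob reads to a single container, so that even after activation the user can read only that container. It assumes Az.Resources with a Connect-AzAccount session and that New-AzRoleEligibilityScheduleRequest accepts -Condition and -ConditionVersion as documented; the scope, principal id and container name are placeholders.

```powershell
# Added example (not from the page): eligible Storage Blob Data Reader assignment
# scoped by an ABAC condition to one container. Scope/principal/container are placeholders.
$scope       = '/subscriptions/<sub-id>/resourceGroups/<rg-name>/providers/Microsoft.Storage/storageAccounts/<account>'
$principalId = '<user-or-group-object-id>'

# Resolve the built-in role by name rather than hard-coding its GUID.
$role = Get-AzRoleDefinition -Name 'Storage Blob Data Reader'
$roleDefinitionId = "/subscriptions/$((Get-AzContext).Subscription.Id)/providers/Microsoft.Authorization/roleDefinitions/$($role.Id)"

# ABAC condition (version 2.0 syntax): actions other than blob read pass through
# unchanged; blob reads are allowed only when the container name matches.
$condition = @'
(
  (
    !(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'})
  )
  OR
  (
    @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals '<container-name>'
  )
)
'@

# AdminAssign creates the eligibility; it expires after 180 days unless renewed.
New-AzRoleEligibilityScheduleRequest -Name (New-Guid).Guid -Scope $scope `
    -PrincipalId $principalId -RoleDefinitionId $roleDefinitionId `
    -RequestType AdminAssign -ScheduleInfoStartDateTime (Get-Date).ToUniversalTime() `
    -ExpirationType AfterDuration -ExpirationDuration 'P180D' `
    -Condition $condition -ConditionVersion '2.0' `
    -Justification 'Read-only blob access to one container, activated just in time via PIM'

# Confirm the condition was stored on the eligibility.
Get-AzRoleEligibilitySchedule -Scope $scope -Filter 'atScope()' |
    Where-Object { $_.PrincipalId -eq $principalId } |
    Select-Object RoleDefinitionId, EndDateTime, ConditionVersion, Condition
```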
Frequently Asked Questions
What are Azure role assignments?
Azure role assignments refer to the process of granting access to Azure resources by assigning roles to users, groups, or identities at a specific scope. This allows you to manage and control who can perform certain actions on your Azure resources.
What is assignment in Azure?
In Azure, a role assignment grants a principal access to a specific resource, controlling its level of access and permissions.