Privileged Access Management: List all active pam requests

I’ve recently worked in my demo lab with Microsoft Identity Manager 2016 (MIM) feature called Privileged Access Management (PAM) to prepare for workshops and a first implementation at a customer.

One thing that came to my mind was, how I can enable PAM Admins to see a list of all currently active PAM requests on the system.

Option 1 is to use PowerShell from the MIMPAM Module to get an overview:

Get-PAMUser | Get-PAMRequest –Active

Quite simple, right?

But I want some graphical version and since the good “old” MIM portal is also present in that scenario I tried to figure out on how to search only “Active” roles/requests.

Checking the attributes on PAM requests there is one called:

ExpirationProcessState (SystemName: msidmPamRequestExpirationProcessState)

If a user requests a role this attribute gets value: NotHandled

When the PAM requests expires or the user has canceled his own request before expiration time and the “expiration cleanup process” has removed the user from the PAM group(s) the attribute value is set to “Handled”

So Option 2 is to create a search scope for the “PAM requests” navigation of MIM portal.

I used the following XPath query on the search scope:

/msidmPamRequest[msidmPamRequestExpirationProcessedState = 'NotHandled']

Here are some screens on the rest of the search scope parameters:
(Don’t forget to do an IISReset in order to clear the Cache, after saving the search scope)







Author: Peter Stapf

Senior Consultant Identity and Access

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: