Privileged Access Management: PAM roles with approvals (Part 1)

Well, here is some more information from playing with my Privileged Access Management (PAM) demo lab of MIM 2016

Looking a little bit under the surface you will see there are some more options you can set on PAM roles, like the following:

  • RAM roles with approvals
  • PAM roles with a valid time span (e.g. 8:00 to 17:00)
  • PAM roles with Azure MFA authentication
  • PAM roles requesting in the future (e.g. Role request for tomorrow)

This part is regarding PAM roles with approvals, there will be more posts regarding the other options in the near future.

PAM role with Azure MFA are described well here:
Note: Currently only Phone authentication is possible with PAM and MFA (no SMS, App)

First, just some warning when working with PAM roles:

You should always create/edit/remove PAM role with the PowerShell modules that came with the MIMPAM module (or the RestAPI of course)!

If you change PAM roles for example within the MIM portal you may experience strange behavior, like I did when I try to activate a PAM role for approval. In my case using portal leads to the error that I’m not able to approve the request through portal or PowerShell, instead I getting an invalid ID error.

PAM roles with approvals:

Assuming to have already setup a PAM role named “SQLAdmins” do the following to activate approval on that role.

$pamrole = Get-PAMRole -DisplayName "SQLAdmins"
$pamuser = Get-PAMUser -SourceAccountName "peter"
Set-PAMRole -Role $pamrole -ApprovalEnabled $true -Approvers $pamuser


The Requestor can then request the role through the Sample Portal or via PowerShell:

Import-module MIMPAM
$pamrole = Get-PAMRoleForRequest | where { $_.DisplayName –eq "SQLAdmins" }
New-PAMRequest –role $pamrole



After that the approver can accept or reject the request through Sample Portal or PowerShell:

Import-Module MIMPAM
$request=Get-PAMRequestToApprove | where { $_.RoleName -eq "SQLAdmins" }
Set-PAMRequestToApprove -Request $request –Approve



The requestor can list the pending approval via Portal or PowerShell:

Get-PAMRequestForReview –Pending (or –Rejected)



After approval should see the activated role through Sample Portal or PowerShell:

Get-PAMRequestForReview –Active




I’m still having some issues on approve requests through PowerShell, when I’m getting a response from PG I will let you know.
Currently Set-PAMRequestToApprove throws the following error:
(Even setting the server name in hosts file does not work)

Set-PAMRequestToApprove -Request $request -Approve
Set-PAMRequestToApprove : There was no endpoint listening at
http://pamserver:5726/ResourceManagementService/WorkflowManager/b501680a-d2d9-44c2-8508-2b22b2b9a856/13 that could
accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details.

At line:1 char:1
+ Set-PAMRequestToApprove -Request $request -Approve
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo         : NotSpecified: (:) [Set-PAMRequestToApprove], EndpointNotFoundException
+ FullyQualifiedErrorId : GeneralServerError,Microsoft.IdentityManagement.RequestorPamCmdlets.Commands.SetPamRequestToApprove

Got a hint from PG and it seems that I used a short name instead of a FQDN while installing MIMService and MIM PAM client add-in and extension. Did a change mode install and cmdlet works fine now.


About Peter Stapf
Senior Consultant Identity and Access MVP (Enterprise Mobility)

9 Responses to Privileged Access Management: PAM roles with approvals (Part 1)

  1. Pingback: Privileged Access Management: PAM roles with time span and future requests (Part 2) | JustIDM

  2. Erich Karch says:

    Perfect! The exact information for which I was looking!

  3. George says:

    Creates automated customized desktop icon on the user desktop profile – customizable on user based category. how we will do this

  4. Hi Peter,
    Thanks for the article.

    When I make a request for future access, it is being executed now!


  5. Stephen says:

    Thanks for this, I have removed and recreated my PAM roles using PS, Without approval it works, when I add an Approvers and ApprovalEnabled (again PS) the Web page throws: Oops! Something went wrong. The ajax calls failed, please contact your administrator. Status code: 500. Error: Internal Server Error.
    I did have this working at one point, the it stopped. I have recreated the Web site, but lost how to proceed.

    • Stephen says:

      I finally found the answer to this. Email! if SharePoint failed to send an email, then the work flow completely breaks down and you get this meaningless Status code: 500. Error: Internal Server Error.

  6. Michael Burutzis says:

    Hey Peter, great article. It helped a lot, especially the part where you mention to us PS at all times.
    When creating a new PAM Role, how do you add multiple candidates within the powershell new-PAMRole cmdlet? I can do it with one user, but can’t really add two. Any tips on this?

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: