Well, here is some more information from playing with my Privileged Access Management (PAM) demo lab for MIM 2016.
Looking a little under the surface, you will see there are some more options you can set on PAM roles, like the following:
- PAM roles with approvals
- PAM roles with a valid time span (e.g. 8:00 to 17:00)
- PAM roles with Azure MFA authentication
- PAM roles requesting in the future (e.g. Role request for tomorrow)
This part is about PAM roles with approvals; there will be more posts on the other options in the near future.
PAM roles with Azure MFA are described well here:
https://technet.microsoft.com/en-us/library/mt517876.aspx
Note: currently only phone-call authentication is possible with PAM and MFA (no SMS, no app).
First, a warning when working with PAM roles:
You should always create/edit/remove PAM roles with the PowerShell cmdlets that come with the MIMPAM module (or the REST API, of course)!
If you change PAM roles within the MIM portal, for example, you may experience strange behavior, like I did when I tried to activate a PAM role for approval. In my case, using the portal led to an error: I was not able to approve the request through the portal or PowerShell, and instead I got an invalid ID error.
PAM roles with approvals:
Assuming you have already set up a PAM role named “SQLAdmins”, do the following to activate approval on that role:
$pamrole = Get-PAMRole -DisplayName "SQLAdmins"
$pamuser = Get-PAMUser -SourceAccountName "peter"
Set-PAMRole -Role $pamrole -ApprovalEnabled $true -Approvers $pamuser
The requestor can then request the role through the Sample Portal or via PowerShell:
Import-Module MIMPAM
$pamrole = Get-PAMRoleForRequest | where { $_.DisplayName -eq "SQLAdmins" }
New-PAMRequest -Role $pamrole
After that, the approver can accept or reject the request through the Sample Portal or PowerShell:
Import-Module MIMPAM
$request = Get-PAMRequestToApprove | where { $_.RoleName -eq "SQLAdmins" }
Set-PAMRequestToApprove -Request $request -Approve
The requestor can list pending (or rejected) requests via the Portal or PowerShell:
Get-PAMRequestForReview -Pending (or -Rejected)
After approval, you should see the activated role through the Sample Portal or PowerShell:
Get-PAMRequestForReview -Active
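As an added example that is not part of the original post, the three steps above (enable approval, request, approve) wrapped in PowerShell functions that fail loudly on the things that bite in practice: an approver account that is not a PAM user, a role that did not actually end up with approval enabled, and an approval call that cannot reach the MIM Service endpoint. It assumes the MIMPAM module is installed, that each function runs under the matching account (PAM admin, requestor, approver), that the object returned by Get-PAMRole exposes an ApprovalEnabled property, and that the role and account names ("SQLAdmins", "peter", "alice") are placeholders for your lab.

```powershell
# Added example, not code from the original post. Assumes the MIMPAM module and a
# PAM lab; role/account names are placeholders.
Import-Module MIMPAM

function Enable-PamRoleApproval {
    param(
        [Parameter(Mandatory)] [string]   $RoleDisplayName,
        [Parameter(Mandatory)] [string[]] $ApproverSourceAccountNames   # one or more approvers
    )

    $role = Get-PAMRole -DisplayName $RoleDisplayName
    if (-not $role) { throw "PAM role '$RoleDisplayName' not found" }

    # -Approvers takes a collection, so resolve every account before touching the role;
    # a typo in one name aborts here instead of leaving a role nobody can approve.
    $approvers = @()
    foreach ($name in $ApproverSourceAccountNames) {
        $user = Get-PAMUser -SourceAccountName $name
        if (-not $user) { throw "Approver '$name' is not a PAM user (create it with New-PAMUser first)" }
        $approvers += $user
    }

    Set-PAMRole -Role $role -ApprovalEnabled $true -Approvers $approvers

    # Read the role back rather than trusting the call. ApprovalEnabled as a property of
    # the Get-PAMRole output is an assumption of this example.
    $role = Get-PAMRole -DisplayName $RoleDisplayName
    if (-not $role.ApprovalEnabled) { throw "ApprovalEnabled is still false on '$RoleDisplayName'" }
    return $role
}

function Request-PamRole {
    param([Parameter(Mandatory)] [string] $RoleDisplayName)

    # Run as the requestor; Get-PAMRoleForRequest lists only roles the caller is a candidate for.
    $role = Get-PAMRoleForRequest | Where-Object { $_.DisplayName -eq $RoleDisplayName }
    if (-not $role) { throw "You are not a candidate for '$RoleDisplayName' (or it does not exist)" }
    return New-PAMRequest -Role $role
}

function Approve-PamRequestsForRole {
    param([Parameter(Mandatory)] [string] $RoleDisplayName)

    # Run as an approver. Approves every pending request for the role one at a time and
    # turns the endpoint error from the post into an actionable message.
    $pending = @(Get-PAMRequestToApprove | Where-Object { $_.RoleName -eq $RoleDisplayName })
    if ($pending.Count -eq 0) { Write-Host "No pending requests for '$RoleDisplayName'"; return }

    foreach ($request in $pending) {
        try {
            Set-PAMRequestToApprove -Request $request -Approve -ErrorAction Stop
            Write-Host "Approved request for '$RoleDisplayName'"
        }
        catch {
            if ($_.Exception.GetType().Name -eq 'EndpointNotFoundException') {
                # Seen in the post when MIM Service and the PAM client add-in were installed
                # with a short host name; a change-mode reinstall using the FQDN fixed it.
                throw "MIM Service endpoint unreachable; check that MIM Service and the PAM client were installed with the FQDN. $($_.Exception.Message)"
            }
            throw
        }
    }
}

# Usage, each line under the matching account ("alice" is a placeholder second approver):
#   Enable-PamRoleApproval -RoleDisplayName "SQLAdmins" -ApproverSourceAccountNames "peter", "alice"
#   Request-PamRole -RoleDisplayName "SQLAdmins"
#   Approve-PamRequestsForRole -RoleDisplayName "SQLAdmins"
```

Resolving all approvers before calling Set-PAMRole, and reading the role back afterwards, is the part worth keeping even if you drop the rest: it separates "the role is misconfigured" from "the approval endpoint is down", which are the two failure modes the post runs into.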
Note:
I’m still having some issues approving requests through PowerShell; when I get a response from the PG I will let you know.
Currently Set-PAMRequestToApprove throws the following error:
(Even setting the server name in the hosts file does not work)
Set-PAMRequestToApprove -Request $request -Approve
Set-PAMRequestToApprove : There was no endpoint listening at http://pamserver:5726/ResourceManagementService/WorkflowManager/b501680a-d2d9-44c2-8508-2b22b2b9a856/13 that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details.
At line:1 char:1
+ Set-PAMRequestToApprove -Request $request -Approve
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Set-PAMRequestToApprove], EndpointNotFoundException
    + FullyQualifiedErrorId : GeneralServerError,Microsoft.IdentityManagement.RequestorPamCmdlets.Commands.SetPamRequestToApprove
Update:
Got a hint from the PG, and it seems that I used a short name instead of an FQDN while installing MIM Service and the MIM PAM client add-in and extension. Did a change-mode install and the cmdlet works fine now.
Perfect! The exact information for which I was looking!
Creates an automated, customized desktop icon on the user desktop profile – customizable on a user-based category. How will we do this?
Can you explain your question in more detail?
Hi Peter,
Thanks for the article.
When I make a request for future access, it is being executed now!
Thanks,
Thanks for this. I have removed and recreated my PAM roles using PS. Without approval it works, but when I add Approvers and ApprovalEnabled (again via PS) the web page throws: Oops! Something went wrong. The ajax calls failed, please contact your administrator. Status code: 500. Error: Internal Server Error.
I did have this working at one point, then it stopped. I have recreated the web site, but lost how to proceed.
I finally found the answer to this. Email! If SharePoint fails to send an email, then the workflow completely breaks down and you get this meaningless Status code: 500. Error: Internal Server Error.
Hi Stephen, can you be more specific on your fix? I’m having the same issue; I just verified the outgoing email configuration in SharePoint Central Admin. Anything I missed? Thank you in advance.
Hey Peter, great article. It helped a lot, especially the part where you tell us to use PS at all times.
When creating a new PAM role, how do you add multiple candidates within the PowerShell New-PAMRole cmdlet? I can do it with one user, but can’t really add two. Any tips on this?
See: https://docs.microsoft.com/en-us/powershell/module/mimpam/set-pamrole?view=idm-ps-2016sp1
You can build a collection/array of users containing the old ones and add the additional ones.