Privileged Access Management: PAM roles with approvals (Part 1)

Well, here is some more information from playing with my Privileged Access Management (PAM) demo lab for MIM 2016.

Looking a little under the surface, you will see there are some more options you can set on PAM roles, such as the following:

  • PAM roles with approvals
  • PAM roles with a valid time span (e.g. 8:00 to 17:00)
  • PAM roles with Azure MFA authentication
  • PAM roles requesting in the future (e.g. Role request for tomorrow)

This part covers PAM roles with approvals; there will be more posts on the other options in the near future.

PAM roles with Azure MFA are described well here:
Note: Currently only phone authentication is possible with PAM and MFA (no SMS or app).

First, a warning when working with PAM roles:

You should always create, edit and remove PAM roles with the PowerShell cmdlets that come with the MIMPAM module (or the REST API, of course)!

If you change PAM roles within the MIM portal, for example, you may experience strange behavior, as I did when I tried to enable approval on a PAM role. In my case, using the portal led to a situation where I was not able to approve the request through the portal or PowerShell; instead I got an invalid ID error.

PAM roles with approvals:

Assuming you have already set up a PAM role named “SQLAdmins”, do the following to enable approval on that role:

$pamrole = Get-PAMRole -DisplayName "SQLAdmins"
$pamuser = Get-PAMUser -SourceAccountName "peter"
Set-PAMRole -Role $pamrole -ApprovalEnabled $true -Approvers $pamuser


The requestor can then request the role through the Sample Portal or via PowerShell:

Import-Module MIMPAM
$pamrole = Get-PAMRoleForRequest | where { $_.DisplayName -eq "SQLAdmins" }
New-PAMRequest -Role $pamrole



After that, the approver can accept or reject the request through the Sample Portal or PowerShell:

Import-Module MIMPAM
$request = Get-PAMRequestToApprove | where { $_.RoleName -eq "SQLAdmins" }
Set-PAMRequestToApprove -Request $request -Approve



The requestor can list pending approvals via the portal or PowerShell:

Get-PAMRequestForReview -Pending    (or -Rejected)



After approval, you should see the activated role through the Sample Portal or PowerShell:

Get-PAMRequestForReview -Active
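Putting the approver-side steps above together, here is an added example of my own (not code from the original post or from the MIMPAM module) that checks whether a role really enforces approval and records each approval decision on the approver's side. It assumes the cmdlets shown above; the role and request property names (ApprovalEnabled, Approvers, Requestor) and the -Reject switch are assumptions about the MIMPAM objects, and the requestor name is constructed.

```powershell
# Added example, not from the original post. Assumes the MIMPAM cmdlets used above.
# ApprovalEnabled / Approvers on the role object, Requestor on the request object
# and the -Reject switch are assumed property and parameter names.
Import-Module MIMPAM

function Test-PamRoleApproval {
    param([Parameter(Mandatory)][string]$RoleName)
    $role = Get-PAMRole -DisplayName $RoleName
    if (-not $role) { throw "PAM role '$RoleName' not found" }
    $approverCount = @($role.Approvers).Count
    # A role without approval is self-service elevation; a role with approval
    # but no approvers can never be activated. Report both as findings.
    $finding = 'OK'
    if (-not $role.ApprovalEnabled) { $finding = 'No approval required' }
    elseif ($approverCount -eq 0)   { $finding = 'Approval enabled but no approvers' }
    [pscustomobject]@{
        Role            = $role.DisplayName
        ApprovalEnabled = [bool]$role.ApprovalEnabled
        ApproverCount   = $approverCount
        Finding         = $finding
    }
}

function Resolve-PamRequest {
    param(
        [Parameter(Mandatory)][string]$RoleName,
        [Parameter(Mandatory)][string]$Requestor,
        [Parameter(Mandatory)][ValidateSet('Approve','Reject')][string]$Decision,
        [string]$LogPath = "$env:TEMP\pam-approvals.log"
    )
    # Only touch requests for this role from this requestor, never "approve all".
    $pending = Get-PAMRequestToApprove |
        Where-Object { $_.RoleName -eq $RoleName -and $_.Requestor -eq $Requestor }
    if (-not $pending) { Write-Warning "No pending request for $Requestor on $RoleName"; return }
    foreach ($req in $pending) {
        if ($Decision -eq 'Approve') { Set-PAMRequestToApprove -Request $req -Approve }
        else                         { Set-PAMRequestToApprove -Request $req -Reject }
        # Keep an approver-side record independent of the MIM request history.
        "$(Get-Date -Format o) $env:USERNAME $Decision $RoleName for $Requestor" |
            Add-Content -Path $LogPath
    }
}

# Usage (requestor name 'alice' is constructed for this example):
Test-PamRoleApproval -RoleName 'SQLAdmins' | Format-List
Resolve-PamRequest -RoleName 'SQLAdmins' -Requestor 'alice' -Decision Approve
```

Run Test-PamRoleApproval across all roles (Get-PAMRole piped into it) to spot roles that still allow activation without an approver.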




I’m still having some issues approving requests through PowerShell; when I get a response from the PG I will let you know.
Currently Set-PAMRequestToApprove throws the following error:
(Even setting the server name in the hosts file does not work.)

Set-PAMRequestToApprove -Request $request -Approve
Set-PAMRequestToApprove : There was no endpoint listening at
http://pamserver:5726/ResourceManagementService/WorkflowManager/b501680a-d2d9-44c2-8508-2b22b2b9a856/13 that could
accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details.

At line:1 char:1
+ Set-PAMRequestToApprove -Request $request -Approve
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo         : NotSpecified: (:) [Set-PAMRequestToApprove], EndpointNotFoundException
+ FullyQualifiedErrorId : GeneralServerError,Microsoft.IdentityManagement.RequestorPamCmdlets.Commands.SetPamRequestToApprove

Got a hint from the PG, and it seems that I used a short name instead of an FQDN while installing the MIM Service and the MIM PAM client add-in and extension. Did a change-mode install and the cmdlet works fine now.


About Peter Stapf
Senior Consultant Infrastructure Services (Main focus: Identity Management) MVP Directory Services

4 Responses to Privileged Access Management: PAM roles with approvals (Part 1)

  1. Pingback: Privileged Access Management: PAM roles with time span and future requests (Part 2) | JustIDM

  2. Erich Karch says:

    Perfect! The exact information for which I was looking!

  3. George says:

    Creates automated customized desktop icon on the user desktop profile – customizable on user-based category. How will we do this?
