Azure PIM: Internal Server Error (500) using PIM Graph API

Azure Active Directory_COLOR

I have some implementation where I created a MIM PowerShell Connector for Azure PIM (Privileged Identity Management. This Connector imports on-Premises AD groups and transfers the members to Azure PIM role assignments.

A couple of days ago the scripts of that connector throw errors in my implementation as well as at a customer.

I tried to reach the following endpoints in Graph Explorer and even there I get an error:

Graph Explorer states the following error:

  "error": {
    "code": "UnknownError",
    "message": "{"message":"An error has occurred."}",
  "innerError": {
    "request-id": "16e184f8-86cb-4424-abff-4fd3ac4a010e",
    "date": "2018-11-12T12:40:15"

While PowerShell throws an Internal Server Error (500) Continue reading “Azure PIM: Internal Server Error (500) using PIM Graph API”


Ignite: Privileged Access Management for Office 365 general available


Another great announcement from Ignite,
Privileged Access Management in Office 365 is now Generally Available

How it works

Privileged access management in Office 365 goes beyond traditional access control capabilities by enabling access governance more granularity for specific tasks.

It’s based on the principle of Zero Standing Access, which means users who need privileged access, must request permissions for access, and once received it is just-in-time and just-enough access to perform the job at hand.

Therefore, Zero Standing Access, combined with access governance, can be an effective deterrent to misuse of privileged access by:

  • Requiring users to elevate permissions to execute tasks that may expose sensitive data.
  • Providing Just-Enough-Access (JEA) to specific tasks, coupled with Just-In-Time access so access is only allowed for a specific period of time.
  • Removing the dependency on having a set of privileged accounts with standing access.


Get Started Today!

Privileged access management in Office 365 is now generally available and rolling out to customers with Office 365 E5 and Advanced Compliance SKUs.

You can get started by reviewing the below resources:

Azure AD access reviews Microsoft Graph reference documentation available

The reference documentation for all access review options is available:

Microsoft Graph Azure AD Access Reviews reference documentation

It covers the API for all possible access reviews in Azure AD.

  • Application access
  • Group memberships
  • PIM AAD role assignments

Continue reading “Azure AD access reviews Microsoft Graph reference documentation available”

Create PAM (Privileged Access Management) Mobile Apps with PowerApps

Maybe you already read my last blog post about using PowerApps for Microsoft Identity Manager where you find a definitions file for the Lithnet RestAPI for MIM to create a custom API for PowerApps. If not, please do so for some basic information’s.

I also will present the MIM and PAM PowerApps solution with some detailed information on the next MIM Team User Group meeting on June 15.

This time I give to all of you the swagger JSON definition file for the Privileged Access Management (PAM) RestAPI around with a demo PowerApp.

The swagger JSON and YAML files contains all the API calls that PAM provides, so you can do the following:

  • Get a list of all PAM roles you are a candidate for
  • Get the PAM role request history
  • Request a PAM role and also Cancel your request before TTL exceeds
  • Get a list of all PAM role requests you should approve
  • Approve of Reject a PAM role request

Since PowerApps is still a preview feature you might have some issues like I have, but I was able to test all scenarios mentioned above.
Continue reading “Create PAM (Privileged Access Management) Mobile Apps with PowerApps”

Privileged Access Management: PAM roles with time span and future requests (Part 2)

Yesterday I wrote a blog post on how to setup PAM role with approvals in Privileged Access Management of Microsoft Identity Manager 2016.

Here is part 2 where I will be covering the following features:

  • PAM role with time span limits (e.g. 08:00 to 17:00)
  • PAM role with a specific request time (requests in future)

First make sure that the server running PAM components and the MIM service/portal have the correct time zone setting. You can check that in MIM portal under: Administration -> Portal Configuration -> Timezone


Currently the time restrictions are only working on time values not dates, so you cannot exclude weekend days for example. Only restrictions like 8:00 to 17:00 (or 8:00 am to 5:00 pm) are possible.

The supported way to set a time span rule on a PAM role is through PowerShell:

Import-Module MIMPAM
$pamrole = Get-PAMRole "SQLAdmins"
Set-PAMRole -Role $pamrole -AvailabilityWindowEnabled $true -AvailableFrom "08:00" -AvailableTo "17:00"

Continue reading “Privileged Access Management: PAM roles with time span and future requests (Part 2)”

Privileged Access Management: PAM roles with approvals (Part 1)

Well, here is some more information from playing with my Privileged Access Management (PAM) demo lab of MIM 2016

Looking a little bit under the surface you will see there are some more options you can set on PAM roles, like the following:

  • RAM roles with approvals
  • PAM roles with a valid time span (e.g. 8:00 to 17:00)
  • PAM roles with Azure MFA authentication
  • PAM roles requesting in the future (e.g. Role request for tomorrow)

This part is regarding PAM roles with approvals, there will be more posts regarding the other options in the near future.

Continue reading “Privileged Access Management: PAM roles with approvals (Part 1)”

Privileged Access Management: List all active pam requests

I’ve recently worked in my demo lab with Microsoft Identity Manager 2016 (MIM) feature called Privileged Access Management (PAM) to prepare for workshops and a first implementation at a customer.

One thing that came to my mind was, how I can enable PAM Admins to see a list of all currently active PAM requests on the system.

Option 1 is to use PowerShell from the MIMPAM Module to get an overview:

Get-PAMUser | Get-PAMRequest –Active

Quite simple, right?

But I want some graphical version and since the good “old” MIM portal is also present in that scenario I tried to figure out on how to search only “Active” roles/requests.

Continue reading “Privileged Access Management: List all active pam requests”