{
"$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"variables": {
"publisher": "Azure Citadel",
"name": "Standard Managed Service with PIM",
"guid": "[guid(concat(variables('publisher'), variables('name')))]",
"roleDefinitionId": {
"Contributor": "b24988ac-6180-42a0-ab88-20f7382dd24c",
"BackupContributor": "5e467623-bb1f-42f4-a55d-6e525e11384b",
"VirtualMachineContributor": "9980e02c-c2be-4d73-94e8-173b1dc7cf3c",
"BillingReader": "fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64",
"Reader": "acdd72a7-3385-48ef-bd42-f606fba81ae7",
"ManagedServicesRegistrationAssignmentDeleteRole": "91c1777a-f3dc-4fae-b103-61d183457e46",
"SupportRequestContributor": "cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e"
},
"securityGroup": {
"consultants": {
"objectId": "30f86a83-b2a9-477a-90d6-23e51042839a",
"name": "Managed Service Consultants"
},
"management": {
"objectId": "9d2b2ec1-a465-431f-91d3-546f97b8fb26",
"name": "Managed Service Management"
}
},
"serviceprincipal": {
"billingReader": {
"objectId": "770040c1-ddc2-40bd-bfc9-af70f5cc9ab1",
"name": "Service principal - http://billingreader"
},
"terraform": {
"objectId": "e11d5c66-9c16-488a-afce-fd4da574296d",
"name": "Service principal - http://terraform"
}
}
},
"resources": [
{
"type": "Microsoft.ManagedServices/registrationDefinitions",
"apiVersion": "2022-01-01-preview",
"name": "[variables('guid')]",
"properties": {
"registrationDefinitionName": "[variables('name')]",
"description": "Virtual Machine protection and patching plus custom Azure billing service.",
"managedByTenantId": "3c584bbd-915f-4c70-9f2e-7217983f22f6",
"authorizations": [
{
"principalIdDisplayName": "[variables('securityGroup').management.name]",
"principalId": "[variables('securityGroup').management.objectId]",
"roleDefinitionId": "[variables('roleDefinitionId').ManagedServicesRegistrationAssignmentDeleteRole]"
},
{
"principalIdDisplayName": "[variables('securityGroup').consultants.name]",
"principalId": "[variables('securityGroup').consultants.objectId]",
"roleDefinitionId": "[variables('roleDefinitionId').Reader]"
},
{
"principalIdDisplayName": "[variables('securityGroup').consultants.name]",
"principalId": "[variables('securityGroup').consultants.objectId]",
"roleDefinitionId": "[variables('roleDefinitionId').SupportRequestContributor]"
},
{
"principalIdDisplayName": "[variables('serviceprincipal').billingReader.name]",
"principalId": "[variables('serviceprincipal').billingReader.objectId]",
"roleDefinitionId": "[variables('roleDefinitionId').BillingReader]"
},
{
"principalIdDisplayName": "[variables('serviceprincipal').terraform.name]",
"principalId": "[variables('serviceprincipal').terraform.objectId]",
"roleDefinitionId": "[variables('roleDefinitionId').Contributor]"
}
],
"eligibleAuthorizations": [
{
"justInTimeAccessPolicy": {
"multiFactorAuthProvider": "Azure",
"maximumActivationDuration": "PT4H",
"managedByTenantApprovers": []
},
"principalIdDisplayName": "[variables('securityGroup').consultants.name]",
"principalId": "[variables('securityGroup').consultants.objectId]",
"roleDefinitionId": "[variables('roleDefinitionId').BackupContributor]"
},
{
"justInTimeAccessPolicy": {
"multiFactorAuthProvider": "Azure",
"maximumActivationDuration": "PT4H",
"managedByTenantApprovers": []
},
"principalIdDisplayName": "[variables('securityGroup').consultants.name]",
"principalId": "[variables('securityGroup').consultants.objectId]",
"roleDefinitionId": "[variables('roleDefinitionId').VirtualMachineContributor]"
},
{
"justInTimeAccessPolicy": {
"multiFactorAuthProvider": "Azure",
"maximumActivationDuration": "PT8H",
"managedByTenantApprovers": [
{
"principalId": "[variables('securityGroup').management.objectId]",
"principalIdDisplayName": "[variables('securityGroup').management.name]"
}
]
},
"principalIdDisplayName": "[variables('securityGroup').consultants.name]",
"principalId": "[variables('securityGroup').consultants.objectId]",
"roleDefinitionId": "[variables('roleDefinitionId').Contributor]"
}
]
}
}
]
}