Terraform – Azure: Assign assignable role with approval to a group - Stack Overflow

I’m trying to use Terraform to assign an assignable role in Azure to a group, but with approval required before the role is granted.

I’m currently using Terraform to manage Azure role assignments. I already know how to assign an eligible PIM role using the azurerm_pim_eligible_role_assignment resource. That part is working fine.

Here’s what I’m aiming for:

  • Users request access to the role via PIM (Privileged Identity Management), and an approval is required before the role is activated.

Any guidance or examples would be appreciated!

Thanks in advance.

asked Mar 23 at 16:08 by Sayrell 0
  • As far as I know, there is no module to enable that option, so you need to enable it before creating an eligible role assignment from portal: i.imgur/85RQpbp.png – Venkat V Commented Mar 24 at 13:18

1 Answer

Users request access to the role via PIM (Privileged Identity Management), and an approval is required before the role is activated.

As far as I know, there is no Terraform module to edit the role for the Require Approval option; it must be configured before creating the Eligible Role Assignment.

Please update this option before creating the role by navigating to Azure Entra ID > Roles and administrators > Select the Role > Role settings > Edit.
Then, select the approver to approve the request.

Once you change the settings, the same user will receive the approval request.

Reference: MS Graph api - Azure PIM Group approvals and notification settings - Stack Overflow
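
For Azure RBAC roles (the kind azurerm_pim_eligible_role_assignment targets), the Require approval setting can also be kept in Terraform when the installed azurerm provider includes the azurerm_role_management_policy resource. The following is an added example, not code from the question or the answer; the resource group, role and group names are placeholders, and availability of the resource in your provider version is an assumption to check.

```hcl
# Added example. All names are placeholders, not values from this page.
# Assumes the azurerm and azuread providers are already configured and that
# the azurerm version in use ships azurerm_role_management_policy.

data "azurerm_resource_group" "target" {
  name = "rg-example" # placeholder scope for the PIM-managed role
}

data "azurerm_role_definition" "contributor" {
  name  = "Contributor" # placeholder role
  scope = data.azurerm_resource_group.target.id
}

# Group whose members approve activation requests (placeholder name).
data "azuread_group" "approvers" {
  display_name = "pim-approvers"
}

# PIM role settings for this role at this scope. The existing
# azurerm_pim_eligible_role_assignment should target the same scope and role,
# so that activating the eligible assignment goes through these rules.
resource "azurerm_role_management_policy" "contributor" {
  scope              = data.azurerm_resource_group.target.id
  role_definition_id = data.azurerm_role_definition.contributor.id

  activation_rules {
    maximum_duration = "PT4H" # ISO 8601 duration: activation lasts at most 4 hours
    require_approval = true   # activation stays pending until an approver acts

    approval_stage {
      primary_approver {
        object_id = data.azuread_group.approvers.object_id
        type      = "Group"
      }
    }
  }
}
```

Keeping the approver as a group rather than a single user avoids requests stalling when one approver is unavailable, and putting the policy in code makes a later change that turns approval off visible in `terraform plan`.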
