https://trustanchor.pro/tags/azure-rbac/Recent content in Azure-Rbac on Trust AnchorHugo -- gohugo.ioen© 2026 George VaculikSat, 06 Jun 2026 10:00:00 +0200https://trustanchor.pro/posts/pim-at-scale-three-domains/Sat, 06 Jun 2026 10:00:00 +0200https://trustanchor.pro/posts/pim-at-scale-three-domains/PIM is one service in Microsoft Entra admin center, with three management areas — Entra roles, Azure resources, Groups — and no default-policy mechanism in any of them. The integrated view, with consistent tiered policies bound by authentication context, has to be reconstructed in code. This post walks the design and the API patterns that make it work, including the non-inheritance gotcha, the role-assignable-group Member-vs-Owner setup clash, and the service-principal exemption that has to be governed instead of forgotten. The MSSP section at the end shows how the whole pattern lands in a pipeline with drift detection.