The azure-native:authorization:RoleManagementPolicy resource, part of the Pulumi Azure Native provider, defines governance rules for Azure role assignments: expiration limits, approval workflows, notification routing, and PIM enforcement. This guide focuses on two capabilities: eligibility expiration and notifications, and PIM-only mode with exclusions.
Role management policies apply to existing Azure scopes and reference user, group, or service principal IDs. The examples are intentionally small. Combine them with your own scope definitions and identity references.
Configure eligibility expiration and notifications
Organizations using Azure Privileged Identity Management often start by defining how long eligible role assignments last and who receives notifications when eligibility changes.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const roleManagementPolicy = new azure_native.authorization.RoleManagementPolicy("roleManagementPolicy", {
roleManagementPolicyName: "570c3619-7688-4b34-b290-2b8bb3ccab2a",
rules: [
{
id: "Expiration_Admin_Eligibility",
isExpirationRequired: false,
maximumDuration: "P180D",
ruleType: "RoleManagementPolicyExpirationRule",
target: {
caller: "Admin",
level: "Eligibility",
operations: ["All"],
},
},
{
id: "Notification_Admin_Admin_Eligibility",
isDefaultRecipientsEnabled: false,
notificationLevel: azure_native.authorization.NotificationLevel.Critical,
notificationRecipients: ["admin_admin_eligible@test.com"],
notificationType: azure_native.authorization.NotificationDeliveryMechanism.Email,
recipientType: azure_native.authorization.RecipientType.Admin,
ruleType: "RoleManagementPolicyNotificationRule",
target: {
caller: "Admin",
level: "Eligibility",
operations: ["All"],
},
},
],
scope: "providers/Microsoft.Subscription/subscriptions/129ff972-28f8-46b8-a726-e497be039368",
});
import pulumi
import pulumi_azure_native as azure_native
role_management_policy = azure_native.authorization.RoleManagementPolicy("roleManagementPolicy",
role_management_policy_name="570c3619-7688-4b34-b290-2b8bb3ccab2a",
rules=[
{
"id": "Expiration_Admin_Eligibility",
"is_expiration_required": False,
"maximum_duration": "P180D",
"rule_type": "RoleManagementPolicyExpirationRule",
"target": {
"caller": "Admin",
"level": "Eligibility",
"operations": ["All"],
},
},
{
"id": "Notification_Admin_Admin_Eligibility",
"is_default_recipients_enabled": False,
"notification_level": azure_native.authorization.NotificationLevel.CRITICAL,
"notification_recipients": ["admin_admin_eligible@test.com"],
"notification_type": azure_native.authorization.NotificationDeliveryMechanism.EMAIL,
"recipient_type": azure_native.authorization.RecipientType.ADMIN,
"rule_type": "RoleManagementPolicyNotificationRule",
"target": {
"caller": "Admin",
"level": "Eligibility",
"operations": ["All"],
},
},
],
scope="providers/Microsoft.Subscription/subscriptions/129ff972-28f8-46b8-a726-e497be039368")
package main
import (
authorization "github.com/pulumi/pulumi-azure-native-sdk/authorization/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := authorization.NewRoleManagementPolicy(ctx, "roleManagementPolicy", &authorization.RoleManagementPolicyArgs{
RoleManagementPolicyName: pulumi.String("570c3619-7688-4b34-b290-2b8bb3ccab2a"),
Rules: pulumi.Array{
authorization.RoleManagementPolicyExpirationRule{
Id: "Expiration_Admin_Eligibility",
IsExpirationRequired: false,
MaximumDuration: "P180D",
RuleType: "RoleManagementPolicyExpirationRule",
Target: authorization.RoleManagementPolicyRuleTarget{
Caller: "Admin",
Level: "Eligibility",
Operations: []string{
"All",
},
},
},
authorization.RoleManagementPolicyNotificationRule{
Id: "Notification_Admin_Admin_Eligibility",
IsDefaultRecipientsEnabled: false,
NotificationLevel: authorization.NotificationLevelCritical,
NotificationRecipients: []string{
"admin_admin_eligible@test.com",
},
NotificationType: authorization.NotificationDeliveryMechanismEmail,
RecipientType: authorization.RecipientTypeAdmin,
RuleType: "RoleManagementPolicyNotificationRule",
Target: authorization.RoleManagementPolicyRuleTarget{
Caller: "Admin",
Level: "Eligibility",
Operations: []string{
"All",
},
},
},
},
Scope: pulumi.String("providers/Microsoft.Subscription/subscriptions/129ff972-28f8-46b8-a726-e497be039368"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var roleManagementPolicy = new AzureNative.Authorization.RoleManagementPolicy("roleManagementPolicy", new()
{
RoleManagementPolicyName = "570c3619-7688-4b34-b290-2b8bb3ccab2a",
Rules =
{
new AzureNative.Authorization.Inputs.RoleManagementPolicyExpirationRuleArgs
{
Id = "Expiration_Admin_Eligibility",
IsExpirationRequired = false,
MaximumDuration = "P180D",
RuleType = "RoleManagementPolicyExpirationRule",
Target = new AzureNative.Authorization.Inputs.RoleManagementPolicyRuleTargetArgs
{
Caller = "Admin",
Level = "Eligibility",
Operations = new[]
{
"All",
},
},
},
new AzureNative.Authorization.Inputs.RoleManagementPolicyNotificationRuleArgs
{
Id = "Notification_Admin_Admin_Eligibility",
IsDefaultRecipientsEnabled = false,
NotificationLevel = AzureNative.Authorization.NotificationLevel.Critical,
NotificationRecipients = new[]
{
"admin_admin_eligible@test.com",
},
NotificationType = AzureNative.Authorization.NotificationDeliveryMechanism.Email,
RecipientType = AzureNative.Authorization.RecipientType.Admin,
RuleType = "RoleManagementPolicyNotificationRule",
Target = new AzureNative.Authorization.Inputs.RoleManagementPolicyRuleTargetArgs
{
Caller = "Admin",
Level = "Eligibility",
Operations = new[]
{
"All",
},
},
},
},
Scope = "providers/Microsoft.Subscription/subscriptions/129ff972-28f8-46b8-a726-e497be039368",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.authorization.RoleManagementPolicy;
import com.pulumi.azurenative.authorization.RoleManagementPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var roleManagementPolicy = new RoleManagementPolicy("roleManagementPolicy", RoleManagementPolicyArgs.builder()
.roleManagementPolicyName("570c3619-7688-4b34-b290-2b8bb3ccab2a")
.rules(
RoleManagementPolicyExpirationRuleArgs.builder()
.id("Expiration_Admin_Eligibility")
.isExpirationRequired(false)
.maximumDuration("P180D")
.ruleType("RoleManagementPolicyExpirationRule")
.target(RoleManagementPolicyRuleTargetArgs.builder()
.caller("Admin")
.level("Eligibility")
.operations("All")
.build())
.build(),
RoleManagementPolicyNotificationRuleArgs.builder()
.id("Notification_Admin_Admin_Eligibility")
.isDefaultRecipientsEnabled(false)
.notificationLevel("Critical")
.notificationRecipients("admin_admin_eligible@test.com")
.notificationType("Email")
.recipientType("Admin")
.ruleType("RoleManagementPolicyNotificationRule")
.target(RoleManagementPolicyRuleTargetArgs.builder()
.caller("Admin")
.level("Eligibility")
.operations("All")
.build())
.build())
.scope("providers/Microsoft.Subscription/subscriptions/129ff972-28f8-46b8-a726-e497be039368")
.build());
}
}
resources:
roleManagementPolicy:
type: azure-native:authorization:RoleManagementPolicy
properties:
roleManagementPolicyName: 570c3619-7688-4b34-b290-2b8bb3ccab2a
rules:
- id: Expiration_Admin_Eligibility
isExpirationRequired: false
maximumDuration: P180D
ruleType: RoleManagementPolicyExpirationRule
target:
caller: Admin
level: Eligibility
operations:
- All
- id: Notification_Admin_Admin_Eligibility
isDefaultRecipientsEnabled: false
notificationLevel: Critical
notificationRecipients:
- admin_admin_eligible@test.com
notificationType: Email
recipientType: Admin
ruleType: RoleManagementPolicyNotificationRule
target:
caller: Admin
level: Eligibility
operations:
- All
scope: providers/Microsoft.Subscription/subscriptions/129ff972-28f8-46b8-a726-e497be039368
The rules array contains policy rules that govern role behavior. Each RoleManagementPolicyExpirationRule sets maximumDuration (ISO 8601 format like “P180D” for 180 days) and isExpirationRequired to control whether assignments must expire. The target property specifies which operations the rule applies to: caller identifies who performs the action (Admin, EndUser), level distinguishes between Eligibility (who can request a role) and Assignment (who actively holds a role), and operations lists which actions trigger the rule. RoleManagementPolicyNotificationRule routes emails to specific recipients based on recipientType (Admin, Requestor, Approver) and notificationLevel (Critical, All).
Enforce PIM-only mode with exclusions
Teams enforcing just-in-time access can require all role assignments to go through PIM, while excluding specific users, groups, or service principals.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const roleManagementPolicy = new azure_native.authorization.RoleManagementPolicy("roleManagementPolicy", {
roleManagementPolicyName: "570c3619-7688-4b34-b290-2b8bb3ccab2a",
rules: [{
id: "PIMOnlyMode_Admin_Assignment",
pimOnlyModeSettings: {
excludedAssignmentTypes: [azure_native.authorization.ExcludedPrincipalTypes.ServicePrincipalsAsTarget],
excludes: [
{
id: "ec42a424-a0c0-4418-8788-d19bdeb03704",
type: azure_native.authorization.UserType.User,
},
{
id: "00029dfb-0218-4e7a-9a85-c15dc0c880bc",
type: azure_native.authorization.UserType.Group,
},
{
id: "0000103d-1fc2-4ac8-81de-71517765655c",
type: azure_native.authorization.UserType.ServicePrincipal,
},
],
mode: azure_native.authorization.PIMOnlyMode.Enabled,
},
ruleType: "RoleManagementPolicyPimOnlyModeRule",
target: {
caller: "Admin",
enforcedSettings: ["all"],
inheritableSettings: ["all"],
level: "Assignment",
operations: ["all"],
targetObjects: [],
},
}],
scope: "providers/Microsoft.Subscription/subscriptions/129ff972-28f8-46b8-a726-e497be039368",
});
import pulumi
import pulumi_azure_native as azure_native
role_management_policy = azure_native.authorization.RoleManagementPolicy("roleManagementPolicy",
role_management_policy_name="570c3619-7688-4b34-b290-2b8bb3ccab2a",
rules=[{
"id": "PIMOnlyMode_Admin_Assignment",
"pim_only_mode_settings": {
"excluded_assignment_types": [azure_native.authorization.ExcludedPrincipalTypes.SERVICE_PRINCIPALS_AS_TARGET],
"excludes": [
{
"id": "ec42a424-a0c0-4418-8788-d19bdeb03704",
"type": azure_native.authorization.UserType.USER,
},
{
"id": "00029dfb-0218-4e7a-9a85-c15dc0c880bc",
"type": azure_native.authorization.UserType.GROUP,
},
{
"id": "0000103d-1fc2-4ac8-81de-71517765655c",
"type": azure_native.authorization.UserType.SERVICE_PRINCIPAL,
},
],
"mode": azure_native.authorization.PIMOnlyMode.ENABLED,
},
"rule_type": "RoleManagementPolicyPimOnlyModeRule",
"target": {
"caller": "Admin",
"enforced_settings": ["all"],
"inheritable_settings": ["all"],
"level": "Assignment",
"operations": ["all"],
"target_objects": [],
},
}],
scope="providers/Microsoft.Subscription/subscriptions/129ff972-28f8-46b8-a726-e497be039368")
package main
import (
authorization "github.com/pulumi/pulumi-azure-native-sdk/authorization/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := authorization.NewRoleManagementPolicy(ctx, "roleManagementPolicy", &authorization.RoleManagementPolicyArgs{
RoleManagementPolicyName: pulumi.String("570c3619-7688-4b34-b290-2b8bb3ccab2a"),
Rules: pulumi.Array{
authorization.RoleManagementPolicyPimOnlyModeRule{
Id: "PIMOnlyMode_Admin_Assignment",
PimOnlyModeSettings: authorization.PIMOnlyModeSettings{
ExcludedAssignmentTypes: []authorization.ExcludedPrincipalTypes{
authorization.ExcludedPrincipalTypesServicePrincipalsAsTarget,
},
Excludes: []authorization.UsersOrServicePrincipalSet{
{
Id: "ec42a424-a0c0-4418-8788-d19bdeb03704",
Type: authorization.UserTypeUser,
},
{
Id: "00029dfb-0218-4e7a-9a85-c15dc0c880bc",
Type: authorization.UserTypeGroup,
},
{
Id: "0000103d-1fc2-4ac8-81de-71517765655c",
Type: authorization.UserTypeServicePrincipal,
},
},
Mode: authorization.PIMOnlyModeEnabled,
},
RuleType: "RoleManagementPolicyPimOnlyModeRule",
Target: authorization.RoleManagementPolicyRuleTarget{
Caller: "Admin",
EnforcedSettings: []string{
"all",
},
InheritableSettings: []string{
"all",
},
Level: "Assignment",
Operations: []string{
"all",
},
TargetObjects: []interface{}{},
},
},
},
Scope: pulumi.String("providers/Microsoft.Subscription/subscriptions/129ff972-28f8-46b8-a726-e497be039368"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var roleManagementPolicy = new AzureNative.Authorization.RoleManagementPolicy("roleManagementPolicy", new()
{
RoleManagementPolicyName = "570c3619-7688-4b34-b290-2b8bb3ccab2a",
Rules = new[]
{
new AzureNative.Authorization.Inputs.RoleManagementPolicyPimOnlyModeRuleArgs
{
Id = "PIMOnlyMode_Admin_Assignment",
PimOnlyModeSettings = new AzureNative.Authorization.Inputs.PIMOnlyModeSettingsArgs
{
ExcludedAssignmentTypes = new[]
{
AzureNative.Authorization.ExcludedPrincipalTypes.ServicePrincipalsAsTarget,
},
Excludes = new[]
{
new AzureNative.Authorization.Inputs.UsersOrServicePrincipalSetArgs
{
Id = "ec42a424-a0c0-4418-8788-d19bdeb03704",
Type = AzureNative.Authorization.UserType.User,
},
new AzureNative.Authorization.Inputs.UsersOrServicePrincipalSetArgs
{
Id = "00029dfb-0218-4e7a-9a85-c15dc0c880bc",
Type = AzureNative.Authorization.UserType.Group,
},
new AzureNative.Authorization.Inputs.UsersOrServicePrincipalSetArgs
{
Id = "0000103d-1fc2-4ac8-81de-71517765655c",
Type = AzureNative.Authorization.UserType.ServicePrincipal,
},
},
Mode = AzureNative.Authorization.PIMOnlyMode.Enabled,
},
RuleType = "RoleManagementPolicyPimOnlyModeRule",
Target = new AzureNative.Authorization.Inputs.RoleManagementPolicyRuleTargetArgs
{
Caller = "Admin",
EnforcedSettings = new[]
{
"all",
},
InheritableSettings = new[]
{
"all",
},
Level = "Assignment",
Operations = new[]
{
"all",
},
TargetObjects = new() { },
},
},
},
Scope = "providers/Microsoft.Subscription/subscriptions/129ff972-28f8-46b8-a726-e497be039368",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.authorization.RoleManagementPolicy;
import com.pulumi.azurenative.authorization.RoleManagementPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var roleManagementPolicy = new RoleManagementPolicy("roleManagementPolicy", RoleManagementPolicyArgs.builder()
.roleManagementPolicyName("570c3619-7688-4b34-b290-2b8bb3ccab2a")
.rules(RoleManagementPolicyPimOnlyModeRuleArgs.builder()
.id("PIMOnlyMode_Admin_Assignment")
.pimOnlyModeSettings(PIMOnlyModeSettingsArgs.builder()
.excludedAssignmentTypes("ServicePrincipalsAsTarget")
.excludes(
UsersOrServicePrincipalSetArgs.builder()
.id("ec42a424-a0c0-4418-8788-d19bdeb03704")
.type("User")
.build(),
UsersOrServicePrincipalSetArgs.builder()
.id("00029dfb-0218-4e7a-9a85-c15dc0c880bc")
.type("Group")
.build(),
UsersOrServicePrincipalSetArgs.builder()
.id("0000103d-1fc2-4ac8-81de-71517765655c")
.type("ServicePrincipal")
.build())
.mode("Enabled")
.build())
.ruleType("RoleManagementPolicyPimOnlyModeRule")
.target(RoleManagementPolicyRuleTargetArgs.builder()
.caller("Admin")
.enforcedSettings("all")
.inheritableSettings("all")
.level("Assignment")
.operations("all")
.targetObjects()
.build())
.build())
.scope("providers/Microsoft.Subscription/subscriptions/129ff972-28f8-46b8-a726-e497be039368")
.build());
}
}
resources:
roleManagementPolicy:
type: azure-native:authorization:RoleManagementPolicy
properties:
roleManagementPolicyName: 570c3619-7688-4b34-b290-2b8bb3ccab2a
rules:
- id: PIMOnlyMode_Admin_Assignment
pimOnlyModeSettings:
excludedAssignmentTypes:
- ServicePrincipalsAsTarget
excludes:
- id: ec42a424-a0c0-4418-8788-d19bdeb03704
type: User
- id: 00029dfb-0218-4e7a-9a85-c15dc0c880bc
type: Group
- id: 0000103d-1fc2-4ac8-81de-71517765655c
type: ServicePrincipal
mode: Enabled
ruleType: RoleManagementPolicyPimOnlyModeRule
target:
caller: Admin
enforcedSettings:
- all
inheritableSettings:
- all
level: Assignment
operations:
- all
targetObjects: []
scope: providers/Microsoft.Subscription/subscriptions/129ff972-28f8-46b8-a726-e497be039368
The RoleManagementPolicyPimOnlyModeRule enforces that all role assignments must be requested through PIM rather than assigned directly. The pimOnlyModeSettings property controls this behavior: mode set to “Enabled” activates the requirement, excludes lists specific user, group, or service principal IDs that bypass the rule, and excludedAssignmentTypes can exempt entire categories like service principals. The target property’s enforcedSettings and inheritableSettings arrays determine whether child scopes inherit these restrictions.
Beyond these examples
These snippets focus on specific policy-level features: expiration rules and time limits, notification routing by recipient type, and PIM-only mode enforcement. They’re intentionally minimal rather than complete governance frameworks.
The examples reference pre-existing infrastructure such as Azure subscription or management group scopes, existing role management policies identified by GUID, and user, group, and service principal IDs for exclusions. They focus on configuring the policy rather than provisioning the surrounding identity infrastructure.
To keep things focused, common policy patterns are omitted, including:
- Approval workflows and multi-stage approvals
- Enablement rules (MFA, justification, ticketing)
- Authentication context requirements
- Assignment-level expiration and enablement
These omissions are intentional: the goal is to illustrate how each policy rule is wired, not provide drop-in governance modules. See the RoleManagementPolicy resource reference for all available configuration options.
Let's configure Azure Role Management Policies
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Policy Structure & Configuration
What's the difference between Eligibility and Assignment levels in role management policies?
Rules target either
Eligibility level (who can request a role) or Assignment level (active role assignments). Examples show separate expiration and notification rules for each level, with Eligibility typically having longer durations (180 days) than Assignment (90 days or 7 hours for end users).What's the difference between Admin and EndUser callers?
The
caller field in rule targets distinguishes between Admin (administrators managing roles) and EndUser (users requesting role activation). Examples show EndUser assignments requiring approval and having shorter durations (7 hours), while Admin assignments have longer durations (90 days) and different enablement requirements.What rule types can I configure in a role management policy?
You can configure six rule types:
- RoleManagementPolicyExpirationRule - Duration limits for eligibility and assignments
- RoleManagementPolicyNotificationRule - Email notifications to admins, requestors, or approvers
- RoleManagementPolicyEnablementRule - Requirements like MFA, justification, or ticketing
- RoleManagementPolicyApprovalRule - Approval workflows with stages and approvers
- RoleManagementPolicyAuthenticationContextRule - Authentication context claims
- RoleManagementPolicyPimOnlyModeRule - PIM-only mode enforcement with exclusions
Why is the policy name a GUID?
The
roleManagementPolicyName is an immutable GUID-based identifier. Examples use GUIDs like “570c3619-7688-4b34-b290-2b8bb3ccab2a” for policy identification.Duration & Expiration
What format should I use for duration values?
Use ISO 8601 duration format:
P180D for 180 days, P90D for 90 days, PT7H for 7 hours. The format is P for period, followed by days (D) or T for time with hours (H).Notifications & Approvals
How do I configure email notifications for role assignments?
Use
RoleManagementPolicyNotificationRule with notificationType set to Email. Specify recipientType as Admin, Requestor, or Approver, and provide email addresses in notificationRecipients. Set isDefaultRecipientsEnabled to false to use custom recipients instead of defaults.How do I require approval for role activations?
Configure
RoleManagementPolicyApprovalRule with setting.isApprovalRequired set to true. Define approvalStages with primaryApprovers (users or groups by ID), set approvalStageTimeOutInDays, and configure escalation settings with isEscalationEnabled and escalationTimeInMinutes.Security & Access Controls
What enablement rules can I require for role assignments?
You can require three types of enablement in RoleManagementPolicyEnablementRule:
Justification- Require users to provide a reasonMultiFactorAuthentication- Require MFA verificationTicketing- Require a ticket number
Configure these in the enabledRules array. Examples show Admin assignments requiring Justification and MFA, while EndUser assignments require all three.
What's PIM-only mode and how do I configure it?
PIM-only mode enforces that all role assignments go through Privileged Identity Management. Configure
RoleManagementPolicyPimOnlyModeRule with pimOnlyModeSettings.mode set to Enabled. You can exclude specific users, groups, or service principals using the excludes array (with ID and type), and exclude assignment types with excludedAssignmentTypes (e.g., ServicePrincipalsAsTarget).What scope format should I use for the policy?
Use a resource path format. Examples show subscription scope as
providers/Microsoft.Subscription/subscriptions/{subscription-id}.