The azure-native:authorization:RoleManagementPolicy resource, part of the Pulumi Azure Native provider, defines governance rules for Azure role assignments: expiration limits, approval workflows, notification routing, and PIM enforcement. This guide focuses on two capabilities: eligibility expiration and notifications, and PIM-only mode with exclusions.
Role management policies apply to existing Azure scopes and reference user, group, or service principal IDs. The examples are intentionally small. Combine them with your own scope definitions and identity references.
Configure eligibility expiration and notifications
Organizations using Azure Privileged Identity Management often start by defining how long eligible role assignments last and who receives notifications when eligibility changes.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const roleManagementPolicy = new azure_native.authorization.RoleManagementPolicy("roleManagementPolicy", {
roleManagementPolicyName: "570c3619-7688-4b34-b290-2b8bb3ccab2a",
rules: [
{
id: "Expiration_Admin_Eligibility",
isExpirationRequired: false,
maximumDuration: "P180D",
ruleType: "RoleManagementPolicyExpirationRule",
target: {
caller: "Admin",
level: "Eligibility",
operations: ["All"],
},
},
{
id: "Notification_Admin_Admin_Eligibility",
isDefaultRecipientsEnabled: false,
notificationLevel: azure_native.authorization.NotificationLevel.Critical,
notificationRecipients: ["admin_admin_eligible@test.com"],
notificationType: azure_native.authorization.NotificationDeliveryMechanism.Email,
recipientType: azure_native.authorization.RecipientType.Admin,
ruleType: "RoleManagementPolicyNotificationRule",
target: {
caller: "Admin",
level: "Eligibility",
operations: ["All"],
},
},
],
scope: "providers/Microsoft.Subscription/subscriptions/129ff972-28f8-46b8-a726-e497be039368",
});
import pulumi
import pulumi_azure_native as azure_native
role_management_policy = azure_native.authorization.RoleManagementPolicy("roleManagementPolicy",
role_management_policy_name="570c3619-7688-4b34-b290-2b8bb3ccab2a",
rules=[
{
"id": "Expiration_Admin_Eligibility",
"is_expiration_required": False,
"maximum_duration": "P180D",
"rule_type": "RoleManagementPolicyExpirationRule",
"target": {
"caller": "Admin",
"level": "Eligibility",
"operations": ["All"],
},
},
{
"id": "Notification_Admin_Admin_Eligibility",
"is_default_recipients_enabled": False,
"notification_level": azure_native.authorization.NotificationLevel.CRITICAL,
"notification_recipients": ["admin_admin_eligible@test.com"],
"notification_type": azure_native.authorization.NotificationDeliveryMechanism.EMAIL,
"recipient_type": azure_native.authorization.RecipientType.ADMIN,
"rule_type": "RoleManagementPolicyNotificationRule",
"target": {
"caller": "Admin",
"level": "Eligibility",
"operations": ["All"],
},
},
],
scope="providers/Microsoft.Subscription/subscriptions/129ff972-28f8-46b8-a726-e497be039368")
package main
import (
authorization "github.com/pulumi/pulumi-azure-native-sdk/authorization/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := authorization.NewRoleManagementPolicy(ctx, "roleManagementPolicy", &authorization.RoleManagementPolicyArgs{
RoleManagementPolicyName: pulumi.String("570c3619-7688-4b34-b290-2b8bb3ccab2a"),
Rules: pulumi.Array{
authorization.RoleManagementPolicyExpirationRule{
Id: "Expiration_Admin_Eligibility",
IsExpirationRequired: false,
MaximumDuration: "P180D",
RuleType: "RoleManagementPolicyExpirationRule",
Target: authorization.RoleManagementPolicyRuleTarget{
Caller: "Admin",
Level: "Eligibility",
Operations: []string{
"All",
},
},
},
authorization.RoleManagementPolicyNotificationRule{
Id: "Notification_Admin_Admin_Eligibility",
IsDefaultRecipientsEnabled: false,
NotificationLevel: authorization.NotificationLevelCritical,
NotificationRecipients: []string{
"admin_admin_eligible@test.com",
},
NotificationType: authorization.NotificationDeliveryMechanismEmail,
RecipientType: authorization.RecipientTypeAdmin,
RuleType: "RoleManagementPolicyNotificationRule",
Target: authorization.RoleManagementPolicyRuleTarget{
Caller: "Admin",
Level: "Eligibility",
Operations: []string{
"All",
},
},
},
},
Scope: pulumi.String("providers/Microsoft.Subscription/subscriptions/129ff972-28f8-46b8-a726-e497be039368"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var roleManagementPolicy = new AzureNative.Authorization.RoleManagementPolicy("roleManagementPolicy", new()
{
RoleManagementPolicyName = "570c3619-7688-4b34-b290-2b8bb3ccab2a",
Rules =
{
new AzureNative.Authorization.Inputs.RoleManagementPolicyExpirationRuleArgs
{
Id = "Expiration_Admin_Eligibility",
IsExpirationRequired = false,
MaximumDuration = "P180D",
RuleType = "RoleManagementPolicyExpirationRule",
Target = new AzureNative.Authorization.Inputs.RoleManagementPolicyRuleTargetArgs
{
Caller = "Admin",
Level = "Eligibility",
Operations = new[]
{
"All",
},
},
},
new AzureNative.Authorization.Inputs.RoleManagementPolicyNotificationRuleArgs
{
Id = "Notification_Admin_Admin_Eligibility",
IsDefaultRecipientsEnabled = false,
NotificationLevel = AzureNative.Authorization.NotificationLevel.Critical,
NotificationRecipients = new[]
{
"admin_admin_eligible@test.com",
},
NotificationType = AzureNative.Authorization.NotificationDeliveryMechanism.Email,
RecipientType = AzureNative.Authorization.RecipientType.Admin,
RuleType = "RoleManagementPolicyNotificationRule",
Target = new AzureNative.Authorization.Inputs.RoleManagementPolicyRuleTargetArgs
{
Caller = "Admin",
Level = "Eligibility",
Operations = new[]
{
"All",
},
},
},
},
Scope = "providers/Microsoft.Subscription/subscriptions/129ff972-28f8-46b8-a726-e497be039368",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.authorization.RoleManagementPolicy;
import com.pulumi.azurenative.authorization.RoleManagementPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var roleManagementPolicy = new RoleManagementPolicy("roleManagementPolicy", RoleManagementPolicyArgs.builder()
.roleManagementPolicyName("570c3619-7688-4b34-b290-2b8bb3ccab2a")
.rules(
RoleManagementPolicyExpirationRuleArgs.builder()
.id("Expiration_Admin_Eligibility")
.isExpirationRequired(false)
.maximumDuration("P180D")
.ruleType("RoleManagementPolicyExpirationRule")
.target(RoleManagementPolicyRuleTargetArgs.builder()
.caller("Admin")
.level("Eligibility")
.operations("All")
.build())
.build(),
RoleManagementPolicyNotificationRuleArgs.builder()
.id("Notification_Admin_Admin_Eligibility")
.isDefaultRecipientsEnabled(false)
.notificationLevel("Critical")
.notificationRecipients("admin_admin_eligible@test.com")
.notificationType("Email")
.recipientType("Admin")
.ruleType("RoleManagementPolicyNotificationRule")
.target(RoleManagementPolicyRuleTargetArgs.builder()
.caller("Admin")
.level("Eligibility")
.operations("All")
.build())
.build())
.scope("providers/Microsoft.Subscription/subscriptions/129ff972-28f8-46b8-a726-e497be039368")
.build());
}
}
resources:
roleManagementPolicy:
type: azure-native:authorization:RoleManagementPolicy
properties:
roleManagementPolicyName: 570c3619-7688-4b34-b290-2b8bb3ccab2a
rules:
- id: Expiration_Admin_Eligibility
isExpirationRequired: false
maximumDuration: P180D
ruleType: RoleManagementPolicyExpirationRule
target:
caller: Admin
level: Eligibility
operations:
- All
- id: Notification_Admin_Admin_Eligibility
isDefaultRecipientsEnabled: false
notificationLevel: Critical
notificationRecipients:
- admin_admin_eligible@test.com
notificationType: Email
recipientType: Admin
ruleType: RoleManagementPolicyNotificationRule
target:
caller: Admin
level: Eligibility
operations:
- All
scope: providers/Microsoft.Subscription/subscriptions/129ff972-28f8-46b8-a726-e497be039368
The rules array contains policy rules that govern role behavior. Each RoleManagementPolicyExpirationRule sets maximumDuration (ISO 8601 format like “P180D” for 180 days) and isExpirationRequired to control whether assignments must expire. The target property specifies which operations the rule applies to: caller identifies who performs the action (Admin, EndUser), level distinguishes between Eligibility (who can request a role) and Assignment (who actively holds a role), and operations lists which actions trigger the rule. RoleManagementPolicyNotificationRule routes emails to specific recipients based on recipientType (Admin, Requestor, Approver) and notificationLevel (Critical, All).
Enforce PIM-only mode with exclusions
Teams enforcing just-in-time access can require all role assignments to go through PIM, while excluding specific users, groups, or service principals.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const roleManagementPolicy = new azure_native.authorization.RoleManagementPolicy("roleManagementPolicy", {
roleManagementPolicyName: "570c3619-7688-4b34-b290-2b8bb3ccab2a",
rules: [{
id: "PIMOnlyMode_Admin_Assignment",
pimOnlyModeSettings: {
excludedAssignmentTypes: [azure_native.authorization.ExcludedPrincipalTypes.ServicePrincipalsAsTarget],
excludes: [
{
id: "ec42a424-a0c0-4418-8788-d19bdeb03704",
type: azure_native.authorization.UserType.User,
},
{
id: "00029dfb-0218-4e7a-9a85-c15dc0c880bc",
type: azure_native.authorization.UserType.Group,
},
{
id: "0000103d-1fc2-4ac8-81de-71517765655c",
type: azure_native.authorization.UserType.ServicePrincipal,
},
],
mode: azure_native.authorization.PIMOnlyMode.Enabled,
},
ruleType: "RoleManagementPolicyPimOnlyModeRule",
target: {
caller: "Admin",
enforcedSettings: ["all"],
inheritableSettings: ["all"],
level: "Assignment",
operations: ["all"],
targetObjects: [],
},
}],
scope: "providers/Microsoft.Subscription/subscriptions/129ff972-28f8-46b8-a726-e497be039368",
});
import pulumi
import pulumi_azure_native as azure_native
role_management_policy = azure_native.authorization.RoleManagementPolicy("roleManagementPolicy",
role_management_policy_name="570c3619-7688-4b34-b290-2b8bb3ccab2a",
rules=[{
"id": "PIMOnlyMode_Admin_Assignment",
"pim_only_mode_settings": {
"excluded_assignment_types": [azure_native.authorization.ExcludedPrincipalTypes.SERVICE_PRINCIPALS_AS_TARGET],
"excludes": [
{
"id": "ec42a424-a0c0-4418-8788-d19bdeb03704",
"type": azure_native.authorization.UserType.USER,
},
{
"id": "00029dfb-0218-4e7a-9a85-c15dc0c880bc",
"type": azure_native.authorization.UserType.GROUP,
},
{
"id": "0000103d-1fc2-4ac8-81de-71517765655c",
"type": azure_native.authorization.UserType.SERVICE_PRINCIPAL,
},
],
"mode": azure_native.authorization.PIMOnlyMode.ENABLED,
},
"rule_type": "RoleManagementPolicyPimOnlyModeRule",
"target": {
"caller": "Admin",
"enforced_settings": ["all"],
"inheritable_settings": ["all"],
"level": "Assignment",
"operations": ["all"],
"target_objects": [],
},
}],
scope="providers/Microsoft.Subscription/subscriptions/129ff972-28f8-46b8-a726-e497be039368")
package main
import (
authorization "github.com/pulumi/pulumi-azure-native-sdk/authorization/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := authorization.NewRoleManagementPolicy(ctx, "roleManagementPolicy", &authorization.RoleManagementPolicyArgs{
RoleManagementPolicyName: pulumi.String("570c3619-7688-4b34-b290-2b8bb3ccab2a"),
Rules: pulumi.Array{
authorization.RoleManagementPolicyPimOnlyModeRule{
Id: "PIMOnlyMode_Admin_Assignment",
PimOnlyModeSettings: authorization.PIMOnlyModeSettings{
ExcludedAssignmentTypes: []authorization.ExcludedPrincipalTypes{
authorization.ExcludedPrincipalTypesServicePrincipalsAsTarget,
},
Excludes: []authorization.UsersOrServicePrincipalSet{
{
Id: "ec42a424-a0c0-4418-8788-d19bdeb03704",
Type: authorization.UserTypeUser,
},
{
Id: "00029dfb-0218-4e7a-9a85-c15dc0c880bc",
Type: authorization.UserTypeGroup,
},
{
Id: "0000103d-1fc2-4ac8-81de-71517765655c",
Type: authorization.UserTypeServicePrincipal,
},
},
Mode: authorization.PIMOnlyModeEnabled,
},
RuleType: "RoleManagementPolicyPimOnlyModeRule",
Target: authorization.RoleManagementPolicyRuleTarget{
Caller: "Admin",
EnforcedSettings: []string{
"all",
},
InheritableSettings: []string{
"all",
},
Level: "Assignment",
Operations: []string{
"all",
},
TargetObjects: []interface{}{},
},
},
},
Scope: pulumi.String("providers/Microsoft.Subscription/subscriptions/129ff972-28f8-46b8-a726-e497be039368"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var roleManagementPolicy = new AzureNative.Authorization.RoleManagementPolicy("roleManagementPolicy", new()
{
RoleManagementPolicyName = "570c3619-7688-4b34-b290-2b8bb3ccab2a",
Rules = new[]
{
new AzureNative.Authorization.Inputs.RoleManagementPolicyPimOnlyModeRuleArgs
{
Id = "PIMOnlyMode_Admin_Assignment",
PimOnlyModeSettings = new AzureNative.Authorization.Inputs.PIMOnlyModeSettingsArgs
{
ExcludedAssignmentTypes = new[]
{
AzureNative.Authorization.ExcludedPrincipalTypes.ServicePrincipalsAsTarget,
},
Excludes = new[]
{
new AzureNative.Authorization.Inputs.UsersOrServicePrincipalSetArgs
{
Id = "ec42a424-a0c0-4418-8788-d19bdeb03704",
Type = AzureNative.Authorization.UserType.User,
},
new AzureNative.Authorization.Inputs.UsersOrServicePrincipalSetArgs
{
Id = "00029dfb-0218-4e7a-9a85-c15dc0c880bc",
Type = AzureNative.Authorization.UserType.Group,
},
new AzureNative.Authorization.Inputs.UsersOrServicePrincipalSetArgs
{
Id = "0000103d-1fc2-4ac8-81de-71517765655c",
Type = AzureNative.Authorization.UserType.ServicePrincipal,
},
},
Mode = AzureNative.Authorization.PIMOnlyMode.Enabled,
},
RuleType = "RoleManagementPolicyPimOnlyModeRule",
Target = new AzureNative.Authorization.Inputs.RoleManagementPolicyRuleTargetArgs
{
Caller = "Admin",
EnforcedSettings = new[]
{
"all",
},
InheritableSettings = new[]
{
"all",
},
Level = "Assignment",
Operations = new[]
{
"all",
},
TargetObjects = new() { },
},
},
},
Scope = "providers/Microsoft.Subscription/subscriptions/129ff972-28f8-46b8-a726-e497be039368",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.authorization.RoleManagementPolicy;
import com.pulumi.azurenative.authorization.RoleManagementPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var roleManagementPolicy = new RoleManagementPolicy("roleManagementPolicy", RoleManagementPolicyArgs.builder()
.roleManagementPolicyName("570c3619-7688-4b34-b290-2b8bb3ccab2a")
.rules(RoleManagementPolicyPimOnlyModeRuleArgs.builder()
.id("PIMOnlyMode_Admin_Assignment")
.pimOnlyModeSettings(PIMOnlyModeSettingsArgs.builder()
.excludedAssignmentTypes("ServicePrincipalsAsTarget")
.excludes(
UsersOrServicePrincipalSetArgs.builder()
.id("ec42a424-a0c0-4418-8788-d19bdeb03704")
.type("User")
.build(),
UsersOrServicePrincipalSetArgs.builder()
.id("00029dfb-0218-4e7a-9a85-c15dc0c880bc")
.type("Group")
.build(),
UsersOrServicePrincipalSetArgs.builder()
.id("0000103d-1fc2-4ac8-81de-71517765655c")
.type("ServicePrincipal")
.build())
.mode("Enabled")
.build())
.ruleType("RoleManagementPolicyPimOnlyModeRule")
.target(RoleManagementPolicyRuleTargetArgs.builder()
.caller("Admin")
.enforcedSettings("all")
.inheritableSettings("all")
.level("Assignment")
.operations("all")
.targetObjects()
.build())
.build())
.scope("providers/Microsoft.Subscription/subscriptions/129ff972-28f8-46b8-a726-e497be039368")
.build());
}
}
resources:
roleManagementPolicy:
type: azure-native:authorization:RoleManagementPolicy
properties:
roleManagementPolicyName: 570c3619-7688-4b34-b290-2b8bb3ccab2a
rules:
- id: PIMOnlyMode_Admin_Assignment
pimOnlyModeSettings:
excludedAssignmentTypes:
- ServicePrincipalsAsTarget
excludes:
- id: ec42a424-a0c0-4418-8788-d19bdeb03704
type: User
- id: 00029dfb-0218-4e7a-9a85-c15dc0c880bc
type: Group
- id: 0000103d-1fc2-4ac8-81de-71517765655c
type: ServicePrincipal
mode: Enabled
ruleType: RoleManagementPolicyPimOnlyModeRule
target:
caller: Admin
enforcedSettings:
- all
inheritableSettings:
- all
level: Assignment
operations:
- all
targetObjects: []
scope: providers/Microsoft.Subscription/subscriptions/129ff972-28f8-46b8-a726-e497be039368
The RoleManagementPolicyPimOnlyModeRule enforces that all role assignments must be requested through PIM rather than assigned directly. The pimOnlyModeSettings property controls this behavior: mode set to “Enabled” activates the requirement, excludes lists specific user, group, or service principal IDs that bypass the rule, and excludedAssignmentTypes can exempt entire categories like service principals. The target property’s enforcedSettings and inheritableSettings arrays determine whether child scopes inherit these restrictions.
Beyond these examples
These snippets focus on specific policy-level features: expiration rules and time limits, notification routing by recipient type, and PIM-only mode enforcement. They’re intentionally minimal rather than complete governance frameworks.
The examples reference pre-existing infrastructure such as Azure subscription or management group scopes, existing role management policies identified by GUID, and user, group, and service principal IDs for exclusions. They focus on configuring the policy rather than provisioning the surrounding identity infrastructure.
To keep things focused, common policy patterns are omitted, including:
- Approval workflows and multi-stage approvals
- Enablement rules (MFA, justification, ticketing)
- Authentication context requirements
- Assignment-level expiration and enablement
These omissions are intentional: the goal is to illustrate how each policy rule is wired, not provide drop-in governance modules. See the RoleManagementPolicy resource reference for all available configuration options.
Let's configure Azure Role Management Policies
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Policy Structure & Basics
Can I change the policy name after creation?
No, the
roleManagementPolicyName is immutable. Plan your policy name (GUID) carefully before creation, as changing it requires recreating the resource.What rule types are available for role management policies?
Six rule types are available:
- RoleManagementPolicyExpirationRule - Controls duration limits for assignments/eligibility
- RoleManagementPolicyNotificationRule - Configures email notifications
- RoleManagementPolicyEnablementRule - Requires MFA, justification, or ticketing
- RoleManagementPolicyApprovalRule - Sets up approval workflows
- RoleManagementPolicyAuthenticationContextRule - Enforces authentication context
- RoleManagementPolicyPimOnlyModeRule - Enforces PIM-only mode
How do I specify where a role management policy applies?
Use the
scope property with a resource path like providers/Microsoft.Subscription/subscriptions/{subscriptionId} for subscription-level policies.Rule Configuration & Targeting
What's the difference between Eligibility and Assignment levels?
Eligibility means users are eligible to activate the role (requires activation), while Assignment means the role is actively assigned without requiring activation. Configure this using the
target.level property.How do I target rules to different user types?
Use the
target.caller property: set to Admin for administrators managing assignments, or EndUser for end users requesting role activation.How do I format duration values for expiration rules?
Use ISO 8601 duration format in the
maximumDuration property: P180D for 180 days, P90D for 90 days, PT7H for 7 hours.What enablement rules can I require for role activation?
Configure the
enabledRules property with Justification (require reason), MultiFactorAuthentication (require MFA), or Ticketing (require ticket number).Notifications & Approvals
How do I configure notifications for role assignments?
Use
RoleManagementPolicyNotificationRule with recipientType (Admin, Requestor, or Approver), notificationLevel (Critical), and either isDefaultRecipientsEnabled: true or custom notificationRecipients email addresses.How do I set up approval workflows for role requests?
Configure
RoleManagementPolicyApprovalRule with approvalMode: SingleStage, define approvalStages with primaryApprovers (users or groups by ID), and set approvalStageTimeOutInDays for timeout limits.PIM-Only Mode
What is PIM-only mode and how do I enable it?
PIM-only mode enforces that all role assignments go through Privileged Identity Management. Enable it using
RoleManagementPolicyPimOnlyModeRule with pimOnlyModeSettings.mode: Enabled. You can exclude specific users, groups, or service principals using the excludes array, or exclude assignment types like ServicePrincipalsAsTarget.