tessl/pypi-azure-mgmt-authorization

Microsoft Azure Authorization Management Client Library for Python providing RBAC, PIM, and access control capabilities

Workspace: tessl
Visibility: Public
Describes: pkg:pypi/azure-mgmt-authorization@4.0.x

To install, run

npx @tessl/cli install tessl/pypi-azure-mgmt-authorization@4.0.0

Azure Authorization Management

A comprehensive Python SDK for Azure Role-Based Access Control (RBAC) and authorization management. This library enables developers to manage role assignments, role definitions, deny assignments, Privileged Identity Management (PIM), access reviews, and security alerts across Azure resources. It supports multiple API versions and provides both synchronous and asynchronous operations.

Package Information

  • Package Name: azure-mgmt-authorization
  • Package Type: pip
  • Language: Python
  • Installation: pip install azure-mgmt-authorization

Core Imports

from azure.mgmt.authorization import AuthorizationManagementClient

For specific API versions:

from azure.mgmt.authorization.v2022_04_01 import AuthorizationManagementClient

Basic Usage

from azure.mgmt.authorization import AuthorizationManagementClient
from azure.identity import DefaultAzureCredential

# Initialize client with default credentials
credential = DefaultAzureCredential()
client = AuthorizationManagementClient(
    credential=credential,
    subscription_id="your-subscription-id"
)

# List role assignments for subscription
role_assignments = client.role_assignments.list_for_subscription()
for assignment in role_assignments:
    print(f"Principal: {assignment.principal_id}")
    print(f"Role: {assignment.role_definition_id}")
    print(f"Scope: {assignment.scope}")

# Get a specific role definition
role_def = client.role_definitions.get(
    scope="/subscriptions/your-subscription-id",
    role_definition_id="role-definition-id"
)
print(f"Role Name: {role_def.role_name}")
print(f"Description: {role_def.description}")

Architecture

The Azure Authorization Management SDK follows Azure's ARM (Azure Resource Manager) design patterns:

  • Multi-API Client: Supports 17 API versions with intelligent version selection
  • Operation Groups: Functionality organized into 40+ operation groups for different authorization areas
  • ARM Pipeline: Built on Azure's ARM pipeline for consistent authentication, retry policies, and error handling
  • Model Hierarchy: Comprehensive data models with full type definitions and serialization support
  • Async Support: Complete async/await support via aio submodules

The SDK provides three main authorization management areas:

  • Core RBAC: Role assignments, definitions, permissions, and deny assignments
  • Privileged Identity Management (PIM): Time-bound access, approval workflows, and eligibility management
  • Compliance & Reviews: Access reviews, alerts, and audit capabilities

Capabilities

Core RBAC Operations

Essential role-based access control functionality including role assignments, role definitions, permissions management, and deny assignments. These operations form the foundation of Azure authorization management.

# Role Assignments
client.role_assignments.create(scope, role_assignment_name, parameters)
client.role_assignments.delete(scope, role_assignment_name)
client.role_assignments.get(scope, role_assignment_name)
client.role_assignments.list_for_scope(scope)

# Role Definitions
client.role_definitions.create_or_update(scope, role_definition_id, parameters)
client.role_definitions.delete(scope, role_definition_id)
client.role_definitions.get(scope, role_definition_id)
client.role_definitions.list(scope)
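A defender-side audit built on the listing calls above, added here as an example and not code from the tile or the SDK: it joins RoleAssignment objects to RoleDefinition objects (attribute names as in the Types section below), flags privileged roles held by service principals or granted at subscription or management-group scope, and surfaces assignments whose role definition cannot be resolved. The review list, the object shapes, the GUIDs and the `audit_live` wiring are assumptions; the sample data is constructed.

```python
import re
from collections import namedtuple
from types import SimpleNamespace
from typing import Iterable, List

# Built-in roles that control access itself; the review list is an assumption of this example.
PRIVILEGED_ROLE_NAMES = {"Owner", "User Access Administrator"}
_BROAD = re.compile(r"^(/subscriptions/[^/]+|/providers/Microsoft\.Management/managementGroups/[^/]+)$", re.I)
Finding = namedtuple("Finding", "principal_id principal_type role_name scope reason")

def role_guid(role_definition_id: str) -> str:
    """Last segment of a role definition ARM id: the GUID that RoleDefinition.name carries."""
    return role_definition_id.rstrip("/").rsplit("/", 1)[-1].lower()

def is_broad_scope(scope: str) -> bool:
    """Subscription or management-group scope, where the role is inherited by every child resource."""
    return _BROAD.match(scope) is not None

def audit_assignments(assignments: Iterable, definitions: Iterable) -> List[Finding]:
    """Join RoleAssignment objects to RoleDefinition objects (attributes as in Types) and flag risky ones."""
    names = {d.name.lower(): d.role_name for d in definitions}
    findings = []
    for a in assignments:
        role = names.get(role_guid(a.role_definition_id))
        if role is None:  # custom role deleted, or definition not visible at this scope
            findings.append(Finding(a.principal_id, a.principal_type, a.role_definition_id, a.scope, "role definition not found"))
        elif role in PRIVILEGED_ROLE_NAMES and a.principal_type == "ServicePrincipal":
            findings.append(Finding(a.principal_id, a.principal_type, role, a.scope, "privileged role held by a service principal"))
        elif role in PRIVILEGED_ROLE_NAMES and is_broad_scope(a.scope):
            findings.append(Finding(a.principal_id, a.principal_type, role, a.scope, "privileged role at broad scope"))
    return findings

def audit_live(client, subscription_id: str) -> List[Finding]:
    """Same audit fed from a live AuthorizationManagementClient (assumed wiring, not run offline)."""
    scope = f"/subscriptions/{subscription_id}"
    return audit_assignments(client.role_assignments.list_for_scope(scope), client.role_definitions.list(scope))

# Constructed sample objects standing in for SDK models; every GUID below is a placeholder.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
OWNER, READER, GONE = "aaaa0000-0000-0000-0000-000000000001", "aaaa0000-0000-0000-0000-000000000002", "aaaa0000-0000-0000-0000-000000000009"
def _assignment(principal_id, principal_type, scope, guid):
    return SimpleNamespace(principal_id=principal_id, principal_type=principal_type, scope=scope,
                           role_definition_id=f"{SUB}/providers/Microsoft.Authorization/roleDefinitions/{guid}")
SAMPLE_DEFINITIONS = [SimpleNamespace(name=OWNER, role_name="Owner"), SimpleNamespace(name=READER, role_name="Reader")]
SAMPLE_ASSIGNMENTS = [
    _assignment("sp-1", "ServicePrincipal", f"{SUB}/resourceGroups/rg-app", OWNER),  # flagged: SP holding Owner
    _assignment("user-1", "User", SUB, OWNER.upper()),                                # flagged: Owner on the whole subscription
    _assignment("user-2", "User", f"{SUB}/resourceGroups/rg-app", READER),            # fine
    _assignment("grp-1", "Group", SUB, GONE),                                         # flagged: unresolvable role
]
```

Because the join is keyed on the GUID rather than the full ARM id, the same code works whether the definitions were listed at subscription scope or come from a built-in role's provider-level id.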

Privileged Identity Management

Advanced access control with time-bound assignments, approval workflows, eligibility management, and policy enforcement. PIM enables just-in-time access and comprehensive access governance with scope-specific approval operations.

# Role Assignment Scheduling
client.role_assignment_schedule_requests.create(scope, role_assignment_schedule_request_name, parameters)
client.role_assignment_schedules.list_for_scope(scope)

# Role Eligibility Management
client.role_eligibility_schedule_requests.create(scope, role_eligibility_schedule_request_name, parameters)
client.role_eligibility_schedules.list_for_scope(scope)

# Policy Management
client.role_management_policies.update(scope, role_management_policy_name, parameters)
client.role_management_policy_assignments.create(scope, role_management_policy_assignment_name, parameters)

# Scope-specific Approval Operations
client.scope_role_assignment_approval.get_scope_approval(scope, role_assignment_schedule_request_name)
client.scope_role_assignment_approval_step.patch_scope_approval_step(scope, role_assignment_schedule_request_name, step_id, properties)
client.scope_role_assignment_approval_steps.list_scope_approval_steps(scope, role_assignment_schedule_request_name, filter)
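A time-bound request builder for the scheduling calls above, added as an example and not code from the tile or the SDK: it enforces a justification and a lifetime ceiling before constructing the RoleAssignmentScheduleRequest body, using the `AfterDuration` expiration type and the RequestType values listed under Constants. The 8-hour ceiling, the dict-shaped body being accepted as `parameters`, and the `submit_request` wiring are assumptions.

```python
import uuid
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional

MAX_ASSIGNMENT_HOURS = 8  # governance ceiling assumed for this example, not an SDK constant

def iso_duration(hours: int) -> str:
    """Whole hours as an ISO 8601 duration, the format scheduleInfo.expiration.duration uses (e.g. PT8H)."""
    return f"PT{hours}H"

def policy_violations(justification: str, hours: int) -> List[str]:
    """Governance rules checked before a request is built; an empty list means the request is acceptable."""
    problems = []
    if not justification or not justification.strip():
        problems.append("missing justification")
    if hours <= 0:
        problems.append("duration must be positive")
    elif hours > MAX_ASSIGNMENT_HOURS:
        problems.append(f"duration {hours}h exceeds the {MAX_ASSIGNMENT_HOURS}h ceiling")
    return problems

def bounded_request(principal_id: str, role_definition_id: str, justification: str, hours: int,
                    request_type: str = "AdminAssign", start: Optional[datetime] = None) -> Dict[str, Any]:
    """Build a RoleAssignmentScheduleRequest body that expires after a fixed duration.

    request_type is one of the RequestType values listed under Constants; the dict mirrors the
    ARM request body (assumed here to be accepted as the SDK's parameters argument).
    """
    problems = policy_violations(justification, hours)
    if problems:
        raise ValueError("; ".join(problems))
    start = start or datetime.now(timezone.utc)
    return {
        "properties": {
            "principalId": principal_id,
            "roleDefinitionId": role_definition_id,
            "requestType": request_type,
            "justification": justification,
            "scheduleInfo": {
                "startDateTime": start.isoformat(),
                "expiration": {"type": "AfterDuration", "duration": iso_duration(hours)},
            },
        }
    }

def submit_request(client, scope: str, body: Dict[str, Any]):
    """Submit through the SDK with a fresh request name (assumed wiring; not run offline)."""
    return client.role_assignment_schedule_requests.create(scope, str(uuid.uuid4()), body)
```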

Access Reviews

Systematic access certification and compliance management with configurable review cycles, approval workflows, and automated remediation. Supports both scheduled and on-demand access reviews with comprehensive scope-specific and tenant-level operations.

# Review Definitions
client.access_review_schedule_definitions.create_or_update_by_id(schedule_definition_id, properties)
client.access_review_schedule_definitions.list()

# Review Instances
client.access_review_instances.create(schedule_definition_id, id, properties)
client.access_review_instances.list(schedule_definition_id)

# Review Decisions
client.access_review_instance_decisions.list(schedule_definition_id, id)
client.access_review_instance_decisions.patch(schedule_definition_id, id, decision_id, properties)

# Scope-specific Operations
client.scope_access_review_schedule_definitions.create_scope_schedule_definition(scope, schedule_definition_id, properties)
client.scope_access_review_instances.list_scope_instances(scope, filter)
client.scope_access_review_instance_decisions.list_scope_instance_decisions(scope, schedule_definition_id, id, filter)

# History Export and Compliance
client.access_review_history_definitions.create(history_definition_id, properties)
client.access_review_history_definition_instances.list(definition_id)
client.scope_access_review_history_definitions.create_scope_history_definition(scope, history_definition_id, properties)

Security Alerts

Real-time security monitoring and alerting for privileged access with configurable alert definitions, incident management, and automated remediation capabilities.

# Alert Management
client.alerts.list_for_scope(scope)
client.alerts.get(scope, alert_id)
client.alerts.update(scope, alert_id, parameters)

# Alert Configuration
client.alert_configurations.list_for_scope(scope)
client.alert_configurations.update(scope, alert_id, parameters)

# Incident Management
client.alert_incidents.list_for_scope(scope)
client.alert_incidents.remediate(scope, alert_id, alert_incident_id)

Authentication and Client Configuration

Azure authentication patterns, client initialization options, and configuration settings (API version, base URL, and profile) for using the SDK across different Azure environments.

from typing import Optional

from azure.core.credentials import TokenCredential
from azure.profiles import KnownProfiles

class AuthorizationManagementClient:
    def __init__(
        self,
        credential: TokenCredential,
        subscription_id: str,
        api_version: Optional[str] = None,
        base_url: str = "https://management.azure.com",
        profile: KnownProfiles = KnownProfiles.default,
        **kwargs
    ): ...

Legacy Administration

Classic subscription administrators and global administrator operations for managing legacy Azure administration scenarios and elevated access.

# Classic Administrators
client.classic_administrators.list()

# Global Administrator Access
client.global_administrator.elevate_access()

Metrics and Monitoring

Role assignment metrics and operational monitoring capabilities for analyzing authorization usage patterns and performance.

# Role Assignment Metrics
client.role_assignment_metrics.get_metrics_for_subscription()

# Operation Monitoring
client.operations.list()

Types

Core RBAC Types

from datetime import datetime
from typing import List, Optional

class RoleAssignment:
    id: Optional[str]
    name: Optional[str]
    type: Optional[str]
    scope: Optional[str]
    role_definition_id: Optional[str]
    principal_id: Optional[str]
    principal_type: Optional[str]
    description: Optional[str]

class RoleDefinition:
    id: Optional[str]
    name: Optional[str]
    type: Optional[str]
    role_name: Optional[str]
    description: Optional[str]
    role_type: Optional[str]
    permissions: Optional[List[Permission]]
    assignable_scopes: Optional[List[str]]

class Permission:
    actions: Optional[List[str]]
    not_actions: Optional[List[str]]
    data_actions: Optional[List[str]]
    not_data_actions: Optional[List[str]]

class DenyAssignment:
    id: Optional[str]
    name: Optional[str]
    type: Optional[str]
    deny_assignment_name: Optional[str]
    description: Optional[str]
    permissions: Optional[List[DenyAssignmentPermission]]
    scope: Optional[str]
    principals: Optional[List[Principal]]
    exclude_principals: Optional[List[Principal]]

PIM Types

class RoleAssignmentScheduleRequest:
    id: Optional[str]
    name: Optional[str]
    type: Optional[str]
    request_type: Optional[str]
    principal_id: Optional[str]
    role_definition_id: Optional[str]
    scope: Optional[str]
    justification: Optional[str]
    schedule_info: Optional[RoleAssignmentScheduleRequestPropertiesScheduleInfo]
    
class RoleEligibilityScheduleRequest:
    id: Optional[str]
    name: Optional[str]
    type: Optional[str]
    request_type: Optional[str]
    principal_id: Optional[str]
    role_definition_id: Optional[str]
    scope: Optional[str]
    justification: Optional[str]
    schedule_info: Optional[RoleEligibilityScheduleRequestPropertiesScheduleInfo]

class RoleManagementPolicy:
    id: Optional[str]
    name: Optional[str]
    type: Optional[str]
    scope: Optional[str]
    display_name: Optional[str]
    description: Optional[str]
    rules: Optional[List[RoleManagementPolicyRule]]

Access Review Types

class AccessReviewScheduleDefinition:
    id: Optional[str]
    name: Optional[str]
    type: Optional[str]
    display_name: Optional[str]
    description: Optional[str]
    settings: Optional[AccessReviewScheduleSettings]
    reviewers: Optional[List[AccessReviewReviewer]]
    instances: Optional[List[AccessReviewInstance]]

class AccessReviewInstance:
    id: Optional[str]
    name: Optional[str]
    type: Optional[str]
    status: Optional[str]
    start_date_time: Optional[datetime]
    end_date_time: Optional[datetime]
    reviewers: Optional[List[AccessReviewReviewer]]

class AccessReviewDecision:
    id: Optional[str]
    name: Optional[str]
    type: Optional[str]
    decision: Optional[str]
    justification: Optional[str]
    reviewed_date_time: Optional[datetime]
    principal: Optional[AccessReviewDecisionPrincipal]

Alert Types

class Alert:
    id: Optional[str]
    name: Optional[str]
    type: Optional[str]
    alert_definition_id: Optional[str]
    scope: Optional[str]
    alert_incidents: Optional[List[AlertIncident]]
    last_scanned_date_time: Optional[datetime]

class AlertConfiguration:
    id: Optional[str]
    name: Optional[str]
    type: Optional[str]
    alert_definition: Optional[AlertDefinition]
    scope: Optional[str]
    is_enabled: Optional[bool]

class AlertIncident:
    id: Optional[str]
    name: Optional[str]
    type: Optional[str]
    alert_incident_id: Optional[str]
    alert_id: Optional[str]
    state: Optional[str]
    reason: Optional[str]

Constants and Enumerations

class PrincipalType:
    USER = "User"
    GROUP = "Group"
    SERVICE_PRINCIPAL = "ServicePrincipal"
    FOREIGN_GROUP = "ForeignGroup"
    DEVICE = "Device"

class RequestType:
    ADMIN_ASSIGN = "AdminAssign"
    ADMIN_REMOVE = "AdminRemove"
    ADMIN_UPDATE = "AdminUpdate"
    ADMIN_EXTEND = "AdminExtend"
    ADMIN_RENEW = "AdminRenew"
    SELF_ACTIVATE = "SelfActivate"
    SELF_DEACTIVATE = "SelfDeactivate"
    SELF_EXTEND = "SelfExtend"
    SELF_RENEW = "SelfRenew"

class AccessReviewResult:
    APPROVE = "Approve"
    DENY = "Deny"
    NOT_REVIEWED = "NotReviewed"
    DONT_KNOW = "DontKnow"
    
class AlertSeverity:
    HIGH = "High"
    MEDIUM = "Medium"
    LOW = "Low"