Azure PIM role eligibility schedule request
A role eligibility schedule request is the PIM object used to create or query eligibility for a principal to activate a privileged RBAC role at a scope. Writing it makes a principal eligible to elevate into a role.
Eligibility is one activation step away from active privileged access, so these objects govern privilege-escalation pathways into the subscription/tenant.
Microsoft.Authorization/roleEligibilityScheduleRequests/write
Creating this request makes a controlled principal eligible to activate a privileged role via PIM, establishing a durable privilege-escalation and persistence pathway.
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or, if exploited, lead to significant privilege escalation.
Contributed by P0 Security