Sheriff

Automate Microsoft Entra PIM to secure your enterprise

Sheriff enables you to automate the configuration and operation of Microsoft Entra Privileged Identity Management (PIM) across your enterprise, secure by default thanks to some clever features Sheriff adds.

Benefits

Single source of truth

Maintain a single source of truth for access config across your entire Azure estate.

Detect and correct misconfigurations

Stateless operation means Sheriff will detect and correct misconfigurations automatically.

Operate secure by default

Clever features in Sheriff, like role management policy inheritance and defaults, enable you to operate secure by default.

Reduce operating costs

Operate at reduced cost by using Sheriff to automate time-intensive manual management.

Automated

Sheriff is made to run in CI

Sheriff is primarily a command-line (CLI) tool, made to run on any modern CI system, including Azure DevOps, Jenkins, GitHub Actions, GitLab CI/CD, Bamboo, CircleCI, Travis CI, TeamCity and Octopus Deploy. If you're using Sheriff on Azure DevOps, the Sheriff extension makes it even easier. Of course, you can run it locally, too, which is handy for using import or plan.

Sheriff

Features

Active and eligible assignments

Manage active and eligible role assignments for users and groups, including start and end dates, at any scope.

Role management policies

Manage role management policies to require approval to activate privileged roles, enforce multifactor authentication and more.

Policy inheritance and defaults

Overcome limitations in Microsoft Entra PIM with Sheriff’s role management policy inheritance and defaults.

Import existing config

Import your existing config to immediately establish a single source of truth.

Accredited

Sheriff has been created by Microsoft Azure experts

We are a platform engineering company. Our directors have been building in Microsoft Azure since 2012. We're also a Microsoft Solutions Partner. Sheriff was born from the work we do with our customers to enable them to operate predictably and innovate safely.

Sheriff manages

Azure resource roles

Sheriff manages active and eligible role assignments for built-in Azure resource roles like Reader, Contributor and Owner.

And it’ll manage custom roles, too. You can have up to 5,000 of those per tenant.

Use Sheriff to manage assignments and role management policies for users and groups at subscription, resource group and resource scopes.

See Assign Azure resource roles in Privileged Identity Management for more information.

Code example
# config/groups/CSG-RBAC-Engineers.yml
---
subscription:
  active:
    - roleName: Reader
  eligible:
    - roleName: Contributor
    
resourceGroups:
  storageaccount-rg:
    eligible:
      - roleName: Storage Blob Data Reader
        endDateTime: 2024-11-30T18:00:00

Trusted

FTSE 100 companies use Sheriff

M&G use Sheriff to configure and operate Microsoft Entra PIM for Azure resource roles, Microsoft Entra roles and Groups across multiple business units. It allows them to use Git as their single source of truth for access configuration across Azure and beyond, combining the benefits of an as-code approach with a single unified configuration model that's easy to understand and maintain.

Sheriff manages

Microsoft Entra roles

Sheriff manages active and eligible role assignments for built-in Microsoft Entra roles like Application Developer, Security Operator and Global Administrator.

And it’ll manage custom roles, too. Note that Microsoft Entra ID allows far fewer custom directory roles per tenant than Azure allows custom resource roles (a maximum of 30 at the time of writing).

Use Sheriff to manage assignments and role management policies for users and groups at directory, administrative unit, application and service principal scopes.

See Assign Microsoft Entra roles in Privileged Identity Management for more information.

Code example
# config/users/sally@frontierhq.com
---
directory:
  eligible:
    - roleName: Global Administrator
    
applications:
  14739921-46fd-4faf-9d77-caaaf19fbda8: # SonarQube
    active:
      - roleName: Application Developer
    eligible:
      - roleName: Application Administrator
      
administrativeUnits:
  2a3c3347-e294-4350-aec5-6cab3323599c: # Engineering
    eligible:
      - roleName: Helpdesk Administrator

Cross-platform

Run Sheriff on any platform

Sheriff runs on Windows, Linux and MacOS. If you're using Sheriff on Azure DevOps, the Sheriff extension makes it even easier to install and run Sheriff.

Sheriff manages

Groups (PIM-enabled)

Sheriff manages active and eligible role assignments for PIM-managed group roles like Member and Owner.

Use Sheriff to manage assignments and role management policies for users and groups for PIM-enabled groups.

See Assign eligibility for a group in Privileged Identity Management for more information.

Code example
# config/groups/CSG-RBAC-SRE.yml
---
managedGroups:
  CSG-App-OpenShiftUser:
    active:
      - roleName: Member
      
  CSG-App-OpenShiftClusterAdmin:
    eligible:
      - roleName: Member
      
  CSG-App-SonarQubeAdmin:
    eligible:
      - roleName: Member
      - roleName: Owner

Sheriff manages

Role management policies

Sheriff manages activation, assignment and notification role management policy rules for complete governance coverage.

These rules cover things like whether multi-factor authentication (MFA) is required to activate an eligible role or group membership; who receives alerts when a role is activated; or whether you can create permanent role assignments, group ownership, or group memberships.

Sheriff extends the out-of-the-box PIM role management policy features with policy inheritance and defaults, making PIM safer and easier to operate at scale. These let you define global or role-specific defaults and override them only where a particular scope needs something different, reducing the management overhead of PIM and establishing a secure-by-default operating model.

Use Sheriff to manage role management policy rules for Azure resource roles, Microsoft Entra roles and Groups (PIM-enabled).

See Start using Privileged Identity Management for more information.

Code example
# config/policies/Contributor.yml
---
default:
  - rulesetName: StandardRules
resourceGroups:
  storageaccount-rg:
    - rulesetName: RelaxedRules

# config/policies/rulesets/StandardRules.yml
---
rules:
  - id: Expiration_EndUser_Assignment
    patch:
      maximumDuration: PT1H
  - id: Enablement_EndUser_Assignment
    patch:
      enabledRules:
        - Justification
        - MultiFactorAuthentication
        - Ticketing

# config/policies/rulesets/RelaxedRules.yml
---
rules:
  - id: Expiration_EndUser_Assignment
    patch:
      maximumDuration: PT4H
  - id: Enablement_EndUser_Assignment
    patch:
      enabledRules:
        - MultiFactorAuthentication
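The example below is added here to show how the defaults-plus-overrides model in the three policy files above resolves to an effective rule set per scope, and what a practitioner would want to check before applying it. It is not Sheriff's own code and the page does not describe Sheriff's internal merge algorithm; the "patch on top of defaults" semantics, the constructed `UnsafeRules` ruleset and `sandbox-rg` override, the `guardrails` lint and the `PT8H` ceiling are all assumptions made for illustration. The Graph `@odata.type` values and the `PATCH /policies/roleManagementPolicies/{policyId}/rules/{ruleId}` endpoint are the real Microsoft Graph shapes for these two rule IDs.

```python
"""Added example (not Sheriff's code): resolve role management policy
defaults and per-scope overrides, then lint the result.

The on-disk shape mirrors Contributor.yml, StandardRules.yml and
RelaxedRules.yml from the page, expressed as dicts so no YAML library
is needed. UnsafeRules and sandbox-rg are constructed to show the lint.
"""
import re

RULESETS = {
    "StandardRules": [
        {"id": "Expiration_EndUser_Assignment", "patch": {"maximumDuration": "PT1H"}},
        {"id": "Enablement_EndUser_Assignment",
         "patch": {"enabledRules": ["Justification", "MultiFactorAuthentication", "Ticketing"]}},
    ],
    "RelaxedRules": [
        {"id": "Expiration_EndUser_Assignment", "patch": {"maximumDuration": "PT4H"}},
        {"id": "Enablement_EndUser_Assignment", "patch": {"enabledRules": ["MultiFactorAuthentication"]}},
    ],
    "UnsafeRules": [  # constructed: an override a reviewer should reject
        {"id": "Expiration_EndUser_Assignment", "patch": {"maximumDuration": "PT12H"}},
        {"id": "Enablement_EndUser_Assignment", "patch": {"enabledRules": ["Justification"]}},
    ],
}

# config/policies/Contributor.yml from the page, plus a constructed sandbox-rg
CONTRIBUTOR_POLICY = {
    "default": [{"rulesetName": "StandardRules"}],
    "resourceGroups": {
        "storageaccount-rg": [{"rulesetName": "RelaxedRules"}],
        "sandbox-rg": [{"rulesetName": "UnsafeRules"}],
    },
}

# Microsoft Graph rule types for the two rule IDs used above
RULE_TYPES = {
    "Expiration_EndUser_Assignment": "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule",
    "Enablement_EndUser_Assignment": "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule",
}


def apply_rulesets(names, rulesets):
    """Merge rulesets in order; a later patch for the same rule id wins."""
    merged = {}
    for name in names:
        for rule in rulesets[name]:
            merged.setdefault(rule["id"], {}).update(rule["patch"])
    return merged


def resolve(policy, rulesets, resource_group=None):
    """Effective rules for a scope: defaults first, then the scope's overrides."""
    names = [r["rulesetName"] for r in policy.get("default", [])]
    if resource_group is not None:
        names += [r["rulesetName"] for r in policy.get("resourceGroups", {}).get(resource_group, [])]
    return apply_rulesets(names, rulesets)


def duration_minutes(iso):
    """Parse the PT#H#M subset of ISO 8601 durations used by PIM."""
    m = re.fullmatch(r"PT(?:(\d+)H)?(?:(\d+)M)?", iso)
    if not m:
        raise ValueError(f"unsupported duration {iso!r}")
    return int(m.group(1) or 0) * 60 + int(m.group(2) or 0)


def guardrails(resolved, max_activation="PT8H"):
    """Lint an effective policy: MFA must be required and activation bounded."""
    problems = []
    enabled = resolved.get("Enablement_EndUser_Assignment", {}).get("enabledRules", [])
    if "MultiFactorAuthentication" not in enabled:
        problems.append("activation does not require MFA")
    dur = resolved.get("Expiration_EndUser_Assignment", {}).get("maximumDuration")
    if dur is None or duration_minutes(dur) > duration_minutes(max_activation):
        problems.append(f"maximumDuration {dur} exceeds {max_activation}")
    return problems


def graph_patches(resolved):
    """Bodies for PATCH /policies/roleManagementPolicies/{policyId}/rules/{ruleId}."""
    return [{"@odata.type": RULE_TYPES[rid], "id": rid, **patch} for rid, patch in resolved.items()]


if __name__ == "__main__":
    for rg in (None, "storageaccount-rg", "sandbox-rg"):
        eff = resolve(CONTRIBUTOR_POLICY, RULESETS, rg)
        print(rg or "<default>", graph_patches(eff), guardrails(eff) or "OK")
```

Running `guardrails` in the same CI job that runs `plan` turns the "relaxed" override from a silent weakening into a reviewable failure; the ceiling you enforce should be whatever your own policy allows, not the value assumed here.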

Sheriff

FAQs

Where does Sheriff run?

Sheriff is primarily a command-line (CLI) tool that can be run on Windows, Linux and MacOS. It's been made to run on any modern CI system, including Azure DevOps, Jenkins, GitHub Actions, GitLab CI/CD, Bamboo, CircleCI, Travis CI, TeamCity and Octopus Deploy. If you're using Sheriff on Azure DevOps, the Sheriff extension makes it even easier. Of course, you can run it locally, too, which is handy for using import or plan.

How does Sheriff authenticate?

Sheriff uses the Azure Identity module for Go to authenticate to Azure and Microsoft Entra. Azure Identity allows for a number of different authentication mechanisms to be used, including environment variables, managed identity, workload identity and Azure CLI authentication.

See Azure Identity module for Go for more information.

What Microsoft licenses are required?

You need either Microsoft Entra ID Governance licenses or Microsoft Entra ID P2 licenses to use PIM - and therefore Sheriff - and all of its settings.

See Microsoft Entra ID Governance licensing fundamentals for more information.

What happens if someone changes PIM config outside of Sheriff?

Sheriff is stateless, which means it compares role assignments in Azure and Microsoft Entra with what's been defined in configuration every time it runs, without relying on a saved state file. Whenever it finds something that is either missing from or different to that configuration - known as configuration drift - it corrects it. Detecting and correcting misconfigurations like this is one of Sheriff's most valuable features.

Can I exclude certain users or groups from being managed by Sheriff?

Yes. Sheriff can exclude specific users or groups from management, which is useful when, for example, service accounts whose role assignments are managed elsewhere are present in the subscriptions and tenants where Sheriff runs.
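To make the two FAQ answers above concrete, here is an added example of a stateless reconcile of Azure resource role assignments against a Git-held config, with an exclusion list for principals managed elsewhere. It is illustrative code written for this page, not Sheriff's own implementation: the subscription ID, the "actual" snapshot, the `svc-backup` service account and the scope strings are constructed, end dates are omitted, and the config is the `CSG-RBAC-Engineers.yml` example from the page expressed as a dict.

```python
"""Added example (not Sheriff's code): stateless drift detection for PIM
role assignments, plus an exclusion list.

Desired state comes from config, actual state is whatever a fresh read
of Azure returns, and the plan is simply the two set differences. There
is no state file to get out of sync with reality.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Assignment:
    principal: str   # user or group name (an object ID in reality)
    scope: str       # ARM scope the role applies to
    role: str        # role definition name, e.g. "Contributor"
    kind: str        # "active" or "eligible"


SUBSCRIPTION_ID = "11111111-2222-3333-4444-555555555555"  # constructed
SUB_SCOPE = f"/subscriptions/{SUBSCRIPTION_ID}"

# Desired state: config/groups/CSG-RBAC-Engineers.yml from the page as a dict
DESIRED_CONFIG = {
    "CSG-RBAC-Engineers": {
        "subscription": {"active": ["Reader"], "eligible": ["Contributor"]},
        "resourceGroups": {
            "storageaccount-rg": {"eligible": ["Storage Blob Data Reader"]},
        },
    },
}

# Actual state as a fresh read from Azure would return it (constructed)
ACTUAL = {
    Assignment("CSG-RBAC-Engineers", SUB_SCOPE, "Reader", "active"),
    # drift: Contributor was made permanently active instead of eligible
    Assignment("CSG-RBAC-Engineers", SUB_SCOPE, "Contributor", "active"),
    # drift: an eligible Owner assignment added outside of Git
    Assignment("CSG-RBAC-Engineers", SUB_SCOPE, "Owner", "eligible"),
    # a service account whose assignments are managed elsewhere
    Assignment("svc-backup", SUB_SCOPE, "Owner", "active"),
}


def desired_assignments(config, sub_scope):
    """Flatten the per-principal config into a set of Assignment records."""
    wanted = set()
    for principal, scopes in config.items():
        for kind, roles in scopes.get("subscription", {}).items():
            wanted.update(Assignment(principal, sub_scope, r, kind) for r in roles)
        for rg, kinds in scopes.get("resourceGroups", {}).items():
            rg_scope = f"{sub_scope}/resourceGroups/{rg}"
            for kind, roles in kinds.items():
                wanted.update(Assignment(principal, rg_scope, r, kind) for r in roles)
    return wanted


def plan(desired, actual, excluded=frozenset()):
    """Return (to_create, to_remove) from config versus reality.

    Excluded principals are dropped from both sides, so nothing is ever
    created for or removed from them. Note that the missing-from-config
    Owner assignment is removed, not merely reported: that is what makes
    the loop self-correcting, and also why the exclusion list matters.
    """
    desired = {a for a in desired if a.principal not in excluded}
    actual = {a for a in actual if a.principal not in excluded}
    return desired - actual, actual - desired


def run(excluded=frozenset({"svc-backup"})):
    return plan(desired_assignments(DESIRED_CONFIG, SUB_SCOPE), ACTUAL, excluded)


if __name__ == "__main__":
    create, remove = run()
    for a in sorted(create, key=str):
        print("CREATE", a)
    for a in sorted(remove, key=str):
        print("REMOVE", a)
```

Run without an exclusion list and `svc-backup`'s Owner assignment lands in the remove set, which is exactly the failure mode the exclusion feature exists to prevent; review the exclusion list as carefully as the config itself, since anything on it is outside the single source of truth.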

Sheriff

Pricing

Azure resource roles

£1,000/year

per subscription

Only charged for first 20 subscriptions

  • Azure resource roles
  • Role management policies
  • Policy inheritance and defaults
  • Free upgrades
  • Business hours support

Microsoft Entra roles + Groups

£3,000/year

for first tenant

£1,000/year

for additional tenants

Only charged for first 3 tenants

  • Microsoft Entra roles
  • Groups (PIM-enabled)
  • Role management policies
  • Policy inheritance and defaults
  • Free upgrades
  • Business hours support

Unlimited

£24,950/year

Flat fee for Azure resource roles, Microsoft Entra roles and Groups across unlimited subscriptions and tenants.

  • Azure resource roles
  • Microsoft Entra roles
  • Groups (PIM-enabled)
  • Role management policies
  • Policy inheritance and defaults
  • Free upgrades
  • Business hours support

Sheriff

Get started with a free trial

Fill in your details below and we'll get in touch with all the details you need to start securing your enterprise with Sheriff.

Frontier

Operate predictably. Innovate safely.