azure pim assignment type

This browser is no longer supported.

Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.

Activate my Azure resource roles in Privileged Identity Management

• 5 contributors

Use Microsoft Entra Privileged Identity Management (PIM), to allow eligible role members for Azure resources to schedule activation for a future date and time. They can also select a specific activation duration within the maximum (configured by administrators).

This article is for members who need to activate their Azure resource role in Privileged Identity Management.

As of March 2023, you may now activate your assignments and view your access directly from blades outside of PIM in the Azure portal. Read more here .

When a role is activated, Microsoft Entra PIM temporarily adds active assignment for the role. Microsoft Entra PIM creates active assignment (assigns user to a role) within seconds. When deactivation (manual or through activation time expiration) happens, Microsoft Entra PIM removes the active assignment within seconds as well.

Application may provide access based on the role the user has. In some situations, application access may not immediately reflect the fact that user got role assigned or removed. If application previously cached the fact that user does not have a role – when user tries to access application again, access may not be provided. Similarly, if application previously cached the fact that user has a role – when role is deactivated, user may still get access. Specific situation depends on the application’s architecture. For some applications, signing out and signing back in may help get access added or removed.

Prerequisites

Activate a role.

Steps in this article might vary slightly based on the portal you start from.

When you need to take on an Azure resource role, you can request activation by using the My roles navigation option in Privileged Identity Management.

PIM is now available in the Azure mobile app (iOS | Android) for Microsoft Entra ID and Azure resource roles. Easily activate eligible assignments, request renewals for ones that are expiring, or check the status of pending requests. Read more below

Sign in to the Microsoft Entra admin center as at least a Privileged Role Administrator .

Browse to Identity governance > Privileged Identity Management > My roles .

Select Azure resource roles to see a list of your eligible Azure resource roles.

In the Azure resource roles list, find the role you want to activate.

Select Activate to open the Activate page.

If your role requires multifactor authentication, select Verify your identity before proceeding . You only have to authenticate once per session.

Select Verify my identity and follow the instructions to provide additional security verification.

If you want to specify a reduced scope, select Scope to open the Resource filter pane.

It's a best practice to only request access to the resources you need. On the Resource filter pane, you can specify the resource groups or resources that you need access to.

If necessary, specify a custom activation start time. The member would be activated after the selected time.

In the Reason box, enter the reason for the activation request.

Select Activate .

If the role requires approval to activate, a notification will appear in the upper right corner of your browser informing you the request is pending approval.

Activate a role with ARM API

Privileged Identity Management supports Azure Resource Manager (ARM) API commands to manage Azure resource roles, as documented in the PIM ARM API reference . For the permissions required to use the PIM API, see Understand the Privileged Identity Management APIs .

To activate an eligible Azure role assignment and gain activated access, use the Role Assignment Schedule Requests - Create REST API to create a new request and specify the security principal, role definition, requestType = SelfActivate and scope. To call this API, you must have an eligible role assignment on the scope.

Use a GUID tool to generate a unique identifier that will be used for the role assignment identifier. The identifier has the format: 00000000-0000-0000-0000-000000000000.

Replace {roleAssignmentScheduleRequestName} in the below PUT request with the GUID identifier of the role assignment.

For more details on managing eligible roles for Azure resources, see this PIM ARM API tutorial .

The following is a sample HTTP request to activate an eligible assignment for an Azure role.

Request body

Status code: 201

View the status of your requests

You can view the status of your pending requests to activate.

Open Microsoft Entra Privileged Identity Management.

Select My requests to see a list of your Microsoft Entra role and Azure resource role requests.

Scroll to the right to view the Request Status column.

Cancel a pending request

If you do not require activation of a role that requires approval, you can cancel a pending request at any time.

Select My requests .

For the role that you want to cancel, select the Cancel link.

Deactivate a role assignment

When a role assignment is activated, you'll see a Deactivate option in the PIM portal for the role assignment. Also, you can't deactivate a role assignment within five minutes after activation.

Activate with Azure portal

Privileged Identity Management role activation has been integrated into the Billing and Access Control (AD) extensions within the Azure portal. Shortcuts to Subscriptions (billing) and Access Control (AD) allow you to activate PIM roles directly from these blades.

From the Subscriptions blade, select “View eligible subscriptions” in the horizontal command menu to check your eligible, active, and expired assignments. From there, you can activate an eligible assignment in the same pane.

In Access control (IAM) for a resource, you can now select “View my access” to see your currently active and eligible role assignments and activate directly.

By integrating PIM capabilities into different Azure portal blades, this new feature allows you to gain temporary access to view or edit subscriptions and resources more easily.

Activate PIM roles using the Azure mobile app

PIM is now available in the Microsoft Entra ID and Azure resource roles mobile apps in both iOS and Android.

To activate an eligible Microsoft Entra role assignment, start by downloading the Azure mobile app ( iOS | Android ). You can also download the app by selecting Open in mobile from Privileged Identity Management > My roles > Microsoft Entra roles.

Open the Azure mobile app and sign in. Click on the ‘Privileged Identity Management’ card and select My Azure Resource roles to view your eligible and active role assignments.

Select the role assignment and click on Action > Activate under the role assignment details. Complete the steps to active and fill in any required details before clicking Activate at the bottom.

View the status of your activation requests and your role assignments under ‘My Azure Resource roles’.

Related content

• Extend or renew Azure resource roles in Privileged Identity Management
• Activate my Microsoft Entra roles in Privileged Identity Management

Was this page helpful?

Additional resources

Abou Conde's Blog

Cloud and infra security, assigning azure resource roles in privileged identity management (pim).

• by Abou Conde
• Posted on July 12, 2019 July 11, 2019

Azure Active Directory (Azure AD) Privileged Identity Management (PIM) can manage the built-in Azure resource roles, as well as custom roles, including (but not limited to):

• User Access Administrator
• Contributor
• Security Admin
• Security Manager, and more

Assign a role 

Sign in to Azure portal with a user that is a member of the Privileged Role Administrator role.

Open Azure AD Privileged Identity Management .

If you haven’t started PIM in the Azure portal yet, go to Enabling Azure AD Privileged Identity Management (PIM) .

Click Azure resources .

Use the Resource filter to filter the list of managed resources.

Click the resource you want to manage, such as a subscription or management group.

Under Manage, click Roles to see the list of roles for Azure resources.

Click Add member to open the New assignment pane .

Click Select a role to open the Select a role pane, Click a role you want to assign and then click Select .

The Select a member or group pane opens.

Click a member or group you want to assign to the role and then click Select .

The Membership settings pane opens.

In the Assignment type list, select Active and click ok

PIM for Azure resources provides two distinct assignment types:

• Active assignments don’t require the member to perform any action to use the role. Members assigned as active have the privileges assigned to the role at all times.
• Eligible assignments require the member of the role to perform an action to use the role. Actions might include performing a multi-factor authentication (MFA) check, providing a business justification, or requesting approval from designated approvers.

Verify that the User is listed as the member of the Active roles.

Share this:

One thought on “ assigning azure resource roles in privileged identity management (pim) ”.

Hi, I was trying to do something where I needed a subscription ID but I don’t have/see one. Would that mean I don’t have the role associated with that subscription? Is that how it works? Thank you for your time.

Leave a comment Cancel reply

• Already have a WordPress.com account? Log in now.
• Subscribe Subscribed
• Copy shortlink
• Report this content
• View post in Reader
• Manage subscriptions
• Collapse this bar

Manage Privileged access groups with Azure AD Privileged Identity Management (Azure AD PIM)

Azure AD Privileged Identity Management allows organizations to manage, monitor, audit access to sensitive Azure resources. One of the main features of PIM is the ability to provide just-in-time (JIT) access to Azure AD and Azure resources. As an example, a user can request to be a Global Administrator for 1 hour. Once a user requests it through the portal, Approver will receive a notification. Then approver can review the request and approve/deny the request based on justifications. Once the request is approved, the user will have Global administrator privileges for one hour. After one hour, the privileges will remove from the user automatically. Instead of individual users, we also can make cloud groups eligible for the Azure AD role assignment. More info about this configuration is available under one of the previous blog post . So far, we had to manage members or owners of these privilege cloud groups using Azure AD, but now we can provide JIT membership to privilege group using Azure AD PIM.

Note : To use Azure AD PIM, you need to have Azure AD Premium P2 licenses. So, make sure you have the relevant license in place before we go ahead with this config.

In my demo environment, I am going to create a new group called “ Temp Administrators “. Then I am going to make it active for Global Administrator role for 3 months. After that configuration, if a user needs to get Global Admin rights, they need to be part of “Temp Administrators” group. I plan to show you how we can manage members of this group using Azure AD PIM.

Create a role-assignable group

As the first step of the configuration, I need to create a cloud group. This group must have the “ Azure AD roles can be assigned to the group ” option turned on. Otherwise, we can’t assign roles to it. To do this,

1. Log in to Azure Portal as Global Administrator 2. Search for Azure Active Directory and click on it 3. Go to Groups and click on + New group

4. In the new form, set Group type to Security . Then provide a name and description for the group. Next, set Azure AD roles can be assigned to the group (Preview) option to Yes . After, click on create to complete the group setup process

Enable privileged access for a group

The next step of the configuration is to enable privileged access for the newly created group. To do that,

1. Go to Azure Active Directory home page 2. Then go to Groups and click on the group we created in the previous section. On the group properties page, click on Privileged access (preview) . Next, click on Enable privileged access button.

Configure role settings

Next, we need to configure the role settings of the group. To do that,

1. Log in to Azure Portal 2. Search for Azure AD Privileged Identity Management and click on it 3. Then click on Privileged access groups (Preview)

4. In there, we should be able to see the group we just created. Click on it. 5. Then in the properties page, click on Settings | Member

6. Next, click on Edit

7. In there we can start changing settings for the role as per requirements. In this demo, I am going to keep Activation maximum duration (hours) to 8 . On activation, I also want to verify Azure MFA . I also like the user to justify the request. Also, the request must be approved by an approver. Once the above settings are in place, I click on the select approvers option and define an approver. At the end, I click on Next: Assignment

8. In the Assignment page, I will keep default settings and click on Next: Notifications

9. In the notification page, we can define who will be notified of different actions. For this demo, I am going to keep the default settings and click on Update to apply the changes.

Make user eligible for the membership

As the next step, we need to decide who is going to be eligible for the group membership. In my demo environment, I have a user called Isaiah Langer and I am going to make him eligible for the group membership. To do that,

1. Go to the Azure AD group we previously created 2. Click on Privileged access (preview) | + Add assignments

3. On the next page select Member under the Select role option. Then click on the No member selected link under Select member(s) and select the eligible user(s). Once settings are in place click on Next .

4. Then make the user eligible and click on Assign .

Assign Global Administrator role to the privileged group

The final step of the configuration is to assign Global Administrator role to the group we created by using Azure AD PIM. To do that,

1. Log in to Azure Portal 2. Search for Azure AD Privileged Identity Management and click on it 3. Then click on Azure AD roles

4. In the next page click on Assignments | + Add assignment

5. Then, select Global Administrators under the Select role . Then assign “ Temp Administrators ” group to the members and click on Next .

6. On the next page, select Active under assignment type . Then select the assignment start date and assignment end d ate. In this demo, I am setting it up for 3 months. Once settings are in place click on assign to complete the configuration process.

This completes the configuration process. The next phase is to do the testing.

To test the configuration, I log in to the Azure portal as Isaiah Langer . Then I went to Azure AD Privileged Identity Management | My roles | Privileged access groups (Preview) . In there we can see the eligible group membership.

To proceed further with testing, click on Activate .

Then in the new window, I am requesting to activate membership for 2 hours. I also provide a reason as it is mandatory.

After I click on Activate, the approver received an email notification regarding the request.

Then I log in to the Azure portal as approver and went to Azure AD Privileged Identity Management| Approve requests | Privileged access groups (Preview) . As expected, I can see the request from Isaiah.

To approve the request, select the request first and then click on Approve .

Once it is approved, I went back to the user and check. Now I can see he got an active assignment.

As expected, the user Isaiah will have Global Administrator rights for 2 hours. After two hours, he will be removed from the “Temp Administrators” group automatically.

I hope now you have a better understanding of how we can manage memberships of privileged groups by using Azure AD PIM . If you have any further questions about this feel free to contact me at [email protected] also follow me on Twitter @rebeladm to get updates about new blog posts.

MASTERING ACTIVE DIRECTORY, THIRD EDITION

• October 2024
• September 2024
• August 2024
• October 2023
• December 2022
• November 2022
• January 2022
• December 2021
• November 2021
• September 2021
• January 2021
• December 2020
• November 2020
• October 2020
• September 2020
• August 2020
• February 2020
• January 2020
• December 2019
• November 2019
• October 2019
• September 2019
• August 2019
• February 2019
• January 2019
• December 2018
• November 2018
• October 2018
• September 2018
• August 2018
• February 2018
• January 2018
• December 2017
• November 2017
• October 2017
• September 2017
• August 2017
• February 2017
• January 2017
• December 2016
• October 2016
• September 2016
• August 2016
• February 2016
• January 2016
• November 2015
• October 2015
• September 2015
• August 2015
• February 2015
• January 2015
• December 2014
• November 2014
• October 2014
• September 2014
• January 2014

Related posts

Step-by-step guide: configure entra id lifecycle workflow to use custom security attributes, step-by-step guide: configure entra id lifecycle workflow to trigger mover task on user profile changes, step-by-step guide: how to setup entra id restricted management administrative units , become a trendsetter.

Sign up and get the best of RebelAdmin, tailored for you.

Subscribe Leave this field empty if you're human:

Thank you for a practical, step- by -step guide on this. You saved me time in research.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Save my name, email, and website in this browser for the next time I comment.

Don’t Miss

About rebeladmin, useful links, microsoft defender for identity part 05 – mdi sensor installation, step-by-step guide to azure bastion ip-based connection, automatic dhcp server backup, microsoft defender for identity part 04 – network requirements, step-by-step guide to azure private endpoints (powershell guide).

Terence Luk

Tackling the daily challenges of technology... one project at a time.

Monday, April 5, 2021

Configuring azure privileged identity management (pim).

One of the features I’ve liked a lot when I was able to work with clients who had Azure AD Premium 2 or Enterprise Mobility + Security (EMS) E5 licenses is the Privileged Identity Management (PIM). This feature has a lot of offer when it comes to one of the most neglected operations that every organization should have:

managing privileged access. In this post, I will describe attempt to describe the benefits of it as well as demonstrate some of its features.

What is Azure Privileged Identity Management (PIM)?

Let me begin by saying that Microsoft provides an excellent write up and video about PIM, which can be found here:

What is Azure AD Privileged Identity Management? https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure

When I am asked this question, I usually provide the following:

The short and condensed explanation of Azure’s Privileged Identity Management (PIM) is that provides you with the tools to manage, control, monitor, and audit access to resources in the organization. An example of this could be a consultant is engaged in a project with your organization and I need administrative rights in Azure because I need to add or manage another domain so this I am granted the global admin role but the role then never gets removed. The use of a consultant can easily be interchanged with any administrator on the team who was granted the global admin role and never gets removed, which is very similar to, say, the Enterprise Admins or Domain Admins group in an on-premise Active Directory. Another example could be that we do not want administrators to have persistent administrative permissions whenever they log into Azure so we would like them to have the ability to elevate their permissions. Lastly, another example could be that there is suspicion the account used to sign up for the Azure tenant had its password reset at some point and is being used so an audit of the history is required.

The following are the key features taken straight from the Microsoft documentation:

• Provide just-in-time privileged access to Azure AD and Azure resources
• Assign time-bound access to resources using start and end dates
• Require approval to activate privileged roles
• Enforce multi-factor authentication to activate any role
• Use justification to understand why users activate
• Get notifications when privileged roles are activated
• Conduct access reviews to ensure users still need roles
• Download audit history for internal or external audit

Leveraging the features above can allow any organization to better manage privileged access to Azure AD, Azure, and other Microsoft Online Services such as Microsoft 365 or Microsoft Intune.

Active vs Eligible Roles for Privileged Identity Management

With Azure Privileged Identity Management, there are two types of assignments that can be made to roles and they are:

• Eligible assignments require the member of the role to perform an action to use the role. Actions might include performing a multi-factor authentication (MFA) check, providing a business justification, or requesting approval from designated approvers.
• Active assignments don't require the member to perform any action to use the role. Members assigned as active have the privileges assigned to the role at all times.

It is generally advised to use eligible as much as you can so you can avoid having an account that always has permissions. If an account needs to have the an active assignment for scenarios such as hiring a consultant for a full day of review, specify an active assignment with an assignment start and end date/time.

Licensing Requirements

The official Microsoft provided licensing requirements for using PIM can be found here:

License requirements to use Privileged Identity Management

https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/subscription-requirements

To summarize, if you are strictly purchasing Azure AD Premium P2 licenses for PIM then you will only need as many employees that will be performing the following tasks:

• Users assigned as eligible to Azure AD or Azure roles managed using PIM
• Users who are assigned as eligible members or owners of privileged access groups
• Users able to approve or reject activation requests in PIM
• Users assigned to an access review
• Users who perform access reviews

Azure AD Premium P2 licenses are not required for the following tasks:

• No licenses are required for users who set up PIM, configure policies, receive alerts, and set up access reviews.

Examples of usage scenarios can be found here: https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/subscription-requirements#example-license-scenarios

The following is what happens with the license examples:

If an Azure AD Premium P2, EMS E5, or trial license expires, Privileged Identity Management features will no longer be available in the directory:

• Permanent role assignments to Azure AD roles will be unaffected.
• The Privileged Identity Management service in the Azure portal, as well as the Graph API cmdlets and PowerShell interfaces of Privileged Identity Management, will no longer be available for users to activate privileged roles, manage privileged access, or perform access reviews of privileged roles.
• Eligible role assignments of Azure AD roles will be removed, as users will no longer be able to activate privileged roles.
• Any ongoing access reviews of Azure AD roles will end, and Privileged Identity Management configuration settings will be removed.
• Privileged Identity Management will no longer send emails on role assignment changes.

Note that Azure AD Premium P2 also provides the Identity protection feature for accounts ( https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection ), which would enable the following:

• Vulnerabilities and risky accounts detection
• Risk events investigation
• Risk-based Conditional Access policies

If these features are designed for the organization then everyone will need to be licensed.

With an overview of PIM provided, I will proceed to demo each of the key features provided in the Microsoft documentation:

I find that many administrators typically skip through the Deploy PIM section of the Microsoft documentation ( https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-deployment-plan ) as the section does not actually contain any configuration instructions but I’d like to stress how important it is to read through all the items that Microsoft outlines to successfully plan for a PIM deployment. I would highly recommend going through the documentation before jumping into the next configuration section.

No more “Consent to PIM”

Those who have worked with PIM in the past or written the older AZ-500 exam may remember how administrators need to “consent to PIM” prior to using the feature. The process of consenting to PIM has been removed so there is no need to perform this step anymore and the console now has the following banner inserted into the Quick start page:

You are using the updated Privileged Identity Management experience for Azure AD roles.

The changes that Microsoft made as per the documentation https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-getting-started#prerequisites is as such:

When a user who is active in a privileged role in an Azure AD organization with a Premium P2 license goes to Roles and administrators in Azure AD and selects a role (or even just visits Privileged Identity Management):

• We automatically enable PIM for the organization
• Their experience is now that they can either assign a "regular" role assignment or an eligible role assignment

When PIM is enabled it doesn't have any other effect on your organization that you need to worry about. It gives you additional assignment options such as active vs eligible with start and end time. PIM also enables you to define scope for role assignments using Administrative Units and custom roles. If you are a Global Administrator or Privileged Role Administrator, you might start getting a few additional emails like the PIM weekly digest. You might also see MS-PIM service principal in the audit log related to role assignment. This is an expected change that should have no effect on your workflow.

Start Using PIM with Wizard

If you’re new to PIM and need to quickly start using the features with minimal configuration, using the security wizard ( https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-security-wizard ) would be a great start. The Discovery and insights (Preview) feature in the Privileged Identity Management blade provides the easy to use wizard to begin leveraging PIM features:

Configuring a PIM Administrator with an Active Assignment

If you already have a deployment plan created then our first step would be to assign the planned account to Privileged Role Administrator role for PIM administration. Navigate to Azure AD roles under Manage :

Then Roles and type in Privileged Role Administrator to list the PIM role, then select it:

Once in the properties of the role, proceed to use the Add assignments button to add a user into the role. I will add my own account for the purpose of this example.

**Note that as of the time of writing this post, the Microsoft documentation dated on 08/06/2020 specifies that we should click on the Add Member button ( https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-give-access-to-pim#delegate-access-to-manage-pim ) but this button is no longer available on 4/3/2021.

I will configure this assignment to be active and permanently assigned but note that it is generally advised that most active assignments should be configured with a start and end time/date if possible.

The account specified should now be displayed under the Active assignments tab:

Navigating back to the Privileged Role Management page and selecting My roles :

Then under Azure AD roles and Active Assignments should display the roles I am currently a part of (Global Administrator and Privileged Role Administrator):

Note that the act of granting my account the Privileged Role Administrator role will send the following notification to my email address about the assignment.

Privileged Identity Management Alerts

You can instantly view a list of issues as identified by PIM by clicking on the Alerts under the Manage settings:

Note the 3 alerts that are raised for this environment:

• Roles don’t require multi-factor authentication for activation
• Potential stale accounts in a privileged role
• There are too many global administrators

The first two are fairly obvious while the second one lists accounts that have not changed their password in the past 90 days and clicking into the line item will bring up the details:

Clicking on the Settings button will bring us into configuration set for identifying these risks:

You can click on each of the alerts to see what configuration changes you can make as well as whether to disable them:

Assigning a User with Eligible Role (J.I.T)

With the initial configuration and walk through of the alerts out of the way, let’s proceed to assigning a user with the eligible role for the Global Admin role. Begin by navigating to Azure AD roles under Manage :

Then Roles and type in Global Admins to list the PIM role, then select it:

Click on Add assignments :

I’ll be using a account named John Smith as the example:

In the Setting tab, we will configure the Assignment type as Eligible with Permanently eligible disabled and a Assignment starts and Assignment ends date/time specified to be one day:

Note that the Assignment starts and Assignment ends date/time cannot exceed more than a year or the message Time duration specified exceeds maximum allowed. will be displayed:

The role assignment should now be displayed under the Eligible assignments tab:

Note that upon completion of assignment John Smith the eligible role, notification emails such as the one below would have been sent to the admins.

Testing a User with Eligible Role

With the eligible role assigned to John Smith, we can log into the Azure portal and confirm that he does not have the ability to create new users or reset passwords as he is eligible but not a Global Admin yet:

We can then navigate to the Privileged Identity Management section, click on Azure AD roles under Activate , then see that we can eligible for the Global Administrator role with the option of activating it:

**Note that there is an end time for this eligible assignment as how it was configured in the previous section.

We’ll notice that attempting to activate the role indicates we are prompted with:

Additional verification required. Click to continue

The reason why this prompt is displayed is because this account does not have MFA set up and the default settings for activation is to have MFA setup, which I will show a bit later.

Proceed to set up MFA:

Once MFA is successfully set up, the following activation options will be displayed. Note how there are various parameters we can configure such as the activation start time, the duration, and a reason, which is required for activation:

For the purpose of this example, I will set the duration to only 2 hours mimicking the scenario that I only need 2 hours of elevated permissions. My reason for the activation will be to: Test Global Admin activation .

The activation proceeds through 3 stages and will complete fairly quickly (you don’t need to walk away from the computer):

Upon completion of activation, the Eligible assignments tab will refresh and display the following message:

You have just activated a role. Click here to view your active roles

Clicking the Click here to view your active roles will change the table to Active assignments which will display the activated state. Note the End time listed is 2 hours from when I activated it:

The test John Smith user will now be able to create accounts:

Upon activating the Global Admin assignment, notification emails such as the one below would have been sent to the admins:

When the duration has expired an email will be sent:

Activation Role Settings Configuration

It is possible to customize the activation role settings as demonstrated in the previous activation by navigating to Azure AD roles under Manage :

Roles and type in Global Admins to list the PIM role, then select it:

Click on Role settings to list the parameters that we can edit:

The configuration settings are partitioned into tabs, which I have combined into one screenshot.

The Activation tab allows us to:

• Change the activation maximum duration in hours, which defaults to 8 and is customizable during the activation process
• Requires the account to have MFA setup – why John Smith had to set up MFA
• Require a justification – why we had to enter a reason
• Require ticket information on activation – this will provide two fields – 1. ticket number, 2. ticketing system link
• Require approval to activate – One of the features I enjoy most as this will require another administrator to interactively approve the activation from the Azure portal

The Assignment tab allows us to:

• Allow permanent eligible assignment – this can be changed to limit the amount of time an eligible assignment can be
• Allow permanent active assignments after – this enables or disables permanent active assignment and if it is disabled, the active assignment can be force to expire after a period of time (1 year, 6 months, 3m months, 1 month, 15 days)
• Require Azure MFA on active assignment – this will force MFA for active assignments
• Require justification on active assignment – forces a reason to be entered

The Notification tab allows us to specify various notification settings for when activation or assignments take place.

These configuration settings are set independently for each role.

PIM Auditing

To perform an audit of on the activities of privileged accounts, navigate to Azure AD roles under Manage :

Select Resource Audit under Activity and you will see the actions of PIM administrators as well as users who have activated their eligibility for configured roles:

Clicking on a line item will bring the details of the action:

Navigating to the My audit section will display all the PIM activities the account logged in has made:

Creating an Access Review

You can create an access review to list the specific PIM activities of a role such Global Admin by navigating to Azure AD roles under Manage :

Then Access reviews and select New :

Then configure the review as required:

The frequency can be set to the following:

Note the Upon completion settings and Advanced settings that are available:

A review will be created in the Access reviews :

Clicking into the report will provide information about the PIM activity for Global Admins:

Hope this gives anyone looking for information about PIM an overview and demonstration of what it has to offer.

Such detail is hard to come by. Crystal clear explanation ,flow and concepts.

Post a Comment