Assign eligibility for a privileged access group (preview) in Privileged Identity Management
Privileged Identity Management (PIM) in Azure Active Directory (Azure AD), part of Microsoft Entra, can help you manage the eligibility and activation of assignments to privileged access groups in Azure AD. You can assign eligibility to members or owners of the group.
When a role is assigned, the assignment:
- Can't be assigned for a duration of less than five minutes
- Can't be removed within five minutes of it being assigned
Note
Every user who is eligible for membership in or ownership of a privileged access group must have an Azure AD Premium P2 license. For more information, see License requirements to use Privileged Identity Management.
Assign an owner or member of a group
Follow these steps to make a user eligible to be a member or owner of a privileged access group.
1. Sign in to the Azure AD admin center with a user in the Global Administrator role, the Privileged Role Administrator role, or the group Owner role.
2. Select Groups and then select the role-assignable group you want to manage. You can search or filter the list.
3. Open the group and select Privileged access (Preview).
4. Select Add assignments.
5. Select the members or owners you want to make eligible for the privileged access group.
6. Select Next to set the membership or ownership duration.
7. In the Assignment type list, select Eligible or Active. Privileged access groups provide two distinct assignment types:
   - Eligible assignments require the member of the role to perform an action to use the role. Actions might include performing a multi-factor authentication (MFA) check, providing a business justification, or requesting approval from designated approvers.
   Important
   For privileged access groups used for elevating into Azure AD roles, Microsoft recommends that you require an approval process for eligible member assignments. Assignments that can be activated without approval can leave you vulnerable to a security risk from another administrator with permission to reset an eligible user's password.
   - Active assignments don't require the member to perform any action to use the role. Members assigned as active have the privileges assigned to the role at all times.
8. If the assignment should be permanent (permanently eligible or permanently assigned), select the Permanently checkbox. Depending on your organization's settings, the check box might not appear or might not be editable. For more information, see the Configure privileged access group settings article.
9. When finished, select Assign.
10. To create the new role assignment, select Add. A notification of the status is displayed.

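The same eligible assignment created from PowerShell rather than the portal, as an added example that is not part of this article or of Microsoft's own samples. It assumes the Microsoft.Graph.Authentication module and the Graph eligibilityScheduleRequests endpoint for privileged access groups; the group and principal IDs are placeholders you supply.

```powershell
#Requires -Modules Microsoft.Graph.Authentication
# Added example: create an eligible member/owner assignment on a privileged
# access group via Microsoft Graph, mirroring the portal steps above.
param(
    [Parameter(Mandatory)] [string] $GroupId,      # role-assignable group (placeholder GUID)
    [Parameter(Mandatory)] [string] $PrincipalId,  # user to make eligible (placeholder GUID)
    [ValidateSet('member', 'owner')] [string] $AccessId = 'member',
    [string] $Duration = 'PT8H',                    # ISO 8601; ignored with -Permanent
    [switch] $Permanent,                            # same as the Permanently checkbox
    [string] $Justification = 'Eligible assignment created by runbook'
)

# PIM rejects assignments shorter than five minutes; fail early with the same floor.
if (-not $Permanent) {
    $span = [System.Xml.XmlConvert]::ToTimeSpan($Duration)
    if ($span -lt [TimeSpan]::FromMinutes(5)) {
        throw "Duration '$Duration' is below the five-minute minimum."
    }
}

# Scope covers eligibility schedules for groups; active assignments need a different scope.
Connect-MgGraph -Scopes 'PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup' -NoWelcome

$expiration = if ($Permanent) { @{ type = 'noExpiration' } }
              else            { @{ type = 'afterDuration'; duration = $Duration } }

$body = @{
    accessId      = $AccessId        # member or owner, as in the portal picker
    principalId   = $PrincipalId
    groupId       = $GroupId
    action        = 'adminAssign'    # create; adminRemove would delete an assignment
    justification = $Justification
    scheduleInfo  = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString('o')
        expiration    = $expiration
    }
}

# Eligible assignments go to eligibilityScheduleRequests (assumed v1.0 endpoint);
# active ones would use assignmentScheduleRequests instead.
$uri = 'https://graph.microsoft.com/v1.0/identityGovernance/privilegedAccess/group/eligibilityScheduleRequests'
$request = Invoke-MgGraphRequest -Method POST -Uri $uri -ContentType 'application/json' `
    -Body ($body | ConvertTo-Json -Depth 5) -OutputType PSObject

# A status of Provisioned means PIM accepted the request; anything else warrants a look.
$request | Select-Object id, status, accessId, principalId, groupId
```

Whether the request is then subject to approval is governed by the group's PIM settings, not by this request, so check the role settings before relying on the eligibility being gated.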
Update or remove an existing role assignment
Follow these steps to update or remove an existing role assignment.
1. Sign in to Azure AD with Global Administrator or group Owner permissions.
2. Select Groups and then select the role-assignable group you want to manage. You can search or filter the list.
3. Open the group and select Privileged access (Preview).
4. Select the role that you want to update or remove.
5. Find the role assignment on the Eligible roles or Active roles tabs.
6. Select Update or Remove to update or remove the role assignment.
For information about extending a role assignment, see Extend or renew Azure resource roles in Privileged Identity Management.
Next steps