question

BenjaminBerglund-3718 asked:

PIM not working

I have a customer that wants to start using PIM. At some point someone must have activated PIM for the tenant because the activate option is not available anymore. The thing is that there is no user in the tenant who has the Privileged Role Administrator. My understanding is that the first admin user who activates PIM for the tenant should have gotten the role.
I have now assigned the Privileged Role Administrator to several admin users including my own (Active Directory Premium P2 license on the user), but even without elevating the role I am still able to assign new PIM roles. In short, even without the Privileged Role Administrator role it is possible to add new assignments.
Anyone who can help me figure out what is going on? Is it possible to deactivate PIM for a tenant and reactivate it again?

azure-ad-privileged-identity-management

@benjaminberglund-3718 Thanks for using Microsoft Q&A !!
Are you saying that you are able to assign the roles through Azure AD PIM from the Azure Portal without Privileged Role Administrator permissions? Can you please go to Azure portal > Azure AD PIM > Azure AD Roles > Roles and select the "Privileged Role Administrator" role to see the current list of assignees. (See screenshot below)

[two screenshots attached]

Thanks
Saurabh


@SaurabhSharma-msft that is correct, there are no "Active assignments" for the "Privileged Role Administrator", only the eligible roles that I have assigned my own admin users and a couple of other users.
I have been working with PIM for several years now with other customers so I am very familiar with it, never had this issue before. I have heard that it should be possible to deactivate PIM for a tenant, but I have not been able to find any information about that. My guess is it has to be deactivated and reactivated.


@benjaminberglund-3718 OK, got it. Unfortunately, we cannot disable PIM from the portal. Can you please send an email to azcommunity[at]microsoft[dot]com with your subscription id and tenant id, this Q&A thread link, and the subject "Attn: Saurabh", and I will try to get it disabled from the backend.

Thanks
Saurabh


Hi @benjaminberglund-3718,
I am following up as I haven't received your email yet.

Thanks
Saurabh


Hi @SaurabhSharma-msft, sorry for the delay here, I have had an extended weekend here. I have sent you an email now.


Actually, I am now seeing the same issue with another customer. I only have the Global Administrator role and yet I am able to add new assignments, for instance I was able to give my own user the "Privileged Role Administrator". I think maybe this issue must be looked into on a bigger scale than just 1 tenant. I have checked 4 different customer tenants now and all have the same behavior, it seems that as soon as you have the Global Administrator role you are also able to assign new PIM roles. Is this maybe a new feature from Microsoft that I have not heard about? Doesn't really make sense since we still have the Privileged Role Administrator role in play.


1 Answer

SaurabhSharma-msft answered:

Hi @BenjaminBerglund-3718,

I have received confirmation from product group that both PRA and GA can manage PIM now and this is expected behavior. This change was done last year. Please refer to the documentation.

Please let me know if you have any questions.

Thanks
Saurabh


Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.


This function is described a bit more in clear text here, https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure#who-can-do-what.

Who can do what?
For Azure AD roles in Privileged Identity Management, only a user who is in the Privileged role administrator or Global administrator role can manage assignments for other administrators. You can grant access to other administrators to manage Privileged Identity Management. Global Administrators, Security Administrators, Global readers, and Security Readers can also view assignments to Azure AD roles in Privileged Identity Management.


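The practical consequence of the answer above is that an audit of "who can manage PIM" in a tenant has to cover every active and eligible holder of both Global Administrator and Privileged Role Administrator, not only the Privileged Role Administrator list the original question looked at. The following PowerShell script is an added example, not code from this thread or from Microsoft; it assumes the Microsoft.Graph PowerShell SDK is installed (the role-management cmdlets live in Microsoft.Graph.Identity.Governance) and that the signed-in account can consent to the RoleManagement.Read.Directory and Directory.Read.All scopes. It resolves the two role definitions by display name rather than hard-coding their template ids, then lists active assignments and eligible schedules for each.

```powershell
# Added example (not from the thread): enumerate every principal that can manage
# Azure AD PIM assignments, i.e. active or eligible holders of Global Administrator
# and Privileged Role Administrator. Read-only; nothing is changed in the tenant.
# Assumes the Microsoft.Graph PowerShell SDK and the scopes below (assumption).
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All"

$roleNames = @("Global Administrator", "Privileged Role Administrator")

# Resolve role definitions by display name so no GUIDs need to be hard-coded.
$roleDefs = foreach ($name in $roleNames) {
    Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$name'"
}

$report = foreach ($def in $roleDefs) {
    # Active assignments: permanent ones and time-bound ones created by a PIM activation.
    $active = Get-MgRoleManagementDirectoryRoleAssignment -All `
        -Filter "roleDefinitionId eq '$($def.Id)'" -ExpandProperty "principal"
    foreach ($a in $active) {
        [pscustomobject]@{
            Role           = $def.DisplayName
            AssignmentType = "Active"
            PrincipalId    = $a.PrincipalId
            Principal      = $a.Principal.AdditionalProperties["displayName"]
            PrincipalType  = $a.Principal.AdditionalProperties["@odata.type"]
            Scope          = $a.DirectoryScopeId   # "/" means tenant-wide
        }
    }

    # Eligible assignments: what the PIM blade shows under "Eligible assignments".
    $eligible = Get-MgRoleManagementDirectoryRoleEligibilitySchedule -All `
        -Filter "roleDefinitionId eq '$($def.Id)'" -ExpandProperty "principal"
    foreach ($e in $eligible) {
        [pscustomobject]@{
            Role           = $def.DisplayName
            AssignmentType = "Eligible"
            PrincipalId    = $e.PrincipalId
            Principal      = $e.Principal.AdditionalProperties["displayName"]
            PrincipalType  = $e.Principal.AdditionalProperties["@odata.type"]
            Scope          = $e.DirectoryScopeId
        }
    }
}

# Anyone in this table can create or change PIM assignments for Azure AD roles.
$report | Sort-Object Role, AssignmentType, Principal | Format-Table -AutoSize

# Flag the case the thread is about: a tenant where Global Administrators exist
# but nobody holds Privileged Role Administrator, so PIM management rests
# entirely on the GA population.
$praHolders = @($report | Where-Object Role -eq "Privileged Role Administrator")
if ($praHolders.Count -eq 0) {
    Write-Warning "No active or eligible Privileged Role Administrator; PIM is managed solely by Global Administrators."
}
```

A group principal (type #microsoft.graph.group) in the output means every member of that role-assignable group inherits the ability to manage PIM, so the group's membership should be reviewed with the same care as the direct assignments. Rerunning the script after any role change, or scheduling it, gives a simple recurring check that the set of PIM managers matches what the customer expects.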