Giving access to manage Azure AD Privileged Identity Management
The global administrator who enables Azure AD Privileged Identity Management (PIM) for an organization automatically gets role assignments and access to PIM. No one else gets write access by default, though, including other global administrators. Other global administrators, security administrators, and security readers have read-only access to Azure AD PIM. To give access to PIM, the first user can assign others to the Privileged role administrator role. This assignment must be done from within PIM itself, and cannot be changed via PowerShell or other portals.
Managing Azure AD PIM requires Azure MFA. Since Microsoft accounts cannot register for Azure MFA, a user who signs in with a Microsoft account cannot access Azure AD PIM.
Make sure there are always at least two users in the Privileged role administrator role, in case one user is locked out or their account is deleted.
Give another user access to manage PIM
- Sign in to the Azure portal and select the Azure AD Privileged Identity Management app on the dashboard.
- Select Manage privileged roles > Privileged role administrator > Add.
- On the Add managed users blade, step 1 is already complete. Select step 2, Select users and search for the user you want to add.
- Select the user from the search results, and click Done.
- Click OK to save your selection. The user you have selected will appear in the list of Privileged role administrators.
- Whenever you assign a new role to someone, they are automatically set up as eligible to activate the role. If you want to make them permanent in the role, click the user in the list. Select make perm in the user information menu.
- Send the user a link to Getting started with Azure AD Privileged Identity Management.
Remove another user's access rights for managing PIM
Before you remove someone from the privileged role administrator role, always make sure there will still be two users assigned to it.
- In the PIM dashboard, click on the role Privileged role administrator. The list of users currently in that role will be displayed.
- Click on the user in the user list.
- Click on Remove. You are presented with a confirmation message.
- Click Yes to remove the user from the role.