Bring privileged access groups (preview) into Privileged Identity Management

In Azure Active Directory (Azure AD), you can assign Azure AD built-in roles to cloud groups to simplify how you manage role assignments. To protect Azure AD roles and to secure access, you can now use Privileged Identity Management (PIM) to manage just-in-time access for members or owners of these groups. To manage an Azure AD role-assignable group as a privileged access group in Privileged Identity Management, you must bring it under management in PIM.

Identify groups to manage

You can create a role-assignable group in Azure AD as described in Create a role-assignable group in Azure Active Directory. You must be an owner of the group to bring it under management with Privileged Identity Management.

  1. Sign in to Azure AD with Privileged Role Administrator role permissions.

  2. Select Groups and then select the role-assignable group you want to manage in PIM. You can search and filter the list.


  3. Open the group and select Privileged access (Preview).


  4. Start managing assignments in PIM.

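Because step 2 asks you to locate a role-assignable group and step 4 is irreversible, it helps to enumerate the candidate groups and confirm ownership from the command line before clicking through the portal. The following PowerShell is an added example, not part of this Microsoft Docs page; it assumes the Microsoft.Graph PowerShell module is installed and that the signed-in account can read groups and their owners. It lists every group created with isAssignableToRole set to true and flags whether the signed-in user is among its owners, which is the precondition stated above for bringing the group into PIM.

```powershell
# Added example (not from the documentation page): inventory role-assignable groups
# and check whether the signed-in user owns each one.
# Assumes the Microsoft.Graph module is installed and the delegated scopes below are granted.
Connect-MgGraph -Scopes "Group.Read.All", "User.Read"

# Resolve the signed-in account to its directory object so we can compare object IDs.
$me = Get-MgUser -UserId (Get-MgContext).Account

# Only groups created with isAssignableToRole = true can be brought into PIM.
$groups = Get-MgGroup -Filter "isAssignableToRole eq true" -All

foreach ($g in $groups) {
    # Owners are returned as directory objects; compare by object ID, not display name.
    $owners  = Get-MgGroupOwner -GroupId $g.Id -All
    $isOwner = $owners.Id -contains $me.Id

    [pscustomobject]@{
        DisplayName         = $g.DisplayName
        GroupId             = $g.Id
        IsAssignableToRole  = $g.IsAssignableToRole
        SignedInUserIsOwner = $isOwner
    }
}
```

Run the script before step 3: any group that shows SignedInUserIsOwner as False cannot be onboarded by the current account, and the list gives a record of which groups were brought under PIM management, which is useful given that the change cannot be undone.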

Note

Once a privileged access group is managed, it can't be taken out of management. This prevents another resource administrator from removing Privileged Identity Management settings.

Next steps