Assign Azure AD roles in Privileged Identity Management

With Azure Active Directory (Azure AD), a Global administrator can make permanent Azure AD admin role assignments. These role assignments can be created using the Azure portal or using PowerShell commands.

The Azure AD Privileged Identity Management (PIM) service also allows Privileged Role Administrators to make permanent admin role assignments. Additionally, Privileged Role Administrators can make users eligible for Azure AD admin roles. An eligible administrator can activate the role when they need it, and then their permissions expire once they're done.

Make a user eligible for a role

Follow these steps to make a user eligible for an Azure AD admin role.

  1. Sign in to Azure portal with a user that is a member of the Privileged Role Administrator role.

    For information about how to grant another administrator access to manage Privileged Identity Management, see Grant access to other administrators to manage Privileged Identity Management.

  2. Open Azure AD Privileged Identity Management.

    If you haven't started Privileged Identity Management in the Azure portal yet, go to Start using Privileged Identity Management.

  3. Select Azure AD roles.

  4. Select Roles or Members.

    [Screenshot: Azure AD roles with Roles and Members menu options highlighted]

  5. Select Add member to open Add managed members.

  6. Select Select a role, select a role you want to manage, and then select Select.

    [Screenshot: Select a role pane listing Azure AD roles]

  7. Select Select members, select the users you want to assign to the role, and then select Select.

    [Screenshot: Select members pane where you can select a user]

  8. In Add managed members, select OK to add the user to the role.

  9. In the list of roles, select the role you just assigned to see the list of members.

    When the role is assigned, the user you selected will appear in the members list as Eligible for the role.

    [Screenshot: Members of a role are listed along with their activation state]

  10. Now that the user is eligible for the role, let them know that they can activate it according to the instructions in Activate my Azure AD roles in Privileged Identity Management.

    Eligible administrators are asked to register for Azure Multi-Factor Authentication (MFA) during activation. If a user cannot register for MFA, or is using a Microsoft account (usually @outlook.com), you need to make them permanent in all their roles.

Make a role assignment permanent

By default, new users are only Eligible for an Azure AD admin role. Follow these steps if you want to make a role assignment permanent.

  1. Open Azure AD Privileged Identity Management.

  2. Select Azure AD roles.

  3. Select Members.

    [Screenshot: Azure AD roles - Members list showing role and activation state]

  4. Select an Eligible role that you want to make permanent.

  5. Select More and then select Make perm.

    [Screenshot: Pane listing a user that is eligible for a role with the More menu options open]

    The role is now listed as permanent.

    [Screenshot: Members list showing role and activation state that is now permanent]

Remove a user from a role

You can remove users from role assignments, but make sure there is always at least one user who is a permanent Global Administrator. If you're not sure which users still need their role assignments, you can start an access review for the role.

Follow these steps to remove a specific user from an Azure AD admin role.

  1. Open Azure AD Privileged Identity Management.

  2. Select Azure AD roles.

  3. Select Members.

    [Screenshot: Azure AD roles - Members list showing role and activation state]

  4. Select the role assignment you want to remove.

  5. Select More and then Remove.

    [Screenshot: Pane listing a user that has a permanent role with the More menu options open]

  6. When you're asked to confirm the action, select Yes.

    [Screenshot: Message asking if you want to remove a member from the role]

    The role assignment is removed.
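The three portal procedures above (make a user eligible, make an assignment permanent, remove an assignment) can also be driven from PowerShell. The following is an added example, not code from the article: it uses the AzureADPreview module's PIM cmdlets, first applies the article's rule of never being left without a permanent Global Administrator, and then creates an Eligible assignment. The tenant is read from the signed-in session; the role name and user UPN are placeholders, and the OData filter on roleDefinitionId is assumed to be supported by Get-AzureADMSPrivilegedRoleAssignment.

```powershell
# Added example (not from the original article). Requires the AzureADPreview
# module and a Privileged Role Administrator sign-in.
Import-Module AzureADPreview
Connect-AzureAD | Out-Null

$tenantId = (Get-AzureADTenantDetail).ObjectId
$roleName = 'Security Administrator'     # placeholder: role to make the user eligible for
$userUpn  = 'alice@contoso.example'      # placeholder: user to assign

# Resolve the PIM role definition and the user object.
$roleDef = Get-AzureADMSPrivilegedRoleDefinition -ProviderId 'aadRoles' -ResourceId $tenantId `
    -Filter "DisplayName eq '$roleName'"
$user = Get-AzureADUser -ObjectId $userUpn

# Safety check from the article: always keep at least one permanent Global Administrator.
# A permanent assignment is Active with no EndDateTime.
$gaDef = Get-AzureADMSPrivilegedRoleDefinition -ProviderId 'aadRoles' -ResourceId $tenantId `
    -Filter "DisplayName eq 'Global Administrator'"
$permanentGAs = Get-AzureADMSPrivilegedRoleAssignment -ProviderId 'aadRoles' -ResourceId $tenantId `
    -Filter "roleDefinitionId eq '$($gaDef.Id)'" |   # assumed filter property
    Where-Object { $_.AssignmentState -eq 'Active' -and $null -eq $_.EndDateTime }
Write-Host "Permanent Global Administrators: $(@($permanentGAs).Count)"
if (@($permanentGAs).Count -lt 1) {
    throw 'Refusing to change assignments: no permanent Global Administrator remains.'
}

# Eligible assignment with no end date (the default state for a newly added user).
# Use -AssignmentState 'Active' to make it permanent, or -Type 'AdminRemove' to remove it.
$schedule = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedSchedule
$schedule.Type = 'Once'
$schedule.StartDateTime = (Get-Date).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss.fffZ')
$schedule.EndDateTime = $null

Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId 'aadRoles' -ResourceId $tenantId `
    -RoleDefinitionId $roleDef.Id -SubjectId $user.ObjectId `
    -Type 'AdminAdd' -AssignmentState 'Eligible' -Schedule $schedule `
    -Reason "Eligible assignment for $roleName"
```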

Authorization error when assigning roles

Scenario: As an active owner or user access administrator for an Azure resource, you are able to see your resource inside Privileged Identity Management but can't perform any actions such as making an eligible assignment or viewing a list of role assignments from the resource overview page. Any of these actions results in an authorization error.

To assign roles, the MS-PIM service principal must be assigned the User Access Administrator role in Azure role-based access control for Azure resource access (as opposed to Azure AD administration roles). Instead of waiting until MS-PIM is assigned the User Access Administrator role, you can assign it manually.

The following steps assign the User Access Administrator role to the MS-PIM service principal for a subscription.

  1. Sign into the Azure portal as a Global administrator in your Azure AD organization.

  2. Choose All services and then Subscriptions.

  3. Choose your subscription.

  4. Choose Access control (IAM).

  5. Choose Role assignments to see the current list of role assignments at the subscription scope.

    [Screenshot: Access control (IAM) blade for a subscription]

  6. Check whether the MS-PIM service principal is assigned the User Access Administrator role.

  7. If not, choose Add role assignment to open the Add role assignment pane.

  8. In the Role drop-down list, select the User Access Administrator role.

  9. In the Select list, find and select the MS-PIM service principal.

    [Screenshot: Add role assignment pane - Add permissions for MS-PIM service principal]

  10. Choose Save to assign the role.

    After a few moments, the MS-PIM service principal is assigned the User Access Administrator role at the subscription scope.

    [Screenshot: Access control (IAM) blade showing User Access Administrator role assignment for MS-PIM]
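The same check-then-assign procedure (steps 6 through 10) with the Az PowerShell module, as an added example that is not part of the article. The subscription id is a placeholder; the script only creates the assignment when MS-PIM does not already hold User Access Administrator at exactly the subscription scope.

```powershell
# Added example (not from the original article). Requires Az.Accounts and
# Az.Resources, signed in as a user who can write role assignments on the subscription.
Import-Module Az.Accounts, Az.Resources
Connect-AzAccount | Out-Null

$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder subscription id
$scope    = "/subscriptions/$subscriptionId"
$roleName = 'User Access Administrator'
Set-AzContext -SubscriptionId $subscriptionId | Out-Null

# Resolve the MS-PIM service principal in the tenant.
$msPim = Get-AzADServicePrincipal -DisplayName 'MS-PIM'
if (-not $msPim) { throw 'MS-PIM service principal not found in this tenant.' }

# Step 6: look for an existing assignment at the subscription scope itself.
# Get-AzRoleAssignment also returns inherited assignments, so filter on Scope.
$existing = Get-AzRoleAssignment -ObjectId $msPim.Id -Scope $scope -RoleDefinitionName $roleName |
    Where-Object { $_.Scope -eq $scope }

if ($existing) {
    Write-Host "MS-PIM already holds '$roleName' at $scope; nothing to do."
} else {
    # Steps 7 to 10: create the assignment.
    New-AzRoleAssignment -ObjectId $msPim.Id -RoleDefinitionName $roleName -Scope $scope | Out-Null
    Write-Host "Assigned '$roleName' to MS-PIM at $scope."
}

# Verify. As the article notes, the assignment can take a few moments to appear.
Get-AzRoleAssignment -ObjectId $msPim.Id -Scope $scope |
    Select-Object DisplayName, RoleDefinitionName, Scope
```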

Next steps