Assign Azure AD roles in Privileged Identity Management

With Azure Active Directory (Azure AD), a Global administrator can make permanent Azure AD admin role assignments. These role assignments can be created using the Azure portal or using PowerShell commands.

The Azure AD Privileged Identity Management (PIM) service also allows Privileged role administrators to make permanent admin role assignments. Additionally, Privileged role administrators can make users eligible for Azure AD admin roles. An eligible administrator holds no privileges until they activate the role when they need it; the permissions are removed again when the activation period ends.

Determine your version of PIM

Beginning in November 2019, the Azure AD roles portion of Privileged Identity Management is being updated to a new version that matches the experience for Azure resource roles. The new version adds features and changes the existing API. While it is being rolled out, the procedures you follow in this article depend on which version of Privileged Identity Management your tenant currently has. Follow the steps in this section to determine your version, and then select the procedures in this article that match it.

  1. Sign in to the Azure portal with a user who is in the Privileged role administrator role.
  2. Open Azure AD Privileged Identity Management. If you have a banner on the top of the overview page, follow the instructions in the New version tab of this article. Otherwise, follow the instructions in the Previous version tab.

Select Azure AD > Privileged Identity Management.

Assign a role

Follow these steps to make a user eligible for an Azure AD admin role.

  1. Sign in to the Azure portal with a user who is a member of the Privileged role administrator role.

    For information about how to grant another administrator access to manage Privileged Identity Management, see Grant access to other administrators to manage Privileged Identity Management.

  2. Open Azure AD Privileged Identity Management.

  3. Select Azure AD roles.

  4. Select Roles to see the list of roles for Azure AD permissions.

    Screenshot of the "Roles" page with the "Add assignments" action selected.

  5. Select Add assignments to open the Add assignments page.

  6. Select Select a role to open the Select a role page.

    New assignment pane

  7. Select a role you want to assign, select a member to whom you want to assign to the role, and then select Next.

  8. In the Assignment type list on the Membership settings pane, select Eligible or Active.

    • Eligible assignments require the member of the role to perform an action to use the role. Actions might include performing a multi-factor authentication (MFA) check, providing a business justification, or requesting approval from designated approvers.

    • Active assignments don't require the member to perform any action to use the role. Members assigned as active have the privileges assigned to the role at all times.

  9. To limit the assignment to a specific period, enter a start and an end date and time in the boxes provided. When finished, select Assign to create the new role assignment.

    Memberships settings - date and time

  10. After the role is assigned, an assignment status notification is displayed.

    New assignment - Notification
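The same eligible and active assignments, made from PowerShell instead of the portal, as an added example that is not part of the original article. It assumes the Microsoft Graph PowerShell SDK (the Microsoft.Graph.Users and Microsoft.Graph.Identity.Governance modules) is installed, that the signed-in account holds the Privileged Role Administrator role, and that the user principal name, role name and justification strings are placeholders to replace. The first request creates an eligible assignment that expires after one year; the second creates an active assignment bounded to a 24-hour window.

```powershell
# Added example (not from the original article): assign an Azure AD role through
# Microsoft Graph PowerShell. Assumed: Microsoft.Graph modules are installed and the
# caller is a Privileged Role Administrator.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "User.Read.All"

# Placeholders: replace with a real user and the role you want to assign.
$userUpn  = "alice@contoso.com"
$roleName = "User Administrator"

$principal = Get-MgUser -UserId $userUpn
$role      = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
if (-not $role) { throw "Role '$roleName' not found" }

$now = (Get-Date).ToUniversalTime()

# 1. Eligible assignment (Assignment type = Eligible), tenant-wide scope "/",
#    expiring after one year. The user gets no privileges until they activate the role.
$eligibleRequest = @{
    action           = "adminAssign"
    justification    = "Helpdesk lead: eligible for $roleName"
    roleDefinitionId = $role.Id
    principalId      = $principal.Id
    directoryScopeId = "/"                 # "/" means the whole tenant
    scheduleInfo     = @{
        startDateTime = $now
        expiration    = @{
            type        = "afterDateTime"  # alternatives: afterDuration, noExpiration
            endDateTime = $now.AddDays(365)
        }
    }
}
$eligible = New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $eligibleRequest
"Eligible request {0}: {1}" -f $eligible.Id, $eligible.Status

# 2. Active assignment (Assignment type = Active), bounded to a 24-hour window.
#    The user holds the privileges for the whole window without activating anything,
#    so keep the window short rather than choosing noExpiration.
$activeRequest = @{
    action           = "adminAssign"
    justification    = "Change ticket: 24h active $roleName for migration"
    roleDefinitionId = $role.Id
    principalId      = $principal.Id
    directoryScopeId = "/"
    scheduleInfo     = @{
        startDateTime = $now
        expiration    = @{
            type     = "afterDuration"
            duration = "PT24H"             # ISO 8601 duration
        }
    }
}
$active = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $activeRequest
"Active request {0}: {1}" -f $active.Id, $active.Status
```

The two request types map directly onto the Assignment type list in the portal: an eligibility schedule request creates an Eligible assignment, an assignment schedule request creates an Active one. The `scheduleInfo` block is where the start and end date and time boxes from step 9 end up; a request without an expiration is the permanent assignment the introduction describes.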

Assign a role with restricted scope

For certain roles, the scope of the granted permissions can be restricted to a single administrative unit, service principal, or application. This procedure is an example of assigning a role whose scope is an administrative unit. For a list of roles that support scoping to an administrative unit, see Assign scoped roles to an administrative unit. This feature is currently being rolled out to Azure AD organizations.

  1. Sign in to the Azure Active Directory admin center with Privileged Role Administrator permissions.

  2. Select Azure Active Directory > Roles and administrators.

  3. Select the User Administrator role.

    The Add assignment command is available when you open a role in the portal

  4. Select Add assignments.

    When a role supports scope, you can select a scope

  5. On the Add assignments page, you can:

    • Select a user or group to be assigned to the role
    • Select the role scope (in this case, administrative units)
    • Select an administrative unit for the scope

For more information about creating administrative units, see Add and remove administrative units.
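The administrative-unit-scoped assignment from the procedure above, made through Microsoft Graph PowerShell, as an added example that is not part of the original article. It assumes the Microsoft.Graph.Users, Microsoft.Graph.Identity.DirectoryManagement and Microsoft.Graph.Identity.Governance modules are installed, that the caller is a Privileged Role Administrator, and that the administrative unit name and user principal name are placeholders. It ends by reading the schedule back to confirm the scope is the administrative unit and not the whole tenant.

```powershell
# Added example (not from the original article): scope a User Administrator eligibility
# to one administrative unit via Microsoft Graph PowerShell. Assumed: Microsoft.Graph
# modules installed; caller is a Privileged Role Administrator; names are placeholders.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "AdministrativeUnit.Read.All", "User.Read.All"

$auName  = "Contoso-Sales"
$userUpn = "bob@contoso.com"

$au        = Get-MgDirectoryAdministrativeUnit -Filter "displayName eq '$auName'"
$principal = Get-MgUser -UserId $userUpn
$role      = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'User Administrator'"
if (-not $au) { throw "Administrative unit '$auName' not found" }

# directoryScopeId restricts the role to objects inside the AU; "/" would be the whole tenant.
$request = @{
    action           = "adminAssign"
    justification    = "Regional helpdesk: manage users in $auName only"
    roleDefinitionId = $role.Id
    principalId      = $principal.Id
    directoryScopeId = "/administrativeUnits/$($au.Id)"
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = "noExpiration" }
    }
}
$result = New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $request
"Request {0}: {1}" -f $result.Id, $result.Status

# Verify the scope actually landed on the AU. A tenant-wide assignment created by mistake
# would grant user management over every account, so check before closing the ticket.
$schedule = Get-MgRoleManagementDirectoryRoleEligibilitySchedule `
    -Filter "principalId eq '$($principal.Id)' and roleDefinitionId eq '$($role.Id)'"
$schedule | Select-Object Id, DirectoryScopeId, Status
if ($schedule.DirectoryScopeId -ne "/administrativeUnits/$($au.Id)") {
    Write-Warning "Scope is '$($schedule.DirectoryScopeId)', not the expected administrative unit"
}
```

The only difference from a tenant-wide assignment is the `directoryScopeId` value; everything else in the request is identical, which is why reading the scope back is worth the extra call.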

Update or remove an existing role assignment

Follow these steps to update or remove an existing role assignment.

  1. Open Azure AD Privileged Identity Management.

  2. Select Azure AD roles.

  3. Select Roles to see the list of roles for Azure AD.

  4. Select the role that you want to update or remove.

  5. Find the role assignment on the Eligible roles or Active roles tabs.

    Update or remove role assignment

  6. Select Update or Remove to update or remove the role assignment.

Next steps