Assign Azure AD roles in Privileged Identity Management

With Azure Active Directory (Azure AD), a Global administrator can make permanent Azure AD admin role assignments. These role assignments can be created using the Azure portal or using PowerShell commands.

The Azure AD Privileged Identity Management (PIM) service also allows Privileged Role Administrators to make permanent admin role assignments. Additionally, Privileged Role Administrators can make users eligible for Azure AD admin roles. An eligible administrator can activate the role when they need it, and then their permissions expire once they're done.

Determine your version of PIM

Beginning in November 2019, the Azure AD roles portion of Privileged Identity Management is being updated to a new version that matches the experience for Azure resource roles. The update adds features and changes the existing API. While the new version is being rolled out, the procedures you follow in this article depend on the version of Privileged Identity Management you currently have. Follow the steps in this section to determine which version you have, then use the procedures in this article that match it.

  1. Sign in to the Azure portal as a user who is in the Privileged Role Administrator role.

  2. Open Azure AD Privileged Identity Management. If you have a banner on the top of the overview page, follow the instructions in the New version tab of this article. Otherwise, follow the instructions in the Previous version tab.

    Azure AD roles new version

Make a user eligible for a role

Follow these steps to make a user eligible for an Azure AD admin role.

  1. Select Roles or Members.

    Azure AD roles

  2. Select Add member to open Add managed members.

  3. Select Select a role, select a role you want to manage, and then select Select.

    Select a role

  4. Select Select members, select the users you want to assign to the role, and then select Select.

    Select a role

  5. In Add managed members, select OK to add the user to the role.

  6. In the list of roles, select the role you just assigned to see the list of members.

    When the role is assigned, the user you selected will appear in the members list as Eligible for the role.

    User eligible for a role

  7. Now that the user is eligible for the role, let them know that they can activate it according to the instructions in Activate my Azure AD roles in Privileged Identity Management.

    Eligible administrators are asked to register for Azure Multi-Factor Authentication (MFA) during activation. If a user cannot register for MFA, or is using a Microsoft account (such as @outlook.com), you need to make them permanent in all their roles. A permanent assignment is not subject to the MFA prompt and justification that activation enforces, so keep the number of such accounts to a minimum and include them in access reviews.
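The procedure above expressed as a script, as an added example that is not part of the original article. It uses the Microsoft Graph PowerShell SDK (assumed to be installed; cmdlet names are from the Microsoft.Graph.Identity.Governance and Microsoft.Graph.Users modules) rather than the portal, and the caller must hold the Privileged Role Administrator role. The user principal name, role name, eligibility window and justification are placeholders; the guest check stands in for the MFA caveat above, since a user who cannot register for MFA should not be made eligible in the first place.

```powershell
# Added example (not from the original article): make a user eligible for an
# Azure AD role with the Microsoft Graph PowerShell SDK. Caller needs the
# Privileged Role Administrator role. UPN, role, window and justification are
# placeholders.
Import-Module Microsoft.Graph.Identity.Governance
Import-Module Microsoft.Graph.Users

Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "User.Read.All"

$userUpn     = "alice@contoso.example"    # placeholder user
$roleName    = "Security Administrator"   # placeholder role
$monthsValid = 6                          # eligibility window (placeholder)

$user = Get-MgUser -UserId $userUpn -Property Id, UserPrincipalName, UserType
if ($user.UserType -eq "Guest") {
    # Guests (including invited Microsoft accounts) may not be able to complete
    # MFA registration at activation time; see the note above.
    Write-Warning "$userUpn is a guest account; confirm it can register for MFA before continuing."
}

$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
if (-not $role) { throw "Role '$roleName' was not found." }

$start = (Get-Date).ToUniversalTime()
$body = @{
    action           = "adminAssign"        # an administrator creates the eligibility
    justification    = "On-call duty (placeholder justification)"
    roleDefinitionId = $role.Id
    directoryScopeId = "/"                  # tenant-wide scope
    principalId      = $user.Id
    scheduleInfo     = @{
        startDateTime = $start.ToString("o")
        expiration    = @{
            type        = "afterDateTime"   # eligibility ends on this date, not the activation
            endDateTime = $start.AddMonths($monthsValid).ToString("o")
        }
    }
}

$request = New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $body
"Request $($request.Id) submitted with status '$($request.Status)'."

# Verify: the user should now be listed as Eligible and hold no active
# assignment until they activate the role themselves.
$filter   = "principalId eq '$($user.Id)' and roleDefinitionId eq '$($role.Id)'"
$eligible = Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter $filter
$active   = Get-MgRoleManagementDirectoryRoleAssignmentSchedule -Filter $filter

if ($eligible -and -not $active) {
    "$userUpn is eligible for '$roleName' until $($eligible.ScheduleInfo.Expiration.EndDateTime) and holds no active assignment."
}
```

The final check is the scripted equivalent of step 6: an eligibility schedule exists and no assignment schedule does, which is what "Eligible" in the members list means.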

Make a role assignment permanent

By default, users you add through Privileged Identity Management are only eligible for an Azure AD admin role; an eligible assignment grants no permissions until the user activates it. Follow these steps if you want to make a role assignment permanent.

  1. Open Azure AD Privileged Identity Management.

  2. Select Azure AD roles.

  3. Select Members.

    List of members

  4. Select an Eligible role that you want to make permanent.

  5. Select More and then select Make perm.

    Make role assignment permanent

    The role is now listed as permanent.

    List of members with permanent change
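The same change made with the Microsoft Graph PowerShell SDK, as an added example that is not part of the original article. It reads "permanent" the way the article does, as a permanently active assignment rather than an eligibility: it confirms an eligible assignment exists, creates an active assignment with no expiration at the same scope, and then removes the now-redundant eligibility so the member list shows a single entry. The cmdlets are assumed from the Microsoft.Graph.Identity.Governance module; the user object id, role name and justifications are placeholders.

```powershell
# Added example (not from the original article): convert an eligible
# assignment into a permanent active one with the Microsoft Graph PowerShell
# SDK. Caller needs Privileged Role Administrator. Ids and names are
# placeholders.
Import-Module Microsoft.Graph.Identity.Governance

Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory"

$principalId = "00000000-0000-0000-0000-000000000000"  # placeholder user object id
$roleName    = "Security Administrator"                 # placeholder role

$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
if (-not $role) { throw "Role '$roleName' was not found." }
$filter = "principalId eq '$principalId' and roleDefinitionId eq '$($role.Id)'"

# Only convert an assignment that exists as Eligible today (step 4 above).
$eligible = Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter $filter | Select-Object -First 1
if (-not $eligible) { throw "No eligible assignment for '$roleName' found for $principalId." }

# Permanent active assignment: expiration type noExpiration, no endDateTime.
$assign = @{
    action           = "adminAssign"
    justification    = "Account cannot complete MFA at activation (placeholder)"
    roleDefinitionId = $role.Id
    directoryScopeId = $eligible.DirectoryScopeId   # keep the scope of the eligibility
    principalId      = $principalId
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString("o")
        expiration    = @{ type = "noExpiration" }
    }
}
$req = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $assign
"Active assignment request $($req.Id): $($req.Status)"

# Remove the eligibility that the permanent assignment supersedes.
$remove = @{
    action           = "adminRemove"
    justification    = "Superseded by permanent active assignment (placeholder)"
    roleDefinitionId = $role.Id
    directoryScopeId = $eligible.DirectoryScopeId
    principalId      = $principalId
}
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $remove | Out-Null

# Verify: one permanent active schedule and no eligibility remain.
$active = Get-MgRoleManagementDirectoryRoleAssignmentSchedule -Filter $filter
if ($active.ScheduleInfo.Expiration.Type -eq "noExpiration" -and
    -not (Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter $filter)) {
    "$principalId now holds '$roleName' permanently."
}
```

If you would rather keep the user eligible but drop the expiry date, submit the first request through New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest instead and skip the removal; the scheduleInfo block is the same.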

Remove a user from a role

You can remove users from role assignments, but make sure there is always at least one user who is a permanent Global Administrator, ideally a dedicated emergency-access account. If you're not sure which users still need their role assignments, start an access review for the role before removing anyone.

Follow these steps to remove a specific user from an Azure AD admin role.

  1. Open Azure AD Privileged Identity Management.

  2. Select Azure AD roles.

  3. Select Members.

    List of members

  4. Select a role assignment you want to remove.

  5. Select More and then select Remove.

    Remove a role

  6. In the message that asks you to confirm, select Yes.

    Remove a role

    The role assignment is removed.
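The removal as a script, as an added example that is not part of the original article. It uses the Microsoft Graph PowerShell SDK (cmdlets assumed from the Microsoft.Graph.Identity.Governance module) and enforces the rule stated above: when the role being removed is Global Administrator, it refuses to continue unless at least one other principal holds a permanent active Global Administrator assignment. Active assignments and eligibilities are tracked separately, so both are removed. The user object id and role name are placeholders; the Global Administrator template id is the built-in one.

```powershell
# Added example (not from the original article): remove a user's eligible and
# active assignments for one Azure AD role, guarding against removing the last
# permanent Global Administrator. Ids and names below are placeholders.
Import-Module Microsoft.Graph.Identity.Governance

Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory"

$principalId = "00000000-0000-0000-0000-000000000000"  # placeholder user object id
$roleName    = "Global Administrator"                   # placeholder role
$gaRoleId    = "62e90394-69f5-4237-9190-012177145e10"   # built-in Global Administrator template id

$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
if (-not $role) { throw "Role '$roleName' was not found." }

# Guard from the text above: never remove the last permanent Global Administrator.
if ($role.Id -eq $gaRoleId) {
    $otherPermanentGAs = Get-MgRoleManagementDirectoryRoleAssignmentSchedule -All `
        -Filter "roleDefinitionId eq '$gaRoleId'" |
        Where-Object {
            $_.AssignmentType -eq "Assigned" -and                   # directly assigned, not an activation
            $_.ScheduleInfo.Expiration.Type -eq "noExpiration" -and  # permanent
            $_.PrincipalId -ne $principalId                          # someone other than the user being removed
        }
    if (-not $otherPermanentGAs) {
        throw "Refusing: $principalId is the only permanent Global Administrator."
    }
}

$filter = "principalId eq '$principalId' and roleDefinitionId eq '$($role.Id)'"
$common = @{
    action           = "adminRemove"
    justification    = "Access review follow-up (placeholder)"
    roleDefinitionId = $role.Id
    principalId      = $principalId
}

# Remove active assignments first, then eligibilities, each at its own scope.
foreach ($sched in Get-MgRoleManagementDirectoryRoleAssignmentSchedule -Filter $filter) {
    New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest `
        -BodyParameter ($common + @{ directoryScopeId = $sched.DirectoryScopeId }) | Out-Null
    "Removed active assignment at scope $($sched.DirectoryScopeId)"
}
foreach ($sched in Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter $filter) {
    New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest `
        -BodyParameter ($common + @{ directoryScopeId = $sched.DirectoryScopeId }) | Out-Null
    "Removed eligible assignment at scope $($sched.DirectoryScopeId)"
}
```

Removing an eligibility also ends any activation that was derived from it, which is why the guard counts only schedules whose AssignmentType is Assigned.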

Authorization error when assigning roles

If you recently enabled Privileged Identity Management for a subscription and you get an authorization error when you try to make a user eligible for an Azure AD admin role, it might be because the MS-PIM service principal does not yet have the appropriate permissions. The MS-PIM service principal must have the User Access Administrator role to assign roles to others. Instead of waiting until MS-PIM is assigned the User Access Administrator role, you can assign it manually. User Access Administrator lets a principal grant any role at that scope, so confirm you are assigning it to the MS-PIM service principal and not to a similarly named application.

Follow these steps to assign the User Access Administrator role to the MS-PIM service principal for a subscription.

  1. Sign in to the Azure portal as a Global Administrator.

  2. Choose All services and then Subscriptions.

  3. Choose your subscription.

  4. Choose Access control (IAM).

  5. Choose Role assignments to see the current list of role assignments at the subscription scope.

    Access control (IAM) blade for a subscription

  6. Check whether the MS-PIM service principal is assigned the User Access Administrator role.

  7. If not, choose Add role assignment to open the Add role assignment pane.

  8. In the Role drop-down list, select the User Access Administrator role.

  9. In the Select list, find and select the MS-PIM service principal.

    Add role assignment pane - Add permissions for MS-PIM service principal

  10. Choose Save to assign the role.

    After a few moments, the MS-PIM service principal is assigned the User Access Administrator role at the subscription scope.

    Access control page showing User access admin role assignment for the MS-PIM service principal
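Steps 5 through 10 as a script, as an added example that is not part of the original article. It uses Az PowerShell (assumed modules Az.Accounts and Az.Resources) to look up the MS-PIM service principal, check whether it already holds User Access Administrator at the subscription scope itself (ignoring assignments inherited from a management group or root), assign the role if not, and re-read the assignment to confirm. The caller needs Owner or User Access Administrator on the subscription; the subscription id is a placeholder.

```powershell
# Added example (not from the original article): ensure the MS-PIM service
# principal holds User Access Administrator at subscription scope, using Az
# PowerShell. The subscription id is a placeholder.
Import-Module Az.Accounts
Import-Module Az.Resources

Connect-AzAccount | Out-Null

$subscriptionId = "00000000-0000-0000-0000-000000000000"  # placeholder
$scope          = "/subscriptions/$subscriptionId"
$roleName       = "User Access Administrator"

Set-AzContext -SubscriptionId $subscriptionId | Out-Null

$sp = Get-AzADServicePrincipal -DisplayName "MS-PIM"
if (-not $sp) { throw "No service principal named MS-PIM was found in this tenant." }
if (@($sp).Count -gt 1) { throw "More than one principal is named MS-PIM; resolve it by AppId before assigning a role." }

# Step 6: check for an existing assignment at exactly this scope. Get-AzRoleAssignment
# also returns inherited assignments, so filter on Scope.
$existing = Get-AzRoleAssignment -ObjectId $sp.Id -Scope $scope -RoleDefinitionName $roleName |
    Where-Object { $_.Scope -eq $scope }

if ($existing) {
    "MS-PIM already holds '$roleName' at $scope."
} else {
    # Steps 7 to 10: add the role assignment.
    New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $roleName -Scope $scope | Out-Null
    "Assigned '$roleName' to MS-PIM ($($sp.Id)) at $scope."
}

# Re-read to confirm. Role assignment writes take a few moments to become
# visible, so poll briefly instead of trusting the first read.
$confirmed = $false
for ($i = 0; $i -lt 6 -and -not $confirmed; $i++) {
    $check = Get-AzRoleAssignment -ObjectId $sp.Id -Scope $scope -RoleDefinitionName $roleName |
        Where-Object { $_.Scope -eq $scope }
    if ($check) { $confirmed = $true } else { Start-Sleep -Seconds 10 }
}
if ($confirmed) { "Confirmed: MS-PIM holds '$roleName' at $scope." } else { Write-Warning "Assignment not visible yet; check again shortly." }
```

The duplicate-name check matters because any application can register a display name of MS-PIM; granting User Access Administrator to the wrong principal would let it assign roles in the subscription.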

Next steps