Assign Azure AD roles in Privileged Identity Management

With Azure Active Directory (Azure AD), a Global administrator can make permanent Azure AD admin role assignments. These role assignments can be created using the Azure portal or using PowerShell commands.

The Azure AD Privileged Identity Management (PIM) service also allows Privileged role administrators to make permanent admin role assignments. Additionally, Privileged role administrators can make users eligible for Azure AD admin roles. An eligible administrator can activate the role when they need it, and then their permissions expire once they're done.

Determine your version of PIM

Beginning in November 2019, the Azure AD roles portion of Privileged Identity Management is being updated to a new version that matches the experience for Azure resource roles. The new version adds features and changes the existing API. While it is being rolled out, the procedures you follow in this article depend on the version of Privileged Identity Management you currently have. Follow the steps in this section to determine which version you have, then select the procedures in this article that match that version.

  1. Sign in to the Azure portal with a user who is in the Privileged role administrator role.
  2. Open Azure AD Privileged Identity Management. If you have a banner on the top of the overview page, follow the instructions in the New version tab of this article. Otherwise, follow the instructions in the Previous version tab.

Select Azure AD > Privileged Identity Management.

Assign a role

Follow these steps to make a user eligible for an Azure AD admin role.

  1. Sign in to the Azure portal with a user who is a member of the Privileged role administrator role.

    For information about how to grant another administrator access to manage Privileged Identity Management, see Grant access to other administrators to manage Privileged Identity Management.

  2. Open Azure AD Privileged Identity Management.

  3. Select Azure AD roles.

  4. Select Roles to see the list of roles for Azure AD permissions.

    Azure AD roles

  5. Select Add assignments to open the Add assignments page.

  6. Select Select a role to open the Select a role page.

    New assignment pane

  7. Select the role you want to assign, select the member to whom you want to assign the role, and then select Next.

  8. In the Assignment type list on the Membership settings pane, select Eligible or Active.

    • Eligible assignments require the member of the role to perform an action to use the role. Actions might include performing a multi-factor authentication (MFA) check, providing a business justification, or requesting approval from designated approvers.

    • Active assignments don't require the member to perform any action to use the role. Members assigned as active have the privileges assigned to the role at all times.

  9. To limit the assignment to a specific duration, fill in the start and end date and time boxes. When finished, select Assign to create the new role assignment.

    Memberships settings - date and time

  10. After the role is assigned, an assignment status notification is displayed.

    New assignment - Notification
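The same eligible, time-bound assignment can be created from PowerShell, which is useful when you want the grant to be reproducible and reviewable rather than clicked through the portal. The following is an added example, not code from this article or from the PIM service itself; it assumes the AzureADPreview module is installed and uses its Open-AzureADMSPrivilegedRoleAssignmentRequest cmdlet. The user principal name, role name and justification are placeholders.

```powershell
# Added example (not from the original article): create a time-bound *eligible*
# Azure AD role assignment through PIM with the AzureADPreview module.
# Placeholders: the UPN, role name and reason below are not values from the page.
Connect-AzureAD | Out-Null

$tenantId = (Get-AzureADTenantDetail).ObjectId
$userUpn  = 'alice@contoso.example'   # placeholder user
$roleName = 'Security Reader'         # placeholder; any Azure AD admin role display name

# Resolve the subject (the user) and the PIM role definition for this tenant.
$subject = Get-AzureADUser -ObjectId $userUpn
$roleDef = Get-AzureADMSPrivilegedRoleDefinition -ProviderId 'aadRoles' -ResourceId $tenantId |
           Where-Object { $_.DisplayName -eq $roleName }
if (-not $roleDef) { throw "Role '$roleName' was not found in the PIM role definitions." }

# Eligibility window (step 9): start now, expire in 30 days, instead of a permanent grant.
$schedule = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedSchedule
$schedule.Type          = 'Once'
$schedule.StartDateTime = (Get-Date).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss.fffZ')
$schedule.EndDateTime   = (Get-Date).AddDays(30).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss.fffZ')

# 'AdminAdd' with 'Eligible' mirrors the Eligible assignment type in step 8: the user
# must activate the role (MFA, justification or approval, per the role settings) to use it.
Open-AzureADMSPrivilegedRoleAssignmentRequest `
    -ProviderId       'aadRoles' `
    -ResourceId       $tenantId `
    -RoleDefinitionId $roleDef.Id `
    -SubjectId        $subject.ObjectId `
    -Type             'AdminAdd' `
    -AssignmentState  'Eligible' `
    -Schedule         $schedule `
    -Reason           'Placeholder justification: scoped, time-bound eligibility' | Out-Null

# Verify the result, the equivalent of checking the Eligible roles tab in the portal.
Get-AzureADMSPrivilegedRoleAssignment -ProviderId 'aadRoles' -ResourceId $tenantId `
    -Filter "subjectId eq '$($subject.ObjectId)' and roleDefinitionId eq '$($roleDef.Id)'" |
    Select-Object AssignmentState, StartDateTime, EndDateTime, MemberType
```

Choosing Eligible with an end date keeps the user out of the role until they activate it and removes the eligibility automatically when the window closes, so a forgotten assignment does not become standing privilege.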

Update or remove an existing role assignment

Follow these steps to update or remove an existing role assignment.

  1. Open Azure AD Privileged Identity Management.

  2. Select Azure AD roles.

  3. Select Roles to see the list of roles for Azure AD.

  4. Select the role that you want to update or remove.

  5. Find the role assignment on the Eligible roles or Active roles tabs.

    Update or remove role assignment

  6. Select Update or Remove to update or remove the role assignment.
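The update and remove actions in steps 5 and 6 map onto the AdminUpdate and AdminRemove request types of the same cmdlet. The following added example (not code from this article or from PIM) first locates the existing assignment for a user and role, then shortens its end date and finally revokes it; it assumes the AzureADPreview module, and the user principal name and role name are placeholders.

```powershell
# Added example (not from the original article): find an existing PIM assignment for a
# user/role pair, tighten its end date (AdminUpdate), then remove it (AdminRemove).
# Placeholders: the UPN and role name are not values from the page.
Connect-AzureAD | Out-Null

$tenantId = (Get-AzureADTenantDetail).ObjectId
$subject  = Get-AzureADUser -ObjectId 'alice@contoso.example'   # placeholder user
$roleDef  = Get-AzureADMSPrivilegedRoleDefinition -ProviderId 'aadRoles' -ResourceId $tenantId |
            Where-Object { $_.DisplayName -eq 'Security Reader' }  # placeholder role
if (-not $roleDef) { throw 'Placeholder role was not found in the PIM role definitions.' }

# Step 5: find the assignment (it may appear as Eligible or Active; take the first match).
$assignment = Get-AzureADMSPrivilegedRoleAssignment -ProviderId 'aadRoles' -ResourceId $tenantId `
    -Filter "subjectId eq '$($subject.ObjectId)' and roleDefinitionId eq '$($roleDef.Id)'" |
    Select-Object -First 1
if (-not $assignment) { throw 'No PIM assignment exists for this user and role.' }
"Found assignment: state=$($assignment.AssignmentState) ends=$($assignment.EndDateTime)"

# Step 6 (Update): keep the start, move the end date to 7 days from now.
$schedule = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedSchedule
$schedule.Type          = 'Once'
$schedule.StartDateTime = $assignment.StartDateTime
$schedule.EndDateTime   = (Get-Date).AddDays(7).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss.fffZ')
Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId 'aadRoles' -ResourceId $tenantId `
    -RoleDefinitionId $roleDef.Id -SubjectId $subject.ObjectId `
    -Type 'AdminUpdate' -AssignmentState $assignment.AssignmentState `
    -Schedule $schedule -Reason 'Placeholder: shorten assignment window' | Out-Null

# Step 6 (Remove): revoke the assignment outright.
Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId 'aadRoles' -ResourceId $tenantId `
    -RoleDefinitionId $roleDef.Id -SubjectId $subject.ObjectId `
    -Type 'AdminRemove' -AssignmentState $assignment.AssignmentState `
    -Reason 'Placeholder: access no longer required' | Out-Null

# Confirm nothing remains for this user/role pair.
Get-AzureADMSPrivilegedRoleAssignment -ProviderId 'aadRoles' -ResourceId $tenantId `
    -Filter "subjectId eq '$($subject.ObjectId)' and roleDefinitionId eq '$($roleDef.Id)'"
```

Passing the existing AssignmentState back into the update and remove requests matters: an Eligible and an Active assignment for the same user and role are separate objects, and the request only acts on the state you name.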
