Assign Azure AD roles in Privileged Identity Management

With Azure Active Directory (Azure AD), a Global administrator can make permanent Azure AD admin role assignments. These role assignments can be created using the Azure portal or using PowerShell commands.

The Azure AD Privileged Identity Management (PIM) service also allows Privileged role administrators to make permanent admin role assignments. Additionally, Privileged role administrators can make users eligible for Azure AD admin roles. An eligible administrator can activate the role when they need it, and then their permissions expire once they're done.

Privileged Identity Management supports both built-in and custom Azure AD roles. For more information on Azure AD custom roles, see Role-based access control in Azure Active Directory.

Assign a role

Follow these steps to make a user eligible for an Azure AD admin role.

  1. Sign in to the Azure portal with a user that is a member of the Privileged role administrator role.

  2. Open Azure AD Privileged Identity Management.

  3. Select Azure AD roles.

  4. Select Roles to see the list of roles for Azure AD permissions.

    Screenshot of the "Roles" page with the "Add assignments" action selected.

  5. Select Add assignments to open the Add assignments page.

  6. Select Select a role to open the Select a role page.

    New assignment pane

  7. Select the role you want to assign, select the member you want to assign to the role, and then select Next.

  8. In the Assignment type list on the Membership settings pane, select Eligible or Active.

    • Eligible assignments require the member of the role to perform an action to use the role. Actions might include performing a multi-factor authentication (MFA) check, providing a business justification, or requesting approval from designated approvers.

    • Active assignments don't require the member to perform any action to use the role. Members assigned as active have the privileges assigned to the role at all times.

  9. To specify a specific assignment duration, set the start and end dates and times in the corresponding boxes. When finished, select Assign to create the new role assignment.

    Memberships settings - date and time

  10. After the role is assigned, an assignment status notification is displayed.

    New assignment - Notification

Assign a role with restricted scope

For certain roles, the scope of the granted permissions can be restricted to a single administrative unit, service principal, or application. This procedure is an example of assigning a role that has the scope of an administrative unit. For a list of roles that support scope via administrative unit, see Assign scoped roles to an administrative unit. This feature is currently being rolled out to Azure AD organizations.

  1. Sign in to the Azure Active Directory admin center with Privileged Role Administrator permissions.

  2. Select Azure Active Directory > Roles and administrators.

  3. Select the User Administrator.

    The Add assignment command is available when you open a role in the portal

  4. Select Add assignments.

    When a role supports scope, you can select a scope

  5. On the Add assignments page, you can:

    • Select a user or group to be assigned to the role
    • Select the role scope (in this case, administrative units)
    • Select an administrative unit for the scope

For more information about creating administrative units, see Add and remove administrative units.
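The two procedures above (an eligible, time-bound assignment, and a scope restricted to an administrative unit) can also be performed from PowerShell, which the article mentions as an alternative to the portal. The following is an added example using the Microsoft Graph PowerShell SDK, not code from the original article; the user principal name, administrative unit name, and justification text are constructed placeholders.

```powershell
# Added example (not from the original article): create an Eligible, time-bound
# PIM assignment for the User Administrator role, scoped to one administrative unit.
# 'alice@contoso.example' and 'Seattle Users' are constructed placeholders.
#Requires -Modules Microsoft.Graph.Identity.Governance, Microsoft.Graph.Identity.DirectoryManagement, Microsoft.Graph.Users

Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory', 'AdministrativeUnit.Read.All', 'User.Read.All'

$principal = Get-MgUser -UserId 'alice@contoso.example'                                   # placeholder member
$adminUnit = Get-MgDirectoryAdministrativeUnit -Filter "displayName eq 'Seattle Users'"   # placeholder AU
$roleDef   = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'User Administrator'"

# Eligible rather than Active: the member must activate the role, which is where the
# MFA, business-justification and approval requirements described in step 8 apply.
$request = @{
    Action           = 'adminAssign'
    PrincipalId      = $principal.Id
    RoleDefinitionId = $roleDef.Id
    # Restricted scope (one administrative unit). '/' would make the assignment tenant-wide.
    DirectoryScopeId = "/administrativeUnits/$($adminUnit.Id)"
    Justification    = 'Time-bound eligibility for regional helpdesk lead'   # placeholder text
    ScheduleInfo     = @{
        StartDateTime = (Get-Date).ToUniversalTime()
        Expiration    = @{
            Type        = 'afterDateTime'
            EndDateTime = (Get-Date).ToUniversalTime().AddDays(90)   # end date and time, as in step 9
        }
    }
}
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $request

# Review check: list Active assignments of this role that never expire, i.e. standing
# privilege that should be reviewed and, where possible, converted to Eligible.
Get-MgRoleManagementDirectoryRoleAssignmentSchedule -Filter "roleDefinitionId eq '$($roleDef.Id)'" -ExpandProperty principal |
    Where-Object { $_.ScheduleInfo.Expiration.Type -eq 'noExpiration' } |
    Select-Object @{ n = 'Principal'; e = { $_.Principal.AdditionalProperties.displayName } }, DirectoryScopeId, AssignmentType
```

The request is processed asynchronously; the new row appears on the role's Eligible roles tab in the portal once provisioning completes.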

Update or remove an existing role assignment

Follow these steps to update or remove an existing role assignment. Azure AD P2 licensed customers only: Don't assign a group as Active to a role through both Azure AD and Privileged Identity Management (PIM). For a detailed explanation, see Known issues.

  1. Open Azure AD Privileged Identity Management.

  2. Select Azure AD roles.

  3. Select Roles to see the list of roles for Azure AD.

  4. Select the role that you want to update or remove.

  5. Find the role assignment on the Eligible roles or Active roles tabs.

    Update or remove role assignment

  6. Select Update or Remove to update or remove the role assignment.

Next steps