Configure Azure AD role settings in Privileged Identity Management

A Privileged role administrator can customize Privileged Identity Management (PIM) in their Azure Active Directory (Azure AD) organization, including changing the experience for a user who is activating an eligible role assignment.

Determine your version of PIM

Beginning in November 2019, the Azure AD roles portion of Privileged Identity Management is being updated to a new version that matches the experience for Azure resource roles. The new version adds features and changes the existing API. While it is being rolled out, the procedures you follow in this article depend on the version of Privileged Identity Management you currently have. Follow the steps in this section to determine which version you have, then use the procedures in this article that match that version.

  1. Sign in to the Azure portal with a user who is in the Privileged role administrator role.
  2. Open Azure AD Privileged Identity Management. If there is a banner at the top of the overview page, follow the instructions in the New version tab of this article. Otherwise, follow the instructions in the Previous version tab.

Open role settings

Follow these steps to open the settings for an Azure AD role.

  1. Sign in to the Azure portal with a user in the Privileged Role Administrator role.

  2. Open Azure AD Privileged Identity Management > Azure AD roles > Role settings.

    Role settings page listing Azure AD roles

  3. Select the role whose settings you want to configure.

    Role setting details page listing several assignment and activation settings

  4. Select Edit to open the Role settings page.

    Edit role settings page with options to update assignment and activation settings

    On the Role setting pane for each role, there are several settings you can configure.

Assignment duration

You can choose from two assignment duration options for each assignment type (eligible and active) when you configure settings for a role. These options become the default maximum duration when a user is assigned to the role in Privileged Identity Management.

You can choose one of these eligible assignment duration options:

  Allow permanent eligible assignment: Global admins and Privileged role admins can assign permanent eligible assignment.
  Expire eligible assignment after: Global admins and Privileged role admins can require that all eligible assignments have a specified start and end date.

And, you can choose one of these active assignment duration options:

  Allow permanent active assignment: Global admins and Privileged role admins can assign permanent active assignment.
  Expire active assignment after: Global admins and Privileged role admins can require that all active assignments have a specified start and end date.

Note

All assignments that have a specified end date can be renewed by Global admins and Privileged role admins. Also, users can initiate self-service requests to extend or renew role assignments.

Require multi-factor authentication

Privileged Identity Management provides optional enforcement of Azure Multi-Factor Authentication for two distinct scenarios.

Require Multi-Factor Authentication on active assignment

In some cases, you might want to assign a user to a role for a short duration (one day, for example) as an active assignment rather than an eligible one. Because the assignment is already active, the user never requests activation, so Privileged Identity Management has no activation step at which to enforce multi-factor authentication: the user holds the role from the moment it is assigned.

To ensure that the administrator fulfilling the assignment is who they say they are, you can enforce multi-factor authentication on active assignment by checking the Require Multi-Factor Authentication on active assignment box.

Require Multi-Factor Authentication on activation

You can require users who are eligible for a role to prove who they are using Azure Multi-Factor Authentication before they can activate. Multi-factor authentication ensures that the user is who they say they are with reasonable certainty. Enforcing this option protects critical resources in situations when the user account might have been compromised.

To require multi-factor authentication before activation, check the Require Multi-Factor Authentication on activation box in the Assignment tab of Edit role setting.

For more information, see Multi-factor authentication and Privileged Identity Management.

Activation maximum duration

Use the Activation maximum duration slider to set the maximum time, in hours, that a role stays active before it expires. This value can be from one to 24 hours.

Require justification

You can require that users enter a business justification when they activate. To require justification, check the Require justification on active assignment box or the Require justification on activation box.

Require approval to activate

If you select multiple approvers, the request is resolved by the first approver to approve or deny it; there is no way to require approval from two or more approvers. To require approval to activate a role, follow these steps.

  1. Check the Require approval to activate check box.

  2. Select Select approvers.

    Select a user or group pane to select approvers

  3. Select at least one user and then click Select. You must select at least one approver. There are no default approvers.

    Your selections will appear in the list of selected approvers.

  4. Once you have specified all of your role settings, select Update to save your changes.
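The settings above (assignment duration, MFA on assignment and activation, activation maximum duration, justification, and approval) are easy to leave at their defaults on one role among many. The following is an added example, not code from this page or from Microsoft, that audits one role's exported settings against a baseline. It assumes the input is the rule list that Microsoft Graph returns for `GET /policies/roleManagementPolicies/{policyId}/rules` (rule ids such as `Expiration_EndUser_Assignment`, `Enablement_Admin_Assignment` and `Approval_EndUser_Assignment`); that API postdates this page, and both sample rule sets are constructed, not exported from a real tenant. The baseline values (8-hour activation, 180-day active assignment) are the example's own choices.

```python
"""Audit the PIM role settings of one Azure AD role against a baseline.

Added example, not code from the page or from Microsoft. Input is assumed to
be the rule list Microsoft Graph returns for
GET /policies/roleManagementPolicies/{policyId}/rules (rule ids such as
Expiration_EndUser_Assignment); the samples below are constructed.
"""
import re
from datetime import timedelta

# ISO 8601 day/time durations as Graph emits them: P365D, PT8H, P1DT12H, PT30M.
_DURATION = re.compile(
    r"^P(?:(?P<d>\d+)D)?(?:T(?:(?P<h>\d+)H)?(?:(?P<m>\d+)M)?(?:(?P<s>\d+)S)?)?$"
)


def parse_duration(text):
    """Convert a day/time ISO 8601 duration to a timedelta (years/months rejected)."""
    m = _DURATION.match(text)
    if not m or text in ("P", "PT"):
        raise ValueError(f"unsupported duration: {text!r}")
    n = {k: int(v) for k, v in m.groupdict().items() if v is not None}
    return timedelta(days=n.get("d", 0), hours=n.get("h", 0),
                     minutes=n.get("m", 0), seconds=n.get("s", 0))


def audit_role_settings(rules, max_activation=timedelta(hours=8),
                        max_active_assignment=timedelta(days=180)):
    """Return a list of findings; an empty list means the role meets the baseline."""
    by_id = {r["id"]: r for r in rules}
    findings = []

    # Assignment duration: isExpirationRequired=false is "Allow permanent ... assignment".
    for rule_id, label in (("Expiration_Admin_Eligibility", "eligible"),
                           ("Expiration_Admin_Assignment", "active")):
        rule = by_id.get(rule_id, {})
        if not rule.get("isExpirationRequired", False):
            findings.append(f"permanent {label} assignment allowed")
        elif label == "active" and parse_duration(rule["maximumDuration"]) > max_active_assignment:
            findings.append(f"active assignment may last {rule['maximumDuration']}")

    # Activation maximum duration (the 1 to 24 hour slider); absent means the 24 h maximum.
    activation = by_id.get("Expiration_EndUser_Assignment", {})
    raw = activation.get("maximumDuration", "PT24H")
    if parse_duration(raw) > max_activation:
        findings.append(f"activation may last {raw}, baseline is {max_activation}")

    # The MFA and justification check boxes map to enabledRules of the Enablement rules.
    on_assignment = set(by_id.get("Enablement_Admin_Assignment", {}).get("enabledRules", []))
    on_activation = set(by_id.get("Enablement_EndUser_Assignment", {}).get("enabledRules", []))
    if "MultiFactorAuthentication" not in on_assignment:
        findings.append("MFA not required on active assignment")
    if "MultiFactorAuthentication" not in on_activation:
        findings.append("MFA not required on activation")
    if "Justification" not in on_activation:
        findings.append("justification not required on activation")

    # Approval to activate: required, and at least one approver actually selected.
    # Note that several approvers do not mean several approvals; the first decision wins.
    approval = by_id.get("Approval_EndUser_Assignment", {}).get("setting", {})
    if not approval.get("isApprovalRequired", False):
        findings.append("approval not required to activate")
    else:
        approvers = [a for stage in approval.get("approvalStages", [])
                     for a in stage.get("primaryApprovers", [])]
        if not approvers:
            findings.append("approval required but no approvers selected")
    return findings


# Constructed sample: a role left at permissive settings.
WEAK_ROLE_RULES = [
    {"id": "Expiration_Admin_Eligibility", "isExpirationRequired": False, "maximumDuration": "P365D"},
    {"id": "Expiration_Admin_Assignment", "isExpirationRequired": False, "maximumDuration": "P180D"},
    {"id": "Expiration_EndUser_Assignment", "isExpirationRequired": True, "maximumDuration": "PT24H"},
    {"id": "Enablement_Admin_Assignment", "enabledRules": []},
    {"id": "Enablement_EndUser_Assignment", "enabledRules": ["Justification"]},
    {"id": "Approval_EndUser_Assignment", "setting": {"isApprovalRequired": False, "approvalStages": []}},
]

# Constructed sample: the same role after applying the settings described on this page.
# The approver userId is a placeholder, not a real object id.
HARDENED_ROLE_RULES = [
    {"id": "Expiration_Admin_Eligibility", "isExpirationRequired": True, "maximumDuration": "P365D"},
    {"id": "Expiration_Admin_Assignment", "isExpirationRequired": True, "maximumDuration": "P15D"},
    {"id": "Expiration_EndUser_Assignment", "isExpirationRequired": True, "maximumDuration": "PT8H"},
    {"id": "Enablement_Admin_Assignment", "enabledRules": ["MultiFactorAuthentication", "Justification"]},
    {"id": "Enablement_EndUser_Assignment", "enabledRules": ["MultiFactorAuthentication", "Justification"]},
    {"id": "Approval_EndUser_Assignment", "setting": {
        "isApprovalRequired": True,
        "approvalStages": [{"primaryApprovers": [
            {"@odata.type": "#microsoft.graph.singleUser",
             "userId": "00000000-0000-0000-0000-000000000001"}]}]}},
]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_ROLE_RULES), ("hardened", HARDENED_ROLE_RULES)):
        print(name, audit_role_settings(rules) or ["meets baseline"])
```

Run it against the rule list of every policy in the tenant rather than one role; the weak sample above produces six findings and the hardened one none. Missing rules are treated as the permissive default, so a partial export is reported as weak rather than silently passing.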

Next steps