Delegate access to Privileged Identity Management

To delegate access to Privileged Identity Management (PIM), a Global Administrator can assign other users to the Privileged Role Administrator role. By default, Security Administrators and Security Readers have read-only access to Privileged Identity Management. To grant others the ability to manage Privileged Identity Management, the first user can assign them to the Privileged Role Administrator role. The Privileged Role Administrator role is required only for managing Azure AD roles; Privileged Role Administrator permissions aren't required to manage Privileged Identity Management settings for Azure resources.

Note

Managing Privileged Identity Management requires Azure Multi-Factor Authentication. Because Microsoft accounts can't register for Azure Multi-Factor Authentication, a user who signs in with a Microsoft account can't access Privileged Identity Management.

Make sure there are always at least two users in a Privileged Role Administrator role, in case one user is locked out or their account is deleted.

Delegate access to manage PIM

  1. Sign in to the Azure portal.

  2. In Azure AD, open Privileged Identity Management.

  3. Select Azure AD roles.

  4. Select Roles.

    Screenshot: Privileged Identity Management Azure AD roles - Roles

  5. Select the Privileged Role Administrator role to open the members page.

    Screenshot: Privileged Role Administrator - Members

  6. Select Add member to open the Add managed members pane.

  7. Select Select members to open the Select members pane.

    Screenshot: Privileged Role Administrator - Select members

  8. Select a member and then click Select.

  9. Select OK to make the member eligible for the Privileged Role Administrator role.

    When you assign a new role to someone in Privileged Identity Management, they are automatically configured as Eligible to activate the role.

  10. To make the member permanent, select the user in the Privileged Role Administrator member list.

  11. Select More and then Make permanent to make the assignment permanent.

    Screenshot: Privileged Role Administrator - Make permanent

  12. Send the user a link to Start using Privileged Identity Management.

Remove access to manage PIM

Before you remove someone from the Privileged Role Administrator role, always make sure there will still be at least two users assigned to it.

  1. Sign in to the Azure portal.

  2. Open Azure AD Privileged Identity Management.

  3. Select Azure AD roles.

  4. Select Roles.

  5. Select the Privileged Role Administrator role to open the members page.

  6. Select the checkbox next to the user you want to remove and then select Remove member.

    Screenshot: Privileged Role Administrator - Remove member

  7. When you are asked to confirm that you want to remove the member from the role, select Yes.
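The "always keep at least two Privileged Role Administrators" rule that both procedures above rely on can be checked before a removal rather than after. The following is an added example, not code from the original article or from Microsoft; it runs offline on constructed sample data shaped like the Microsoft Graph roleAssignmentSchedules and roleEligibilitySchedules responses, and it assumes the Privileged Role Administrator role template ID and the field names shown (verify both against your own tenant).

```python
# Well-known template ID of the Privileged Role Administrator directory role;
# verify it against your own tenant's role definitions before relying on it.
PRA_ROLE_ID = "e8611ab8-c189-46e8-94e1-60213ab1f814"
OTHER_ROLE_ID = "00000000-0000-0000-0000-000000000001"  # placeholder, some other role

# Constructed sample data (not from a real tenant) shaped like Graph's
# roleAssignmentSchedules / roleEligibilitySchedules "value" collections.
ASSIGNMENT_SCHEDULES = {"value": [
    {"principalId": "alice", "roleDefinitionId": PRA_ROLE_ID, "assignmentType": "Assigned",
     "scheduleInfo": {"expiration": {"type": "noExpiration"}}},
    {"principalId": "bob", "roleDefinitionId": PRA_ROLE_ID, "assignmentType": "Assigned",
     "scheduleInfo": {"expiration": {"type": "noExpiration"}}},
    # carol is eligible and has activated for eight hours: not a permanent holder
    {"principalId": "carol", "roleDefinitionId": PRA_ROLE_ID, "assignmentType": "Activated",
     "scheduleInfo": {"expiration": {"type": "afterDuration", "duration": "PT8H"}}},
    # dave holds a different role permanently and must not be counted
    {"principalId": "dave", "roleDefinitionId": OTHER_ROLE_ID, "assignmentType": "Assigned",
     "scheduleInfo": {"expiration": {"type": "noExpiration"}}},
]}
ELIGIBILITY_SCHEDULES = {"value": [
    {"principalId": "carol", "roleDefinitionId": PRA_ROLE_ID,
     "scheduleInfo": {"expiration": {"type": "noExpiration"}}},
]}


def permanent_holders(assignment_schedules, role_id=PRA_ROLE_ID):
    """Principals with a permanent active assignment (the result of 'Make permanent')."""
    return {s["principalId"] for s in assignment_schedules["value"]
            if s["roleDefinitionId"] == role_id
            and s.get("assignmentType") == "Assigned"
            and s["scheduleInfo"]["expiration"]["type"] == "noExpiration"}


def eligible_holders(eligibility_schedules, role_id=PRA_ROLE_ID):
    """Principals who are Eligible for the role (the default state of a new assignment)."""
    return {s["principalId"] for s in eligibility_schedules["value"]
            if s["roleDefinitionId"] == role_id}


def pra_report(assignment_schedules, eligibility_schedules, removing=None):
    """Summarise PRA holders and decide whether removing `removing` keeps >= 2 permanent ones."""
    # Policy of this check: only permanent assignments count toward the two-admin floor,
    # because an eligible user still has to activate (MFA, maybe approval) before acting.
    permanent = permanent_holders(assignment_schedules)
    remaining = permanent - {removing}
    return {"permanent": sorted(permanent),
            "eligible": sorted(eligible_holders(eligibility_schedules)),
            "remaining_after_removal": sorted(remaining),
            "safe_to_remove": len(remaining) >= 2}
```

Calling `pra_report(ASSIGNMENT_SCHEDULES, ELIGIBILITY_SCHEDULES, removing="alice")` on the sample flags the removal as unsafe, because only bob would remain as a permanent holder.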

Next steps