Assign Azure resource roles in Privileged Identity Management

Azure Active Directory (Azure AD) Privileged Identity Management (PIM) can manage the built-in Azure resource roles, as well as custom roles, including (but not limited to):

  • Owner
  • User Access Administrator
  • Contributor
  • Security Admin
  • Security Manager

Note

Users, or members of a group, assigned the Owner or User Access Administrator role on a subscription, and Azure AD Global Administrators who have enabled Azure subscription management (elevated access) in Azure AD, have Resource administrator permissions by default. These administrators can assign roles, configure role settings, and review access using Privileged Identity Management for Azure resources. A user can't manage Privileged Identity Management for Azure resources without Resource administrator permissions. See the list of Azure built-in roles.

Assign a role

Follow these steps to make a user or group eligible for, or actively assigned to, an Azure resource role.

  1. Sign in to the Azure portal as a user who has Resource administrator permissions on the target resource, that is, Owner or User Access Administrator at that scope (see the note above).

    For information about how to grant another administrator access to manage Privileged Identity Management, see Grant access to other administrators to manage Privileged Identity Management.

  2. Open Azure AD Privileged Identity Management.

  3. Select Azure resources.

  4. Use the resource filter to find the managed resources you're looking for.

  5. Select the resource that you want to manage to open the resource overview page.

  6. Under Manage, select Roles to see the list of roles for Azure resources.

  7. Select Add assignments to open the Add assignments pane.

  8. Select Select a role to open the Select a role page.

  9. Select a role you want to assign and then click Select.

    The Select a member or group pane opens.

  10. Select a member or group you want to assign to the role and then click Select.

  11. On the Settings tab, in the Assignment type list, select Eligible or Active.

    Privileged Identity Management for Azure resources provides two distinct assignment types:

    • Eligible assignments require the member to activate the role before using it. Depending on the role settings, activation can require a multi-factor authentication (MFA) check, a business justification, or approval from designated approvers.

    • Active assignments don't require the member to activate anything. Members assigned as active hold the role's permissions at all times for the duration of the assignment, so prefer Eligible unless standing access is genuinely needed.

  12. To limit the assignment to a specific period, set the start and end dates and times.

  13. When finished, select Assign.

  14. After the new role assignment is created, a status notification is displayed.

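
Scripted equivalent, as an added example that is not part of the original page: the same eligible assignment made with the Az PowerShell PIM cmdlets (New-AzRoleEligibilityScheduleRequest and related cmdlets in a recent Az.Resources module), with the Owner / User Access Administrator check from the note above done first. The subscription ID, resource group, principal object ID and role name are placeholder assumptions; the check assumes a user (not a service principal) is signed in.

```powershell
# Added example: create a time-bound *eligible* assignment for an Azure resource
# role with Az PowerShell instead of the portal steps above.
# Assumed placeholder values; replace with your own subscription, resource group
# and the object ID of the user or group that should become eligible.
$subscriptionId = '00000000-0000-0000-0000-000000000000'
$resourceGroup  = 'rg-prod-web'
$principalId    = '11111111-1111-1111-1111-111111111111'
$roleName       = 'Contributor'

Connect-AzAccount | Out-Null
Set-AzContext -Subscription $subscriptionId | Out-Null

# Scope the assignment as narrowly as the task allows: a resource group here,
# not the whole subscription.
$scope = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup"

# Check: only Owner or User Access Administrator at (or above) this scope can
# manage PIM for the resource. Confirm the signed-in user holds one of them.
$me = (Get-AzContext).Account.Id
$admin = Get-AzRoleAssignment -Scope $scope -SignInName $me |
    Where-Object { $_.RoleDefinitionName -in 'Owner', 'User Access Administrator' }
if (-not $admin) {
    throw "$me is not Owner or User Access Administrator at $scope; cannot manage PIM here."
}

# Resolve the role name to its fully qualified role definition ID.
$roleDef = Get-AzRoleDefinition -Name $roleName
$roleDefinitionId = "/subscriptions/$subscriptionId/providers/Microsoft.Authorization/roleDefinitions/$($roleDef.Id)"

# Eligible assignment: the member must activate (MFA, justification, approval,
# as configured in the role settings) before the role takes effect.
# Bounded to 30 days (ISO 8601 duration) rather than permanent eligibility.
$request = New-AzRoleEligibilityScheduleRequest `
    -Name (New-Guid).Guid `
    -Scope $scope `
    -PrincipalId $principalId `
    -RoleDefinitionId $roleDefinitionId `
    -RequestType 'AdminAssign' `
    -ScheduleInfoStartDateTime (Get-Date -Format 'o') `
    -ExpirationType 'AfterDuration' `
    -ExpirationDuration 'P30D' `
    -Justification 'Eligible Contributor on rg-prod-web for on-call rotation'

$request | Format-List Name, Status, Scope, PrincipalId, RoleDefinitionId

# Verify: the eligible schedule now exists for the principal at this scope.
Get-AzRoleEligibilitySchedule -Scope $scope -Filter "principalId eq '$principalId'" |
    Format-Table RoleDefinitionDisplayName, PrincipalId, EndDateTime, Status
```

For an Active assignment (step 11), use New-AzRoleAssignmentScheduleRequest with the same parameters; it grants the role immediately and, if you omit the expiration parameters, permanently, which is exactly the standing privilege PIM is meant to avoid.
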
Update or remove an existing role assignment

Follow these steps to update or remove an existing role assignment.

  1. Open Azure AD Privileged Identity Management.

  2. Select Azure resources.

  3. Select the resource you want to manage to open its overview page.

  4. Under Manage, select Roles to see the list of roles for Azure resources.

  5. Select the role that you want to update or remove.

  6. Find the role assignment on the Eligible roles or Active roles tabs.

  7. Select Update or Remove to update or remove the role assignment.

    For information about extending a role assignment, see Extend or renew Azure resource roles in Privileged Identity Management.
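
Scripted counterpart of the Update and Remove steps, as an added example that is not part of the original page: list a principal's eligible and active schedules with Az PowerShell, flag active assignments that never expire, shorten the eligible ones, and remove the active ones. The IDs are placeholder assumptions, and the property names read from the schedule objects (RoleDefinitionId, EndDateTime, RoleDefinitionDisplayName) are assumed from a recent Az.Resources module.

```powershell
# Added example: review, shorten and remove existing PIM assignments for one
# principal at one scope. Assumed placeholder values; replace with your own.
$subscriptionId = '00000000-0000-0000-0000-000000000000'
$resourceGroup  = 'rg-prod-web'
$principalId    = '11111111-1111-1111-1111-111111111111'
$scope = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup"

Connect-AzAccount | Out-Null
Set-AzContext -Subscription $subscriptionId | Out-Null

# What the "Eligible roles" and "Active roles" tabs show for this principal.
$eligible = Get-AzRoleEligibilitySchedule -Scope $scope -Filter "principalId eq '$principalId'"
$active   = Get-AzRoleAssignmentSchedule  -Scope $scope -Filter "principalId eq '$principalId'"

# Review check: active assignments with no end date are standing privilege and
# should be justified, converted to eligible, or removed.
$active | Where-Object { -not $_.EndDateTime } |
    Format-Table RoleDefinitionDisplayName, PrincipalId, StartDateTime, Status

# Update: re-submit each eligible assignment with a shorter expiry (7 days).
foreach ($s in $eligible) {
    New-AzRoleEligibilityScheduleRequest `
        -Name (New-Guid).Guid `
        -Scope $scope `
        -PrincipalId $principalId `
        -RoleDefinitionId $s.RoleDefinitionId `
        -RequestType 'AdminUpdate' `
        -ScheduleInfoStartDateTime (Get-Date -Format 'o') `
        -ExpirationType 'AfterDuration' `
        -ExpirationDuration 'P7D' `
        -Justification 'Access review: eligibility shortened to 7 days' | Out-Null
}

# Remove: drop every active assignment the principal holds at this scope.
foreach ($s in $active) {
    New-AzRoleAssignmentScheduleRequest `
        -Name (New-Guid).Guid `
        -Scope $scope `
        -PrincipalId $principalId `
        -RoleDefinitionId $s.RoleDefinitionId `
        -RequestType 'AdminRemove' `
        -Justification 'Access review: standing assignment removed' | Out-Null
}

# Verify: no active schedules should remain for the principal at this scope.
$remaining = Get-AzRoleAssignmentSchedule -Scope $scope -Filter "principalId eq '$principalId'"
if ($remaining) {
    Write-Warning "Active assignments still present for $principalId at ${scope}:"
    $remaining | Format-Table RoleDefinitionDisplayName, EndDateTime, Status
} else {
    Write-Host "No active assignments remain for $principalId at $scope"
}
```

Caveat: the schedule queries return assignments inherited from higher scopes (management group or subscription) as well as those made at the resource group. An inherited assignment has to be updated or removed at the scope where it was created, so if the verification step still lists something, check its scope before assuming the removal failed.
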

Next steps