Approve or deny requests for Azure AD roles in Privileged Identity Management

With Azure Active Directory (Azure AD) Privileged Identity Management (PIM), you can configure roles to require approval for activation, and choose one or multiple users or groups as delegated approvers. Delegated approvers have 24 hours to approve requests. If a request is not approved within 24 hours, then the eligible user must re-submit a new request. The 24 hour approval time window is not configurable.

Determine your version of PIM

Beginning in November 2019, the Azure AD roles portion of Privileged Identity Management is being updated to a new version that matches the experiences for Azure resource roles. This creates additional features as well as changes to the existing API. While the new version is being rolled out, which procedures that you follow in this article depend on version of Privileged Identity Management you currently have. Follow the steps in this section to determine which version of Privileged Identity Management you have. After you know your version of Privileged Identity Management, you can select the procedures in this article that match that version.

  1. Sign in to the Azure portal with a user who is in the Privileged role administrator role.

  2. Open Azure AD Privileged Identity Management. If you have a banner on the top of the overview page, follow the instructions in the New version tab of this article. Otherwise, follow the instructions in the Previous version tab.

    Azure AD roles new version

Follow the steps in this article to approve or deny requests for Azure AD roles.

View pending requests

As a delegated approver, you'll receive an email notification when an Azure AD role request is pending your approval. You can view these pending requests in Privileged Identity Management.

  1. Sign in to the Azure portal.

  2. Open Azure AD Privileged Identity Management.

  3. Click Azure AD roles.

  4. Click Approve requests.

    Azure AD roles - Approve requests

    You'll see a list of requests pending your approval.

Approve requests

  1. Select the requests you want to approve and then click Approve to open the Approve selected requests pane.

    Approve requests list with Approve option highlighted

  2. In the Approve reason box, type a reason.

    Approve selected requests pane with a approve reason

  3. Click Approve.

    The Status symbol will be updated with your approval.

    Approve selected requests pane after Approve button clicked

Deny requests

  1. Select the requests you want to deny and then click Deny to open the Deny selected requests pane.

    Approve requests list with Deny option highlighted

  2. In the Deny reason box, type a reason.

    Deny selected requests pane with a deny reason

  3. Click Deny.

    The Status symbol will be updated with your denial.

Next steps