Assign Azure AD roles in Privileged Identity Management

With Azure Active Directory (Azure AD), a Global administrator can make permanent Azure AD admin role assignments. These role assignments can be created using the Azure portal or using PowerShell commands.

The Azure AD Privileged Identity Management (PIM) service also allows Privileged role administrators to make permanent admin role assignments. Additionally, Privileged role administrators can make users eligible for Azure AD admin roles. An eligible administrator can activate the role when they need it; the activation expires at the end of the activation period configured in the role settings, after which the user again holds no standing privileges from that role.

Determine your version of PIM

Beginning in November 2019, the Azure AD roles portion of Privileged Identity Management is being updated to a new version that matches the experience for Azure resource roles. The new version adds features and changes the existing API. While it is being rolled out, the procedures you follow in this article depend on which version of Privileged Identity Management you currently have. Follow the steps in this section to determine your version, and then use the procedures in this article that match it.

  1. Sign in to the Azure portal with a user who is in the Privileged role administrator role.

  2. Open Azure AD Privileged Identity Management. If you have a banner on the top of the overview page, follow the instructions in the New version tab of this article. Otherwise, follow the instructions in the Previous version tab.

Azure AD roles (new version)

Assign a role

Follow these steps to make a user eligible for an Azure AD admin role.

  1. Sign in to Azure portal with a user that is a member of the Privileged role administrator role.

    For information about how to grant another administrator access to manage Privileged Identity Management, see Grant access to other administrators to manage Privileged Identity Management.

  2. Open Azure AD Privileged Identity Management.

  3. Select Azure AD roles.

  4. Select Roles to see the list of roles for Azure AD permissions.


  5. Select Add member to open the New assignment page.

  6. Select Select a role to open the Select a role page.


  7. Select a role you want to assign and then click Select.

  8. Select the member you want to assign to the role, and then select Select.

  9. In the Assignment type list on the Membership settings pane, select Eligible or Active.

    • Eligible assignments require the member of the role to perform an action to use the role. Depending on the role settings, that action might include passing a multi-factor authentication (MFA) check, providing a business justification, or requesting approval from designated approvers.

    • Active assignments don't require the member to perform any action to use the role. Members assigned as active have the privileges assigned to the role at all times.

  10. If the assignment should be permanent (permanently eligible or permanently assigned), select the Permanently checkbox.

    Depending on the role settings, the check box might not appear or might be unmodifiable.

  11. To limit the assignment to a specific period instead, clear the check box and set the start and/or end date and time. When finished, select Done.


  12. To create the new role assignment, select Add. A notification of the status is displayed.

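The same assignment can be created from PowerShell, which the article mentions as an alternative to the portal. The script below is an added example, not code from the original article or from Microsoft; it uses the AzureADPreview module's PIM cmdlets to create a time-bound eligible assignment equivalent to steps 1 through 12. The tenant lookup, the role name, the user UPN, the 30-day duration and the justification text are placeholders you replace, and it assumes you sign in as a Privileged role administrator.

```powershell
# Added example (not from the original article): create a time-bound eligible
# Azure AD role assignment with the AzureADPreview PIM cmdlets.
# Assumptions: AzureADPreview is installed, you sign in as a Privileged role
# administrator, and the role name, UPN, duration and reason below are placeholders.

Import-Module AzureADPreview
Connect-AzureAD | Out-Null

$tenantId = (Get-AzureADTenantDetail).ObjectId       # the "resource" for Azure AD roles
$roleName = "Security Administrator"                  # assumption: role to assign
$userUpn  = "alice@contoso.onmicrosoft.com"           # assumption: member to make eligible
$days     = 30                                        # assumption: assignment duration in days
$fmt      = "yyyy-MM-ddTHH:mm:ss.fffZ"                # UTC timestamp format the schedule expects

# Resolve the role definition and the subject (user) object IDs; fail early if either is missing.
$roleDef = Get-AzureADMSPrivilegedRoleDefinition -ProviderId "aadRoles" -ResourceId $tenantId |
    Where-Object { $_.DisplayName -eq $roleName }
if (-not $roleDef) { throw "Role '$roleName' not found in tenant $tenantId" }

$user = Get-AzureADUser -ObjectId $userUpn
if (-not $user) { throw "User '$userUpn' not found" }

# The schedule is the start/end date and time boxes of the Membership settings pane.
# Leave EndDateTime unset only if the role settings allow permanent assignments.
$schedule = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedSchedule
$schedule.Type          = "Once"
$schedule.StartDateTime = (Get-Date).ToUniversalTime().ToString($fmt)
$schedule.EndDateTime   = (Get-Date).AddDays($days).ToUniversalTime().ToString($fmt)

# Type "AdminAdd" creates the assignment. AssignmentState "Eligible" is the Eligible
# choice in step 9; use "Active" for a standing assignment that needs no activation.
Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId "aadRoles" -ResourceId $tenantId `
    -RoleDefinitionId $roleDef.Id -SubjectId $user.ObjectId `
    -Type "AdminAdd" -AssignmentState "Eligible" -Schedule $schedule `
    -Reason "Time-bound eligibility for on-call rotation"   # assumption: justification text

# Verify the result, the equivalent of checking the Eligible roles tab in the portal.
Get-AzureADMSPrivilegedRoleAssignment -ProviderId "aadRoles" -ResourceId $tenantId `
    -Filter "subjectId eq '$($user.ObjectId)' and roleDefinitionId eq '$($roleDef.Id)'" |
    Select-Object AssignmentState, MemberType, StartDateTime, EndDateTime
```

Prefer an eligible, time-bound assignment over an active permanent one whenever the role settings allow it: the final query should show AssignmentState "Eligible" with a populated EndDateTime, which is the state you want to see when you later audit standing privileges in the tenant.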

Update or remove an existing role assignment

Follow these steps to update or remove an existing role assignment.

  1. Open Azure AD Privileged Identity Management.

  2. Select Azure AD roles.

  3. Select Roles to see the list of Azure AD roles.

  4. Select the role that you want to update or remove.

  5. Find the role assignment on the Eligible roles or Active roles tabs.

  6. Select Update or Remove to update or remove the role assignment.

    For information about extending a role assignment, see Extend or renew Azure AD role assignments in Privileged Identity Management.
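The Update and Remove buttons have PowerShell counterparts as well. The script below is an added example, not code from the original article or from Microsoft: it lists the existing assignments of one Azure AD role for one user (the equivalent of reading the Eligible roles and Active roles tabs), then either extends the end date with an AdminUpdate request or removes the assignment with an AdminRemove request. The role name, UPN, action and new duration are placeholders, and the assumptions about sign-in and the AzureADPreview module are the same as in the earlier example.

```powershell
# Added example (not from the original article): update or remove an existing
# Azure AD role assignment with the AzureADPreview PIM cmdlets.
# Assumptions: AzureADPreview is installed, you sign in as a Privileged role
# administrator, and the role name, UPN, action and duration are placeholders.

Import-Module AzureADPreview
Connect-AzureAD | Out-Null

$tenantId = (Get-AzureADTenantDetail).ObjectId
$roleName = "Security Administrator"                  # assumption: role to manage
$userUpn  = "alice@contoso.onmicrosoft.com"           # assumption: member whose assignment to change
$action   = "Extend"                                  # assumption: "Extend" or "Remove"
$days     = 30                                        # assumption: new end date, days from now
$fmt      = "yyyy-MM-ddTHH:mm:ss.fffZ"

$roleDef = Get-AzureADMSPrivilegedRoleDefinition -ProviderId "aadRoles" -ResourceId $tenantId |
    Where-Object { $_.DisplayName -eq $roleName }
if (-not $roleDef) { throw "Role '$roleName' not found" }
$user = Get-AzureADUser -ObjectId $userUpn
if (-not $user) { throw "User '$userUpn' not found" }

# Equivalent of the Eligible roles / Active roles tabs: every assignment of this
# role held by this subject, with its state and schedule.
$assignments = Get-AzureADMSPrivilegedRoleAssignment -ProviderId "aadRoles" -ResourceId $tenantId `
    -Filter "subjectId eq '$($user.ObjectId)' and roleDefinitionId eq '$($roleDef.Id)'"
if (-not $assignments) { throw "No assignment of '$roleName' for '$userUpn'" }
$assignments | Format-Table AssignmentState, MemberType, StartDateTime, EndDateTime

# Only direct assignments can be changed here. An assignment with MemberType "Group"
# comes from group membership and must be changed on the group, not on the user.
$direct = $assignments | Where-Object { $_.MemberType -eq "Direct" }
if (-not $direct) { Write-Warning "Only group-inherited assignments found; nothing changed"; return }

foreach ($a in $direct) {
    switch ($action) {
        "Extend" {
            # AdminUpdate with a new schedule replaces the assignment's schedule;
            # the new end date is $days days from now.
            $schedule = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedSchedule
            $schedule.Type          = "Once"
            $schedule.StartDateTime = (Get-Date).ToUniversalTime().ToString($fmt)
            $schedule.EndDateTime   = (Get-Date).AddDays($days).ToUniversalTime().ToString($fmt)
            Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId "aadRoles" -ResourceId $tenantId `
                -RoleDefinitionId $roleDef.Id -SubjectId $user.ObjectId -Type "AdminUpdate" `
                -AssignmentState $a.AssignmentState -Schedule $schedule `
                -Reason "Extend assignment end date"          # assumption: justification text
        }
        "Remove" {
            # AdminRemove deletes the assignment in the state it currently has
            # (Eligible or Active), the equivalent of the Remove button.
            Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId "aadRoles" -ResourceId $tenantId `
                -RoleDefinitionId $roleDef.Id -SubjectId $user.ObjectId -Type "AdminRemove" `
                -AssignmentState $a.AssignmentState `
                -Reason "Remove assignment"                    # assumption: justification text
        }
        default { throw "Unknown action '$action'; use Extend or Remove" }
    }
}
```

Run the listing part first and read the MemberType column before changing anything: removing a direct assignment does nothing for a user who also receives the role through a group, and the portal's tabs show the same distinction.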

Next steps