Configure Azure AD role settings in Privileged Identity Management

A Privileged role administrator can customize Privileged Identity Management (PIM) in their Azure Active Directory (Azure AD) organization, including changing the experience for a user who is activating an eligible role assignment.

Determine your version of PIM

Beginning in November 2019, the Azure AD roles portion of Privileged Identity Management is being updated to a new version that matches the experiences for Azure resource roles. This creates additional features as well as changes to the existing API. While the new version is being rolled out, which procedures that you follow in this article depend on version of Privileged Identity Management you currently have. Follow the steps in this section to determine which version of Privileged Identity Management you have. After you know your version of Privileged Identity Management, you can select the procedures in this article that match that version.

  1. Sign in to the Azure portal with a user who is in the Privileged role administrator role.

  2. Open Azure AD Privileged Identity Management. If you have a banner on the top of the overview page, follow the instructions in the New version tab of this article. Otherwise, follow the instructions in the Previous version tab.

    Azure AD roles new version

Follow the steps in this article to approve or deny requests for Azure AD roles.

Open role settings

Follow these steps to open the settings for an Azure AD role.

  1. Open Azure AD Privileged Identity Management.

  2. Select Azure AD roles.

  3. Select Settings.

    Azure AD roles - Settings

  4. Select Roles.

  5. Select the role whose settings you want to configure.

    Azure AD roles - Settings Roles

    On the settings page for each role, there are several settings you can configure. These settings only affect users who are eligible assignments, not permanent assignments.

Activations

Use the Activations slider to set the maximum time, in hours, that a role stays active before it expires. This value can be between 1 and 72 hours.

Notifications

Use the Notifications switch to specify whether administrators will receive email notifications when roles are activated. This notification can be useful for detecting unauthorized or illegitimate activations.

When set to Enable, notifications are sent to:

  • Privileged role administrator
  • Security administrator
  • Global administrator

For more information, see Email notifications in Privileged Identity Management.

Incident/Request ticket

Use the Incident/Request ticket switch to require eligible administrators to include a ticket number when they activate their role. This practice can make role access audits more effective.

Multi-Factor Authentication

Use the Multi-Factor Authentication switch to specify whether to require users to verify their identity with MFA before they can activate their roles. They only have to verify their identity once per session, not every time they activate a role. There are two tips to keep in mind when you enable MFA:

  • Users who have Microsoft accounts for their email addresses (typically @outlook.com, but not always) cannot register for Azure Multi-Factor Authentication. If you want to assign roles to users with Microsoft accounts, you should either make them permanent admins or disable multi-factor authentication for that role.

  • You cannot disable Azure Multi-Factor Authentication for highly privileged roles for Azure AD and Office 365. This safety feature helps protect the following roles:

    • Azure Information Protection administrator
    • Billing administrator
    • Cloud application administrator
    • Compliance administrator
    • Conditional access administrator
    • Dynamics 365 administrator
    • Customer LockBox access approver
    • Directory writers
    • Exchange administrator
    • Global administrator
    • Intune administrator
    • Power BI administrator
    • Privileged role administrator
    • Security administrator
    • SharePoint administrator
    • Skype for Business administrator
    • User administrator

For more information, see Multi-factor authentication and Privileged Identity Management.

Require approval

If you want to delegate the required approval to activate a role, follow these steps.

  1. Set the Require approval switch to Enabled. The pane expands with options to select approvers.

    Azure AD roles - Settings - Require approval

    If you don't specify any approvers, the Privileged role administrator becomes the default approver and is then required to approve all activation requests for this role.

  2. To add approvers, click Select approvers.

    Azure AD roles - Settings - Require approval

  3. Select one or more approvers in addition to the Privileged role administrator and then click Select. You can select users or groups. We recommend that you add at least two approvers. Even if you add yourself as an approver, you can't self-approve a role activation. Your selections will appear in the list of selected approvers.

  4. After you have specified your all your role settings, select Save to save your changes.

Next steps