PIM for Azure AD groups

I don’t know when this was released but I was looking for something like this today and realized it is now officially available.

What I want to do is have PIM (Privileged Identity Management) for Azure AD groups. So I can have users as eligible for a group and they can request access for it and be made a member automatically or via some approval process; and after a set period they will be removed from the group. My use case is to then tie this group to an App Registration that controls access to an Azure Function and this way I can have PIM for access to an Azure Function. Neat, huh! 😎

First off, create an Azure AD group and enable the assignment of Roles to it. This is only visible if you are a Global Admin (and maybe some other roles too I guess, didn’t explore too much).

Then go to the Group, and under Privileged Access enable it. This only appears if you have a P2 license.

Click the button to actually enable it.

Optional: I like to make some tweaks first so I’ll click on “Settings”.

I want to target group membership, so click on “Member”.

Then “Edit”, and make any changes. For example I changed the duration to 4 hours (from 8), removed the need for a justification, added requirement for MFA, and allowed permanent eligible assignment. I also added some users who I’d like notifications be sent to.

Once that is saved I can click on “Add assignments”. You can decide a “role” here for the assignment – and the options are “Member” or “Owner”. Selecting these will assign the person you choose to the group as either member or owner. The assignment can be “permanent” or “eligible” – typical PIM stuff.