PIM for Azure AD groups

I don’t know when this was released but I was looking for something like this today and realized it is now officially available.

What I want to do is have PIM (Privileged Identity Management) for Azure AD groups. So I can have users as eligible for a group and they can request access for it and be made a member automatically or via some approval process; and after a set period they will be removed from the group. My use case is to then tie this group to an App Registration that controls access to an Azure Function and this way I can have PIM for access to an Azure Function. Neat, huh! 😎

First off, create an Azure AD group and enable the assignment of Roles to it. This is only visible if you are a Global Admin (and maybe some other roles too I guess, didn’t explore too much).

Then go to the group and, under “Privileged access”, enable it. This option only appears if you have an Azure AD Premium P2 license.

Click the button to actually enable it.

Optional: I like to make some tweaks first so I’ll click on “Settings”.

I want to target group membership, so click on “Member”.

Then “Edit”, and make any changes. For example, I changed the maximum activation duration to 4 hours (from 8), removed the need for a justification, added a requirement for MFA, and allowed permanent eligible assignment. I also added some users to whom I’d like notifications to be sent.

Once that is saved I can click on “Add assignments”. You choose a “role” here for the assignment, and the options are “Member” or “Owner”. Selecting one of these will assign the person you choose to the group as either a member or an owner. The assignment can be “permanent” or “eligible”: typical PIM stuff.

Thus I have:

Now if Adele logs in she can request group membership. But first, here’s the group as it stands:

Nobody. Now Adele goes to the Azure Portal > PIM > Privileged access groups, she can find the eligible assignment there.

She can click into the group, or click “Activate role”.

Here she did “Activate role” and activated the group she is eligible for.

As you can see the duration is 4 hours and justification is optional (due to my changes above).

She activates it, and now the group has her as a member:

The assignment is only valid for 4 hours after which she’ll be removed.
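The portal clicks above (a permanent eligible assignment for the Member role, then a self-activation capped at 4 hours with no justification required) map onto Microsoft Graph request bodies, and an admin will usually want to audit who is currently activated and when each activation expires. The following Python is an added example, not code from this post; it builds those request bodies offline, checks an activation request against the settings chosen above, and scans a constructed list of assignment schedule instances for active members. The Graph endpoint path and the field names (`accessId`, `principalId`, `groupId`, `action`, `scheduleInfo`, `assignmentType`) are my understanding of the privileged access group API and are assumptions here; the GUIDs and timestamps are made up.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed Graph base path for PIM for groups (not taken from the post).
GRAPH_PIM_GROUPS = "https://graph.microsoft.com/v1.0/identityGovernance/privilegedAccess/group"

# Settings chosen in the post: 4 hour maximum activation, justification optional.
MAX_ACTIVATION = timedelta(hours=4)
JUSTIFICATION_REQUIRED = False


def parse_iso_duration(value):
    """Parse the ISO 8601 durations PIM uses (e.g. PT4H, PT30M, PT1H30M)."""
    m = re.fullmatch(r"PT(?:(\d+)H)?(?:(\d+)M)?", value)
    if not m or value == "PT":
        raise ValueError(f"unsupported duration: {value}")
    hours, minutes = m.groups()
    return timedelta(hours=int(hours or 0), minutes=int(minutes or 0))


def eligibility_request(group_id, principal_id, access_id="member"):
    """Body for POST .../eligibilityScheduleRequests: a permanent eligible assignment."""
    return {
        "accessId": access_id,          # "member" or "owner", as in the portal
        "principalId": principal_id,
        "groupId": group_id,
        "action": "adminAssign",
        "scheduleInfo": {
            "startDateTime": datetime.now(timezone.utc).isoformat(),
            "expiration": {"type": "noExpiration"},   # "permanent" eligible
        },
    }


def activation_request(group_id, principal_id, duration="PT4H", justification=None):
    """Body for POST .../assignmentScheduleRequests: the user activates membership."""
    body = {
        "accessId": "member",
        "principalId": principal_id,
        "groupId": group_id,
        "action": "selfActivate",
        "scheduleInfo": {
            "startDateTime": datetime.now(timezone.utc).isoformat(),
            "expiration": {"type": "afterDuration", "duration": duration},
        },
    }
    if justification:
        body["justification"] = justification
    return body


def validate_activation(body, max_duration=MAX_ACTIVATION,
                        justification_required=JUSTIFICATION_REQUIRED):
    """Return a list of policy violations; empty means the request matches the settings."""
    errors = []
    if body.get("action") != "selfActivate":
        errors.append("action must be selfActivate")
    if body.get("accessId") not in ("member", "owner"):
        errors.append("accessId must be member or owner")
    expiration = body.get("scheduleInfo", {}).get("expiration", {})
    if expiration.get("type") != "afterDuration":
        errors.append("activations must expire after a duration")
    else:
        try:
            if parse_iso_duration(expiration.get("duration", "")) > max_duration:
                errors.append("requested duration exceeds the maximum activation duration")
        except ValueError as exc:
            errors.append(str(exc))
    if justification_required and not body.get("justification"):
        errors.append("justification is required")
    return errors


def _parse_time(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def active_members(instances, now):
    """From assignment schedule instances, list (principalId, endDateTime) active at `now`.

    Activated (time-bound) entries are reported with their expiry; permanent
    assignments have no endDateTime and are reported with None.
    """
    result = []
    for inst in instances:
        start = _parse_time(inst["startDateTime"])
        end = _parse_time(inst["endDateTime"]) if inst.get("endDateTime") else None
        if start <= now and (end is None or now < end):
            result.append((inst["principalId"], end))
    return result


# Constructed sample: Adele activated at 09:00Z for 4 hours; Bob is a permanent member.
SAMPLE_INSTANCES = [
    {"principalId": "adele-0000", "groupId": "grp-1111", "accessId": "member",
     "assignmentType": "activated",
     "startDateTime": "2024-01-15T09:00:00Z", "endDateTime": "2024-01-15T13:00:00Z"},
    {"principalId": "bob-2222", "groupId": "grp-1111", "accessId": "member",
     "assignmentType": "assigned",
     "startDateTime": "2023-06-01T00:00:00Z", "endDateTime": None},
]

if __name__ == "__main__":
    print(validate_activation(activation_request("grp-1111", "adele-0000")))
    print(active_members(SAMPLE_INSTANCES, _parse_time("2024-01-15T12:00:00Z")))
```

Running `active_members` against the real `assignmentScheduleInstances` collection on a schedule is a cheap way to confirm that activated memberships actually drop off after the 4 hours, and `validate_activation` is the same check the PIM policy enforces server-side, useful for catching a misconfigured automation before it submits a request.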

I find this a very cool feature! PIM with the Azure AD and Azure roles was nice, but this takes it to the next level in my opinion. 👏🏼 😍