What is PIM for Groups?
PIM for Groups is part of Azure Active Directory Privileged Identity Management (PIM). With PIM for Groups, users can activate membership or ownership of an Azure AD security group or Microsoft 365 group. These groups can be used to assign access to, for example, Azure AD roles or Azure roles.
When using Azure PIM with PIM for Groups, you’re following Microsoft’s ‘least privilege’ best practice.
How to start using PIM for Groups?
There are some prerequisites when starting with PIM for Groups.
- You need the Global Administrator, Privileged Role Administrator or group Owner role
- Every user who is eligible for membership in or ownership of a privileged access group must have an Azure AD Premium P2 license
When all the above prerequisites are in place, we can start configuring PIM for Groups.
Open the Azure Portal https://portal.azure.com
Navigate to Azure Active Directory / Groups
Select New group
Choose the group type Security or Microsoft 365 (both are supported)
Give the new group a name and description
Set the option Azure AD roles can be assigned to the group to enabled
For now we don’t select any roles; we’re going to configure this later
Select Create
Search for the newly created group and open its properties
Navigate to Privileged access (preview) and select Enable Azure AD PIM for this group
After enabling PIM for Groups, we need to assign the Roles to this group.
Navigate to Assigned Roles and select Add Assignment
Select the right role, or multiple roles
On the Settings tab, you can select the assignment type. In this example we select Eligible. You can also choose to let the eligible assignment expire after a period of time, but for now we select Permanently eligible.
- Active assignments – The configured roles are active for the members in this group, without using PIM
- Eligible assignments – Members of this group can activate this role using PIM for Groups
The next step is to create an eligible assignment. Navigate to Privileged access (Preview) and select Add assignment
Under Select role, choose Member
Select the user in your Azure AD who needs this eligible permission
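The same portal procedure can be scripted, which makes the assignments reviewable and repeatable. The following is an added example, not part of the original post: it uses the Microsoft Graph PowerShell SDK, and the group name, the role (User Administrator) and the user principal name are placeholders chosen for illustration. It assumes the first eligibility request for the group brings it under PIM management, so there is no separate step for the portal's enable button.

```powershell
# Added example (not from the original post). Requires the Microsoft.Graph module.
# Group name, role name and UPN are constructed placeholders.
$ErrorActionPreference = 'Stop'
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'User.Read.All',
    'RoleManagement.ReadWrite.Directory',
    'PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup'

# "Permanently eligible" schedule, used for both assignments below.
$schedule = @{
    startDateTime = (Get-Date).ToUniversalTime().ToString('o')
    expiration    = @{ type = 'noExpiration' }
}

# 1. Create the security group with "Azure AD roles can be assigned to the group"
#    enabled. This property cannot be changed after the group is created.
$group = New-MgGroup -DisplayName 'PIM-UserAdmins' `
    -Description 'Eligible User Administrators (example)' `
    -MailEnabled:$false -MailNickname 'pim-useradmins' `
    -SecurityEnabled -IsAssignableToRole

# 2. Assign the Azure AD role to the group as an eligible assignment.
$role = Get-MgRoleManagementDirectoryRoleDefinition `
    -Filter "displayName eq 'User Administrator'"
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter @{
    action           = 'adminAssign'
    justification    = 'Role eligibility for PIM-managed group (example)'
    roleDefinitionId = $role.Id
    directoryScopeId = '/'          # tenant-wide scope
    principalId      = $group.Id
    scheduleInfo     = $schedule
}

# 3. Make the user an eligible Member of the group (PIM for Groups).
$user = Get-MgUser -UserId 'adele@contoso.example'
New-MgIdentityGovernancePrivilegedAccessGroupEligibilityScheduleRequest -BodyParameter @{
    accessId      = 'member'        # 'owner' for eligible ownership
    groupId       = $group.Id
    principalId   = $user.Id
    action        = 'adminAssign'
    justification = 'Eligible group membership (example)'
    scheduleInfo  = $schedule
}

# Check: the group should have no standing (active) members, only eligible ones.
Get-MgGroupMember -GroupId $group.Id | Select-Object Id
```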
In the next part (Part 2) we are going to configure some settings of the eligible assignment, modify the default settings, and log in as the user to activate the eligible assignment from the user’s perspective.
Thanks for reading this blog! If you have any questions, please feel free to contact me.