Part 2 – Azure Privileged Identity Management (PIM) for Groups

In my previous post I explained what PIM for Groups is, what it takes to get started with PIM for Groups and how the configuration works. In this post, we are going to look at the settings that govern the activation of a PIM for Groups assignment.

Sign in to the Azure portal, navigate to Azure Active Directory and select Groups. Find the right group, in this example the previously created group ‘PIM-for-Groups-example-group’. Select Privileged Access (Preview), then Settings.

Select Member and configure the desired settings here. These settings apply to membership activations; ownership (Owner) has its own, separate set of settings.

The configuration is divided into 2 parts: the upper part contains the properties for activation, the lower part the settings for logging and auditing. To change settings, select Edit.

It is important to think carefully about how long an activation may last: for the whole of that window the user holds the group membership and everything that is assigned to the group, so keep it no longer than the work it is meant to cover. In this example, we opted for 8 hours. As mentioned, Azure MFA is required. New in preview is Azure AD Conditional Access authentication context; more on this later in a new blog post.

You can optionally require users to enter a short justification and ticket information during activation. Later in this blog post you can see the result of this.

Note! It is strongly recommended to require approval from one or more people within the organization, for example a security officer. The activation is only carried out once approval has been given.

The configuration is now ready, and we can look at the steps a user needs to take to activate his or her membership.

Let’s sign in with our admin user

Sign in to the Azure portal with the user who wants to activate PIM for Groups and navigate to Azure AD Privileged Identity Management. Select Groups (Preview) and find the group that has PIM for Groups enabled and of which the user is an eligible member, here ‘PIM-for-Groups-example-group’.

To activate, select Activate.

Here you can see that the user must complete additional authentication, as we configured on the PIM group.

After completing MFA, in my case with number matching, and entering a ticket number and short description, the activation is processed in the background. Once all steps have completed successfully, the browser refreshes automatically and the membership is active.

We can check the status of the activation by navigating to Azure AD Privileged Identity Management, then Groups (Preview), and selecting Active assignments. Here you can see that the membership is active for the duration specified in the configuration.

If you finish your work earlier, the activation can be ended manually by selecting Deactivate.
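As an added example that is not part of the original post, the Python below does through the Microsoft Graph API what the two portal procedures above do by hand: it checks a group's member activation settings against the recommendations from the configuration section (8-hour maximum, MFA, justification and ticket, approval) and builds the self-activation and deactivation requests a user submits, refusing locally a request the policy would reject anyway. The Graph endpoints named in the comments are the ones for a group's unifiedRoleManagementPolicy rules and for privilegedAccessGroupAssignmentScheduleRequest; the policy rules in the block are a constructed sample, the group, user and approver IDs are placeholders, and no request is actually sent.

```python
"""Audit PIM for Groups member activation settings and preflight a self-activation.

Policy rules come from:
  GET /policies/roleManagementPolicies?$filter=scopeId eq '<groupId>' and scopeType eq 'Group'&$expand=rules
Activation and deactivation bodies go to:
  POST /identityGovernance/privilegedAccess/group/assignmentScheduleRequests
Nothing here performs HTTP; the rules below are a constructed sample.
"""
import re
from datetime import datetime, timedelta, timezone

MAX_ACTIVATION = timedelta(hours=8)  # the post's choice for the activation window

# Constructed sample: a member policy left close to its defaults, before hardening.
WEAK_POLICY_RULES = [
    {"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule",
     "id": "Expiration_EndUser_Assignment", "isExpirationRequired": True, "maximumDuration": "PT24H"},
    {"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule",
     "id": "Enablement_EndUser_Assignment", "enabledRules": ["MultiFactorAuthentication"]},
    {"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule",
     "id": "Approval_EndUser_Assignment", "setting": {"isApprovalRequired": False, "approvalStages": []}},
]


def parse_iso_duration(value: str) -> timedelta:
    """Parse the ISO 8601 durations Graph uses (PT8H, PT30M, P1DT1H30M)."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value)
    if not m:
        raise ValueError(f"unsupported duration: {value}")
    days, hours, minutes, seconds = (int(x or 0) for x in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)


def rule(rules, rule_id):
    return next(r for r in rules if r["id"] == rule_id)


def audit_policy(rules) -> list:
    """One finding per member-activation setting weaker than the post recommends."""
    findings = []
    exp = rule(rules, "Expiration_EndUser_Assignment")
    if not exp.get("isExpirationRequired", True):
        findings.append("activation never expires")
    elif parse_iso_duration(exp["maximumDuration"]) > MAX_ACTIVATION:
        findings.append(f"activation may last {exp['maximumDuration']} (limit {MAX_ACTIVATION})")
    enabled = set(rule(rules, "Enablement_EndUser_Assignment")["enabledRules"])
    for required in ("MultiFactorAuthentication", "Justification", "Ticketing"):
        if required not in enabled:
            findings.append(f"{required} not required on activation")
    approval = rule(rules, "Approval_EndUser_Assignment")["setting"]
    approvers = [a for st in approval.get("approvalStages", []) for a in st.get("primaryApprovers", [])]
    if not approval.get("isApprovalRequired") or not approvers:
        findings.append("no approver: activation completes without human approval")
    return findings


def hardened_rules(approver_user_id: str) -> list:
    """The member-activation rules as the post recommends them, in Graph rule shape."""
    return [
        {"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule",
         "id": "Expiration_EndUser_Assignment", "isExpirationRequired": True, "maximumDuration": "PT8H"},
        {"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule",
         "id": "Enablement_EndUser_Assignment",
         "enabledRules": ["MultiFactorAuthentication", "Justification", "Ticketing"]},
        {"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule",
         "id": "Approval_EndUser_Assignment",
         "setting": {"isApprovalRequired": True, "isRequestorJustificationRequired": True,
                     "approvalMode": "SingleStage",
                     "approvalStages": [{"approvalStageTimeOutInDays": 1, "isApproverJustificationRequired": True,
                                         "primaryApprovers": [{"@odata.type": "#microsoft.graph.singleUser",
                                                               "userId": approver_user_id}]}]}},
    ]


def build_activation(rules, group_id, principal_id, hours, justification=None, ticket=None, start=None):
    """Body of a selfActivate request, rejected locally if it would violate the policy."""
    maximum = parse_iso_duration(rule(rules, "Expiration_EndUser_Assignment")["maximumDuration"])
    if timedelta(hours=hours) > maximum:
        raise ValueError(f"requested {hours}h exceeds policy maximum {maximum}")
    enabled = rule(rules, "Enablement_EndUser_Assignment")["enabledRules"]
    if "Justification" in enabled and not justification:
        raise ValueError("policy requires a justification")
    if "Ticketing" in enabled and not ticket:
        raise ValueError("policy requires ticket information")
    start = start or datetime.now(timezone.utc)
    body = {"accessId": "member", "groupId": group_id, "principalId": principal_id, "action": "selfActivate",
            "scheduleInfo": {"startDateTime": start.isoformat().replace("+00:00", "Z"),
                             "expiration": {"type": "afterDuration", "duration": f"PT{hours}H"}}}
    if justification:
        body["justification"] = justification
    if ticket:  # (ticketNumber, ticketSystem)
        body["ticketInfo"] = {"ticketNumber": ticket[0], "ticketSystem": ticket[1]}
    return body


def build_deactivation(group_id, principal_id):
    """Body that ends an active membership early, like the portal's Deactivate button."""
    return {"accessId": "member", "groupId": group_id, "principalId": principal_id, "action": "selfDeactivate"}


if __name__ == "__main__":
    for finding in audit_policy(WEAK_POLICY_RULES):
        print("FINDING:", finding)
    hardened = hardened_rules("00000000-0000-0000-0000-0000000000aa")  # placeholder approver
    print(build_activation(hardened, "<group-id>", "<user-id>", 8, "Change window", ("CHG-1234", "ServiceNow")))
```

Running the audit against the exported policies of every PIM-enabled group is a quick way to find groups where the recommended approval step was skipped; the preflight in build_activation mirrors the checks the portal applies before it lets a user submit.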

If you look up the user in Azure Active Directory and open Assigned roles, the roles obtained through the activated group membership are also visible there.

Summary

In this two-part blog we have seen what PIM for Groups is, how to get started with it, what is involved in configuring it, which settings are recommended and what steps a user must perform to activate a PIM group membership.

Thanks for reading this blog. If you have any questions or want to know more about PIM for Groups, feel free to send me a message. Also take a look at the blog of my colleague Mike van den Brandt, Modern Workplace Consultant at Ictivity. He is involved in making the world digitally safer on a daily basis!