
ITOps Talk Blog

Step-by-Step Guide : Azure AD PIM for Groups

dishanfrancis (Microsoft)
Aug 01, 2023

Azure AD Privileged Identity Management (PIM) offers organizations a comprehensive solution for managing, monitoring, and auditing access to their Azure resources. Among its key functionalities, Azure AD PIM allows the implementation of just-in-time (JIT) access to both Azure AD and Azure resources. Some time ago, Microsoft released a preview feature that enabled the use of Azure AD PIM for Azure AD role-assignable groups.

 

Since then, this feature has been fully released (General Availability) with some noteworthy enhancements. Previously, utilizing Azure AD PIM with groups required them to be Azure AD role-assignable groups. However, the functionality has now been extended to encompass any Azure AD security group and any Microsoft 365 group, irrespective of whether they are role-assignable groups or not. In this blog post, I will be providing a demonstration of how to enable Azure AD PIM for an Azure AD security group.

 

Let's discuss the key points about Azure AD Privileged Identity Management (PIM) for groups:

 

  • Azure AD PIM for groups has certain limitations: It does not support dynamic groups or groups synchronized from on-premises directories.
  • Azure AD role-assignable groups have a maximum limit of 500 groups. This constraint is imposed by Azure AD itself and not by Azure AD PIM. However, for security groups, this 500 group limit does not apply.
  • Azure AD PIM for groups fully supports nested groups. If a group is eligible for membership in another group, the members of the nested group can activate their membership in the parent group through Azure AD PIM.

Let’s go ahead and see how this actually works.

In my demo environment, I already have an Azure AD security group called “RebelTest Group A” and it doesn’t have any members assigned.

 

Let's explore how to enable Azure AD Privileged Identity Management (PIM) for a specific group and understand its functionalities through a step-by-step process:

 

Enabling Azure AD PIM for a Group

 

  1. Start by logging in to the Azure portal at https://portal.azure.com/ using Global Administrator or Privileged Role Administrator credentials.
  2. Navigate to Azure AD Privileged Identity Management and select Groups.

     

  3. Select Discover groups to proceed.

     

  4. On the new page, search for the desired security group and select it from the list. Then select Manage Groups.

     

  5. Confirm the onboarding of the selected group(s) to Azure AD PIM by selecting OK when prompted.
  6. Return to the Azure AD PIM groups page to observe the newly onboarded group.

     

  7. To add a user as an eligible member to the group, select the group name, followed by Assignments in the group page.

     

  8. Select + Add assignment to initiate the configuration process.

     

  9. In the configuration window, select Member for the role, then select the link under Select member(s) to choose users for the role. Then select Next to proceed.

     

  10. On the settings page, keep the assignment type as Eligible and set the allowed eligible duration (e.g., 1 year). Once the settings are confirmed, select Assign to complete the user assignment process.

     

  11. Next, configure the approval process for the role by selecting Settings in the assignment page.

     

  12. From the Role list, select Member to access the PIM settings for the role. Then select Edit to modify the default settings.

     

  13. In the role settings page, select Require approval to activate and specify the user as the approver. Then select Update to finalize the configuration.

This completes the Azure AD PIM for groups configuration. Let's see how it really works for the group members and approvers.
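The same configuration (steps 7 to 13) can be scripted with the Microsoft Graph PowerShell SDK. This is an added example, not code from the post; it assumes the Microsoft.Graph module is installed, that the approver UPN is a placeholder, and that the Discover/Manage step has no separate cmdlet because the group is onboarded to PIM by its first schedule request. The group name and member UPN are the ones used in the post.

```powershell
# Assumptions: Microsoft.Graph module installed; 'approver@yjdqn.onmicrosoft.com' is a placeholder.
Connect-MgGraph -Scopes @(
    'Group.Read.All', 'User.Read.All',
    'PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup',
    'RoleManagementPolicy.ReadWrite.AzureADGroup')
$group    = Get-MgGroup -Filter "displayName eq 'RebelTest Group A'"
$member   = Get-MgUser -UserId 'IsaiahL@yjdqn.onmicrosoft.com'
$approver = Get-MgUser -UserId 'approver@yjdqn.onmicrosoft.com'   # placeholder approver

# Steps 7 to 10: an ELIGIBLE (not active) member assignment that lasts one year.
$eligibility = @{
    accessId      = 'member'          # 'member' or 'owner'
    principalId   = $member.Id
    groupId       = $group.Id
    action        = 'adminAssign'
    justification = 'Group membership is granted just-in-time through PIM'
    scheduleInfo  = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = 'afterDuration'; duration = 'P365D' }
    }
}
New-MgIdentityGovernancePrivilegedAccessGroupEligibilityScheduleRequest -BodyParameter $eligibility

# Steps 11 to 13: find the PIM policy that governs the 'member' role of this group,
# then rewrite its end-user activation rule so that activation needs one approver.
$assignment = Get-MgPolicyRoleManagementPolicyAssignment `
    -Filter "scopeId eq '$($group.Id)' and scopeType eq 'Group' and roleDefinitionId eq 'member'"
$approvalRule = @{
    '@odata.type' = '#microsoft.graph.unifiedRoleManagementPolicyApprovalRule'
    id      = 'Approval_EndUser_Assignment'
    target  = @{ caller = 'EndUser'; operations = @('all'); level = 'Assignment'
                 inheritableSettings = @(); enforcedSettings = @() }
    setting = @{
        isApprovalRequired               = $true
        isApprovalRequiredForExtension   = $false
        isRequestorJustificationRequired = $true
        approvalMode                     = 'SingleStage'
        approvalStages = @(@{
            approvalStageTimeOutInDays      = 1
            isApproverJustificationRequired = $true
            escalationTimeInMinutes         = 0
            isEscalationEnabled             = $false
            escalationApprovers             = @()
            primaryApprovers = @(@{ '@odata.type' = '#microsoft.graph.singleUser'; userId = $approver.Id })
        })
    }
}
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $assignment.PolicyId `
    -UnifiedRoleManagementPolicyRuleId 'Approval_EndUser_Assignment' -BodyParameter $approvalRule
```

Running the last cmdlet again with `isApprovalRequired = $false` turns approval back off, which is the same toggle the portal exposes in step 13.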

 

Testing

 

  1. To test Azure AD PIM as an eligible member, log in to the Azure portal using Isaiah Langer's credentials (IsaiahL@yjdqn.onmicrosoft.com).
  2. Navigate to Azure AD Privileged Identity Management and select Groups.
  3. From the list, select "RebelTest Group A" security group.

     

  4. Under My roles, locate the eligible member role for the security group and select Activate.

     

  5. In the role activation window, provide justification for the role request and select Activate.

     

  6. After the request, the approver receives an email notification.

     

  7. Log in to the Azure portal as the approver, go to Azure AD Privileged Identity Management, and select Approve requests.

     

  8. Select Groups and find the role activation request from Isaiah Langer in the list. Then select the user and select Approve.

     

  9. On the new page, provide justification and select Confirm.
  10. The process is now complete. When viewing the "RebelTest Group A" security group, Isaiah Langer will be visible as a member.

     

  11. Isaiah can also check his role activation status, which will show his account as having an active assignment, along with the end time.

     

By following these steps, you should now have a better understanding of how Azure AD PIM for groups operates.
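The member's side of the test (steps 4, 5 and 11) can also be driven from the Microsoft Graph PowerShell SDK. This is an added example, not code from the post; it assumes the session is signed in as the eligible member (Isaiah) and that the justification text is constructed for the example.

```powershell
# Assumption: signed in as the eligible member, not as an administrator.
Connect-MgGraph -Scopes @('Group.Read.All', 'User.Read',
    'PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup')
$group = Get-MgGroup -Filter "displayName eq 'RebelTest Group A'"
$meId  = (Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/v1.0/me').id

# Steps 4 and 5: self-activate the eligible 'member' role for two hours with a justification.
$activation = @{
    accessId      = 'member'
    principalId   = $meId
    groupId       = $group.Id
    action        = 'selfActivate'
    justification = 'Need membership to complete change request CR-1234'   # constructed text
    scheduleInfo  = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = 'afterDuration'; duration = 'PT2H' }
    }
}
$request = New-MgIdentityGovernancePrivilegedAccessGroupAssignmentScheduleRequest -BodyParameter $activation
# Because the role requires approval (step 13 of the configuration), the request is not
# granted at once: Status stays 'PendingApproval' until the approver acts, then 'Provisioned'.
$request.Status

# Step 11: once approved, the active assignment instance carries the activation end time.
Get-MgIdentityGovernancePrivilegedAccessGroupAssignmentScheduleInstance `
    -Filter "groupId eq '$($group.Id)' and principalId eq '$meId'" |
    Select-Object AccessId, AssignmentType, StartDateTime, EndDateTime
```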

Updated Aug 01, 2023
Version 1.0
  • PHancke
    Brass Contributor

    Hi dishanfrancis, what is your take on using groups for Azure AD role assignments considering PIM access reviews do not expand group membership. Do you assign Azure AD roles directly to users or use role-assignable groups with Azure AD access reviews?

  • JonKilner
    Brass Contributor

    dishanfrancis If we went with group-based access in PIM, I'm thinking that we'd need to use privileged access groups to prevent users adding themselves into the PIM-enabled RBAC role. Would that be correct?

  • JonKilner, yes, that's correct: you can make active assignments of users to the group, and then assign the group to a role as eligible for activation.

  • iamrufus
    Copper Contributor

    dishanfrancis The problem with the above reply is that if you set the time assignment to be a member of the PIM group to one hour and then add an Azure role such as User Administrator as eligible against that group to activate with a time assignment of two hours, once the member is taken out of the PIM group after the allocated hour they still have access to the User Administrator role for an additional hour.

     

    Seems like a shortfall to me; you might as well mark the Azure roles required as active on the PIM group itself. That way the assignment time will marry up for both the group and the role.

  • JonKilner
    Brass Contributor

    Hi dishanfrancis, iamrufus,

     

    We've been using PIM for a number of months and are now looking to implement PIM for Groups to help manage access to Global Admins (we have a specific use case that PIM for Groups will resolve). 

     

    Our plan is to create a group and configure the group with active Global Admin assignment. We'll then use PIM for Groups to make members of the group as eligible. The idea is in order for users who are in the group to gain the Global Admin role they'll first need to have approved their membership of the PIM controlled group.

     

    All this sounds good. However, reading over the MS Learn page "Privileged Identity Management (PIM) for Groups - Microsoft Entra ID Governance | Microsoft Learn", it states: 'If you choose to make active assignment of a group to a role and assign users to be eligible to group membership instead, it may take significant time to have all permissions of the role activated and ready to use.'

     

    Can you, or anyone, explain what is meant by 'significant time' and if this is going to impact use of PIM for Groups to manage access to Entra roles.

  • katakat2000
    Copper Contributor

    Hey, great work here. I have been trying to do all of this through a CLI of any sort. Any suggestions?