
cmiy
Jun 27, 2025

Need Method to Allow PIM Group Elevation Without Granting Full Access to Azure Portal

I’m currently managing Conditional Access policies in our tenant to enforce strict access to the Azure portal. Specifically, we've restricted access to Azure unless the user is coming from an approved IP range. This is working as expected.

However, we're using Privileged Identity Management (PIM) for just-in-time (JIT) group membership activation. I'd like users to be able to elevate themselves to security groups configured via PIM without needing full access to the Azure portal.

My question is:

Is there a way to allow users to activate PIM group assignments (JIT group membership or ownership) without providing full access to Azure?

Alternatively:

Are there specific endpoints or app IDs that can be excluded in Conditional Access to allow only PIM group activation?

Has anyone found a workaround, such as scripting or automating the group activation, that maintains a strong security posture?

I’d appreciate any recommendations, insights, or proven solutions that let us support PIM group workflows without opening up full Azure portal access.

Thanks in advance!

2 Replies

  • Not very easy, but you would use access packages in Entra ID, allowing users to request (with auto-approval) access to an access package that joins the users to a group that is enabled for access to the Azure portal. Then the access package expires, they get removed from the group and lose access to the Azure portal and the ability to elevate using PIM.

    https://learn.microsoft.com/en-us/entra/id-governance/entitlement-management-access-package-create
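On the original question's point about scripting the activation: PIM for Groups is exposed through Microsoft Graph (the privilegedAccess/group assignmentScheduleRequests API), so an eligible user can self-activate from Microsoft Graph PowerShell without opening the Azure portal. The following is an added example, not code from either post above. The group object ID, the two-hour window and the justification text are hypothetical; the script assumes the caller already holds an eligible assignment and has the Microsoft.Graph.Identity.Governance and Microsoft.Graph.Users modules installed.

```powershell
# Added example (not from the thread): self-activate an eligible PIM for Groups
# membership via Microsoft Graph PowerShell instead of the Azure portal.
# Hypothetical values: the group ID, the activation duration and the justification.

$GroupId  = "00000000-0000-0000-0000-000000000000"   # hypothetical PIM-enabled group
$Duration = "PT2H"                                   # ISO 8601; must not exceed the group's PIM policy maximum

# Delegated scope required by the PIM for Groups assignmentScheduleRequests API.
Connect-MgGraph -Scopes "PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup", "User.Read" -NoWelcome

# Resolve the signed-in user's object ID from the Graph session context.
$me = Get-MgUser -UserId (Get-MgContext).Account -Property Id, UserPrincipalName

# Check: fail early if there is no eligibility to activate against this group.
$eligible = Get-MgIdentityGovernancePrivilegedAccessGroupEligibilityScheduleInstance `
    -Filter "principalId eq '$($me.Id)' and groupId eq '$GroupId'"
if (-not $eligible) {
    throw "No eligible PIM assignment for $($me.UserPrincipalName) on group $GroupId"
}

# Build the self-activation request body.
$request = @{
    accessId      = "member"                 # use "owner" to activate eligible ownership
    principalId   = $me.Id
    groupId       = $GroupId
    action        = "selfActivate"
    justification = "INC-0000: scheduled maintenance"   # hypothetical justification
    scheduleInfo  = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{
            type     = "afterDuration"
            duration = $Duration
        }
    }
}

$result = New-MgIdentityGovernancePrivilegedAccessGroupAssignmentScheduleRequest -BodyParameter $request

# Status tells you whether the activation was provisioned or is waiting on approval.
$result | Select-Object Id, Status, Action, CreatedDateTime
```

Two caveats before relying on this as a workaround. First, the request still has to satisfy whatever the group's PIM activation policy demands (MFA, justification, ticket, approval); if approval is required the returned status will reflect a pending request rather than an active membership. Second, whether the Conditional Access policy blocks this path depends on which cloud apps the policy targets: a policy scoped to Microsoft Azure Management does not cover a Microsoft Graph PowerShell sign-in, while a policy scoped to all cloud apps applies to it as well, so check the policy's target before assuming the script bypasses or is bound by the IP restriction.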
