cmiy
Jun 27, 2025, Copper Contributor
Need Method to Allow PIM Group Elevation Without Granting Full Access to Azure Portal
I’m currently managing Conditional Access policies in our tenant to enforce strict access to the Azure portal. Specifically, we've restricted access to Azure unless the user is coming from an approve...
Chris_toffer0707
Aug 07, 2025, Iron Contributor
Not very easy, but you would use access packages in Entra ID, allowing users to request (with auto approve) access to an access package that joins the users to a group that is enabled for access to Azure portal. Then the access package expires, they get removed from the group and lose access to Azure portal and the ability to elevate using PIM.
https://learn.microsoft.com/en-us/entra/id-governance/entitlement-management-access-package-create
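
An added example, not part of the reply above: a small Python check that an access package assignment policy has the three properties the suggested design depends on (self-service request, auto-approval, time-limited assignment). The field names follow the Microsoft Graph `accessPackageAssignmentPolicy` resource; the sample policy, the `review_policy` helper and the 12-hour cap are assumptions made for illustration.

```python
import re
from datetime import timedelta

# Constructed sample: body shaped like a Microsoft Graph
# accessPackageAssignmentPolicy; display name and values are illustrative.
SAMPLE_POLICY = {
    "displayName": "Azure portal access - 8h (constructed)",
    "allowedTargetScope": "specificDirectoryUsers",
    "expiration": {"type": "afterDuration", "duration": "PT8H"},
    "requestorSettings": {"enableTargetsToSelfAddAccess": True},
    "requestApprovalSettings": {"isApprovalRequiredForAdd": False, "stages": []},
}

_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def parse_duration(text):
    """Parse the day/hour/minute/second subset of ISO 8601 durations."""
    m = _DURATION.match(text or "")
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported duration: {text!r}")
    d, h, mi, s = (int(g or 0) for g in m.groups())
    return timedelta(days=d, hours=h, minutes=mi, seconds=s)


def review_policy(policy, max_lifetime=timedelta(hours=12)):
    """Return findings; an empty list means the policy fits the design."""
    findings = []
    exp = policy.get("expiration") or {}
    if exp.get("type") != "afterDuration":
        # Without expiry the group membership, and portal access, never lapses.
        findings.append("assignment does not expire after a fixed duration")
    else:
        try:
            if parse_duration(exp.get("duration")) > max_lifetime:
                findings.append("assignment lifetime exceeds the allowed maximum")
        except ValueError as err:
            findings.append(str(err))
    if not (policy.get("requestorSettings") or {}).get("enableTargetsToSelfAddAccess"):
        findings.append("users cannot request the package themselves")
    if (policy.get("requestApprovalSettings") or {}).get("isApprovalRequiredForAdd"):
        findings.append("requests are not auto-approved")
    return findings


if __name__ == "__main__":
    print(review_policy(SAMPLE_POLICY) or "policy matches the design")
```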