Forum Discussion

TherealKillerbe
Brass Contributor
Mar 18, 2025

Entra-ID Privileged Identity Management for Groups

We have used PIM for groups to assign certain Azure Security groups to eligible users. For example, a group which provides the Contributor role on a certain subscription. This group is added in PIM for groups, and eligible users have been assigned to the group, in which they can provide themselves with the privileges if required to do so for a maximum of 8 hours.

However, when we assign a user to a PIM-protected group, there is no way to tell from the user's properties that the user has been assigned (eligible) to a PIM-protected group. Therefore, wouldn't it be better to create PIM groups, add the assigned user as a member of a PIM group, and assign the PIM group as eligible to the PIM-protected group? Then you would be able to see from the Groups list if the user is eligible for any PIM groups.

  • Agree, it is also the way we configure for customers at the company I work for. 
    Using this approach will make it more visible :) 

  • You may consider this:


    • Create a PIM Management Group: Use this as a "layer" to group users who are eligible for specific roles or privileges.
    • Assign Users to the PIM Management Group: By assigning users as members of this group, you create a clear, visible association between the user and the group that grants eligibility for specific privileges.
    • Assign PIM Management Groups to PIM-Protected Groups: Instead of assigning individual users directly as eligible to the PIM-protected group, make the PIM management group itself eligible.

    Benefits:

    • Improved Visibility: By looking at the Groups list, you can easily track and identify the eligibility of a user based on their membership in the management group.
    • Ease of Management: Modifications to eligibility can be handled at the group level, simplifying operations compared to managing individual user assignments.
    • TherealKillerbe
      Brass Contributor

      This is exactly what I meant. Just wanted to make sure that it is considered a valid solution.
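The three-step layout from the reply above (management group, user as member, management group eligible for the PIM-protected group), plus a check that derives a user's eligibility from their group memberships, written out with Microsoft Graph PowerShell. This is an added example and not code from the thread; it assumes the Microsoft.Graph.Groups and Microsoft.Graph.Identity.Governance modules, a caller allowed to manage PIM for Groups, and placeholder ids and names; `Get-PimEligibilityViaGroups` is a hypothetical helper, not a built-in cmdlet.

```powershell
# Added example (not from the thread). Placeholder ids/names throughout.
Connect-MgGraph -Scopes "Group.ReadWrite.All",
                        "PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup"

$pimProtectedGroupId = "<object id of the PIM-protected group>"   # placeholder
$userUpn             = "alice@contoso.example"                    # placeholder

# 1. Create the PIM management group (a plain security group).
$mgmt = New-MgGroup -DisplayName "PIM-Mgmt-Contributor-SubX" `
                    -MailNickname "pim-mgmt-contributor-subx" `
                    -SecurityEnabled:$true -MailEnabled:$false

# 2. Add the user as an ordinary member: this membership is visible in the Groups list.
$user = Get-MgUser -UserId $userUpn
New-MgGroupMember -GroupId $mgmt.Id -DirectoryObjectId $user.Id

# 3. Make the management group (not the user) eligible for membership of the
#    PIM-protected group. The activation duration (8 hours in the thread) comes
#    from the PIM-protected group's own policy, not from this request.
$request = @{
    accessId      = "member"
    principalId   = $mgmt.Id
    groupId       = $pimProtectedGroupId
    action        = "adminAssign"
    justification = "Eligibility granted via PIM management group"
    scheduleInfo  = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = "noExpiration" }
    }
}
New-MgIdentityGovernancePrivilegedAccessGroupEligibilityScheduleRequest -BodyParameter $request

# 4. Check: walk a user's transitive group memberships and list every eligibility
#    schedule in which one of those groups is the principal. Hypothetical helper.
function Get-PimEligibilityViaGroups {
    param([Parameter(Mandatory)][string]$UserId)
    Get-MgUserTransitiveMemberOf -UserId $UserId -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' } |
        ForEach-Object {
            $g = $_
            Get-MgIdentityGovernancePrivilegedAccessGroupEligibilitySchedule `
                -Filter "principalId eq '$($g.Id)'" -All |
                Select-Object @{n='ViaGroup';   e={ $g.AdditionalProperties['displayName'] }},
                              @{n='EligibleFor';e={ $_.GroupId }}, AccessId, Status
        }
}
Get-PimEligibilityViaGroups -UserId $user.Id
```

Running the same schedule query with the user's own object id as `principalId` lists any remaining direct eligibilities, so both paths can be audited in one pass.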
