Forum Discussion

Jun 20, 2023
Solved

Manage eligibility for PIM managed groups using Access Packages

Hi,


I would like to use Catalogs and Access Packages to manage eligible membership to PIM managed groups.


I've created the AAD security groups and brought them under PIM management,

I've built the catalog and added the groups as a resource,

I've created the access packages.

When creating the access packages I can select the PIM managed groups, but the only roles I can choose are "Owner" and "Member"; there is no option to select whether this role is to be assigned as "Active" or "Eligible".

Since the whole point of using PIM managed groups is to be able to use Eligible assignments, it seems a bit stupid that I can't assign users as eligible using access packages...

So, two questions:

  1. Is there a way to assign the Group Membership role as eligible using access packages?
  2. If not, is it on the roadmap?


If anyone has a link to vote this up, that is more than welcome!


Thanks for your inputs already!

5 Replies

  • Matthias_VDB 


    You can use custom extensions (based on Logic Apps) within Access Packages. In this Logic Apps flow you can trigger an HTTP POST request to the Graph API. See: https://learn.microsoft.com/en-us/graph/api/privilegedaccessgroup-post-eligibilityschedulerequests?view=graph-rest-1.0&tabs=http
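
The Graph call that the custom extension would make, as an added example that is not code from the original thread or from Microsoft: it builds the `eligibilityScheduleRequests` body described in the linked reference (`action: adminAssign` creates an eligible, not active, assignment) and submits it with a bearer token. The group and principal IDs, the `GRAPH_TOKEN` environment variable and the default duration are assumptions; in a Logic Apps HTTP action the same JSON body goes in the request body.

```python
"""Create an *eligible* member/owner assignment on a PIM-managed group via Graph.

Added example for this thread, not the original poster's code. Endpoint and body
shape follow the Graph v1.0 reference linked above; the placeholder GUIDs,
the GRAPH_TOKEN variable and the 365-day default are assumptions.
"""
import json
import os
import re
import urllib.request
from datetime import datetime, timezone

GRAPH_URL = ("https://graph.microsoft.com/v1.0/identityGovernance/"
             "privilegedAccess/group/eligibilityScheduleRequests")
# Minimal ISO 8601 duration check: P180D, PT8H, P1DT12H ...
ISO_DURATION = re.compile(r"^P(?!$)(\d+D)?(T(\d+H)?(\d+M)?)?$")


def build_eligibility_request(group_id, principal_id, access_id="member",
                              duration="P365D", justification="Access package grant"):
    """Return the POST body that makes principal_id eligible for access_id on group_id."""
    if access_id not in ("member", "owner"):
        raise ValueError("accessId must be 'member' or 'owner'")
    if not ISO_DURATION.match(duration):
        raise ValueError("duration must be an ISO 8601 duration such as P180D or PT8H")
    return {
        "accessId": access_id,
        "principalId": principal_id,
        "groupId": group_id,
        "action": "adminAssign",  # eligible assignment; activation still goes through PIM
        "scheduleInfo": {
            "startDateTime": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "expiration": {"type": "afterDuration", "duration": duration},
        },
        "justification": justification,
    }


def submit(body, token):
    """POST the body; the token needs PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup."""
    req = urllib.request.Request(
        GRAPH_URL, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    body = build_eligibility_request(
        group_id="00000000-0000-0000-0000-000000000000",      # placeholder GUID
        principal_id="11111111-1111-1111-1111-111111111111")  # placeholder GUID
    print(json.dumps(body, indent=2))
    if os.environ.get("GRAPH_TOKEN"):  # only sends when a token is supplied
        print(submit(body, os.environ["GRAPH_TOKEN"]))
```

Because the request is `adminAssign`, the user only becomes eligible; they still have to activate through PIM, so the access package review and the PIM activation controls are both kept.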

    SamrishS
    Copper Contributor

    Matthias_VDB 
    Something I have been thinking about for a while now too.
    I have come up with a theory of double grouping to hopefully solve this issue.
    PIM Group contains a normal group as eligible which gets added to the access package.

    Still to be tested but hopefully a workaround.

    Samrish

      Matthias_VDB
      MCT
      Hi,

      Creating the access package is not the issue, neither is adding the PIM managed groups as a resource. The problem is that the role "Member - eligible" is not available. You can only assign the role "member" or "owner", which adds the user as an active member or owner of the PIM managed group, not as eligible... which renders the whole point of having PIM managed groups useless.
