Forum Discussion
Solved
Activating Multiple AD roles together with PIM
I have got users with multiple Azure AD roles and PIM has been enabled. Is there a way to activate PIM once which will then activate two or more roles at the same time or users have no choice that to activate one by one.?
- Hi,
you can use Privileged Access Groups feature:
https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/groups-features#activate-multiple-role-assignments-in-a-single-request
7 Replies
- This inquiry was how to activate multiple roles at once which you cannot bulk activate roles with groups. You can only bulk ASSIGN with Groups. The only way to bulk ACTIVATE roles for a user is through PowerShell.
- Hi,
you can use Privileged Access Groups feature:
https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/groups-features#activate-multiple-role-assignments-in-a-single-requestUsing PIM Groups requires you to have Permanent Assignments which does not follow security best practices. They are asking for how to activate daily multiple PIM roles at once....not just have it permanently assigned.
- Hi,
We would like to combine the following Entra ID roles into one group so that the user is assigned all roles in one step:
- Global Reader
- Security Reader
- Attribut Assignment Reader
According to this link (https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/concept-pim-for-groups#making-group-of-users-eligible-for-microsoft-entra-role), this needs to be done via step 2 (Make active assignment of a role to a group and assign users to be eligible to group membership) BUT the next paragraph states that this is not recommended with security-relevant groups (may take significant time). What is the best practices in my case?
Many thanks and regards, Daniel - Thanks. This is perfect
