Skywalker0077
Copper Contributor
Nov 08, 2022
Solved

Activating Multiple AD roles together with PIM

I have got users with multiple Azure AD roles and PIM has been enabled. Is there a way to activate PIM once so that two or more roles are activated at the same time, or do users have no choice but to activate them one by one?

8 Replies

  •
    JPJeff
    Copper Contributor

    The link offered by P4tr8k on Nov 07, 2022 doesn't work (I suspect because the content of the target web page has changed to no longer include the targeted text), but we've been able to achieve the desired results that Skywalker0077 asked for, something like so.

    1. Create a group in Entra ID with "Microsoft Entra roles can be assigned to the group" set to Yes
    2. With the group selected, click on Assigned Roles then add the Roles required as Active Assignments (not Eligible Assignments...unless you want to defeat the whole purpose of this exercise!)
    3. With the group selected, click on Privileged Identity Management (under Activity) to add in the staff you want to apply this to as Eligible Assignments.

    Now, when each member of your Support staff wants to enable their roles in one go they should

    1. Log in to Entra
    2. Go to Privileged Identity Management
    3. Click on My roles.
    4. Click on Groups (rather than Microsoft Entra roles, as they would have before)
    5. Click on the Activate link...
    6. ...and complete the Reason field (don't laugh!)

    This activates their membership of the group, which grants them the Active Roles assigned to that Group.

    ---

    Whether this is a good idea or not is another question!

    I think as long as it's used thoughtfully for only a few, relatively 'harmless' roles, I guess it's okay. It definitely shouldn't be used for high privilege roles like Global Administrator, nor to grant a high number of roles.

    In other words, if it's to ease workflow for frequently used roles and prevent 'security fatigue' then it's okay, but if it's just for convenience (aka laziness) in order to circumvent security protocols then it's a bad idea.

  •
    MSILinda
    Copper Contributor
    This inquiry was about how to activate multiple roles at once, which you cannot do with groups: you cannot bulk ACTIVATE roles with groups, you can only bulk ASSIGN with groups. The only way to bulk ACTIVATE roles for a user is through PowerShell.
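    As an added illustration of the PowerShell route mentioned above (this is not code from the thread or from Microsoft's documentation), the following script uses the Microsoft Graph PowerShell SDK to request self-activation of every Entra ID role the signed-in user is directly eligible for, in one run. The cmdlet names and the `RoleEligibilitySchedule.Read.Directory` / `RoleAssignmentSchedule.ReadWrite.Directory` delegated permissions are real; the justification text and the four-hour duration are constructed values and must fit whatever the tenant's PIM role settings allow. Requests still go through the role settings: if a role requires approval or MFA, the request is left pending or rejected rather than silently bypassed, which is the behaviour a defender wants.

```powershell
# Added example, not from the original thread: activate all directly eligible
# Entra ID roles for the signed-in user in one PowerShell run.
# Requires: Install-Module Microsoft.Graph -Scope CurrentUser
Import-Module Microsoft.Graph.Identity.Governance

# Delegated permissions needed to list eligibilities and submit self-activation requests
Connect-MgGraph -Scopes "RoleEligibilitySchedule.Read.Directory","RoleAssignmentSchedule.ReadWrite.Directory"

$Justification = "Ticket INC-0000 (placeholder): daily support shift"  # constructed value
$Duration      = "PT4H"  # ISO 8601 duration; must not exceed the maximum in the role's PIM settings

# Resolve the signed-in user's object id
$me          = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/me?`$select=id"
$principalId = $me.id

# Roles the user is directly eligible for (eligibility granted via a PIM group is
# activated as group membership instead and is not covered by this filter)
$eligible = Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter "principalId eq '$principalId'"

foreach ($e in $eligible) {
    $roleName = (Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $e.RoleDefinitionId).DisplayName

    $body = @{
        Action           = "selfActivate"
        PrincipalId      = $principalId
        RoleDefinitionId = $e.RoleDefinitionId
        DirectoryScopeId = $e.DirectoryScopeId   # "/" for tenant-wide eligibilities
        Justification    = $Justification
        ScheduleInfo     = @{
            StartDateTime = (Get-Date).ToUniversalTime()
            Expiration    = @{ Type = "AfterDuration"; Duration = $Duration }
        }
    }

    try {
        # Each role is a separate schedule request; PIM evaluates its own role settings
        # (approval, MFA, max duration) per request, so one failure does not block the rest.
        $req = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $body
        Write-Host ("{0}: request status {1}" -f $roleName, $req.Status)
    }
    catch {
        # Typical causes: role already active, approval pending, MFA required, duration too long
        Write-Warning ("{0}: {1}" -f $roleName, $_.Exception.Message)
    }
}
```

    Every request produced this way lands in the PIM audit history and the directory audit log exactly like a portal activation, so the batch approach changes the operator's workflow without weakening review.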
  •
    P4tr8k
    Brass Contributor
    Hi,
    you can use Privileged Access Groups feature:
    https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/groups-features#activate-multiple-role-assignments-in-a-single-request
    •
      MSILinda
      Copper Contributor

      Using PIM Groups requires you to have Permanent Assignments, which does not follow security best practices. They are asking for how to activate multiple PIM roles at once daily, not just have them permanently assigned.

      •
        P4tr8k
        Brass Contributor

        MSILinda thanks but no, in groups you can use both scenarios (eligible and active). Regards!

    •
      buenetreech
      Copper Contributor
      Hi,

      We would like to combine the following Entra ID roles into one group so that the user is assigned all roles in one step:
      - Global Reader
      - Security Reader
      - Attribute Assignment Reader
      According to this link (https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/concept-pim-for-groups#making-group-of-users-eligible-for-microsoft-entra-role), this needs to be done via step 2 (make an active assignment of a role to a group and assign users to be eligible for group membership), BUT the next paragraph states that this is not recommended with security-relevant groups (it may take significant time). What is the best practice in my case?

      Many thanks and regards, Daniel
