Activating Multiple AD roles together with PIM

MSILinda
Copper Contributor
Aug 15, 2024
Using PIM Groups requires you to have Permanent Assignments which does not follow security best practices. They are asking for how to activate daily multiple PIM roles at once....not just have it permanently assigned.
- P4tr8k
  Brass Contributor
  Aug 16, 2024
  MSILinda thanks but no, in groups you can use both scenario (eligible and active). Regards!
  - MSILinda
    Copper Contributor
    Aug 16, 2024
    Correct I didn't word that correctly. It allows you to make Eligible Assignments to Groups, but that does not solve this problem. This inquiry was how to activate multiple roles at once which you cannot bulk activate roles with groups. The only way to bulk activate roles for a user is through PowerShell.
buenetreech
Copper Contributor
Feb 03, 2024
Hi,

We would like to combine the following Entra ID roles into one group so that the user is assigned all roles in one step:
- Global Reader
- Security Reader
- Attribut Assignment Reader
According to this link (https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/concept-pim-for-groups#making-group-of-users-eligible-for-microsoft-entra-role), this needs to be done via step 2 (Make active assignment of a role to a group and assign users to be eligible to group membership) BUT the next paragraph states that this is not recommended with security-relevant groups (may take significant time). What is the best practices in my case?

Many thanks and regards, Daniel
Skywalker0077
Copper Contributor
Nov 10, 2022
Thanks. This is perfect

Forum Discussion

Activating Multiple AD roles together with PIM

Resources