SOLVED

Can we Configure AAD Roles assignment Automatically for few hours and expire?

Copper Contributor

Hi All,

I would really appreciate your input into the following:

Can we configure AAD role assignment automatically for a few hours and have it expire? We have E5 licenses assigned to all users and upgraded AAD to P2.

Management is asking if it is possible with the Azure AD Governance PIM feature that:

We should have only two users as Global Admins.

All other users who need admin privilege from time to time may "request" an AAD role assignment, e.g. SharePoint Administrator or Teams Administrator, and get assigned the role automatically for a limited time like a few hours, and then this role expires (is unassigned) automatically as well. When the Tech Support L1 or L2 needs it again, they request it and get assigned for a few hours again.

Also, for more critical roles like Application Administrator or Global Administrator, the L1 / L2 support admins need to request the role and have the role assigned manually, for a few hours, not months / years.

Does AAD PIM offer few-hour activation as well?

Any help would be greatly appreciated.

Regards,

Amir.

3 Replies
best response confirmed by AmirShahzad (Copper Contributor)
Solution
@AmirShahzad The Azure AD Privileged Identity Management (PIM) service also allows Privileged role administrators to make permanent admin role assignments. Additionally, Privileged role administrators can make users eligible for Azure AD admin roles. An eligible administrator can activate the role when they need it, and then their permissions expire once they're done.
Refer to the link below to see how to configure it:
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-ad...
@AmirShahzad appreciate if you could mark my response as correct answer/best response if it did provide the information to your query, that will help us better understand what kind of information actually helps.
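The following is an added example, not code from the thread or from Microsoft's documentation. It shows, with the Microsoft Graph PowerShell SDK, the three pieces the answer above describes for the scenario in the question: a PIM role-settings policy that caps activation at a few hours (with approval required only for the sensitive roles), an eligible (not active) assignment for a support user, and the self-activation call that user makes when they need the role. The role names, the 4-hour/2-hour durations, the 180-day eligibility window and the "PIM Approvers" group name are assumptions for illustration; the cmdlets and the Graph rule ids `Expiration_EndUser_Assignment` and `Approval_EndUser_Assignment` are real.

```powershell
# Added example (not from the thread). Requires the Microsoft Graph PowerShell SDK
# (modules Microsoft.Graph.Identity.Governance, Microsoft.Graph.Identity.DirectoryManagement,
# Microsoft.Graph.Groups) and a Privileged Role Administrator signing in.
# Durations, role names and the approver group name are assumptions for illustration.
Connect-MgGraph -Scopes "RoleManagementPolicy.ReadWrite.Directory", "RoleManagement.ReadWrite.Directory", "Group.Read.All"

function Get-DirectoryRoleDefinitionId {
    param([Parameter(Mandatory)][string]$DisplayName)
    $def = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$DisplayName'"
    if (-not $def) { throw "Role definition '$DisplayName' not found" }
    return $def.Id
}

# Tenant-scope PIM role settings for one directory role: cap how long an activation
# lasts and, optionally, require a member of an approver group to approve it.
function Set-PimActivationPolicy {
    param(
        [Parameter(Mandatory)][string]$RoleDisplayName,
        [Parameter(Mandatory)][string]$MaxActivation,   # ISO 8601 duration, e.g. PT4H
        [string]$ApproverGroupId                        # omit => activation needs no approval
    )
    $roleId  = Get-DirectoryRoleDefinitionId -DisplayName $RoleDisplayName
    $binding = Get-MgPolicyRoleManagementPolicyAssignment `
        -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$roleId'"
    $policyId = $binding.PolicyId
    $endUserTarget = @{ caller = "EndUser"; operations = @("All"); level = "Assignment"
                        inheritableSettings = @(); enforcedSettings = @() }

    # "Activation maximum duration" in the portal
    Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
        -UnifiedRoleManagementPolicyRuleId "Expiration_EndUser_Assignment" -BodyParameter @{
            "@odata.type"        = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"
            id                   = "Expiration_EndUser_Assignment"
            isExpirationRequired = $true
            maximumDuration      = $MaxActivation
            target               = $endUserTarget
        }

    # "Require approval to activate" in the portal; approvers must justify their decision
    $stages = @()
    if ($ApproverGroupId) {
        $stages = @(@{
            approvalStageTimeOutInDays      = 1
            isApproverJustificationRequired = $true
            isEscalationEnabled             = $false
            escalationTimeInMinutes         = 0
            primaryApprovers                = @(@{ "@odata.type" = "#microsoft.graph.groupMembers"; groupId = $ApproverGroupId })
            escalationApprovers             = @()
        })
    }
    Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
        -UnifiedRoleManagementPolicyRuleId "Approval_EndUser_Assignment" -BodyParameter @{
            "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule"
            id            = "Approval_EndUser_Assignment"
            setting       = @{ isApprovalRequired = [bool]$ApproverGroupId; approvalStages = $stages }
            target        = $endUserTarget
        }
}

# Make a user ELIGIBLE for a role. Nothing is granted until they activate it.
function Grant-PimEligibility {
    param([Parameter(Mandatory)][string]$PrincipalId,
          [Parameter(Mandatory)][string]$RoleDisplayName,
          [string]$EligibilityDuration = "P180D")
    New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter @{
        action           = "adminAssign"
        principalId      = $PrincipalId
        roleDefinitionId = (Get-DirectoryRoleDefinitionId -DisplayName $RoleDisplayName)
        directoryScopeId = "/"
        justification    = "L1/L2 support may activate on demand"
        scheduleInfo     = @{ startDateTime = (Get-Date).ToUniversalTime()
                              expiration    = @{ type = "afterDuration"; duration = $EligibilityDuration } }
    }
}

# What the eligible user runs when they need the role. PIM clamps the requested
# duration to the policy maximum and holds the request if approval is required.
function Request-PimActivation {
    param([Parameter(Mandatory)][string]$PrincipalId,
          [Parameter(Mandatory)][string]$RoleDisplayName,
          [Parameter(Mandatory)][string]$Justification,   # e.g. a ticket reference
          [string]$Duration = "PT2H")
    New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter @{
        action           = "selfActivate"
        principalId      = $PrincipalId
        roleDefinitionId = (Get-DirectoryRoleDefinitionId -DisplayName $RoleDisplayName)
        directoryScopeId = "/"
        justification    = $Justification
        scheduleInfo     = @{ startDateTime = (Get-Date).ToUniversalTime()
                              expiration    = @{ type = "afterDuration"; duration = $Duration } }
    }
}

# Wiring for the scenario in the question (assumed names and durations):
Set-PimActivationPolicy -RoleDisplayName "SharePoint Administrator" -MaxActivation "PT4H"
Set-PimActivationPolicy -RoleDisplayName "Teams Administrator"      -MaxActivation "PT4H"
$approvers = (Get-MgGroup -Filter "displayName eq 'PIM Approvers'").Id
Set-PimActivationPolicy -RoleDisplayName "Application Administrator" -MaxActivation "PT4H" -ApproverGroupId $approvers
Set-PimActivationPolicy -RoleDisplayName "Global Administrator"      -MaxActivation "PT4H" -ApproverGroupId $approvers
```

Two practical checks once this is in place: the two standing Global Administrators should be the only *active* assignments on that role (everyone else eligible), and the existing permanent active assignments for the other roles must be converted to eligible ones, otherwise the policy never applies to them because it only governs activations.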