cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

PIM for security group membership for a Sass application role

Gurdev Singh
Iron Contributor

‎Mar 16 2022 04:21 PM - last edited on ‎Feb 10 2023 02:36 PM by

‎Mar 16 2022 04:21 PM - last edited on ‎Feb 10 2023 02:36 PM by

PIM for security group membership for a Sass application role

Can PIM be used for membership of a plain security group? We have a Sass application configured with SSO using Azure AD and admin roles in Sass app are controlled via an Azure AD security group. This security group does not have any Azure AD or Azure roles assigned. 

 

Could we use PIM to assign group membership of this security group as Eligible? Up-on activation, admins will then become active members of the group and get JIT access to Sass app.

Labels:
1,148 Views
0 Likes
2 Replies
Reply
2 Replies
Vadim_Dich

‎Mar 17 2022 01:14 AM

‎Mar 17 2022 01:14 AM

Re: PIM for security group membership for a Sass application role

AFAIK you cannot achieve that in a direct way but it might work if you define a custom admin role scoped to a resource: https://docs.microsoft.com/en-us/azure/active-directory/roles/custom-create#assign-a-custom-role-sco....
0 Likes
Reply
best response confirmed by Gurdev Singh (Iron Contributor)
ChristofferL

‎Jun 13 2022 04:39 AM

‎Jun 13 2022 04:39 AM

Solution

Re: PIM for security group membership for a Sass application role

Have you checked 'Privileged Access groups'?

 

You can set up just-in-time access to permissions and roles beyond Azure AD and Azure Resource. If you have other resources whose authorization can be connected to an Azure AD security group (for Azure Key Vault, Intune, Azure SQL, or other apps and services), you should enable privileged access on the group and assign users as eligible for membership in the group.

 

https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/groups-featur...
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/concept-privi...

0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by Gurdev Singh (Iron Contributor)
ChristofferL

‎Jun 13 2022 04:39 AM

‎Jun 13 2022 04:39 AM

Solution

Re: PIM for security group membership for a Sass application role

Have you checked 'Privileged Access groups'?

 

You can set up just-in-time access to permissions and roles beyond Azure AD and Azure Resource. If you have other resources whose authorization can be connected to an Azure AD security group (for Azure Key Vault, Intune, Azure SQL, or other apps and services), you should enable privileged access on the group and assign users as eligible for membership in the group.

 

https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/groups-featur...
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/concept-privi...

View solution in original post

0 Likes
Reply