Azure AD Privileged Identity Management (PIM) offers organizations a comprehensive solution for managing, monitoring, and auditing access to their Azure resources. Among its key functionalities, Azure AD PIM allows the implementation of just-in-time (JIT) access to both Azure AD and Azure resources. Sometime ago Microsoft released preview feature that enable the usage of Azure AD PIM for Azure AD role-assignable groups.
Since then, this feature has been fully released (General Availability) with some noteworthy enhancements. Previously, utilizing Azure AD PIM with groups required them to be Azure AD role-assignable groups. However, the functionality has now been extended to encompass any Azure AD security group and any Microsoft 365 group, irrespective of whether they are role-assignable groups or not. In this blog post, I will be providing a demonstration of how to enable Azure AD PIM for an Azure AD security group.
Let's discuss the key points about Azure AD Privileged Identity Management (PIM) for groups:
Azure AD PIM for groups has certain limitations: It does not support dynamic groups or groups synchronized from on-premises directories.
Azure AD role-assignable groups have a maximum limit of 500 groups. This constraint is imposed by Azure AD itself and not by Azure AD PIM. However, for security groups, this 500 group limit does not apply.
Azure AD PIM for groups fully supports nested groups. If a group is eligible for membership in another group, the members of the nested group can activate their membership in the parent group through Azure AD PIM.
Let’s go ahead and see how this actually works.
In my demo environment, I already have an Azure AD security group called “RebelTest Group A” and it doesn’t have any members assigned.
Let's explore how to enable Azure AD Privileged Identity Management (PIM) for a specific group and understand its functionalities through a step-by-step process:
Enabling Azure AD PIM for a Group
Start by logging in to the Azure portal at https://portal.azure.com/ using Global Administrator or Privileged Role Administrator credentials.
Navigate to Azure AD Privileged Identity Management and select Groups.
Select Discover groups to proceed.
In the new page, search for the desired security group and select it from the list. Then, select Manage Groups.
Confirm the onboarding of the selected group(s) to Azure AD PIM by selecting OK when prompted.
Return to the Azure AD PIM groups page to observe the newly onboarded group.
To add a user as an eligible member to the group, select the group name, followed by Assignments in the group page.
Select + Add assignment to initiate the configuration process.
In the configuration window, select Member for the role, then visit the link under Select member(s) to choose users for the role. Then select Next to proceed.
On the settings page, keep the assignment type as Eligible and set the allowed eligible duration (e.g., 1 year). Once the settings are confirmed, Select Assign to complete the user assignment process.
Next, configure the approval process for the role by selecting Settings in the assignment page.
From the Role list, select Member to access the PIM settings for the role. Then select Edit to modify the default settings.
In the role settings page, select Require approval to activate and specify the user as the approver. Then select Update to finalize the configuration.
This complete the Azure AD PIM for group configuration. Let’s see how its really works for the group members and approvers.