SOLVED

Manage eligibility for PIM managed groups using Access Packages

Iron Contributor

Hi,

 

I would like to use Catalogs and Access Packages to manage eligible membership to PIM managed groups.

 

I've created the AAD security groups and brought them under PIM management,

I've built the catalog and added the groups as a resource,

I've created the access packages.

When creating the access packages I can select the PIM managed groups, but the only roles I can choose are "Owner" and "Member"; there is no option to select whether this role is to be assigned as "Active" or "Eligible".

Since the whole point of using PIM managed groups is to be able to use Eligible assignments, it seems a bit stupid I can't assign users as eligible using access packages...

So, two questions:

  1. Is there a way to assign the Group Membership role as eligible using access packages?
  2. If not, is it on the roadmap?

 

If anyone has the link to vote up this, this is more than welcome!

 

Thanks for your inputs already!

5 Replies
It was a much needed feature, but Microsoft's primary focus in creating Access Packages is on managing access to applications and resources, whether they are privileged or non-privileged users, by creating a custom access package that includes the Group Membership role as one of the entitlements. Refer to this article: https://learn.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-access-pa...
Hi,

Creating the access package is not the issue, neither is adding the PIM managed groups as a resource. The problem is that the role "Member - eligible" is not available. You can only assign the role "member" or "owner", which adds the user as an active member or owner of the PIM managed group, not as eligible... which renders the complete point of having PIM managed groups useless.
best response confirmed by Matthias Vandenberghe (Iron Contributor)
Solution
Added the following UserVoice entry, so everyone who is also missing this functionality, please upvote.
https://feedback.azure.com/d365community/idea/6fce8514-6c0f-ee11-a81c-000d3a0d3715

Thanks a lot already!!
🙏🙏🙏🙏

@Matthias Vandenberghe 
Something, I have been thinking about for a while now too.
I have come up with a theory of double grouping to hopefully solve this issue.
PIM Group contains a normal group as eligible which gets added to the access package.

Still to be tested but hopefully a workaround.

Samrish

@Matthias Vandenberghe 

 

You can use custom extensions (based on Logic Apps) within Access Packages. In this Logic Apps flow you can trigger an HTTP POST request to the Graph API. See: Create eligibilityScheduleRequest - Microsoft Graph v1.0 | Microsoft Learn
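The Graph call that reply points to, as an added example that is not part of the thread: it builds the eligibilityScheduleRequest body that makes a principal eligible (not active) for the "member" or "owner" role on a PIM managed group and posts it to the v1.0 endpoint. The group ID, principal ID and bearer token are placeholder assumptions; a Logic App HTTP action in the custom extension would send the same body.

```python
import json
import re
import urllib.request
from datetime import datetime, timezone

# Graph v1.0 endpoint for eligibility requests on PIM-managed groups.
GRAPH_URL = ("https://graph.microsoft.com/v1.0/identityGovernance/"
             "privilegedAccess/group/eligibilityScheduleRequests")
ACCESS_IDS = {"member", "owner"}          # the only roles PIM for Groups exposes
ISO_DURATION = re.compile(r"^P(?!$)(\d+Y)?(\d+M)?(\d+D)?(T(?=\d)(\d+H)?(\d+M)?(\d+S)?)?$")


def build_eligibility_request(group_id, principal_id, access_id="member",
                              duration="P365D", start_datetime=None,
                              justification="Granted via access package"):
    """Return the JSON body for POST .../eligibilityScheduleRequests.

    The result is an *eligible* assignment: the principal must still activate
    it through PIM, which is what the access package UI cannot express.
    """
    if access_id not in ACCESS_IDS:
        raise ValueError(f"accessId must be one of {sorted(ACCESS_IDS)}")
    if not ISO_DURATION.match(duration):
        raise ValueError("duration must be ISO 8601, e.g. P365D or PT8H")
    if start_datetime is None:
        start_datetime = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "accessId": access_id,
        "principalId": principal_id,
        "groupId": group_id,
        "action": "adminAssign",           # admin-driven eligible assignment
        "justification": justification,
        "scheduleInfo": {
            "startDateTime": start_datetime,
            # Bound the eligibility instead of leaving it open-ended.
            "expiration": {"type": "afterDuration", "duration": duration},
        },
    }


def submit_eligibility_request(body, access_token):
    """POST the body to Graph; the caller's token needs the group
    eligibility write permission (PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup)."""
    req = urllib.request.Request(
        GRAPH_URL, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:      # raises on non-2xx
        return json.load(resp)


if __name__ == "__main__":
    # Placeholder IDs and token (assumptions, not real values).
    body = build_eligibility_request("<group-object-id>", "<user-object-id>")
    print(json.dumps(body, indent=2))
    # submit_eligibility_request(body, "<bearer-token>")
```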
