PIM Groups prevent permanent assignment



I am designing a PIM implementation and was planning on leveraging PIM groups for most privileged access management scenarios. I created a group and PIM-enabled it and configured the settings to prevent permanent assignment.

However, I find I can still assign permanent members via the normal Entra ID Groups section where you add members to a normal group. Then when I check the PIM section I see a permanent assignment.

Is there a way of preventing this?



1 Reply
Bringing the group to PIM does not prevent changes to it (or its members). Even for role-assignable groups, such changes are possible (but limited to GA and Privileged Role admin). Details are here: https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/concept-pim-for...
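Because direct membership changes are not blocked, a compensating check is to review the group's active assignments regularly and flag any that are permanent. The following is an added example, not part of the thread: it assumes records exported in the shape of Microsoft Graph's PIM for Groups assignment schedules, and the sample data, the 30-day limit and the allowlist parameter are constructed for illustration.

```python
import json
from datetime import datetime, timedelta

# Constructed sample records; field names assume the Graph
# privilegedAccessGroupAssignmentSchedule shape.
SAMPLE = json.loads("""
[
 {"principalId": "user-a", "groupId": "grp-1", "accessId": "member",
  "assignmentType": "assigned",
  "scheduleInfo": {"startDateTime": "2024-05-01T00:00:00Z",
                   "expiration": {"type": "noExpiration"}}},
 {"principalId": "user-b", "groupId": "grp-1", "accessId": "member",
  "assignmentType": "activated",
  "scheduleInfo": {"startDateTime": "2024-05-01T08:00:00Z",
                   "expiration": {"type": "afterDateTime",
                                  "endDateTime": "2024-05-01T16:00:00Z"}}},
 {"principalId": "user-c", "groupId": "grp-1", "accessId": "member",
  "assignmentType": "assigned",
  "scheduleInfo": {"startDateTime": "2024-05-01T00:00:00Z",
                   "expiration": {"type": "afterDateTime",
                                  "endDateTime": "2026-05-01T00:00:00Z"}}}
]
""")

MAX_ACTIVE = timedelta(days=30)  # hypothetical policy limit for active assignments


def _ts(value):
    """Parse an ISO 8601 UTC timestamp such as 2024-05-01T00:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def policy_violations(schedules, allowlist=frozenset()):
    """Return (principalId, groupId, reason) for assignments that break policy."""
    findings = []
    for s in schedules:
        # Activations come from an eligibility and are time-bound, so skip them.
        if s.get("assignmentType") != "assigned" or s["principalId"] in allowlist:
            continue
        info = s.get("scheduleInfo", {})
        exp = info.get("expiration", {})
        if exp.get("type") == "noExpiration":
            reason = "permanent"
        elif exp.get("type") == "afterDateTime":
            length = _ts(exp["endDateTime"]) - _ts(info["startDateTime"])
            reason = "exceeds-max-duration" if length > MAX_ACTIVE else None
        else:
            reason = "needs-review"  # expiration type this check does not parse
        if reason:
            findings.append((s["principalId"], s["groupId"], reason))
    return findings
```

The allowlist is meant for principals that are intentionally permanent, such as emergency-access accounts.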