Microsoft Tech Community

Remove a privileged access group?


Please could someone advise how to remove a `Privileged Access Group` from PIM?

I deleted the security group from AAD, however, the group has not been removed from Privileged Access Groups.

18 Replies

@TS-noodlemctwoodle Hi, sounds like this could be what you're describing.

 

  • Azure AD P2 licensed customers only: Even after deleting the group, it is still shown as an eligible member of the role in PIM UI. Functionally there's no problem; it's just a cache issue in the Azure portal.

https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/roles-groups-concept#know... 

 

@ChristianBergstrom I initially thought it might be a caching issue, however, it's been 5 days now that the group remains in PIM and has been removed from AAD.

@TS-noodlemctwoodle Hey, from my understanding that is the issue (gonna stay there until they fix it).

 

"We are fixing these issues."

 

You could reach out to the Microsoft support, meaning creating a service request, to have an official response though.

@TS-noodlemctwoodle and @ChristianBergstrom , I have the same issue. Group is deleted in Azure AD, but it's still showing under "privileged access groups (Preview)" in the Groups and PIM section.

 

I even looked for the Object ID via PowerShell and the Azure AD Group IS DELETED.

 

Any ETA on when they will clear the cache?

@Deleted Hello, thanks for the info. I have no idea to be honest. But you should open up a ticket with the official support to get an estimation or at least a better explanation than the "we are fixing this".

 

Would you mind updating this conversation if you do that? Thanks!

@ChristianBergstrom, I submitted a ticket. We are facing both of the AD P2 issues outlined with Group-based role assignment in Azure AD.

@TS-noodlemctwoodle and @ChristianBergstrom, I realise that when an active group is renamed it does not update in PIM either. Seems the caching issue is more widespread than just deletion. 

I'd be interested to know if support were able to resolve the issue?

Were you able to solve this problem?
We run into the same problem (almost half a year later...)

We are running into the same issue as well and it's causing issues with our PIM Role assignments for the same roles.   

 

@rdamnl 

It takes 24 hours for the name change or group removal to take place. Also check if you use the latest version of PIM.

Ye, looks like it is still an ongoing issue. Have deleted the PAG group but it persists in PIM...

Any news on this? I am trying to work with such Groups and just renamed the groups... I noticed that in Catalogs of the Identity Management there is a "Refresh from Origin" button that seems to fix this... Hopefully we get something like that in PIM Groups.

I was kinda hoping this was fixed after 3,5 years, but it doesn't look like it is.

Same here. I just deleted a security group from AAD, and it still persists in my PIM group roles.

I've waited in case it was something related to the cache, and I even recreated the same group, with the same permissions, and assigned it to the same users to see if the information could be overwritten for later deletion, but nothing.

There seems to be no solution at the moment.

To remove a Privileged Access Group from PIM, you'll need to follow these steps:

Go to the Azure portal.
Navigate to Azure AD.
Select "Azure AD Privileged Identity Management."
Under "Roles," choose "Privileged Access Groups" and locate the group you want to remove.
Click on the group, and in the top menu, select "Delete."
This should remove the Privileged Access Group from PIM after deleting it from AAD.

I have been able to remove it from my PIM group roles, but there's still a trace of it in the group management options of the PIM solution.

Thanks for the info anyway!
