Limitation error on extend Global Administrator role

Mohsen Akhavan 936 Reputation points
2023-03-03T06:21:59.06+00:00

I have a user that assigned a Global Administrator role (3 months). Now, I want to extend this role for example 3 months but I received this error:

Assignments are maximum of 15 days.

Where is this limitation and how can I extend it?

Azure Role-based access control
Azure Role-based access control
An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs.
687 questions
Microsoft Entra
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,890 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Tech-Hyd-1989 5,751 Reputation points
    2023-03-03T06:29:04.31+00:00

    Hello Mohsen Akhavan,

    I hope I can help you with this question.

    The limitation you are referring to is a default restriction set by Microsoft for the duration of Azure AD administrator role assignments. By default, the maximum duration for any administrator role assignment is 15 days, regardless of the type of role.

    To extend the role assignment duration beyond the default limit, you can use the Azure AD Privileged Identity Management (PIM) feature. With PIM, you can create custom role assignments with specific duration periods, including ones longer than 15 days.

    To extend the role assignment for your user using PIM, follow these steps:

    1. Navigate to the Azure portal and select "Azure Active Directory" from the left-hand menu.
    2. Click on the "Privileged Identity Management" option.
    3. Select the "Azure AD roles" option from the "Manage" menu.
    4. Find the user who you want to extend the role assignment for and click on the "Activate" button next to their name.
    5. In the "Activation" pane that appears, select the "Custom duration" option.
    6. Set the desired duration for the role assignment and click "Activate" to confirm the changes.
      1. After completing these steps, the user's role assignment should be extended for the duration you specified.

    Note that PIM is available only in Azure AD Premium P2 and Azure AD Free Trial subscriptions. If you don't have access to PIM, you can create a PowerShell script to automate the assignment of the role every 15 days.

    Doc link for your help:
    https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-resource-roles-renew-extend
    https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-resource-roles-assign-roles

    Please accept as answer and upvote if the above information is helpful for the benefit of the community.