Azure PIM and Limiting Group Membership

Connor Charles 0 Reputation points
2023-09-07T10:34:00.8466667+00:00

I am currently working on configuring an access management solution for an Azure Enterprise App, whereby we are looking to utilise Azure PIM for users to request access to a Group, which is assigned to an Azure Enterprise App. Whilst this process is working, and we have configured Azure PIM to limit user access to a couple of hours, we have a further requirement to ensure that only 1 user can use the Enterprise app at once.

What we'd like to do, is enforce a policy that limits membership of the group to a single user at once - if someone requests access to the group via Azure PIM, if there is already a member present, the request will be rejected. If there are no users present, their request will be approved.

From doing some research, I'm not sure this is possible, but was hoping someone may have some advice on how to approach this?

Many thanks in advance!

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

1 answer

  1. Andy David - MVP 147.9K Reputation points MVP
    2023-09-07T11:39:15.7733333+00:00

    Yeah, there is nothing built-in that would automatically limit 1 at a time.

    What you could do is require Approvals to elevate and then it would be on the approvers to check to see if someone is already elevated and reject the PIM request:

    https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-approval-workflow

    Otherwise you would have to spin up something on your own to check that automatically or add and remove users from the PIM group dynamically. Sounds like more work than it's worth though.

    Be sure to have global admin break-glass accounts as well so you don't lock yourself out!

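The "check that automatically" part of the answer above, as an added example that is not from the original thread or from Microsoft: the decision logic an approver (or a script an approver runs) would apply to enforce a one-active-member rule. It works over records shaped like the PIM-for-Groups activation instances Microsoft Graph returns (assignment schedule instances for the group); the group id, principal ids and the sample records are constructed, and the field names are assumptions to verify against the current Graph reference before wiring this to a live tenant. The points it handles that a naive "is the group empty" check misses: an activation whose end time has passed no longer occupies the slot, an activated owner assignment is not a member, permanent (non-PIM) members do occupy the slot, and a requester who already holds the slot may extend it.

```python
from datetime import datetime, timezone

# Hypothetical group id and constructed sample records, shaped like Microsoft
# Graph privilegedAccessGroupAssignmentScheduleInstance objects (assumed field
# names; verify against the Graph reference before using against a real tenant).
GROUP_ID = "00000000-0000-0000-0000-0000000000aa"

SAMPLE_INSTANCES = [
    {   # an activation that already expired: must NOT block the slot
        "groupId": GROUP_ID, "principalId": "user-alice", "accessId": "member",
        "startDateTime": "2023-09-07T06:00:00Z", "endDateTime": "2023-09-07T08:00:00Z",
    },
    {   # an activated *owner* assignment: not a member, does not count
        "groupId": GROUP_ID, "principalId": "user-carol", "accessId": "owner",
        "startDateTime": "2023-09-07T09:00:00Z", "endDateTime": "2023-09-07T11:00:00Z",
    },
    {   # the live activation that currently occupies the single slot
        "groupId": GROUP_ID, "principalId": "user-bob", "accessId": "member",
        "startDateTime": "2023-09-07T10:00:00Z", "endDateTime": "2023-09-07T12:00:00Z",
    },
    {   # an activation for a different group: ignored entirely
        "groupId": "00000000-0000-0000-0000-0000000000bb", "principalId": "user-erin",
        "accessId": "member", "startDateTime": "2023-09-07T10:00:00Z", "endDateTime": None,
    },
]


def _parse(ts: str) -> datetime:
    """Parse a Graph-style ISO 8601 UTC timestamp into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def active_members(instances, now: datetime, group_id: str = GROUP_ID,
                   permanent_members=()) -> set:
    """Principals holding 'member' access of the group at `now`.

    Permanent (non-PIM) members are passed in separately because PIM instances
    only describe activations; a directly assigned member also occupies the slot.
    An instance with endDateTime None is treated as open-ended.
    """
    active = set(permanent_members)
    for inst in instances:
        if inst["groupId"] != group_id or inst["accessId"] != "member":
            continue
        start = _parse(inst["startDateTime"])
        end = inst.get("endDateTime")
        if start <= now and (end is None or now < _parse(end)):
            active.add(inst["principalId"])
    return active


def decide(requester_id: str, instances, now: datetime, permanent_members=()):
    """Return ('approve' | 'reject', reason) for a pending activation request.

    Run this at approval time, not at request time: two requests can be pending
    at once, and approving the first changes the answer for the second.
    """
    holders = active_members(instances, now, permanent_members=permanent_members)
    if not holders:
        return ("approve", "no active member of the group")
    if holders == {requester_id}:
        return ("approve", "requester already holds the slot (extension)")
    return ("reject", f"slot held by {sorted(holders)}")


if __name__ == "__main__":
    for ts in ("2023-09-07T10:30:00Z", "2023-09-07T12:30:00Z"):
        now = _parse(ts)
        print(ts, decide("user-dave", SAMPLE_INSTANCES, now))
```

The remaining gap is the one the answer points at: PIM itself will not call this for you. Either the approver runs it before deciding, or a scheduled job polls the pending requests for the group, applies `decide`, and cancels the losers; in both cases re-run the check immediately before acting, because an activation approved between the check and the decision reintroduces a second member.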
