Azure PIM and Limiting Group Membership

Connor Charles
2023-09-07T10:34:00.8466667+00:00

I am currently working on configuring an access management solution for an Azure Enterprise App, whereby we are looking to utilise Azure PIM for users to request access to a Group, which is assigned to an Azure Enterprise App. Whilst this process is working, and we have configured Azure PIM to limit user access to a couple of hours, we have a further requirement to ensure that only 1 user can use the Enterprise app at once.

What we'd like to do, is enforce a policy that limits membership of the group to a single user at once - if someone requests access to the group via Azure PIM, if there is already a member present, the request will be rejected. If there are no users present, their request will be approved.

From doing some research, I'm not sure this is possible, but was hoping someone may have some advice on how to approach this?

Many thanks in advance!

Azure Active Directory
An Azure enterprise identity service that provides single sign-on and multi-factor authentication.

1 answer

  1. Andy David - MVP
    2023-09-07T11:39:15.7733333+00:00

    Yeah, there is nothing built-in that would automatically limit it to 1 at a time.

    What you could do is require Approvals to elevate, and then it would be on the approvers to check whether someone is already elevated and reject the PIM request:

    https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-approval-workflow

    Otherwise you would have to spin up something on your own to check that automatically, or add and remove users from the PIM group dynamically. Sounds like more work than it's worth though.

    Be sure to have Global Admin break-glass accounts as well so you don't lock yourself out!

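The "spin up something on your own to check that automatically" option from the answer above, as an added example that is not part of the original thread and not Microsoft code: a PowerShell script that counts who currently holds membership of the PIM-managed group (both active PIM assignment instances and direct members) and only submits a self-activation request when the group is empty or the requester is already the sole member. It assumes the Microsoft.Graph PowerShell SDK (the Microsoft.Graph.Identity.Governance and Microsoft.Graph.Groups modules) with the cmdlet and permission names as published there, that PIM for Groups is enabled on the target group, and that the group and principal IDs are placeholders you supply; `$Duration` must not exceed the maximum activation duration configured in the group's PIM settings.

```powershell
<#
  Added example: gate a PIM for Groups self-activation on "nobody else is in the group".
  Assumptions (not from the original thread):
    - Microsoft.Graph SDK installed: Install-Module Microsoft.Graph -Scope CurrentUser
    - Caller can consent to PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup and GroupMember.Read.All
    - GroupId / PrincipalId are placeholders for the real object IDs
#>
param(
    [Parameter(Mandatory)] [string] $GroupId,        # PIM-managed group assigned to the enterprise app
    [Parameter(Mandatory)] [string] $PrincipalId,    # object ID of the user requesting activation
    [string] $Duration      = 'PT2H',                # ISO 8601 duration; keep within the PIM max
    [string] $Justification = 'Exclusive access to the enterprise app'
)

Connect-MgGraph -Scopes 'PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup', 'GroupMember.Read.All' -NoWelcome

function Get-PresentMembers {
    # Returns the unique set of principal IDs that currently hold membership of the group.
    param([string] $GroupId)

    # Active PIM assignment instances: covers both 'activated' (time-bound) and 'assigned' (permanent).
    $pimInstances = Get-MgIdentityGovernancePrivilegedAccessGroupAssignmentScheduleInstance `
        -Filter "groupId eq '$GroupId' and accessId eq 'member'" -All

    # Direct members added outside PIM also receive the app assignment, so include them as well.
    $directMembers = Get-MgGroupMember -GroupId $GroupId -All

    @($pimInstances | ForEach-Object { $_.PrincipalId }) +
    @($directMembers | ForEach-Object { $_.Id }) |
        Where-Object { $_ } | Sort-Object -Unique
}

$present = @(Get-PresentMembers -GroupId $GroupId)

# Refuse if someone other than the requester already holds membership.
$others = @($present | Where-Object { $_ -ne $PrincipalId })
if ($others.Count -gt 0) {
    Write-Warning ("Group {0} already has {1} member(s): {2}. Not requesting activation." -f
        $GroupId, $others.Count, ($others -join ', '))
    exit 1
}

# Group is free (or the requester is the only holder): submit the time-bound self-activation.
$body = @{
    accessId      = 'member'
    principalId   = $PrincipalId
    groupId       = $GroupId
    action        = 'selfActivate'
    justification = $Justification
    scheduleInfo  = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString('o')
        expiration    = @{ type = 'afterDuration'; duration = $Duration }
    }
}
$request = New-MgIdentityGovernancePrivilegedAccessGroupAssignmentScheduleRequest -BodyParameter $body
Write-Output ("Activation request {0} submitted with status '{1}'." -f $request.Id, $request.Status)
```

Two caveats worth keeping in mind with this approach. First, the check and the activation are not atomic: two users running the script in the same few seconds can both observe an empty group and both activate, so the approval workflow the answer links to (or a periodic reconciliation job that removes all but the earliest active instance) is still needed if exclusivity must be strict. Second, if approval is required on the group's activation settings, the request this script submits lands in the approver's queue with status PendingApproval rather than taking effect immediately, so the approver's own "is anyone already in?" check remains the final gate.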