25,185 questions
With groups you can use this feature:
This will make them only eligible. I use this and works as expected:
In PIM I have disallowed permanent active assignment for a group, but in AAD I can add the a permanent group member
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(147.20000000000002, 34%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAK%3C/text%3E%3C/svg%3E)
Andy Knifton
20
Reputation points
I've set a group in PIM to not allow permanent active assignment but when I add a user to the group in AAD, the user is assigned permanent active membership. This doesn't seem right.
I'm trying to configure the group so active membership can only be assigned for a certain time period (ideally 4 hours). Does anyone know a way of doing this?
Microsoft Security | Microsoft Entra | Microsoft Entra ID
Accepted answer
-
Andy David - MVP 157.8K Reputation points MVP Volunteer Moderator2023-09-13T11:56:54.3033333+00:00 -
Andy Knifton 20 Reputation points
2023-09-13T12:30:33.85+00:00 Thanks Andy. Yes- I had read that documentation. I now think that I am expecting PIM to do something it is not really designed for. PIM seems to work just fine from a "self-service" PoV (i.e. when the user manages their own activations (group memberships)) I was hoping it would also cover the "admin" PoV (i.e. if an admin added the user to the group they would then be removed after the configured time). It seems that is not the case. I will look for another solution.
Sign in to comment -