Discussion around different ways to implement PIM for Azure resources

KFM 86 Reputation points
2024-01-30T07:07:38.8133333+00:00

I've found there are two ways to use PIM to grant access to Azure resources and I'd like to understand the differences, if any, between the two. The outcome is the same; however, the process/workflow to achieve it is different.

Method 1

Create an Entra ID group, assign it to a specific scope (e.g. management group) and role (e.g. Contributor) and use PIM to manage just-in-time membership in the group. The user, when activating their eligible PIM assignment, will then be a member of that group and inherit whatever role that group has been assigned.

When viewing the "Access control (IAM)" property of a resource, you will not see the user in the list as they're a member of the Entra ID group, but clicking on "View my access" will show the effective access/role.

This is using the "Assign eligibility for a group in Privileged Identity Management" method.

Method 2

Create an Entra ID group and add users to it. Use PIM to assign the group an Azure role (e.g. Contributor) to a specific scope (e.g. management group). The user, when activating their eligible PIM assignment, will then have the specified role at the defined scope.

When viewing the "Access control (IAM)" property of a resource, you will see the user has a direct role assignment at the specified scope.

This is using the "Assign Azure resource roles in Privileged Identity Management" method.

So as you can see, there are two methods. Apart from the initial configuration, are there any security, or any other, implications of choosing one over the other? Thank you!
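The two configurations described in the question, expressed as the underlying REST requests (PIM for Groups via Microsoft Graph, PIM for Azure resources via the ARM eligibility API), followed by the IAM check that shows the difference. This is an added example, not code from the original post; it assumes the Az and Microsoft.Graph PowerShell modules are installed, and every scope, group and user ID is a placeholder.

```powershell
# Added example (not from the original post). All IDs below are placeholders.
$mgScope     = '/providers/Microsoft.Management/managementGroups/<MG-ID>'  # placeholder scope
$group1Id    = '<GROUP-1-OBJECT-ID>'   # placeholder: group used for Method 1
$group2Id    = '<GROUP-2-OBJECT-ID>'   # placeholder: group used for Method 2
$userId      = '<USER-OBJECT-ID>'      # placeholder: the person who will activate
$contributor = 'b24988ac-6180-42a0-ab88-20f7382dd24c'   # built-in Contributor role definition ID
$start       = (Get-Date).ToUniversalTime().ToString('o')

Connect-AzAccount | Out-Null
Connect-MgGraph -Scopes 'PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup','GroupMember.ReadWrite.All' | Out-Null

# Method 1: the group holds a permanent, active Contributor assignment at the scope;
# the user is only made *eligible for membership* of that group (PIM for Groups).
New-AzRoleAssignment -ObjectId $group1Id -RoleDefinitionId $contributor -Scope $mgScope | Out-Null
$groupEligibility = @{
    accessId      = 'member'
    principalId   = $userId
    groupId       = $group1Id
    action        = 'adminAssign'
    justification = 'Method 1: JIT group membership'
    scheduleInfo  = @{ startDateTime = $start; expiration = @{ type = 'afterDuration'; duration = 'P365D' } }
}
Invoke-MgGraphRequest -Method POST -Body $groupEligibility `
    -Uri 'https://graph.microsoft.com/v1.0/identityGovernance/privilegedAccess/group/eligibilityScheduleRequests'

# Method 2: the user is a permanent member of the group; the group is only made
# *eligible for the Contributor role* at the scope (PIM for Azure resources).
New-MgGroupMember -GroupId $group2Id -DirectoryObjectId $userId
$roleEligibility = @{
    properties = @{
        principalId      = $group2Id
        roleDefinitionId = "$mgScope/providers/Microsoft.Authorization/roleDefinitions/$contributor"
        requestType      = 'AdminAssign'
        justification    = 'Method 2: JIT role assignment'
        scheduleInfo     = @{ startDateTime = $start; expiration = @{ type = 'AfterDuration'; duration = 'P365D' } }
    }
}
$requestName = [guid]::NewGuid().Guid
Invoke-AzRestMethod -Method PUT -Payload ($roleEligibility | ConvertTo-Json -Depth 5) `
    -Path "$mgScope/providers/Microsoft.Authorization/roleEligibilityScheduleRequests/$requestName?api-version=2020-10-01"

# Check: with Method 1 only group 1 ever appears here (the user is hidden behind the group);
# with Method 2 a time-bound assignment for the user appears only while an activation is live.
Get-AzRoleAssignment -Scope $mgScope |
    Where-Object { $_.ObjectId -in @($group1Id, $group2Id, $userId) } |
    Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope
```

Running the last query before and after an activation under each method makes the audit-visibility difference from the question concrete: the group-membership route leaves no per-user trace in IAM, the role-assignment route does.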
