Discussion around different ways to implement PIM for Azure resources
I've found there are two ways to use PIM to grant access to Azure resources and I'd like to understand the differences, if any, between the two. The outcome is the same; however, the process/workflow to achieve it is different.
Method 1
Create an Entra ID group, assign it to a specific scope (e.g. management group) and role (e.g. Contributor) and use PIM to manage just-in-time membership in the group. The user, when activating their eligible PIM assignment, will then be a member of that group and inherit whatever role that group has been assigned.
When viewing the "Access control (IAM)" property of a resource, you will not see the user in the list as they're a member of the Entra ID group, but clicking on "View my access" will show the effective access/role.
This is using the "Assign eligibility for a group in Privileged Identity Management" method.
Method 2
Create an Entra ID group and add users to it. Use PIM to assign the group an Azure role (e.g. Contributor) to a specific scope (e.g. management group). The user, when activating their eligible PIM assignment, will then have the specified role at the defined scope.
When viewing the "Access control (IAM)" property of a resource, you will see the user has a direct role assignment at the specified scope.
This is using the "Assign Azure resource roles in Privileged Identity Management" method.
So as you can see, there are two methods. Apart from the initial configuration, are there any security or other implications of choosing one over the other? Thank you!
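One practical difference between the two methods is what an audit of a scope's role assignments actually reveals. The script below is an added example, not part of the original post: it enumerates, for one scope, the Azure role eligibilities (Method 2) and the groups holding a standing role whose membership is managed by PIM for Groups (Method 1). It assumes the Az.Resources and Microsoft.Graph.Identity.Governance modules are installed, that Connect-AzAccount and Connect-MgGraph have already been run with read access to role assignments and PIM for Groups, and that the management group ID is a placeholder you replace.

```powershell
# Added example: compare what an IAM-level audit shows for the two PIM methods.
# Assumes Az.Resources + Microsoft.Graph.Identity.Governance are loaded and that
# Connect-AzAccount / Connect-MgGraph have been run with sufficient read rights.
param(
    # Placeholder scope (assumption): replace <MG-ID> with the management group to audit.
    [string]$Scope = "/providers/Microsoft.Management/managementGroups/<MG-ID>"
)

# Method 2: eligibility sits on the Azure role itself. Activation creates a
# time-bound, direct role assignment, so the user shows up in the IAM blade.
Write-Host "== Method 2: Azure resource role eligibilities at $Scope =="
Get-AzRoleEligibilitySchedule -Scope $Scope |
    Select-Object PrincipalId, PrincipalType, RoleDefinitionId, Scope |
    Format-Table -AutoSize

# Method 1: the group holds a permanent (active) role assignment; PIM controls
# membership. Reading role assignments alone never shows the eligible users,
# so the group has to be cross-checked against PIM for Groups.
# Note: Get-AzRoleAssignment -Scope also returns assignments inherited from
# parent scopes, which is exactly what an activated member inherits.
Write-Host "== Method 1: groups with a standing role at $Scope, membership via PIM for Groups =="
$groupAssignments = Get-AzRoleAssignment -Scope $Scope | Where-Object ObjectType -eq 'Group'
foreach ($ra in $groupAssignments) {
    # Eligibility schedules for this group in PIM for Groups (empty when the
    # group is an ordinary, non-PIM group, i.e. standing access for all members).
    $elig = Get-MgIdentityGovernancePrivilegedAccessGroupEligibilitySchedule `
        -Filter "groupId eq '$($ra.ObjectId)'"
    [pscustomobject]@{
        Group           = $ra.DisplayName
        GroupObjectId   = $ra.ObjectId
        Role            = $ra.RoleDefinitionName
        Scope           = $ra.Scope
        PimManaged      = [bool]$elig
        EligibleMembers = @($elig | Where-Object AccessId -eq 'member').Count
        EligibleOwners  = @($elig | Where-Object AccessId -eq 'owner').Count
    }
}
```

Rows with PimManaged = False are groups whose members have standing, non-JIT access at that scope; rows with EligibleOwners greater than zero deserve a second look, since an owner can change membership outside the PIM activation flow.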