Hi @Neel Darji
Thank you for posting this in Microsoft Q&A.
If I assign 5 PIM enabled roles to any user as Eligible, can they activate each one-by-one? If yes, which role will be most effective among the 5? For example, I have the Reader role on the ABC subscription and also the Owner role on the Management group that contains the ABC subscription. If I activate both, will it give me Reader access on the ABC subscription or Owner access to the Management Group?
Yes, if you assign 5 PIM enabled roles to any user as Eligible, they can activate each one-by-one. If you activate both the Reader role on ABC subscription and the Owner role on the Management group, you will have Owner access to the management group and all the subscriptions under it, including ABC subscription. This is because the Owner role has more permissions than the Reader role, and the management group scope is broader than the subscription scope.
For your reference: Multiple Role Assignments
Understand scope for Azure RBAC
I have the same question for Entra roles.
For example, if you have the Global Administrator role and the Application Administrator Entra role, the Global Administrator role will have higher priority and will grant the user full control over all aspects of Microsoft Entra ID, including application management.
If I want to assign a PIM role to a user at a specific resource or resource group level for the ABC subscription, can I achieve that, and if yes, how?
Yes, you can assign a PIM role to any user at a specific resource or resource group level for the ABC subscription.
Please follow the steps mentioned in the document: Azure resource roles in Privileged Identity Management
Hope this helps. Do let us know if you have any further queries.
Thanks,
Navya.
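The scope inheritance described in the answer above, as an added example that is not part of the original answer or Microsoft's code: a simplified Python model in which only activated assignments count and access at a scope is the union of roles assigned at that scope or any parent. The management group and resource group names are constructed placeholders, `activate`, `effective_roles` and `is_allowed` are hypothetical helpers, and NotActions, deny assignments and conditions are not modelled.

```python
from fnmatch import fnmatchcase

# Built-in role actions (Owner = "*", Reader = "*/read"); NotActions omitted.
ROLE_ACTIONS = {"Owner": ["*"], "Reader": ["*/read"]}

# Constructed hierarchy: child scope -> parent scope. IDs are placeholders.
MG = "/providers/Microsoft.Management/managementGroups/example-mg"
SUB = "/subscriptions/ABC"
RG = SUB + "/resourceGroups/example-rg"
PARENT = {RG: SUB, SUB: MG}

def scope_chain(scope):
    """Return the scope plus every ancestor scope it inherits from."""
    chain = [scope]
    while chain[-1] in PARENT:
        chain.append(PARENT[chain[-1]])
    return chain

def effective_roles(assignments, scope):
    """Roles that apply at `scope`: active assignments made at it or above it."""
    chain = scope_chain(scope)
    return sorted({a["role"] for a in assignments
                   if a["state"] == "active" and a["scope"] in chain})

def is_allowed(assignments, scope, action):
    """Additive model: allowed if any applicable role grants the action."""
    return any(fnmatchcase(action.lower(), pattern.lower())
               for role in effective_roles(assignments, scope)
               for pattern in ROLE_ACTIONS[role])

def activate(assignments, role, scope):
    """Model a PIM activation: flip one eligible assignment to active."""
    return [dict(a, state="active") if (a["role"], a["scope"]) == (role, scope) else a
            for a in assignments]

# Constructed sample: the two eligible assignments from the question.
eligible = [
    {"role": "Reader", "scope": SUB, "state": "eligible"},
    {"role": "Owner", "scope": MG, "state": "eligible"},
]
WRITE = "Microsoft.Compute/virtualMachines/write"

if __name__ == "__main__":
    step1 = activate(eligible, "Reader", SUB)
    step2 = activate(step1, "Owner", MG)
    for name, state in [("none", eligible), ("Reader", step1), ("Reader+Owner", step2)]:
        print(name, effective_roles(state, RG), is_allowed(state, RG, WRITE))
```

Because the Owner assignment sits at the management group, activating it also applies at every subscription and resource group below, so an eligible assignment scoped to a resource group keeps the activated privilege narrower.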