How to migrate all Entra users from static access to PIM?

Question

I want to implement PIM for all users who are assigned Entra AD roles as permanent assignments. Now I need to implement PIM so that these active role assignments can be converted to PIM eligible. How can I do that? Is there any auto or APIs available for the same or any parameters in UI using which I can convert to PIM eligible roles assignments without changing any existing scope?

Answer 1

Hello Neel Darji,

Thank you for posting this in the Microsoft Q&A Community.

From my understanding, you would like to know how to automate PIM deployment for all users with assigned roles within your organization.

The best way to do this is to create groups and assign PIM to the groups. Follow this link to get more information

https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/groups-assign-member-owner

However, please be informed that when deploying PIM in a production environment, it is best to have a proper plan before doing so. It is not a best practice to implement PIM or deploy PIM for all users at once.

There are a few things to plan for; how many approvals, how many users will be assigned eligible roles, and how long you want users to keep the role (in the form of the usage windows before they need to make a new request).

Kindly follow the link https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-deployment-plan to get more information on how to Plan a Privileged Identity Management deployment and also this link https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-getting-started to get started with PIM.

Let me know if further assistance is required.

Babafemi