When activating PIM for Azure resources what happens to existing RBAC

Kris 26 Reputation points
2021-02-09T09:50:25.12+00:00

Struggling here to find a clear answer for this, hopefully someone can shed some light on this. When activating PIM for Azure Resources: https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-resource-roles-assign-roles what happens to existing RBAC assignment and the ability to assign roles using regular RBAC (outside PIM)?

For example if we today have subscription RBAC assignment:
Role: Contributor
Assignments: AAD-Group01, AAD-Group02, AAD-Group03

If we bring the subscription and Contributor role under PIM management, what happens to 1) our existing assignments 2) the ability to make "non-PIM" assignments for the Contributor role?

Microsoft Entra

Accepted answer
  1. Sam Cogan 10,757 Reputation points MVP
    2021-02-09T17:16:58.087+00:00

    Nothing happens to any existing assignments or your ability to add assignments outside of PIM. Your existing assignments will still apply unless you remove them, but obviously if your aim is to control rights via PIM you may choose to remove them at some point.

    You can still assign roles outside of PIM if you have the rights to do so, but if you're going to use PIM you'd be best to manage roles inside PIM if you can.

