question

InRainbows-2508 asked amanpreetsingh-msft commented

How to bundle roles

Users on our support line need to activate 5-7 roles in Privileged Identity Manager every day to get admin access to Teams, SharePoint, Intune etc.

Activating every role is time consuming and irritating, and it's easy to confuse which one you need.

So how can I bundle these roles so they only need to activate one role every day?
For security reasons they are not given Global admin access.

azure-ad-privileged-identity-management

amanpreetsingh-msft answered amanpreetsingh-msft commented

Hi @InRainbows-2508 • Thank you for reaching out.

This can be done by using Privileged Access Groups. For this purpose, you need to follow the steps below:

  • Under Azure AD > Groups > Create a new group > Select Yes for Azure AD Roles can be assigned to the group > Under Roles, select the desired roles, such as Exchange Online Admin, SharePoint Admin, Teams Admin etc.
    145544-image.png

  • Once the group is created, enable privilege access, as shown below:
    145450-image.png

  • Under Members blade of the group, Add Eligible Assignments
    145499-image.png

  • Eligible users can then go to Privileged Identity Management blade and activate their membership to the group, as shown below:
    145500-image.png

Once the membership to the group is activated, the user will be able to use the privileges/roles assigned to the group, without requesting access to each role individually.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.



Thank you so much for the solution and a detailed how-to. This resolved the issue.

I feel like the information provided by Microsoft here was not explained very well. I might be looking in the wrong place.



Hi @InRainbows-2508 · Thank you for the update. Yes, the information is not provided in the same document. You can find more details in the links provided under the next steps section of the document you referred to.
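
The portal steps from the answer above, scripted with the Microsoft Graph PowerShell SDK, as an added example that is not part of the original thread and not Microsoft's own code. The group name, role display names, user UPN and 180-day eligibility window are assumptions, and the script assumes the group is brought under PIM by the first eligibility request (confirm in the PIM blade, otherwise enable it in the portal as in the answer's second step).

```powershell
# Added example. Requires the Microsoft.Graph PowerShell SDK and PIM licensing.
# All names and values below are placeholders (assumptions), not from the thread.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'User.Read.All',
    'RoleManagement.ReadWrite.Directory',
    'PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup'

# Keep the bundle to what the support line needs; every role listed here
# is granted together on a single activation.
$roleNames = 'Teams Administrator', 'SharePoint Administrator', 'Exchange Administrator'

# 1. Role-assignable security group. This flag can only be set at creation time.
$group = New-MgGroup -DisplayName 'PIM-SupportLine-Admins' `
    -MailNickname 'pim-supportline-admins' `
    -SecurityEnabled -MailEnabled:$false -IsAssignableToRole

# 2. Assign each directory role to the group at tenant scope ('/').
foreach ($name in $roleNames) {
    $def = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$name'"
    if (-not $def) { throw "Role definition not found: $name" }
    New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $group.Id `
        -RoleDefinitionId $def.Id -DirectoryScopeId '/' | Out-Null
}

# 3. Make the user *eligible* for membership (not an active member), so the
#    roles only apply after they activate the group membership in PIM.
$user = Get-MgUser -UserId 'support.user@contoso.example'
$request = @{
    accessId      = 'member'
    principalId   = $user.Id
    groupId       = $group.Id
    action        = 'adminAssign'
    justification = 'Support line role bundle'
    scheduleInfo  = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString('o')
        expiration    = @{ type = 'afterDuration'; duration = 'P180D' }
    }
}
New-MgIdentityGovernancePrivilegedAccessGroupEligibilityScheduleRequest `
    -BodyParameter $request | Out-Null

# 4. Review: list exactly which roles the group carries, and confirm that
#    nobody is a standing (always-active) member.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($group.Id)'" `
    -ExpandProperty roleDefinition |
    ForEach-Object { $_.RoleDefinition.DisplayName }
Get-MgGroupMember -GroupId $group.Id -All | Select-Object Id
```

An empty result from the last command right after setup means no one holds the bundled roles without activating first.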

SaiKumarMunduri-3690 answered SaiKumarMunduri-3690 edited

I believe adding group assignments through PIM is still an immature approach, as Azure is still working on it. You can give it a try. Last week I assigned roles through PIM in my current environment and all of a sudden all the permissions vanished. I am figuring out this situation with the Microsoft team. Or else we can create a custom role and give that a try.
