Assign eligibility for a group (preview) in Privileged Identity Management

In Azure Active Directory (Azure AD), part of Microsoft Entra, you can use Privileged Identity Management (PIM) to manage just-in-time membership in a group or just-in-time ownership of it.

When a membership or ownership is assigned, the assignment:

  • Can't be assigned for a duration of less than five minutes
  • Can't be removed within five minutes of it being assigned

Note

Every user who is eligible for membership in or ownership of a privileged access group must have an Azure AD Premium P2 license. For more information, see License requirements to use Privileged Identity Management.

Assign an owner or member of a group

Follow these steps to make a user an eligible member or owner of a group. You need the Global Administrator or Privileged Role Administrator role, or you must be an owner of the group.

  1. Sign in to Azure AD.

  2. Select Azure AD Privileged Identity Management -> Groups (Preview) and view groups that are already enabled for PIM for Groups.

    Screenshot of where to view groups that are already enabled for PIM for Groups.

  3. Select the group you need to manage.

  4. Select Assignments.

  5. Use Eligible assignments and Active assignments blades to review existing membership or ownership assignments for selected group.

    Screenshot of where to review existing membership or ownership assignments for selected group.

  6. Select Add assignments.

  7. Under Select role, choose between Member and Owner to assign membership or ownership.

  8. Select the members or owners you want to make eligible for the group.

    Screenshot of where to select the members or owners you want to make eligible for the group.

  9. Select Next.

  10. In the Assignment type list, select Eligible or Active. Privileged Identity Management provides two distinct assignment types:

    • Eligible assignment requires the member or owner to perform an activation before they can use the role. Depending on the group's settings, activation may also require completing multi-factor authentication (MFA), providing a business justification, or requesting approval from designated approvers.

    Important

    For groups used for elevating into Azure AD roles, Microsoft recommends that you require an approval process for eligible member assignments. If an eligible assignment can be activated without approval, any administrator with permission to reset the eligible user's password can reset it, sign in as that user, and activate the assignment with no second party involved. Requiring approval puts another person in that path.

    • Active assignments don't require the member or owner to perform any activation to use the role. Members or owners assigned as active have the privileges of the role at all times.

  11. If the assignment should be permanent (permanently eligible or permanently assigned), select the Permanently checkbox. Depending on the group's settings, the check box might not appear or might not be editable. For more information, see the Configure privileged access group settings (preview) in Privileged Identity Management article.

    Screenshot of where to configure the setting for add assignments.

  12. Select Assign.
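The same assignment can be created without the portal through Microsoft Graph PowerShell. The script below is an added example, not code from the original article or from Microsoft; it assumes the Microsoft.Graph.Identity.Governance module is installed, that the signed-in account holds one of the roles listed above, and that the placeholder $groupId and $principalId values are replaced with real object IDs. It also enforces the article's five-minute minimum duration locally and then lists the resulting eligible assignments, which is what the Eligible assignments blade shows.

```powershell
# Added example (not part of the original article): create a time-bound eligible
# membership assignment on a PIM-enabled group with Microsoft Graph PowerShell.
# Assumed: Microsoft.Graph.Identity.Governance is installed and the caller is a
# Global Administrator, Privileged Role Administrator, or an owner of the group.
Import-Module Microsoft.Graph.Identity.Governance

$groupId     = '00000000-0000-0000-0000-000000000000'   # placeholder: PIM-enabled group object ID
$principalId = '11111111-1111-1111-1111-111111111111'   # placeholder: user to make eligible
$duration    = 'PT8H'                                   # ISO 8601 duration; e.g. 'P180D' for 180 days

# The article's first constraint: an assignment cannot be shorter than five minutes.
# Rejecting it here gives a clearer failure than the service's 400 response.
$span = [System.Xml.XmlConvert]::ToTimeSpan($duration)
if ($span -lt [TimeSpan]::FromMinutes(5)) {
    throw "Assignment duration '$duration' is below the five-minute minimum."
}

Connect-MgGraph -Scopes 'PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup'

# accessId is 'member' or 'owner' (the "Select role" step); action 'adminAssign'
# creates the eligibility on another principal's behalf.
$request = @{
    accessId      = 'member'
    principalId   = $principalId
    groupId       = $groupId
    action        = 'adminAssign'
    justification = 'Ticket 1234: eligible membership for on-call rotation'   # constructed text
    scheduleInfo  = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{
            type     = 'afterDuration'   # 'noExpiration' corresponds to the Permanently checkbox
            duration = $duration
        }
    }
}
$result = New-MgIdentityGovernancePrivilegedAccessGroupEligibilityScheduleRequest -BodyParameter $request
"Request $($result.Id) status: $($result.Status)"

# Verify what is now in effect, mirroring the Eligible assignments blade.
Get-MgIdentityGovernancePrivilegedAccessGroupEligibilitySchedule -Filter "groupId eq '$groupId'" |
    Select-Object PrincipalId, AccessId, Status,
        @{ n = 'ExpirationType'; e = { $_.ScheduleInfo.Expiration.Type } },
        @{ n = 'EndDateTime';    e = { $_.ScheduleInfo.Expiration.EndDateTime } }
```

For an Active assignment (the second assignment type in step 10) the request shape is the same, but it is submitted with New-MgIdentityGovernancePrivilegedAccessGroupAssignmentScheduleRequest under the PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup scope, and the resulting principal has the group's privileges immediately rather than after an activation.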

Update or remove an existing role assignment

Follow these steps to update or remove an existing role assignment. You need the Global Administrator or Privileged Role Administrator role, or you must be an owner of the group.

  1. Sign in to Azure AD with appropriate role permissions.

  2. Select Azure AD Privileged Identity Management -> Groups (Preview) and view groups that are already enabled for PIM for Groups.

    Screenshot of where to view groups that are already enabled for PIM for Groups.

  3. Select the group you need to manage.

  4. Select Assignments.

  5. Use Eligible assignments and Active assignments blades to review existing membership or ownership assignments for selected group.

    Screenshot of where to review existing membership or ownership assignments for selected group.

  6. Select Update or Remove to update or remove the membership or ownership assignment.
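Removal can also be scripted. The example below is added here and is not code from the original article or from Microsoft; it assumes the same module, permissions, and placeholder IDs as an eligible assignment created through Microsoft Graph PowerShell. It looks up the eligibility schedules that actually exist for the principal on the group before submitting anything, because a principal can be eligible as both member and owner, and it skips any schedule younger than the article's five-minute minimum, which the service would reject anyway.

```powershell
# Added example (not part of the original article): remove a principal's eligible
# assignments on a PIM-enabled group with Microsoft Graph PowerShell.
# Assumed: Microsoft.Graph.Identity.Governance is installed and the caller is a
# Global Administrator, Privileged Role Administrator, or an owner of the group.
Import-Module Microsoft.Graph.Identity.Governance

$groupId     = '00000000-0000-0000-0000-000000000000'   # placeholder: PIM-enabled group object ID
$principalId = '11111111-1111-1111-1111-111111111111'   # placeholder: user whose eligibility to remove

Connect-MgGraph -Scopes 'PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup'

# Enumerate what is in place instead of guessing: there may be no eligibility,
# or one schedule each for member and owner.
$schedules = Get-MgIdentityGovernancePrivilegedAccessGroupEligibilitySchedule `
    -Filter "groupId eq '$groupId' and principalId eq '$principalId'"
if (-not $schedules) {
    throw "No eligible assignment found for $principalId on group $groupId."
}

foreach ($s in $schedules) {
    # The article's second constraint: an assignment cannot be removed within
    # five minutes of being created. Skip those rather than collecting a 400.
    $age = (Get-Date).ToUniversalTime() - $s.CreatedDateTime
    if ($s.CreatedDateTime -and $age -lt [TimeSpan]::FromMinutes(5)) {
        Write-Warning "Skipping $($s.AccessId) eligibility created $([int]$age.TotalSeconds)s ago; retry after five minutes."
        continue
    }

    # Remove exactly the schedule that was found ('member' or 'owner').
    $request = @{
        accessId      = $s.AccessId
        principalId   = $principalId
        groupId       = $groupId
        action        = 'adminRemove'
        justification = 'Ticket 1235: user left the on-call rotation'   # constructed text
    }
    $r = New-MgIdentityGovernancePrivilegedAccessGroupEligibilityScheduleRequest -BodyParameter $request
    "Removed $($s.AccessId) eligibility for $principalId: request $($r.Id) status $($r.Status)"
}
```

To update an assignment instead of removing it, submit the same request with action 'adminUpdate' and a new scheduleInfo block; for Active assignments use the corresponding New-MgIdentityGovernancePrivilegedAccessGroupAssignmentScheduleRequest and Get-MgIdentityGovernancePrivilegedAccessGroupAssignmentSchedule cmdlets.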

Next steps