Bring privileged access groups (preview) into Privileged Identity Management

In Azure Active Directory (Azure AD), part of Microsoft Entra, you can assign Azure AD built-in roles to cloud groups to simplify how you manage role assignments. To protect Azure AD roles and to secure access, you can now use Privileged Identity Management (PIM) to manage just-in-time access for members or owners of these groups. To manage an Azure AD role-assignable group as a privileged access group in Privileged Identity Management, you must bring it under management in PIM.

Identify groups to manage

You can create a role-assignable group in Azure AD as described in Create a role-assignable group in Azure Active Directory. You must be in the group Owner role, Global Administrator role, or Privileged Role Administrator role to bring the group under management with Privileged Identity Management.

  1. Sign in to Azure AD with appropriate role permissions.

  2. Select Groups and then select the role-assignable group you want to manage in PIM. You can search and filter the list.

    (Screenshot: find a role-assignable group to manage in PIM)

  3. Open the group and select Privileged access (Preview).

    (Screenshot: open the Privileged Identity Management experience)

  4. Start managing assignments in PIM.

    (Screenshot: manage assignments in Privileged Identity Management)
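The same workflow can be scripted instead of clicked through. The following is an added example, not code from the original page or from Microsoft: it uses the Microsoft Graph PowerShell SDK and assumes the Microsoft.Graph.Groups, Microsoft.Graph.Users and Microsoft.Graph.Identity.Governance modules are installed and that the tenant exposes the current PIM for Groups API (the successor of the preview blade described above, where the first PIM assignment request is what brings the group under management). The group display name, mail nickname and user principal name are constructed sample values.

```powershell
# Added example (not from the original page): create a role-assignable group,
# verify it qualifies, and bring it under PIM by creating its first eligible
# membership. Assumes Microsoft Graph PowerShell SDK v2 and the current
# PIM for Groups API; names below are constructed sample values.

#Requires -Modules Microsoft.Graph.Groups, Microsoft.Graph.Users, Microsoft.Graph.Identity.Governance

# Creating a role-assignable group needs RoleManagement.ReadWrite.Directory;
# managing group membership through PIM needs PrivilegedAccess.ReadWrite.AzureADGroup.
Connect-MgGraph -Scopes 'Group.ReadWrite.All',
                        'RoleManagement.ReadWrite.Directory',
                        'PrivilegedAccess.ReadWrite.AzureADGroup',
                        'User.Read.All'

# 1. Create the role-assignable group. isAssignableToRole cannot be changed
#    after creation, and the group must be security-enabled, not mail-enabled.
$group = New-MgGroup -DisplayName 'PIM-HelpdeskAdmins' `
                     -MailNickname 'pim-helpdeskadmins' `
                     -MailEnabled:$false `
                     -SecurityEnabled `
                     -IsAssignableToRole

# 2. Verify the property before trying to manage the group in PIM;
#    only role-assignable groups qualify.
$check = Get-MgGroup -GroupId $group.Id -Property 'id,displayName,isAssignableToRole'
if (-not $check.IsAssignableToRole) {
    throw "Group '$($check.DisplayName)' is not role-assignable; PIM cannot manage it."
}

# 3. Make a user eligible for membership (just-in-time), not a standing member.
#    Assumption: this first eligibility request onboards the group into PIM.
#    Remember the caveat on this page: a managed group cannot be taken out
#    of management afterwards.
$user = Get-MgUser -UserId 'helpdesk.lead@contoso.example'   # constructed sample UPN
$body = @{
    accessId      = 'member'          # 'member' or 'owner'
    principalId   = $user.Id
    groupId       = $group.Id
    action        = 'adminAssign'
    justification = 'Helpdesk lead may activate membership just-in-time'
    scheduleInfo  = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString('o')
        expiration    = @{ type = 'afterDuration'; duration = 'P180D' }   # ISO 8601 duration
    }
}
New-MgIdentityGovernancePrivilegedAccessGroupEligibilityScheduleRequest -BodyParameter $body

# 4. Confirm the group now carries an eligibility schedule, i.e. it is managed by PIM.
Get-MgIdentityGovernancePrivilegedAccessGroupEligibilitySchedule `
    -Filter "groupId eq '$($group.Id)'" |
    Select-Object PrincipalId, AccessId, MemberType, Status
```

The eligibility request is the security-relevant step: it replaces a permanent group membership with one the user must activate, so the group's role assignments are only effective while an activation is in progress. Step 2 is a cheap guard that fails early for ordinary groups, which cannot be onboarded regardless of the caller's role.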


Once a privileged access group is managed, it can't be taken out of management. This prevents another resource administrator from removing Privileged Identity Management settings.


If a privileged access group is deleted from Azure Active Directory, it may take up to 24 hours for the group to be removed from the Privileged access groups (Preview) blade.

Next steps