Bring groups into Privileged Identity Management (preview)

In Azure Active Directory (Azure AD), part of Microsoft Entra, you can use Privileged Identity Management (PIM) to manage just-in-time membership in the group or just-in-time ownership of the group. Groups can be used to provide access to Azure AD Roles, Azure roles, and various other scenarios. To manage an Azure AD group in PIM, you must bring it under management in PIM.

Identify groups to manage

Before you will start, you need an Azure AD Security group or Microsoft 365 group. To learn more about group management in Azure AD, see Manage Azure Active Directory groups and group membership.

Dynamic groups and groups synchronized from on-premises environment cannot be managed in PIM for Groups.

You need appropriate permissions to bring groups in Azure AD PIM. For role-assignable groups, you need to have Global Administrator, Privileged Role Administrator role, or be an Owner of the group. For non-role-assignable groups, you need to have Global Administrator, Directory Writer, Groups Administrator, Identity Governance Administrator, User Administrator role, or be an Owner of the group. Role assignments for administrators should be scoped at directory level (not administrative unit level).

Note

Other roles with permissions to manage groups (such as Exchange Administrators for non-role-assignable M365 groups) and administrators with assignments scoped at administrative unit level can manage groups through Groups API/UX and override changes made in Azure AD PIM.

1. Sign in to the Azure portal.

2. Select Azure AD Privileged Identity Management -> Groups (Preview) and view groups that are already enabled for PIM for Groups.

   

3. Select Discover groups and select a group that you want to bring under management with PIM.

   

4. Select Manage groups and OK.

5. Select Groups (Preview) to return to the list of groups enabled in PIM for Groups.

Note

Alternatively, you can use the Groups blade to bring group under Privileged Identity Management.

Note

Once a group is managed, it can't be taken out of management. This prevents another resource administrator from removing PIM settings.

Important

If a group is deleted from Azure AD, it may take up to 24 hours for the group to be removed from the PIM for Groups blades.

Next steps

• Assign eligibility for a group (preview) in Privileged Identity Management
• Activate your group membership or ownership in Privileged Identity Management
• Approve activation requests for group members and owners (preview)