Bring groups into Privileged Identity Management (preview)

In Azure Active Directory (Azure AD), part of Microsoft Entra, you can use Privileged Identity Management (PIM) to manage just-in-time membership or just-in-time ownership of a group. Groups can be used to grant access to Azure AD roles, Azure roles, and various other scenarios. To manage an Azure AD group in PIM, you must first bring it under management in PIM.

Identify groups to manage

Before you start, you need an Azure AD security group or Microsoft 365 group. To learn more about group management in Azure AD, see Manage Azure Active Directory groups and group membership.

Dynamic groups and groups synchronized from an on-premises environment cannot be managed in PIM for Groups.

To bring a group under management with PIM, you must be an owner of the group or hold the Global Administrator or Privileged Role Administrator role.

  1. Sign in to the Azure portal.

  2. Select Azure AD Privileged Identity Management -> Groups (Preview) to view the groups that are already enabled for PIM for Groups.

    Screenshot of where to view groups that are already enabled for PIM for Groups.

  3. Select Discover groups and select a group that you want to bring under management with PIM.

    Screenshot of where to select a group that you want to bring under management with PIM.

  4. Select Manage groups, and then select OK.

  5. Select Groups (Preview) to return to the list of groups enabled in PIM for Groups.
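The Discover groups step above lists every group in the tenant, so it helps to know in advance which groups are actually eligible. The following script is an added example and is not part of the original page or of Microsoft's own tooling. It uses the Microsoft Graph PowerShell SDK (Get-MgGroup) to list cloud-only security groups and Microsoft 365 groups, applying the two exclusions stated on this page: dynamic groups (groupTypes contains DynamicMembership) and groups synchronized from on-premises (onPremisesSyncEnabled is true). It assumes the Microsoft.Graph module is installed and that the signed-in account can consent to the Group.Read.All delegated permission; the function name Test-PimGroupCandidate is this example's own.

```powershell
# Added example (not from the original page): enumerate Azure AD groups that can be
# brought under PIM for Groups, i.e. cloud-only security groups and Microsoft 365 groups
# that are neither dynamic nor synchronized from on-premises.
# Assumes: Install-Module Microsoft.Graph has been run and Group.Read.All can be granted.

Connect-MgGraph -Scopes "Group.Read.All"

# Request only the properties needed for the eligibility decision.
# onPremisesSyncEnabled is $null for cloud-only groups and $true for synced groups.
$groups = Get-MgGroup -All -Property id,displayName,groupTypes,securityEnabled,mailEnabled,onPremisesSyncEnabled

function Test-PimGroupCandidate {
    # Returns $true when the group satisfies the prerequisites listed on this page.
    param([Parameter(Mandatory)] $Group)

    # Exclusion 1: dynamic membership groups cannot be managed in PIM for Groups.
    if ($Group.GroupTypes -contains 'DynamicMembership') { return $false }

    # Exclusion 2: groups synchronized from an on-premises directory cannot be managed.
    if ($Group.OnPremisesSyncEnabled -eq $true) { return $false }

    # Must be a Microsoft 365 group ("Unified") or a security group.
    # Plain distribution lists (mail-enabled, not security-enabled) are excluded.
    $isM365     = $Group.GroupTypes -contains 'Unified'
    $isSecurity = [bool]$Group.SecurityEnabled
    return ($isM365 -or $isSecurity)
}

$groups |
    Where-Object { Test-PimGroupCandidate -Group $_ } |
    Select-Object DisplayName, Id,
        @{ Name = 'Type'; Expression = { if ($_.GroupTypes -contains 'Unified') { 'Microsoft 365' } else { 'Security' } } } |
    Sort-Object DisplayName |
    Format-Table -AutoSize
```

The object IDs printed by the script are the ones to look for under Discover groups. Because the script only reads group metadata, it is safe to run before deciding which groups to onboard; keep in mind that onboarding itself is irreversible, as the note below explains.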

Note

Alternatively, you can use the Groups blade to bring a group under Privileged Identity Management.

Note

Once a group is managed, it can't be taken out of management. This prevents another resource administrator from removing PIM settings.

Important

If a group is deleted from Azure AD, it may take up to 24 hours for the group to be removed from the PIM for Groups blades.

Next steps