Configure PIM for Groups settings (preview)
In Privileged Identity Management (PIM) for groups in Azure Active Directory (Azure AD), part of Microsoft Entra, role settings define membership or ownership assignment properties: MFA and approval requirements for activation, assignment maximum duration, notification settings, etc. Use the following steps to configure role settings and setup the approval workflow to specify who can approve or deny requests to elevate privilege.
You need to have Global Administrator, Privileged Role Administrator, or group Owner permissions to manage settings for membership or ownership assignments of the group. Role settings are defined per role per group: all assignments for the same role (member or owner) for the same group follow same role settings. Role settings of one group are independent from role settings of another group. Role settings for one role (member) are independent from role settings for another role (owner).
Update role settings
Follow these steps to open the settings for a group role.
Select Azure AD Privileged Identity Management -> Groups (Preview).
Select the group that you want to configure role settings for.
Select Settings.
Select the role you need to configure role settings for – Member or Owner.
Review current role settings.
Select Edit to update role settings.
Once finished, select Update.
Role settings
Activation maximum duration
Use the Activation maximum duration slider to set the maximum time, in hours, that an activation request for a role assignment remains active before it expires. This value can be from one to 24 hours.
On activation, require multi-factor authentication
You can require users who are eligible for a role to prove who they are using Azure AD Multi-Factor Authentication before they can activate. Multi-factor authentication ensures that the user is who they say they are with reasonable certainty. Enforcing this option protects critical resources in situations when the user account might have been compromised.
User may not be prompted for multi-factor authentication if they authenticated with strong credential or provided multi-factor authentication earlier in this session.
For more information, see Multifactor authentication and Privileged Identity Management.
On activation, require Azure AD Conditional Access authentication context (Public Preview)
You can require users who are eligible for a role to satisfy Conditional Access policy requirements: use specific authentication method enforced through Authentication Strengths, elevate the role from Intune compliant device, comply with Terms of Use, and more.
To enforce this requirement, you need to:
- Create Conditional Access authentication context.
- Configure Conditional Access policy that would enforce requirements for this authentication context.
- Configure authentication context in PIM settings for the role.
To learn more about Conditional Access authentication context, see Conditional Access: Cloud apps, actions, and authentication context.
Require justification on activation
You can require that users enter a business justification when they activate the eligible assignment.
Require ticket information on activation
You can require that users enter a support ticket when they activate the eligible assignment. This is information only field and correlation with information in any ticketing system is not enforced.
Require approval to activate
You can require approval for activation of eligible assignment. Approver doesn’t have to be group member or owner. When using this option, you have to select at least one approver (we recommend to select at least two approvers), there are no default approvers.
To learn more about approvals, see Approve activation requests for PIM for Groups members and owners (preview).
Assignment duration
You can choose from two assignment duration options for each assignment type (eligible and active) when you configure settings for a role. These options become the default maximum duration when a user is assigned to the role in Privileged Identity Management.
You can choose one of these eligible assignment duration options:
| Description | |
|---|---|
| Allow permanent eligible assignment | Resource administrators can assign permanent eligible assignment. |
| Expire eligible assignment after | Resource administrators can require that all eligible assignments have a specified start and end date. |
And, you can choose one of these active assignment duration options:
| Description | |
|---|---|
| Allow permanent active assignment | Resource administrators can assign permanent active assignment. |
| Expire active assignment after | Resource administrators can require that all active assignments have a specified start and end date. |
Note
All assignments that have a specified end date can be renewed by resource administrators. Also, users can initiate self-service requests to extend or renew role assignments.
Require multi-factor authentication on active assignment
You can require that administrator or group owner provides multi-factor authentication when they create an active (as opposed to eligible) assignment. Privileged Identity Management can't enforce multi-factor authentication when the user uses their role assignment because they are already active in the role from the time that it is assigned.
Administrator or group owner may not be prompted for multi-factor authentication if they authenticated with strong credential or provided multi-factor authentication earlier in this session.
Require justification on active assignment
You can require that users enter a business justification when they create an active (as opposed to eligible) assignment.
In the Notifications tab on the role settings page, Privileged Identity Management enables granular control over who receives notifications and which notifications they receive.
- Turning off an email
You can turn off specific emails by clearing the default recipient check box and deleting any other recipients. - Limit emails to specified email addresses
You can turn off emails sent to default recipients by clearing the default recipient check box. You can then add other email addresses as recipients. If you want to add more than one email address, separate them using a semicolon (;). - Send emails to both default recipients and more recipients
You can send emails to both default recipient and another recipient by selecting the default recipient checkbox and adding email addresses for other recipients. - Critical emails only
For each type of email, you can select the check box to receive critical emails only. What this means is that Privileged Identity Management will continue to send emails to the specified recipients only when the email requires an immediate action. For example, emails asking users to extend their role assignment will not be triggered while an email requiring admins to approve an extension request will be triggered.
Next steps
Feedback
Submit and view feedback for