Exercise assign Azure resource roles in Privileged Identity Management

  • 8 minutes

Assign Azure resource roles

Microsoft Entra Privileged Identity Management (PIM) can manage the built-in Azure resource roles, as well as custom roles, including (but not limited to):

  • Owner
  • User Access Administrator
  • Contributor
  • Security Admin
  • Security Manager

Follow these steps to make a user eligible for an Azure resource role.

  1. Sign in to the Microsoft Entra admin center as a tenant administrator.

  2. Search for and then select Microsoft Entra Privileged Identity Management.

  3. In the Privileged Identity Management menu, in the left navigation, select Azure resources.

  4. On the top menu, select Discover resources.

  5. In the Azure resources – Discovery screen, select your subscription and then, on the top menu, select Manage resource.

    Screenshot of the Azure resources discovery screen with the subscription and manage resource highlighted.

  6. In the Onboarding selected resource for management dialog box, review the information and then select OK.

  7. When onboarding completes, close the Azure resources – Discovery screen.

  8. In the Azure resources screen, select the resource you just added.

    Screenshot displaying the recently added Azure resource.

  9. In the left navigation menu, under Manage, select Roles to see the list of roles for Azure resources.

  10. On the top menu, select + Add assignments.

  11. In the Add assignments dialog, select the Select role menu and then select API Management Service Contributor.

  12. Under Select member(s), select No member selected.

  13. In the Select a member or group pane, select an account from your organization that will be assigned the role.

  14. Select Next.

  15. On the Settings tab, under Assignment type, select Eligible.

    • Eligible assignments require the member of the role to perform an action to use the role. Actions might include performing a multifactor authentication (MFA) check, providing a business justification, or requesting approval from designated approvers.
    • Active assignments do not require the member to perform any action to use the role. Members assigned as active have the privileges always assigned to the role.

  16. Specify an assignment duration by changing the start and end dates and times.

  17. When finished, select Assign.

  18. After the new role assignment is created, a status notification is displayed.

Update or remove an existing resource role assignment

Follow these steps to update or remove an existing role assignment.

  1. Open Microsoft Entra Privileged Identity Management.
  2. Select Azure resources.
  3. Select the resource you want to manage to open its overview page.
  4. Under Manage, select Assignments.
  5. On the Eligible roles tab, in the Action column, review the available options.
  6. Select Remove.
  7. In the Remove dialog box, review the information and then select Yes.