Approve activation requests for group members and owners (preview)

With Privileged Identity Management (PIM) in Azure Active Directory (Azure AD), part of Microsoft Entra, you can configure activation of group membership and ownership to require approval, and choose users or groups from your Azure AD organization as delegated approvers. We recommend selecting two or more approvers for each group. Delegated approvers have 24 hours to approve requests. If a request is not approved within 24 hours, the eligible user must re-submit a new request. The 24-hour approval window is not configurable.

Follow the steps in this article to approve or deny requests for group membership or ownership.

View pending requests

As a delegated approver, you'll receive an email notification when an Azure resource role request is pending your approval. You can view pending requests in Privileged Identity Management.

  1. Sign in to the Azure AD portal.

  2. Select Azure AD Privileged Identity Management -> Approve requests -> Groups (Preview).

  3. In the Requests for role activations section, you'll see a list of requests pending your approval.

    Screenshot of requests for role activations.

Approve requests

  1. Find and select the request that you want to approve and select Approve.

  2. In the Justification box, enter the business justification.

  3. Select Confirm. An Azure notification is generated by your approval.

    Screenshot of an Azure notification that is generated by your approval.

Deny requests

  1. Find and select the request that you want to deny and select Deny.

  2. In the Justification box, enter the business justification.

  3. Select Confirm. An Azure notification is generated by the denial.

Workflow notifications

Here's some information about workflow notifications:

  • Approvers are notified by email when a request for a group assignment is pending their review. Email notifications include a direct link to the request, where the approver can approve or deny.
  • Requests are resolved by the first approver who approves or denies.
  • When an approver responds to the request, all approvers are notified of the action.
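To make these workflow rules concrete (the first approver's response resolves the request, the fixed 24-hour window described at the top of the article, and every approver being notified of the action), here is an added Python model of the approval workflow; it is not Microsoft's code and calls no Azure API. The request and response data shapes, the names, group names and timestamps are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

APPROVAL_WINDOW = timedelta(hours=24)  # fixed by PIM, not configurable

def utc(s): return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

@dataclass
class Response:
    approver: str
    decision: str       # "Approve" or "Deny"
    at: datetime
    justification: str  # business justification the approver entered

@dataclass
class ActivationRequest:
    requester: str
    group: str
    kind: str           # "member" or "owner"
    submitted_at: datetime
    approvers: tuple    # delegated approvers on the group's activation policy
    responses: list = field(default_factory=list)

def resolve(req, now):
    """Return (state, deciding_response, approvers_notified). The first response
    from a configured approver inside the 24-hour window resolves the request;
    other responses are ignored; no response by the deadline means it expires."""
    deadline = req.submitted_at + APPROVAL_WINDOW
    valid = sorted((r for r in req.responses if r.approver in req.approvers
                    and r.decision in ("Approve", "Deny") and r.at <= deadline),
                   key=lambda r: r.at)
    if valid:  # resolved by the first approver; all approvers get notified
        first = valid[0]
        state = "approved" if first.decision == "Approve" else "denied"
        return state, first, set(req.approvers)
    return ("expired" if now > deadline else "pending"), None, set()

# Constructed sample data: names, groups and timestamps are invented.
SAMPLE_REQUESTS = {
    "req-1": ActivationRequest("dana", "SQL-Admins", "member", utc("2024-01-01T09:00"),
        ("alice", "bob"), [Response("bob", "Deny", utc("2024-01-01T09:30"), "No change ticket"),
                           Response("alice", "Approve", utc("2024-01-01T10:00"), "CHG-1 approved")]),
    "req-2": ActivationRequest("dana", "SQL-Admins", "owner", utc("2024-01-01T09:00"),
        ("alice", "bob"), [Response("alice", "Approve", utc("2024-01-02T10:00"), "Late reply")]),
    "req-3": ActivationRequest("eve", "KeyVault-Readers", "member", utc("2024-01-02T08:00"),
        ("alice", "bob"), [Response("mallory", "Approve", utc("2024-01-02T08:05"), "Not an approver")]),
}

def audit(now):  # current state of every sample request at the given clock time
    return {rid: resolve(req, now)[0] for rid, req in SAMPLE_REQUESTS.items()}
```

An expired request (req-2, whose only approval arrived after the deadline) is the case where the eligible user has to submit a new request; req-3 shows that a response from someone who is not a configured approver changes nothing.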

Note

An administrator who believes that an approved user should not be active can remove the active group assignment in Privileged Identity Management. Although resource administrators are not notified of pending requests unless they are an approver, they can view and cancel pending requests for all users by viewing pending requests in Privileged Identity Management.

Troubleshoot

Permissions are not granted after activating a role

When you activate a role in Privileged Identity Management, the activation may not instantly propagate to all portals that require the privileged role. Sometimes, even if the change is propagated, web caching in a portal may result in the change not taking effect immediately. If your activation is delayed, here is what you should do.

  1. Sign out of the Azure portal and then sign back in.
  2. In Privileged Identity Management, verify that you are listed as the member of the role.

Next steps