Azure AD Privileged Identity Management (PIM): Troubleshooting Elevated Permissions
With Azure Active Directory (AD) Privileged Identity Management, you can manage, control, and monitor access within your organization. See the getting started guide here: /en-us/azure/active-directory/active-directory-privileged-identity-management-getting-started
One of the important capabilities of Azure AD Privileged Identity Management is Just in Time access. Eligible users can elevate themselves into a role for a specific duration after which they are automatically removed from the role.
The users can now log into any application which requires these roles to perform the elevated tasks.
However, if an application is caching the role memberships, the users might not be able to use their permissions immediately on the specific application.
Verify that the user is elevated
To confirm that the user is elevated, you can check if the user shows up as a member of the role after elevation using
Azure AD PowerShell: /en-us/powershell/azuread/v2/get-azureaddirectoryrolemember
OR
Azure AD Graph API: https://msdn.microsoft.com/en-us/library/azure/ad/graph/api/directoryroles-operations#GetDirectoryRoleMembers
If the user shows up as the member of the role, Azure AD Privileged Identity Management has successfully elevated the user into the role.
Troubleshoot Role membership caching in an application
Sign out and Sign in back to the application
Most of the times, applications cache the membership on the sign in and will refresh it on subsequent sign-ins. So the easiest way to deal with this issue is to sign out and sign in back to the application. You can also try to sign in into an In Private browser window.
Understand the expected cache revocation duration in the application
Assign a user to a role without using Azure AD Privileged Identity Management. You can use
Azure AD PowerShell: https://docs.microsoft.com/en-us/powershell/azuread/v2/add-azureaddirectoryrolemember
OR
Azure AD Graph API: https://msdn.microsoft.com/en-us/library/azure/ad/graph/api/directoryroles-operations#AddDirectoryRoleMembers
Check how long it takes for the application to recognize the user is in that role. Suppose the user is recognized in the role by the application in X minutes, then you should expect that you can use the application after X minutes when you elevate through Azure AD Privileged Identity Management. It is also worth to check with the application owner if they can reduce the cache revocation duration.
Check an alternative application which doesn’t cache role memberships for long duration
Try to check if you can use an alternate application which doesn’t cache the role membership for long durations. For example, if you want to do directory related operations after elevation, you can do that using
Azure AD PowerShell: /en-us/powershell/azuread/v2/azureactivedirectory which skips any role membership caching a portal might have.
OR
Azure AD Graph API: https://msdn.microsoft.com/en-us/library/azure/ad/graph/api/api-catalog which skips any role membership caching a portal might have.
OR
Azure Portal: Go to Privileged Identity Management->Application Access and click Azure Active Directory. This link will remove any caching on the Azure portal and your activated role will be recognized immediately.
