Редагувати

Поділитися через


Approve activation requests for group members and owners

With Privileged Identity Management (PIM) and Microsoft Entra ID, you can configure activation of group membership and ownership to require approval. You can also choose users or groups from your Microsoft Entra organization as delegated approvers.

We recommend that you select two or more approvers for each group. Delegated approvers have 24 hours to approve requests. If a request isn't approved within 24 hours, the eligible user must resubmit a new request. The 24-hour approval time window isn't configurable.

Follow the steps in this article to approve or deny requests for group membership or ownership.

View pending requests

Tip

Steps in this article might vary slightly based on the portal you start from.

As a delegated approver, you receive an email notification when an Azure resource role request is pending your approval. You can view pending requests in Privileged Identity Management.

  1. Sign in to the Microsoft Entra admin center as at least a Privileged Role Administrator.

  2. Browse to Identity governance > Privileged Identity Management > Approve requests > Groups.

  3. In the Requests for role activations section, you see a list of requests pending your approval.

    Screenshot that shows requests for role activations.

Approve requests

  1. Find and select the request that you want to approve and select Approve.

  2. In the Justification box, enter the business justification.

  3. Select Confirm. Your approval generates an Azure notification.

    Screenshot that shows what an Azure notification generated by your approval looks like.

Deny requests

  1. Find and select the request that you want to deny and select Deny.

  2. In the Justification box, enter the business justification.

  3. Select Confirm. Your denial generates an Azure notification.

Workflow notifications

Here's some information about workflow notifications:

  • Approvers receive notifications by email when a request for a group assignment is pending their review. Email notifications include a direct link to the request, where the approver can approve or deny.
  • Requests are resolved by the first approver who approves or denies.
  • When an approver responds to the request, all approvers are notified of the action.

Note

An administrator who believes that an approved user shouldn't be active can remove the active group assignment in Privileged Identity Management. Resource administrators aren't notified of pending requests unless they're an approver. But they can view and cancel pending requests for all users by viewing pending requests in Privileged Identity Management.

Troubleshoot

Here's a troubleshooting tip.

Permissions aren't granted after you activate a role

When you activate a role in Privileged Identity Management, the activation might not instantly propagate to all portals that require the privileged role. Sometimes, even if the change is propagated, web caching in a portal might result in the change not taking effect immediately.

If your activation is delayed:

  1. Sign out of the Microsoft Entra admin center and then sign back in.
  2. In Privileged Identity Management, verify that you're listed as the member of the role.

Next steps

Configure PIM for Groups settings