
How do I add users to Azure AD PIM?

Published in Azure AD PIM User Management

Adding users to Azure AD Privileged Identity Management (PIM) usually means making them eligible for privileged roles, so that they can activate those roles just-in-time rather than hold them permanently. A second case is giving users permission to manage PIM settings and assignments for others.

Here's how to handle both scenarios:

Making Users Eligible for Privileged Roles via PIM

The most common way to "add users to Azure AD PIM" is by assigning them roles through the PIM service, making them eligible to activate those roles when needed. This is a core function of PIM for minimizing standing access.

To assign a user or group to an eligible role in PIM:

  1. Sign in to the Azure portal.
  2. Go to Azure Active Directory > Privileged Identity Management.
  3. On the left menu, under Manage, select Azure AD roles.
  4. Select Add assignments.
  5. Choose the Role you want to assign (e.g., Global Administrator, User Administrator).
  6. Select No member selected and search for the user or group you want to add. Select them from the list.
  7. Under Assignment type, choose Eligible.
  8. Optionally, configure assignment settings like eligibility duration.
  9. Select Assign.

The user is now listed under Eligible assignments for that role in PIM. They can activate the role when they need it.

Giving Users Permission to Manage Azure AD PIM

To give another user the ability to manage PIM itself (e.g., add eligible assignments for other users, manage PIM settings), you need to assign them a PIM-specific administrative role. The provided reference details how to assign the Privileged Role Administrator role.

Based on the reference:

  • Sign in to the Azure portal.
  • Select the Azure AD Privileged Identity Management app on the dashboard (or search for it).
  • Select Manage privileged roles.
  • Select Privileged role administrator.
  • Select Add.

Complete the process by searching for and selecting the user you want to make a Privileged Role Administrator and confirm the assignment.
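Both procedures on this page (the eligible role assignment above, and the Privileged Role Administrator assignment in this section) as an added example that is not from the original article, using the Microsoft Graph PowerShell SDK instead of the portal. The user principal names, the 90-day default eligibility duration and the Graph permission scopes are assumptions; the role is resolved by display name so no role template IDs are hard-coded.

```powershell
# Added example: the portal steps done with the Microsoft Graph PowerShell SDK.
# Assumes the Microsoft.Graph.Users and Microsoft.Graph.Identity.Governance modules
# are installed and the caller already holds Privileged Role Administrator.
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Identity.Governance
Connect-MgGraph -Scopes "User.Read.All", "RoleManagement.ReadWrite.Directory"

function Add-PimEligibleAssignment {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,  # placeholder, e.g. alice@contoso.example
        [Parameter(Mandatory)] [string] $RoleDisplayName,    # e.g. "User Administrator"
        [string] $Justification = "Eligible assignment per approved access request",
        [int] $DurationDays = 90                             # time-bound rather than permanent eligibility
    )
    # Resolve the principal and the role definition by name instead of hard-coding IDs.
    $user = Get-MgUser -Filter "userPrincipalName eq '$UserPrincipalName'" -ErrorAction Stop
    if (-not $user) { throw "User '$UserPrincipalName' not found" }
    $role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$RoleDisplayName'" -ErrorAction Stop
    if (-not $role) { throw "Role '$RoleDisplayName' not found" }

    # action=adminAssign on an eligibility schedule request is the API form of
    # "Assignment type: Eligible"; the expiration block is the eligibility duration (step 8).
    $body = @{
        Action           = "adminAssign"
        PrincipalId      = $user.Id
        RoleDefinitionId = $role.Id
        DirectoryScopeId = "/"            # tenant-wide; prefer an administrative-unit scope where it suffices
        Justification    = $Justification
        ScheduleInfo     = @{
            StartDateTime = (Get-Date).ToUniversalTime()
            Expiration    = @{ Type = "afterDuration"; Duration = "P${DurationDays}D" }  # ISO 8601, e.g. P90D
        }
    }
    New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $body
}

function Get-PimEligibleAssignments {
    # Verification: what PIM now lists under "Eligible assignments" for this principal.
    param([Parameter(Mandatory)] [string] $PrincipalId)
    Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter "principalId eq '$PrincipalId'" -ExpandProperty RoleDefinition -All |
        Select-Object @{ n = 'Role';    e = { $_.RoleDefinition.DisplayName } },
                      @{ n = 'Scope';   e = { $_.DirectoryScopeId } },
                      @{ n = 'Expires'; e = { $_.ScheduleInfo.Expiration.EndDateTime } }
}

# Scenario 1: eligible for a privileged role. Scenario 2: the same call with the PIM-management role.
$request = Add-PimEligibleAssignment -UserPrincipalName "alice@contoso.example" -RoleDisplayName "User Administrator"
Add-PimEligibleAssignment -UserPrincipalName "bob@contoso.example" -RoleDisplayName "Privileged Role Administrator" -DurationDays 30
Get-PimEligibleAssignments -PrincipalId $request.PrincipalId
```

The second function is the scripted equivalent of checking the Eligible assignments list in the portal after each change, which is worth running before closing the access request.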

Users with roles like Privileged Role Administrator or Security Administrator have permissions to manage role assignments within Azure AD PIM for various Azure AD roles. The Privileged Role Administrator is specifically designed to manage PIM assignments and policies.

Key Roles for PIM Management:

  • Privileged Role Administrator: Can manage Azure AD role assignments in PIM, manage PIM policies, and assign other administrators to PIM.
  • Security Administrator: Has permissions to manage security-related aspects, including viewing and managing Azure AD role assignments in PIM.

By following these steps, you can add users both to be managed by PIM (eligible for roles) and users who can manage PIM itself.
