To utilize Azure Privileged Identity Management (PIM) with a group, you don't create a special "PIM group" directly. Instead, you first create a standard Azure Active Directory (Azure AD) security group (or a Microsoft 365 group with assigned roles enabled) and then enable PIM management for that existing group. This allows you to manage group membership using PIM's just-in-time access features.
Here's a breakdown of the process:
Step 1: Create a Standard Security Group
Before you can enable PIM for a group, the group must exist in Azure AD.
- Navigate to the Azure Portal: Go to https://portal.azure.com/.
- Go to Azure Active Directory: Select "Azure Active Directory" from the main menu or search for it.
- Manage Groups: Under "Manage," select "Groups."
- Create New Group: Click on "+ New group."
- Configure the Group:
- Group type: Choose "Security."
- Group name: Provide a meaningful name (e.g., SG-AzureAdDirectoryReaders-PIM).
- Group description: Add a description explaining its purpose.
- Azure AD roles can be assigned to the group: Set this to "Yes" if you plan to assign Azure AD roles to members of this group via PIM. This is often the primary reason for using PIM with groups.
- Membership type: Choose the desired type (e.g., "Assigned").
- Create: Click the "Create" button.
Once the group is created, you can proceed to enable PIM for it.
Step 2: Enable PIM for the Existing Group
After creating your security group, you enable PIM functionality specifically for managing its membership. This is where the reference information comes in.
As the reference states:
Navigate to Azure AD Privileged Identity Management and select Groups. Select Discover groups to proceed. In the new page, search for the desired security group and select it from the list. Then, select Manage Groups.
Let's detail these steps:
- Access Azure AD Privileged Identity Management (PIM):
  - In the Azure portal, search for and select "Azure AD Privileged Identity Management."
  - Select "Groups" under the "Manage" section on the left-hand menu.
- Discover Groups:
  - In the PIM for Azure AD Groups overview, select "Discover groups". This pane shows groups eligible to be brought under PIM management.
- Search and Select Your Group:
  - Use the search bar on the "Discovery" page to find the security group you created in Step 1.
  - Select the group from the search results list.
- Select "Manage Groups":
  - After selecting the group, a pane opens providing details.
  - Click the "Manage group" button (or similar wording depending on the UI version) within this pane. This action brings the group under PIM management.
Configuring PIM Settings for the Group
Once the group is under PIM management, you can configure settings like:
- Eligibility: Define who can be eligible to be a member of this group.
- Assignment Settings: Configure requirements for activating membership (e.g., multi-factor authentication, justification, approval workflow, duration).
- Assignments: Assign users as eligible or active members.
These configurations govern how users gain just-in-time membership in the group, which in turn grants them permissions assigned to that group.
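The same outcome can be scripted with Microsoft Graph PowerShell. The block below is an added example, not part of the original answer: it creates the role-assignable security group from Step 1, brings it under PIM by creating its first eligible membership (Step 2), and then reads back the eligibility schedules and the activation policy so you can confirm MFA and justification are enforced. It assumes the Microsoft.Graph module is installed, that the signed-in account holds the Graph scopes listed, and that (as is the case for the Graph v1.0 `privilegedAccess/group` endpoints) the first schedule request onboards the group, which replaces the portal's "Discover groups" / "Manage group" click-through. The principal object ID is a placeholder you must replace.

```powershell
# Added example (not from the original answer). Requires the Microsoft.Graph module.
Connect-MgGraph -Scopes 'Group.ReadWrite.All',
                        'RoleManagement.ReadWrite.Directory',
                        'PrivilegedAccess.ReadWrite.AzureADGroup'

# Step 1: standard security group with "Azure AD roles can be assigned" = Yes.
# IsAssignableToRole cannot be changed after creation, so decide it up front.
$groupName = 'SG-AzureAdDirectoryReaders-PIM'
$group = New-MgGroup -DisplayName $groupName `
    -Description 'Members receive Directory Readers through PIM just-in-time activation' `
    -MailEnabled:$false `
    -MailNickname ($groupName -replace '[^A-Za-z0-9]', '') `
    -SecurityEnabled `
    -IsAssignableToRole

# Step 2: make a principal *eligible* (not active) for membership. Assumption: this
# first eligibility request is what onboards the group to PIM on the v1.0 endpoint.
$principalId = '<OBJECT-ID-OF-USER-OR-GROUP-TO-MAKE-ELIGIBLE>'   # placeholder, replace
$graph = 'https://graph.microsoft.com/v1.0'
$request = @{
    accessId      = 'member'
    principalId   = $principalId
    groupId       = $group.Id
    action        = 'adminAssign'
    justification = 'Onboard group to PIM; eligible membership only, activation is JIT'
    scheduleInfo  = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString('o')
        expiration    = @{ type = 'afterDuration'; duration = 'P365D' }  # eligibility, not activation, lifetime
    }
}
Invoke-MgGraphRequest -Method POST `
    -Uri "$graph/identityGovernance/privilegedAccess/group/eligibilityScheduleRequests" `
    -ContentType 'application/json' `
    -Body ($request | ConvertTo-Json -Depth 5) | Out-Null

# Check 1: who is eligible for this group now? Anything with accessId 'owner' or an
# unexpected principal here is worth investigating.
$filter = [uri]::EscapeDataString("groupId eq '$($group.Id)'")
$eligible = Invoke-MgGraphRequest -Method GET `
    -Uri "$graph/identityGovernance/privilegedAccess/group/eligibilitySchedules?`$filter=$filter"
$eligible.value | ForEach-Object {
    [pscustomobject]@{ PrincipalId = $_.principalId; Access = $_.accessId; Status = $_.status }
} | Format-Table -AutoSize

# Check 2: inspect the activation rule of the policy PIM attached to the group so you
# can verify that activating membership requires MFA and a justification.
$policyFilter = [uri]::EscapeDataString(
    "scopeId eq '$($group.Id)' and scopeType eq 'Group' and roleDefinitionId eq 'member'")
$assignment = Invoke-MgGraphRequest -Method GET `
    -Uri "$graph/policies/roleManagementPolicyAssignments?`$filter=$policyFilter"
$policyId = $assignment.value[0].policyId
$rule = Invoke-MgGraphRequest -Method GET `
    -Uri "$graph/policies/roleManagementPolicies/$policyId/rules/Enablement_EndUser_Assignment"
# enabledRules typically contains values such as MultiFactorAuthentication and Justification
$missing = @('MultiFactorAuthentication', 'Justification') | Where-Object { $_ -notin $rule.enabledRules }
if ($missing) {
    Write-Warning "Activation policy for $groupName does not require: $($missing -join ', ')"
} else {
    Write-Host "Activation for $groupName requires MFA and justification."
}
```

Two points the portal steps do not make obvious: creating a role-assignable group, and changing its membership outside PIM, requires the Global Administrator or Privileged Role Administrator role, so the group itself is a privileged object and should be owned and audited accordingly; and the `duration` in the eligibility request only bounds how long the principal stays eligible, while the maximum activation duration, MFA and approval requirements live in the policy read back in the last check.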
Summary Table
| Action | Location/Service | Details |
|---|---|---|
| Create Group | Azure Active Directory > Groups | Create a Security group (with "Azure AD roles can be assigned" enabled if needed). |
| Enable PIM for Group | Azure AD Privileged Identity Management > Groups > Discover groups | Search for and select the group, then choose Manage group. |
By following these steps, you effectively set up a security group to have its membership managed through Azure AD PIM, enabling just-in-time access capabilities.