Managing "Just in Time" Microsoft Admin Roles via Privileged Identity Management (PIM)

Staff who hold an eligible owner assignment on their area's PIM group can activate the owner role and then manage that group's eligible assignments. This guide details how to grant new employees the ability to activate privileged roles and how to extend existing eligible assignments before they expire.

Navigate to or bookmark https://aad.portal.azure.com/#view/Microsoft_Azure_PIMCommon/CommonMenuBlade/~/aadgroup to go directly to the PIM groups list and elevate to the owner role of a PIM group. Step-by-step instructions are below.

Roles can be activated for up to 8 hours at a time; once an activation expires you must activate again.

  1. Navigate to https://entra.microsoft.com and log in with your NetIDAdmin account

  2. Expand the Identity Governance section and click on Privileged Identity Management (PIM)

    1. Optionally, pin PIM as a favorite by clicking the star icon to the right of its entry.

      (Screenshot: left-hand navigation in Microsoft Entra ID highlighting the Privileged Identity Management option in the Identity Governance section)
  3. Click on Groups under the Manage section on the left-hand side

  4. Click on the PIM group you manage for your area and select My Roles in the Tasks section. Under Eligible assignments, click Activate next to your owner role

  5. Specify a duration, provide a short justification, and click Activate. Once activated, you can manage the group to add/remove other eligible assignments or extend existing assignments using the steps below.
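The same activation can be done from the command line with the Microsoft Graph PowerShell SDK, which is handy when scripting onboarding. The following is an added example, not part of the original page; it assumes the Microsoft.Graph.Identity.Governance and Microsoft.Graph.Users modules are installed, that you sign in with your NetIDAdmin account, and the group ID is a placeholder you replace with your area's PIM group.

```powershell
# Added example: activate the eligible owner role on a PIM group via Microsoft Graph.
# Assumes Microsoft.Graph.Identity.Governance and Microsoft.Graph.Users are installed.
Connect-MgGraph -Scopes 'PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup',
                        'PrivilegedEligibilitySchedule.Read.AzureADGroup',
                        'User.Read'

# Object ID of the signed-in (NetIDAdmin) account; this is the principal being activated
$me = (Get-MgUser -UserId (Get-MgContext).Account).Id

# List the PIM groups you hold an eligible assignment on, to find the right groupId
Get-MgIdentityGovernancePrivilegedAccessGroupEligibilitySchedule -Filter "principalId eq '$me'" |
    Select-Object GroupId, AccessId, @{ n = 'EligibleUntil'; e = { $_.ScheduleInfo.Expiration.EndDateTime } }

$groupId = '00000000-0000-0000-0000-000000000000'   # placeholder: your area's PIM group

$body = @{
    accessId      = 'owner'            # the group role being activated
    principalId   = $me
    groupId       = $groupId
    action        = 'selfActivate'
    justification = 'Onboarding a new hire; need to add an eligible member assignment'
    scheduleInfo  = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{
            type     = 'afterDuration'
            duration = 'PT8H'          # ISO 8601 duration; 8 hours is the maximum here
        }
    }
}
$request = New-MgIdentityGovernancePrivilegedAccessGroupAssignmentScheduleRequest -BodyParameter $body
$request | Select-Object Id, Status, Action, AccessId

# Confirm the active owner assignment exists before trying to manage the group
Get-MgIdentityGovernancePrivilegedAccessGroupAssignmentScheduleInstance -Filter "groupId eq '$groupId'" |
    Where-Object PrincipalId -eq $me |
    Select-Object AccessId, AssignmentType, EndDateTime
```

If the request's Status comes back as PendingApproval rather than Provisioned, the group's PIM settings require approval and the owner role will not be usable until an approver acts on it.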

Adding Additional Assignments

  1. To grant another user the ability to activate the admin roles associated with your PIM group, navigate to PIM Groups and click on the respective group

  2. Navigate to Assignments in the Manage section, click the Eligible assignments tab and click Add assignments

    1. The Manage section may be greyed out for several seconds while it loads

  3. Select Member as the role, choose the user(s) to grant this assignment, and click Next

  4. Ensure the assignment type is Eligible and specify a duration (max 1 year)

  5. The selected user(s) are now eligible members and can activate their admin roles by following Activating "Just in Time" Microsoft Admin Roles via Privileged Identity Management (PIM)

Extending Existing Eligible Assignments

  1. Navigate to PIM Groups and click on the respective group

  2. Click on Assignments within the Manage section, click the Eligible assignments tab, and click Update on the expiring assignment you’d like to extend

  3. Specify the new assignment end date and click Save
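Both of the procedures above (adding an eligible member assignment and extending an expiring one) map to a single Graph request type with a different action. The following is an added example, not part of the original page; it assumes you have already activated your owner role on the group, that the Microsoft.Graph.Identity.Governance and Microsoft.Graph.Users modules are installed, and that the group ID and the new hire's UPN are placeholders you replace.

```powershell
# Added example: grant a new eligible member assignment on a PIM group, review the
# group's eligible assignments, and extend one that is about to expire.
# Run after activating your owner role on the group. IDs and UPN are placeholders.
Connect-MgGraph -Scopes 'PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup', 'User.Read.All'

$groupId = '00000000-0000-0000-0000-000000000000'          # placeholder: your area's PIM group
$newHire = Get-MgUser -UserId 'jdoe-admin@example.edu'     # placeholder: account to grant

# 1. New assignment: role = member, type = eligible, duration = 1 year (the maximum)
$assign = @{
    accessId      = 'member'
    principalId   = $newHire.Id
    groupId       = $groupId
    action        = 'adminAssign'
    justification = 'New hire; eligible for the JIT admin roles tied to this group'
    scheduleInfo  = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{
            type        = 'afterDateTime'
            endDateTime = (Get-Date).ToUniversalTime().AddYears(1)
        }
    }
}
New-MgIdentityGovernancePrivilegedAccessGroupEligibilityScheduleRequest -BodyParameter $assign |
    Select-Object Id, Status, Action

# 2. Review the group's eligible assignments, soonest expiry first
Get-MgIdentityGovernancePrivilegedAccessGroupEligibilityScheduleInstance -Filter "groupId eq '$groupId'" |
    Sort-Object EndDateTime |
    Select-Object PrincipalId, AccessId, EndDateTime

# 3. Extend an expiring eligible assignment by another year from today
$extend = @{
    accessId      = 'member'
    principalId   = $newHire.Id
    groupId       = $groupId
    action        = 'adminExtend'
    justification = 'Still in role; extending eligible assignment'
    scheduleInfo  = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{
            type        = 'afterDateTime'
            endDateTime = (Get-Date).ToUniversalTime().AddYears(1)
        }
    }
}
New-MgIdentityGovernancePrivilegedAccessGroupEligibilityScheduleRequest -BodyParameter $extend |
    Select-Object Id, Status, Action
```

Requests whose end date exceeds the maximum configured in the group's PIM settings are rejected, so keep the duration at or below 1 year as in the portal steps. Re-running step 2 afterwards is the quickest way to confirm the new EndDateTime took effect.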

Related Pages