Random Musings

Sporadic thoughts on tech, economics, business, finance and trading

Assign a Privileged Identity Management (PIM) role to a user in Azure


To assign a Privileged Identity Management (PIM) role to a user in Azure, follow these steps:


1. Prerequisites

  • Ensure you have the Privileged Role Administrator or Global Administrator role assigned to your account to manage PIM roles.
  • The user you are assigning the role to must exist in Azure AD.

2. Access PIM

  1. Sign in to the Azure portal (https://portal.azure.com).
  2. Navigate to Azure Active Directory > Privileged Identity Management.

3. Select the Role Type

  • Choose the scope of the role you want to assign:
    • Azure AD Roles: For roles like Global Administrator, User Administrator, or Security Administrator.
    • Azure Resource Roles: For roles like Owner, Contributor, or Reader tied to specific subscriptions or resources.

4. Assign a Role

For Azure AD Roles:

  1. In PIM, click on Azure AD Roles.
  2. Select Roles from the left-hand menu.
  3. Search for and select the role you want to assign (e.g., Global Administrator, User Administrator).
  4. Click Add assignments.

For Azure Resource Roles:

  1. In PIM, click on Azure Resources.
  2. Select the subscription or resource where the role assignment is needed.
  3. Click Manage resource roles.
  4. Search for the role you want to assign (e.g., Contributor, Reader) and select it.

5. Configure Role Assignment

  1. Select the User:
    • Under Select member(s), search for and select the user to whom you want to assign the role.
  2. Choose Assignment Type:
    • Eligible: The user can activate the role when needed. Ideal for just-in-time (JIT) access.
    • Active: The user has immediate access to the role without activation. Use this sparingly for security reasons.
  3. Set Assignment Period:
    • Define the start and end dates for the assignment if it’s temporary. Leave it open-ended for indefinite access.
  4. Click Assign.

6. Confirm the Assignment

  1. Go to the Assignments section under PIM for the respective scope (Azure AD Roles or Azure Resources).
  2. Verify the role is assigned to the user, and its status is as intended (Eligible or Active).

7. (Optional) Notify the User

  • If the assignment is Eligible, let the user know they will need to activate the role through PIM whenever they need access.
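The same steps 4 to 6 (pick the role, assign it as Eligible with a time limit, confirm it) can be scripted with the Microsoft Graph PowerShell SDK instead of the portal; this is an added example, not code from the original post. The user principal name is a placeholder, the 30-day period and the User Administrator role are assumed for illustration, and the signed-in account is assumed to hold Privileged Role Administrator.

```powershell
# Added example (not from the original post): eligible, time-bound Azure AD role
# assignment through Microsoft Graph PowerShell (Microsoft.Graph.Identity.Governance).
# Assumptions: the signed-in admin holds Privileged Role Administrator and the
# UPN below is a placeholder for the real user.
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Identity.Governance

# Delegated permissions needed to look up the user and create eligibility requests.
Connect-MgGraph -Scopes "RoleEligibilitySchedule.ReadWrite.Directory", "User.Read.All"

$userUpn  = "user@contoso.com"     # placeholder, replace with the target user
$roleName = "User Administrator"   # one of the Azure AD roles named in the steps above

$user = Get-MgUser -UserId $userUpn
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"

# Step 5: Eligible (JIT) rather than Active, with an explicit 30-day expiry so the
# assignment does not linger indefinitely.
$request = @{
    action           = "adminAssign"
    justification    = "Eligible assignment for just-in-time access"  # lands in the audit log
    roleDefinitionId = $role.Id
    directoryScopeId = "/"                                            # tenant-wide scope
    principalId      = $user.Id
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{
            type     = "AfterDuration"
            duration = "P30D"                                         # ISO 8601: 30 days
        }
    }
}
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $request

# Step 6: confirm the eligibility now exists for this user and role (status should
# read Provisioned once PIM has processed the request).
Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter "principalId eq '$($user.Id)'" |
    Where-Object { $_.RoleDefinitionId -eq $role.Id } |
    Select-Object PrincipalId, RoleDefinitionId, DirectoryScopeId, Status
```

Requesting `adminAssign` with an eligibility schedule is the scripted equivalent of choosing Eligible in the portal; an Active assignment would go through the separate role assignment schedule request cmdlet instead.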

Tips:

  • Use eligible assignments wherever possible to adhere to the principle of least privilege.
  • If required, configure approval workflows and MFA for role activation to enhance security.