Use Azure PIM for Group Membership

WME Blogpost Use Azure PIM for Group Membership

A new feature within Azure AD Privileged Identity Management (PIM) allows you to use PIM to control group membership. Like standard PIM- where administrators are given “eligible” assignments to roles rather than active assignments, Azure PIM for groups makes users eligible for group membership, rather than always a member of the group. Users would use PIM to activate their membership in the group.

NOTE: As of this writing, this feature is still in Preview.

Preview features are fully supported by Microsoft but may still have a few bugs or lack a few features that will be taken care of by GA release.

Azure PIM: Use Case #1

A good use case for this new Azure feature is to create bundles of RBAC roles to allow your admins to activate membership of a single group and activate several AAD RBAC roles.

Example #1:

An example of this may be any role plus the Service Support Administrator. This would make it so that your admins do not have to activate multiple roles every day.

Example #2:

Another example may be a bundle of all the Microsoft 365 platform roles like

  • Exchange Administrator,
  • Office Apps Administrator,
  • SharePoint Administrator,
  • Teams Administrator

into one activation.

Azure PIM Use Case #2

Another use case for this is sub-RBAC roles within services that are still assigned directly to users and do not have PIM roles.


An example of this is the sub-roles in Exchange or Microsoft Purview. Some of these are high impact and should only be active when needed, such as the ability to search and purge email in Exchange.

Azure PIM for Groups: Use Case #3

Finally, PIM for groups can be used to control owners and members. So, another use case for this is have a user always as a member of a group, but if they need to do perform an owner task, they must active the owner role. This allows for a separation of roles.

1.  Global Admins Role

Do not use this feature for the assignment of Global Administrator in Azure AD. The Global Administrator role should only be directly assigned to administrators (NEVER use a group) and should always use standard Azure AD PIM.

2.  Create PIM-Enabled Group

PIM can be enabled on any cloud-based Azure AD security group. It cannot be enabled directly on a synced group, but there is a workaround we’ll talk about later. From the group’s page in AAD, select Privileged Identity Management from the left-pane.

PIM Group 1
  • Click the button Enable Azure AD PIM for this group.
  • From here, this should look like a standard PIM assignment screen. You can add Active or Eligible assignments by clicking Add Assignments. Users or other groups can be added as eligible or active.

Note: Each group has its own set of PIM Settings. Set these on each group by clicking Settings. There are also different settings for Owner and Member.

Azure PIM - Role Setting Details - Member

3. Synced Group

Normally, synced groups cannot be used in PIM assignments because synced groups cannot have security roles assigned to them in AAD.

This new feature provides a workaround for this by allowing a synced group to be added as an eligible assignment.

In the previous screenshot, PIM Group 1 is a cloud group. When I click Add Assignments to create a new PIM assignment and click Select Members to add an object to the group, all groups are available.

In my tenant, the group Lic_M365_A5 is a group I sync from on-prem that I use for licensing.

Azure PIM - Lic_M365_A5

When I go to add an eligible assignment to PIM Group 1, this group is an option to add.

Synced Groups in RBAC Assignments

This allows you to now use synced groups in RBAC assignments.



Contact Us

On Key

More Posts

WME Cybersecurity Briefings No. 014
Cyber Security

WME Security Briefing 14 June 2024

LightSpy Spyware’s macOS Variant Detected with Advanced Surveillance Capabilities Overview Findings reveal a previously undocumented macOS variant of the LightSpy spyware. It was initially thought to target only iOS users. This spyware utilizes a plugin-based system

Read More »
WME Cybersecurity Briefings No. 013
Cyber Security

WME Security Briefing 10 June 2024

CISA Urges Patching of Actively Exploited Linux Kernel Vulnerability Overview CISA just issued an urgent advisory concerning a newly discovered security flaw in the Linux kernel. The flaw is being actively exploited to affect the netfilter component of

Read More »
3 Things to Consider Before You Enable Copilot for Microsoft 365
Microsoft Copilot

3 Things to Consider Before You Enable Copilot for Microsoft 365

In today’s digital landscape, any productivity tool that streamlines workflow and boosts performance is a pleasant addition. With its AI-powered productivity-enhancing capabilities, Microsoft Copilot has emerged as a game-changer for employees, particularly for organizations using Microsoft

Read More »
WME Cybersecurity Briefings No. 012
Cyber Security

WME Security Briefing 03 June 2024

Moroccan Cybercrime Group Exploits Gift Card Systems for Major Financial Gains Overview: Storm-0539, also called Atlas Lion, is a Moroccan cybercrime group that executes advanced email and SMS phishing attacks. They are committing fraud by utilizing

Read More »
Be assured of everything

Get WME Services

Stay ahead of the competition with our Professional IT offerings.