Use Azure PIM for Group Membership

WME Blogpost Use Azure PIM for Group Membership

A new feature within Azure AD Privileged Identity Management (PIM) allows you to use PIM to control group membership. Like standard PIM- where administrators are given “eligible” assignments to roles rather than active assignments, Azure PIM for groups makes users eligible for group membership, rather than always a member of the group. Users would use PIM to activate their membership in the group.

NOTE: As of this writing, this feature is still in Preview.

Preview features are fully supported by Microsoft but may still have a few bugs or lack a few features that will be taken care of by GA release.

Azure PIM: Use Case #1

A good use case for this new Azure feature is to create bundles of RBAC roles to allow your admins to activate membership of a single group and activate several AAD RBAC roles.

Example #1:

An example of this may be any role plus the Service Support Administrator. This would make it so that your admins do not have to activate multiple roles every day.

Example #2:

Another example may be a bundle of all the Microsoft 365 platform roles like

  • Exchange Administrator,
  • Office Apps Administrator,
  • SharePoint Administrator,
  • Teams Administrator

into one activation.

Azure PIM Use Case #2

Another use case for this is sub-RBAC roles within services that are still assigned directly to users and do not have PIM roles.


An example of this is the sub-roles in Exchange or Microsoft Purview. Some of these are high impact and should only be active when needed, such as the ability to search and purge email in Exchange.

Azure PIM for Groups: Use Case #3

Finally, PIM for groups can be used to control owners and members. So, another use case for this is have a user always as a member of a group, but if they need to do perform an owner task, they must active the owner role. This allows for a separation of roles.

1.  Global Admins Role

Do not use this feature for the assignment of Global Administrator in Azure AD. The Global Administrator role should only be directly assigned to administrators (NEVER use a group) and should always use standard Azure AD PIM.

2.  Create PIM-Enabled Group

PIM can be enabled on any cloud-based Azure AD security group. It cannot be enabled directly on a synced group, but there is a workaround we’ll talk about later. From the group’s page in AAD, select Privileged Identity Management from the left-pane.

PIM Group 1
  • Click the button Enable Azure AD PIM for this group.
  • From here, this should look like a standard PIM assignment screen. You can add Active or Eligible assignments by clicking Add Assignments. Users or other groups can be added as eligible or active.

Note: Each group has its own set of PIM Settings. Set these on each group by clicking Settings. There are also different settings for Owner and Member.

Azure PIM - Role Setting Details - Member

3. Synced Group

Normally, synced groups cannot be used in PIM assignments because synced groups cannot have security roles assigned to them in AAD.

This new feature provides a workaround for this by allowing a synced group to be added as an eligible assignment.

In the previous screenshot, PIM Group 1 is a cloud group. When I click Add Assignments to create a new PIM assignment and click Select Members to add an object to the group, all groups are available.

In my tenant, the group Lic_M365_A5 is a group I sync from on-prem that I use for licensing.

Azure PIM - Lic_M365_A5

When I go to add an eligible assignment to PIM Group 1, this group is an option to add.

Synced Groups in RBAC Assignments

This allows you to now use synced groups in RBAC assignments.



Contact Us

On Key

More Posts

Mastering Azure AD Connect - A Comprehensive Guide by WME
Active Directory

Mastering Azure AD Connect – A Comprehensive Guide

Modern businesses are fast moving toward cloud-based infrastructure. In fact, cloud-based business is not just a trend anymore but a strategic necessity. Microsoft’s Azure Active Directory (Azure AD) has become a frontrunner in this domain. It

Read More »
Security Best Practices in SharePoint
Office 365

Security Best Practices in SharePoint

Microsoft SharePoint is an online collaboration platform that integrates with Microsoft Office. You can use it to store, organize, share, and access information online. SharePoint enables collaboration and content management and ultimately allows your teams to

Read More »
The Ultimate Guide to Microsoft Intune - Article by WME
Active Directory

The Ultimate Guide to Microsoft Intune

The corporate world is evolving fast. And with that, mobile devices are spreading everywhere. As we venture into the year 2024, they have already claimed a substantial 55% share of the total corporate device ecosystem. You

Read More »
Protecting Microsoft 365 from on-Premises Attacks
Cloud Security

How to Protect Microsoft 365 from On-Premises Attacks?

Microsoft 365 is diverse enough to enrich the capabilities of many types of private businesses. It complements users, applications, networks, devices, and whatnot. However, Microsoft 365 cybersecurity is often compromised and there are countless ways that

Read More »
Be assured of everything

Get WME Services

Stay ahead of the competition with our Professional IT offerings.