Azure Privileged Identity Management

Azure Privileged Identity Management (PIM) provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on the resources you care about. One of the following licenses is required:

  • Azure AD Premium P2
  • Enterprise Mobility + Security (EMS) E5
  • Microsoft 365 Education A5
  • Microsoft 365 Enterprise E5

Activate Azure Privileged Identity Management

Privileged Identity Management is activated automatically when a user who is active in a privileged role in an Azure AD organization with a Premium P2 license goes to Roles and administrators in Azure AD and selects a role (or even just visits Privileged Identity Management).

Discovery and insights (preview)

This feature shows you who is assigned to privileged roles in your organization and how to use PIM to quickly change permanent role assignments into just-in-time assignments.

List who has privileged roles in your organization and remove those who no longer need them by clicking Reduce Global Administrators & Eliminate Standing Access.


Refer to Discovery and Insights (preview) for Azure AD roles (formerly Security Wizard) for more detail

Access Review

To reduce the risk associated with stale role assignments, you should regularly review access. You can use Azure AD Privileged Identity Management (PIM) to create access reviews for privileged Azure AD roles

Click New to create a new Access Review

To review who holds the Global Administrator role, create an Access Review that runs every month.

Select the Reviewers

An email is delivered to the Reviewers. Click Start Review to log in to Azure PIM.

Review the Recommended Action to decide whether to approve or deny each user's continued membership in the role.

Refer to Create an access review of Azure AD roles in Privileged Identity Management for more detail

Alert

Privileged Identity Management (PIM) generates alerts when there is suspicious or unsafe activity in your Azure Active Directory (Azure AD) organization. When an alert is triggered, it shows up on the Privileged Identity Management dashboard. Select the alert to see a report that lists the users or roles that triggered the alert and resolve it

Fix the alert by following the recommended action provided.

Refer to Configure security alerts for Azure AD roles in Privileged Identity Management for more detail

Assign Azure AD roles

Install AzureAD Preview Module

Note that you cannot install both the preview version and the GA version on the same computer at the same time.

Install-Module AzureADPreview

Connect to AzureAD

#Connect to AzureAD
Import-Module AzureADPreview

#The password is embedded as plain text here only for illustration; run Connect-AzureAD
#without -Credential to be prompted interactively (required anyway when MFA is enforced)
$Password =  "xxxxxxxxxxxxxxxxxxxxx" | ConvertTo-SecureString -AsPlainText -Force
$UserName = "[email protected]"
$Credential = New-Object System.Management.Automation.PSCredential($UserName,$Password)

Connect-AzureAD -Credential $Credential

List all Azure AD role definition names with their IDs

#The tenant object ID is the ResourceId for the aadRoles provider
$TenantID = (Get-AzureADTenantDetail).ObjectId
Get-AzureADMSPrivilegedRoleDefinition -ProviderId aadRoles -ResourceId $TenantID | Select-Object DisplayName, Id | Sort-Object DisplayName

User Account Administrator                    fe930be7-5e62-47db-91af-98c3a49a38b1

Assign the User Account Administrator role to a user called [email protected]

  • -Type 'adminAdd' - Eligible assignments require the member of the role to perform an action to use the role. Actions might include performing a multi-factor authentication (MFA) check, providing a business justification, or requesting approval from designated approvers.

  • -Type 'UserAdd' - Active assignments don't require the member to perform any action to use the role. Members assigned as active have the privileges assigned to the role at all times.

#Define Schedule
$TenantID = (Get-AzureADTenantDetail).ObjectId
$Start = (Get-Date).ToUniversalTime()
$schedule = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedSchedule
$schedule.Type = "Once"
$schedule.StartDateTime = $Start.ToString("yyyy-MM-ddTHH:mm:ss.fffZ")
#Valid for 2 Days. StartDateTime is a string, so add the days to the DateTime
#and format the result rather than calling AddDays on the string.
#If EndDateTime is left null, the assignment is permanent.
$schedule.EndDateTime = $Start.AddDays(2).ToString("yyyy-MM-ddTHH:mm:ss.fffZ")

#Define Username
$UserName = "[email protected]"
$User_ObjectID = (Get-AzureADUser -ObjectId $UserName).ObjectId
#Define Role ID
$RoleName = "User Account Administrator"
$RoleID = Get-AzureADMSPrivilegedRoleDefinition -ProviderId aadRoles -ResourceId $TenantID | Where-Object DisplayName -eq $RoleName

#Assign Role to User (Eligible: the user must activate it before use)
Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId 'aadRoles' -ResourceId $TenantID -RoleDefinitionId $RoleID.Id `
-SubjectId $User_ObjectID -Type 'adminAdd' -AssignmentState 'Eligible' -Schedule $schedule -Reason "Assign Role with PowerShell"

List Role Assignment for particular Role or User

#List Role Assignment for Particular Role Name
$RoleName = "User Account Administrator"
$RoleID = Get-AzureADMSPrivilegedRoleDefinition -ProviderId aadRoles -ResourceId $TenantID | ? DisplayName -eq $RoleName
Get-AzureADMSPrivilegedRoleAssignment -ProviderId "aadRoles" -ResourceId $TenantID | ? RoleDefinitionId -eq $RoleID.ID

#List Role Assignment for Particular User 
$UserName = "[email protected]"
$User_ObjectID = (Get-AzureADUser -ObjectId $UserName).objectId
$SubjectID = "subjectId eq '$User_ObjectID'"
Get-AzureADMSPrivilegedRoleAssignment -ProviderId "aadRoles" -ResourceId $TenantID -Filter $SubjectID
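The Discovery and insights section above recommends turning permanent assignments into just-in-time ones, and the listing cmdlets just shown are enough to find the permanent ones yourself. The following is an added example, not code from the original post: it reports every Active assignment with no end date (standing access) in a set of high-privilege roles. It assumes an existing Connect-AzureAD session with AzureADPreview imported; the role list in $WatchRoles is a constructed choice you should edit to match your tenant.

```powershell
# Added example: report standing (permanent, Active) assignments in privileged roles.
# Assumes Connect-AzureAD has already been run with AzureADPreview imported.
function Get-StandingPrivilegedAssignment {
    param(
        # Constructed list of roles to watch; adjust for your own tenant
        [string[]] $WatchRoles = @('Global Administrator', 'Privileged Role Administrator', 'User Account Administrator')
    )
    $TenantID = (Get-AzureADTenantDetail).ObjectId

    # Lookup table RoleDefinitionId -> DisplayName so the report is readable
    $roleNames = @{}
    Get-AzureADMSPrivilegedRoleDefinition -ProviderId aadRoles -ResourceId $TenantID |
        ForEach-Object { $roleNames[$_.Id] = $_.DisplayName }

    # Permanent assignments have a null EndDateTime; Eligible ones are excluded
    # because they still require activation (MFA, justification, approval)
    $standing = Get-AzureADMSPrivilegedRoleAssignment -ProviderId aadRoles -ResourceId $TenantID |
        Where-Object {
            $_.AssignmentState -eq 'Active' -and
            $null -eq $_.EndDateTime -and
            $WatchRoles -contains $roleNames[$_.RoleDefinitionId]
        }

    foreach ($a in $standing) {
        # SubjectId may be a user, group or service principal; resolve any of them
        $subject = Get-AzureADObjectByObjectId -ObjectIds $a.SubjectId
        [PSCustomObject]@{
            Role        = $roleNames[$a.RoleDefinitionId]
            Subject     = $subject.DisplayName
            SubjectType = $subject.ObjectType
            MemberType  = $a.MemberType      # Direct, Group or Inherited
            Since       = $a.StartDateTime
        }
    }
}

Get-StandingPrivilegedAssignment | Sort-Object Role, Subject | Format-Table -AutoSize
```

Each row in the output is a candidate for conversion to an Eligible assignment with an end date, using the Open-AzureADMSPrivilegedRoleAssignmentRequest call shown earlier. Group-based rows (MemberType Group) need the group membership reviewed rather than the assignment removed.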

The user will need to activate the assigned role when they receive the following email.

Click Activate and provide credentials to log in when prompted.

The user should now be able to manage users in the M365 Admin Center.
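The activation the user performs from the email can also be requested from PowerShell with the same cmdlet used for the assignment, this time as the user and with -Type 'UserAdd' -AssignmentState 'Active'. This is an added example, not from the original post. It assumes Connect-AzureAD was run as the eligible user, that the function name Request-PimActivation and its parameters are ours, and that the request object returned by Open-AzureADMSPrivilegedRoleAssignmentRequest exposes a Status property for inspection.

```powershell
# Added example: self-service activation of an Eligible role, bounded to a few hours.
# Assumes Connect-AzureAD was run as the eligible user with AzureADPreview imported.
function Request-PimActivation {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [Parameter(Mandatory)] [string] $RoleName,
        # Keep the window as short as the task needs; many tenants cap this in the role settings
        [int]    $Hours  = 4,
        [string] $Reason = 'Ticket number / business justification'
    )
    $TenantID = (Get-AzureADTenantDetail).ObjectId
    $role = Get-AzureADMSPrivilegedRoleDefinition -ProviderId aadRoles -ResourceId $TenantID |
        Where-Object DisplayName -eq $RoleName
    if (-not $role) { throw "Role '$RoleName' not found in tenant $TenantID" }
    $userId = (Get-AzureADUser -ObjectId $UserPrincipalName).ObjectId

    # Fail early unless an Eligible assignment exists for this user and role;
    # the subjectId filter is the same server-side filter the post uses above.
    $eligible = Get-AzureADMSPrivilegedRoleAssignment -ProviderId aadRoles -ResourceId $TenantID `
        -Filter "subjectId eq '$userId'" |
        Where-Object { $_.RoleDefinitionId -eq $role.Id -and $_.AssignmentState -eq 'Eligible' }
    if (-not $eligible) { throw "$UserPrincipalName has no eligible assignment for '$RoleName'" }

    # Time-bound schedule: an explicit EndDateTime, never null (null would mean permanent)
    $start = (Get-Date).ToUniversalTime()
    $schedule = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedSchedule
    $schedule.Type          = 'Once'
    $schedule.StartDateTime = $start.ToString('yyyy-MM-ddTHH:mm:ss.fffZ')
    $schedule.EndDateTime   = $start.AddHours($Hours).ToString('yyyy-MM-ddTHH:mm:ss.fffZ')

    # 'UserAdd' + 'Active' is the user-initiated activation of an Eligible assignment.
    # If the role settings require approval, the request stays pending until an approver acts.
    $request = Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId aadRoles -ResourceId $TenantID `
        -RoleDefinitionId $role.Id -SubjectId $userId -Type 'UserAdd' -AssignmentState 'Active' `
        -Schedule $schedule -Reason $Reason

    # Return the request so the caller can inspect Status (completed vs. pending approval)
    $request | Select-Object Id, Status, AssignmentState, @{ n = 'Role'; e = { $RoleName } }
}

# Placeholder UPN; replace with the signed-in user's own account
Request-PimActivation -UserPrincipalName 'user@example.com' -RoleName 'User Account Administrator' -Hours 2
```

The Reason string is recorded in the PIM audit history alongside the request, which is what makes the justification useful to the reviewers in the Access Review section above.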
