Skip to content

Latest commit

 

History

History
83 lines (49 loc) · 4.87 KB

groups-activate-roles.md

File metadata and controls

83 lines (49 loc) · 4.87 KB
Raw
title description author manager ms.service ms.topic ms.subservice ms.date ms.author ms.reviewer ms.custom
Activate your group membership or ownership in Privileged Identity Management
Learn how to activate your group membership or ownership in Privileged Identity Management (PIM).
barclayn
amycolannino
entra-id-governance
how-to
privileged-identity-management
09/12/2023
barclayn
ilyal
pim

Activate your group membership or ownership in Privileged Identity Management

You can use Privileged Identity Management (PIM) In Microsoft Entra ID to have just-in-time membership in the group or just-in-time ownership of the group.

This article is for eligible members or owners who want to activate their group membership or ownership in PIM.

Important

When a group membership or ownership is activated, Microsoft Entra PIM temporarily adds an active assignment. Microsoft Entra PIM creates an active assignment (adds user as member or owner of the group) within seconds. When deactivation (manual or through activation time expiration) happens, Microsoft Entra PIM removes user’s group membership or ownership within seconds as well.

Application may provide access to users based on their group membership. In some situations, application access may not immediately reflect the fact that user was added to the group or removed from it. If application previously cached the fact that user is not member of the group – when user tries to access application again, access may not be provided. Similarly, if application previously cached the fact that user is member of the group – when group membership is deactivated, user may still get access. Specific situation depends on the application’s architecture. For some applications, signing out and signing back in may help to get access added or removed.

Activate a role

When you need to take on a group membership or ownership, you can request activation by using the My roles navigation option in PIM.

  1. Sign in to the Microsoft Entra admin center as at least a Privileged role administrator.

  2. Browse to Identity governance > Privileged Identity Management > My roles > Groups.

    [!NOTE] You may also use this short link to open the My roles page directly.

  3. Using Eligible assignments blade, review the list of groups that you have eligible membership or ownership for.

    :::image type="content" source="media/pim-for-groups/pim-group-6.png" alt-text="Screenshot of the list of groups that you have eligible membership or ownership for." lightbox="media/pim-for-groups/pim-group-6.png":::

  4. Select Activate for the eligible assignment you want to activate.

  5. Depending on the group’s setting, you may be asked to provide multi-factor authentication or another form of credential.

  6. If necessary, specify a custom activation start time. The membership or ownership is to be activated only after the selected time.

  7. Depending on the group’s setting, justification for activation may be required. If needed, provide the justification in the Reason box.

    :::image type="content" source="media/pim-for-groups/pim-group-7.png" alt-text="Screenshot of where to provide a justification in the Reason box." lightbox="media/pim-for-groups/pim-group-7.png":::

  8. Select Activate.

If the role requires approval to activate, an Azure notification appears in the upper right corner of your browser informing you the request is pending approval.

View the status of your requests

You can view the status of your pending requests to activate. It is important when your requests undergo approval of another person.

  1. Sign in to the Microsoft Entra admin center.

  2. Browse to Identity governance > Privileged Identity Management > My requests Groups.

  3. Review list of requests.

    :::image type="content" source="media/pim-for-groups/pim-group-8.png" alt-text="Screenshot of where to review the list of requests." lightbox="media/pim-for-groups/pim-group-8.png":::

Cancel a pending request

  1. Sign in to the Microsoft Entra admin center.

  2. Browse to Identity governance > Privileged Identity Management > My requests Groups.

    :::image type="content" source="media/pim-for-groups/pim-group-8.png" alt-text="Screenshot of where to select the request you want to cancel." lightbox="media/pim-for-groups/pim-group-8.png":::

  3. For the request that you want to cancel, select Cancel.

When you select Cancel, the request is canceled. To activate the role again, you have to submit a new request for activation.

Next steps