Why do you need PIM Role Admin role when signing into Entra? #698

Open
timkatsapas opened this issue Apr 23, 2024 · 4 comments

@timkatsapas

On step 1, when signing into Entra ID, it states you need to 'Sign in to the Microsoft Entra admin center as at least a Privileged role administrator.'

This doesn't make sense since you need to apply for the role; you won't have that permission already.



@TPavanBalaji

@timkatsapas
Thanks for your feedback! We will investigate and update as appropriate.

@ManoharLakkoju-MSFT
Contributor

Hi @timkatsapas
You are correct that in order to sign in to the Microsoft Entra admin center as a Privileged Role Administrator, you need to have the PIM Role Admin role assigned to you. This role is required to activate PIM and manage privileged access to resources in your organization.

If you do not have the PIM Role Admin role assigned to you, you will need to request it from your organization's administrator. Once you have been granted the PIM Role Admin role, you can sign in to the Microsoft Entra admin center and activate PIM.

I hope this helps! Let me know if you have any other questions.

@timkatsapas
Author

Good day,
OK, so just to be clear: in order to activate ANY role via PIM, you need to have Privileged Role Administrator assigned to you? That doesn't make any sense. If you want to 'manage' roles, then yes. But for any user activating any role, they don't need anything. Any user is able to open PIM and submit a request for whichever Role/Group/Azure Resource they need.
The fact you are saying a user must log in with at least a Privileged Role Admin doesn't seem correct as a first step to activating a PIM.
The whole purpose of PIM is to allow users to be assigned or eligible on roles etc. So why would all users have Privileged Role Admin out of the box?
If you are editing the Role Settings, then yes, I agree 100%.

@ManoharLakkoju-MSFT
Copy link
Contributor

@timkatsapas
I'm going to assign this to the document author so they can take a look at it accordingly.

@barclayn
Can you please check and add your comments on this doc update request as applicable?

@ManoharLakkoju-MSFT added the assigned-to-author label and removed the cxp label on Apr 28, 2024