Azure Active Directory (Azure AD) Privileged Identity Management (PIM) can manage the built-in Azure resource roles, as well as custom roles, including (but not limited to):
- User Access Administrator
- Security Admin
- Security Manager, and more
Assign a role
Sign in to Azure portal with a user that is a member of the Privileged Role Administrator role.
Open Azure AD Privileged Identity Management.
If you haven’t started PIM in the Azure portal yet, go to Enabling Azure AD Privileged Identity Management (PIM).
Click Azure resources.
Use the Resource filter to filter the list of managed resources.
Click the resource you want to manage, such as a subscription or management group.
Under Manage, click Roles to see the list of roles for Azure resources.
Click Add member to open the New assignment pane.
Click Select a role to open the Select a role pane, Click a role you want to assign and then click Select.
The Select a member or group pane opens.
Click a member or group you want to assign to the role and then click Select.
The Membership settings pane opens.
In the Assignment type list, select Active and click ok
PIM for Azure resources provides two distinct assignment types:
- Active assignments don’t require the member to perform any action to use the role. Members assigned as active have the privileges assigned to the role at all times.
- Eligible assignments require the member of the role to perform an action to use the role. Actions might include performing a multi-factor authentication (MFA) check, providing a business justification, or requesting approval from designated approvers.
Verify that the User is listed as the member of the Active roles.