It would be beneficial to have a Restricted Role Administrator (RRA) directory role in Azure AD. It would be similar to the Privileged Role Administrator, but you could select the privileges you want the RRA to have. For example, an admin with more privileges (e.g. Global Admin or Privileged Role Admin) could decide whether they want the RRA to have access to PIM, and the admin could restrict the roles that the RRA could assign to other users, so if they don't want the RRA to be able to assign other users to the Global Admin role or specific Limited Admin roles, they will not be permitted to.
4 votes
Currently we have the need to allow someone to add a user to an admin role which is then automatically deleted after a specific time period or date/time. The role should be completely removed at that point in time, so the user should also not be eligible anymore to activate the role.
4 votes
Our customers REALLY love the new approval workflow for Azure PIM, but they would really prefer an option to define policies for which admins need approval and for those who just need to elevate their own permissions using Azure MFA.
4 votes
Privileged Identity Management activation duration should have both a Maximum and a Default activation duration.
Privileged Identity Management activation duration should have another configuration setting alongside Maximum activation duration:
- Maximum activation duration set to 8 hours
- Default activation duration set to 4 hours
This way administrators can extend the time if required, which replaces the need to automatically get the maximum activation time.
3 votes
I'd like to change the email notifications of PIM.
We would like to select the users who can receive email.
3 votes
Today, if I am using the "Resource" filter to explore Azure resources, I am unable to see the real resource type of the displayed resources, e.g. Microsoft.Web/sites.
It causes a problem when more than one resource has the same name. It is then impossible to distinguish which one is which; even clicking on the resource does not provide this information on the next screen either.
3 votes
It would be handy to add the additional fields in the email if they are selected in the setup of the PIM controls.
Is there an option/ability to add the ticket information fields in the email alongside the justification?
Currently it only shows the justification.
3 votes
If you make an eligible role assignment for Global Administrator via PIM, it enforces MFA for role activation.
This is the case for several highly privileged roles and cannot be changed. https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-change-default-settings#multi-factor-authentication
However, if you assign the role permanently, shouldn't this always enforce MFA for the user?
I understand this change could have a big UX impact, and with the new baseline admin conditional access we already have a good way of protection in preview. But if that's the way Microsoft wants to go, shouldn't the baseline CA policy and the highly privileged PIM roles match?
3 votes
There should be a means to force password reset on PIM enabled accounts. We do this with CyberArk today and our InfoSec department is balking on PIM due to the lack of automated password reset capability.
3 votes
All our non-personal accounts are AAD users (best practice).
However, there is no way for the AD PIM vulnerability assessment to exclude them. In short, the "exclude" list does not do this.
It's been suggested to "register" these, but that would mean manual registration of potentially hundreds of user IDs with fake temporary emails and someone's phone number. Not a pleasant thought.
3 votes
Please add eDiscovery roles to PIM/PAM; they seem to be MIA.
2 votes
My daily job requires me to activate multiple roles through PIM. I need to be able to do this in one go instead of activate, reason, duration, wait, repeat for all the roles I need that day. Let me just select them all and go through the screen only once.
2 votes
Would be great to have the possibility to have different policies for the same role.
PIM Policy - Global Admin Require Approval: No
User1 will have to request access to 'Global Admin' through PIM and will be automatically granted the role.
PIM Policy - Global Admin Require Approval: Yes
User2 will have to request access to 'Global Admin' through PIM and the request needs to be 'Approved' by any 'Global Admin'.
2 votes
I heard from customers that they would like the ability to switch on a toggle in Azure AD PIM that would allow normal users to request eligibility for an Azure AD role.
1. Toggle On -> Allow members to request Azure AD role
2. User/member requests role eligibility for an Azure AD role
3. Azure AD PIM admin approves the request for becoming a member of the Azure AD role, with either eligibility or approval depending on the default roles.
4. The member/user would afterwards be able to request approval/eligibility and get approval by the defined approver.
2 votes
Currently, PIM only provides a "Require approval to activate this role" setting on a per-role basis. I would like to see this on a PER USER basis. So a user would be either: Permanent, Eligible, or Eligible (approval required).
This is more in line with the trust model we want, allowing fewer permanent assignments. Some people would be trusted to self-elevate; others would require independent approval.
2 votes
We use PIM and sometimes a PIM activation expires in an open Azure Portal session.
Sadly, we often need some time to realize that the activation expired, because the functions in the Azure Portal are not blocked and therefore still clickable, and many cryptic error messages are shown when we try to use functions for which the activation has expired.
It would be nice if an info message were displayed when a PIM activation expires.
This info should be added to the notifications (bell).
2 votes
Option to include non-user service principals in access reviews of Azure PIM resource roles.
All elevated member access (owners, contributors) to Azure subscriptions needs to be reviewed as part of SOX compliance, and currently non-user service principals (like VSO service principals used for automated deployments in Azure) are not included in the access reviews initiated for Azure resource roles.
2 votes
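Until service principals appear in the review itself, a reviewer can at least enumerate them from the role-assignment export. The script below is an added example (not code from the post or from Microsoft): it reads JSON in the shape that `az role assignment list --all -o json` emits, drops User principals, keeps only the elevated roles named in the post (plus User Access Administrator), and groups the rest by subscription. The sample assignments, names and IDs are constructed for the example; Azure CLI reports managed identities with principalType "ServicePrincipal", and groups are flagged too because their membership is what a review would have to expand.

```python
"""List non-user principals holding elevated Azure RBAC roles, per subscription,
from `az role assignment list --all -o json` output. Added example; the sample
data below is constructed and does not come from the original post."""
import json
from collections import defaultdict

# Roles the post treats as elevated (owners, contributors); UAA is added because
# it can grant those roles. Extend to match your review scope.
ELEVATED_ROLES = {"Owner", "Contributor", "User Access Administrator"}

# Constructed sample in the shape of `az role assignment list --all -o json`,
# trimmed to the fields this script reads. All IDs and names are made up.
SAMPLE_ASSIGNMENTS = json.dumps([
    {"principalId": "11111111-1111-1111-1111-111111111111",
     "principalName": "alice@contoso.example", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": "/subscriptions/aaaa-1"},
    {"principalId": "22222222-2222-2222-2222-222222222222",
     "principalName": "vso-deploy-prod", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor", "scope": "/subscriptions/aaaa-1"},
    {"principalId": "33333333-3333-3333-3333-333333333333",
     "principalName": "vso-deploy-prod", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Reader", "scope": "/subscriptions/aaaa-1"},
    {"principalId": "44444444-4444-4444-4444-444444444444",
     "principalName": "build-agent-mi",  # managed identities show up as ServicePrincipal
     "principalType": "ServicePrincipal",
     "roleDefinitionName": "Owner",
     "scope": "/subscriptions/aaaa-1/resourceGroups/rg-build"},
    {"principalId": "55555555-5555-5555-5555-555555555555",
     "principalName": "Platform Admins", "principalType": "Group",
     "roleDefinitionName": "Owner", "scope": "/subscriptions/bbbb-2"},
])


def subscription_of(scope):
    """Return the /subscriptions/<id> prefix of an RBAC scope, or None when the
    assignment sits above subscription level (management group or root)."""
    parts = scope.strip("/").split("/")
    if len(parts) >= 2 and parts[0].lower() == "subscriptions":
        return f"/subscriptions/{parts[1]}"
    return None


def elevated_non_user_principals(assignments_json, elevated_roles=ELEVATED_ROLES):
    """Group elevated, non-user assignments by subscription.

    Returns {subscription: [(principalName, principalType, role, scope), ...]}
    with keys and rows sorted so the review output is stable between runs.
    Assignments at management-group or root scope inherit into every
    subscription and are reported under a separate bucket."""
    findings = defaultdict(list)
    for a in json.loads(assignments_json):
        if a.get("principalType") == "User":
            continue                      # users are already covered by the access review
        if a.get("roleDefinitionName") not in elevated_roles:
            continue                      # e.g. Reader is out of scope
        sub = subscription_of(a.get("scope", "")) or "(above subscription scope)"
        findings[sub].append((a.get("principalName") or a["principalId"],
                              a["principalType"], a["roleDefinitionName"], a["scope"]))
    return {sub: sorted(rows) for sub, rows in sorted(findings.items())}


def review_report(assignments_json):
    """Plain-text report suitable for attaching to a SOX review ticket."""
    lines = []
    for sub, rows in elevated_non_user_principals(assignments_json).items():
        lines.append(f"{sub}:")
        for name, ptype, role, scope in rows:
            lines.append(f"  {ptype:<17} {role:<12} {name}  @ {scope}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Real use: az role assignment list --all -o json > assignments.json, then
    # pass that file's contents instead of SAMPLE_ASSIGNMENTS.
    print(review_report(SAMPLE_ASSIGNMENTS))
```

Run it against a real export with `--all` so that resource-group and resource-level assignments are included; an Owner on a single resource group (as with the constructed build-agent-mi above) is exactly the kind of grant a subscription-level review misses.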
When my role is elevated the 'Activate' button is not always enabled to allow me to schedule a future activation of the current role, if needed. Sometimes the Activate button is enabled and other times it is not. I do not see a consistent pattern to determine why I can sometimes schedule future activations or not.
Currently, only seeing this for the SharePoint Service Administrator role (as that is the only role I used PIM for). I know this PIM is still in preview for this role, so may not be affecting other roles.
2 votes
Hello, when attempting to use the API "selfactivate" for certain directory roles (User Administrator in my case), it states that the action can't be conducted because MFA needs to be done in order to escalate to this role. With that said, the Graph API doesn't actually begin the MFA process whatsoever. Can the complete MFA process be enabled when self-activating certain directory roles?
2 votes
It would be useful if there were filters on the eligible PIM roles screen. If you have many subscriptions and many different role types, it can be time consuming to locate which role(s) you need to activate, as there are many pages to navigate due to the relatively small number of roles displayed per page.
Being able to filter on both Subscriptions and Roles would be ideal.
So you could, for example, have a view of a particular role on all subscriptions, or all roles for a particular subscription.
2 votes