When PIM is enabled, prevent User Admins from changing the activation of an account
When PIM is enabled, prevent role changes via Azure AD using the User Admin role.
Currently, User Admins are able to assign directory roles (via classic portal and new portal, although new portal gives more options via the limited administrator option). It is also possible to change an eligible assignment to permanent using AAD. This stops PIM from being a true privileged management tool as it is too easy to subvert.
Also, the notification email has been changed to just state that an assignment has occurred and not (as it did previously) to say that this occurred outside of PIM. Please bring this back!!!
Todd K. Cook commented
Not sure why we are voting, this is a must have. You are charging us for PIM licenses and they don't mean much.
I agree! When a user has been granted temporary access to a role such as Global Admin, they can assign the Global Admin role to others.
I appreciate there's a level of logging/auditing but I think it would be beneficial to prevent role additions/changes for these 'managed' roles entirely. Such that the only way someone can get into the Global Admins is by being added as eligible by the PIM administrator(s).
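Until the product blocks out-of-band assignments, the only defence is the audit trail mentioned in the comment above. The following is an added example, not part of the original request or of Microsoft's tooling: it runs a detection over Azure AD audit log entries and flags successful additions to PIM-managed directory roles that did not come through PIM, which covers both the User Admin assignment in the original post and the "activated Global Admin promotes someone else" case from the comment. Field names follow the Microsoft Graph `directoryAudits` schema (`activityDisplayName`, `initiatedBy`, `loggedByService`, `targetResources[].modifiedProperties`). The initiator name `MS-PIM`, the `contoso.example` principals, and the sample entries themselves are constructed assumptions; confirm the initiator string against a known PIM activation in your own tenant before relying on it.

```python
"""Flag directory-role assignments that bypassed PIM, from Azure AD audit log entries.

Added example: the entries below are constructed to mirror the Graph
directoryAudits shape; they are not real tenant data.
"""
import json

# Core Directory activity recorded when a principal is added to a directory role.
ROLE_ASSIGNMENT_ACTIVITIES = {"Add member to role"}

# Roles we expect to be touched only via PIM (assumption: adjust to your PIM scope).
PIM_MANAGED_ROLES = {"Global Administrator", "Privileged Role Administrator",
                     "User Administrator"}

# Initiator that marks a change as PIM-driven. "MS-PIM" is an assumption;
# verify it against a known activation in your own audit log.
PIM_INITIATORS = {"MS-PIM"}


def _role_display_name(entry):
    """Return Role.DisplayName from modifiedProperties (Graph stores it JSON-encoded)."""
    for target in entry.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") == "Role.DisplayName":
                raw = prop.get("newValue") or ""
                try:
                    return json.loads(raw)
                except json.JSONDecodeError:
                    return raw
    return None


def _initiator(entry):
    """Return ("app", name) or ("user", upn) for who made the change."""
    who = entry.get("initiatedBy") or {}
    app = who.get("app") or {}
    user = who.get("user") or {}
    if app.get("displayName"):
        return "app", app["displayName"]
    return "user", user.get("userPrincipalName", "<unknown>")


def _assigned_principal(entry):
    """Return the UPN (or id) of the principal that received the role."""
    for target in entry.get("targetResources", []):
        if target.get("type") == "User":
            return target.get("userPrincipalName") or target.get("id")
    return None


def is_out_of_band_assignment(entry):
    """True when a PIM-managed role was assigned successfully without PIM as the initiator."""
    if entry.get("activityDisplayName") not in ROLE_ASSIGNMENT_ACTIVITIES:
        return False
    if entry.get("result") != "success":
        return False
    if entry.get("loggedByService") == "PIM":
        return False  # PIM's own bookkeeping entries
    kind, name = _initiator(entry)
    if kind == "app" and name in PIM_INITIATORS:
        return False  # change was driven by the PIM service
    return _role_display_name(entry) in PIM_MANAGED_ROLES


def find_out_of_band_assignments(entries):
    """Return one finding per flagged entry: who assigned which role to whom, and when."""
    findings = []
    for entry in entries:
        if is_out_of_band_assignment(entry):
            kind, name = _initiator(entry)
            findings.append({
                "time": entry.get("activityDateTime"),
                "role": _role_display_name(entry),
                "assigned_to": _assigned_principal(entry),
                "initiator": f"{kind}:{name}",
            })
    return findings


def _role_entry(time, initiated_by, target_upn, role):
    """Build a constructed audit entry in directoryAudits shape (test data only)."""
    return {
        "activityDateTime": time,
        "activityDisplayName": "Add member to role",
        "loggedByService": "Core Directory",
        "result": "success",
        "initiatedBy": initiated_by,
        "targetResources": [{
            "type": "User",
            "userPrincipalName": target_upn,
            "modifiedProperties": [
                {"displayName": "Role.DisplayName", "oldValue": None,
                 "newValue": json.dumps(role)},
            ],
        }],
    }


# Constructed sample log: a legitimate PIM activation, a direct assignment by a
# User Admin, a newly activated Global Admin promoting someone else, and noise.
SAMPLE_AUDIT_ENTRIES = [
    _role_entry("2017-06-01T08:00:00Z", {"app": {"displayName": "MS-PIM"}},
                "alice@contoso.example", "Global Administrator"),
    _role_entry("2017-06-01T08:05:00Z",
                {"user": {"userPrincipalName": "useradmin@contoso.example"}},
                "bob@contoso.example", "Global Administrator"),
    _role_entry("2017-06-01T08:10:00Z",
                {"user": {"userPrincipalName": "alice@contoso.example"}},
                "mallory@contoso.example", "Global Administrator"),
    {"activityDateTime": "2017-06-01T08:11:00Z", "activityDisplayName": "Update user",
     "loggedByService": "Core Directory", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "useradmin@contoso.example"}},
     "targetResources": [{"type": "User", "userPrincipalName": "bob@contoso.example",
                          "modifiedProperties": []}]},
]

if __name__ == "__main__":
    for finding in find_out_of_band_assignments(SAMPLE_AUDIT_ENTRIES):
        print(finding)
```

In a real tenant, feed `find_out_of_band_assignments` the `value` array returned by `GET https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?$filter=activityDisplayName eq 'Add member to role'` and route findings to a SIEM alert; the activated-admin case in the third entry is flagged on the same rule as the User Admin case, because both lack the PIM initiator.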