Enable PIM role assignment by Group membership.
It would be nice to enable PIM roles to be linked not only to direct assignment to users but also to groups. This enables integration with on-premise IAM solutions that have not been extended to support the Graph API calls to PIM for role management.
Rich Ivey commented
I need to assign 2 PIM roles to all of my IT staff, which is 90 users. That would be 180 individual assignments in order to give them all access to these 2 roles. All of these admins are in a single group, which changes membership constantly. To do all of these assignments manually and keep track of changes would be an administrative nightmare. Please fix this so that we can manage roles properly.
Rutger de Boer commented
We are an MSP that takes security extremely seriously. With on- and offboarding of customer admins this process is a complete mess. Please integrate groups in PIM. Thank you.
This is absolutely essential for large organizations. We manage the concept of group membership centrally via AD and shouldn't have to provide AAD User Access Administrator rights and training to individuals that are very comfortable living only in AD land. We also have existing Manager Access review procedures on top of AD and should not have to re-invent these for Azure AD. If Microsoft is thinking properly...any time a user can be assigned to anything, there should always be the option to assign a group of users to the same thing.
Colin Kidwell commented
Seems counter-intuitive without the ability to manage through groups.
Rich Ivey commented
This needs to be fixed! I need to assign roles to large groups of admins, and doing it user-by-user is very time consuming and more prone to error or mistakes, not to mention the constant manual management. I already have these users in groups in Azure AD and cannot believe that this is not an option in PIM.
Please fix this so we don't have to manage memberships manually.... I feel like I'm back in 1995.
Ian Morgan commented
We planned our strategy around using Role Groups. This works perfectly with ARM roles, but we were dumbstruck when we found other AAD roles do _not_ support assignment to groups. This complicates matters tremendously. With a limit of 2000 role assignments per subscription, this could be a hard block for us.
Is anyone aware of a workaround other than scripting assignments with the API? (Which doesn't avoid the limits issue)
Allen Sudbring commented
Absolutely agree. My customer is begging for this. They are a very large environment with many admins and management of this has become unwieldy to the point that they are thinking about abandoning using PIM.
Peter Selch Dahl commented
Great suggestion! I would also like to see this feature in the future.
Tom Aafloen commented
I agree, this is essential in larger organizations.