Extend PIM to manage group membership
Enable PIM to manage membership of any Azure AD group, giving a time-based group membership experience through the PIM UI and its approval functionality.
You can find the documentation at aka.ms/pag.
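As an added illustration of what the requested time-bound membership looks like in practice (this is example code, not part of the original suggestion or of Microsoft's documentation), the Python below builds the two request bodies that the PIM-for-Groups Microsoft Graph API accepts: an admin-created eligibility, and a user-initiated activation that makes the user a member only for a bounded window. The object IDs, justifications and durations are constructed placeholders; nothing is sent unless a `GRAPH_TOKEN` environment variable is set, so the functions can be inspected offline.

```python
"""Time-bound Azure AD group membership via PIM for Groups (Microsoft Graph).

Builds the two payloads PIM for Groups expects:
  1. an admin-created *eligibility*  (the user may later activate membership), and
  2. a user-initiated *activation*   (membership that lapses after a set duration).
Eligibility is not membership: the user still has to activate, and the group's PIM
policy may require approval before they actually appear in the group.
"""
import json
import os
import re
import urllib.request
from datetime import datetime, timedelta, timezone
from typing import Optional

GRAPH_PIM_GROUP = "https://graph.microsoft.com/v1.0/identityGovernance/privilegedAccess/group"

# ISO 8601 duration subset used for activation windows (hours/minutes only, e.g. PT8H, PT30M).
_DURATION = re.compile(r"^PT(?:(\d+)H)?(?:(\d+)M)?$")


def parse_duration(iso: str) -> timedelta:
    """Convert an activation duration such as 'PT8H' into a timedelta; reject anything else."""
    m = _DURATION.match(iso)
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported duration: {iso!r}")
    hours, minutes = (int(g) if g else 0 for g in m.groups())
    return timedelta(hours=hours, minutes=minutes)


def eligibility_request(principal_id: str, group_id: str, justification: str,
                        start: datetime, eligible_until: datetime) -> dict:
    """Body for POST .../eligibilityScheduleRequests: make a user *eligible* for membership."""
    return {
        "accessId": "member",              # "member" or "owner"
        "principalId": principal_id,
        "groupId": group_id,
        "action": "adminAssign",
        "justification": justification,
        "scheduleInfo": {
            "startDateTime": start.isoformat(),
            "expiration": {"type": "afterDateTime", "endDateTime": eligible_until.isoformat()},
        },
    }


def activation_request(principal_id: str, group_id: str, justification: str,
                       start: datetime, duration: str = "PT8H") -> dict:
    """Body for POST .../assignmentScheduleRequests: activate membership for a bounded window."""
    parse_duration(duration)               # fail early on a malformed window
    return {
        "accessId": "member",
        "principalId": principal_id,
        "groupId": group_id,
        "action": "selfActivate",
        "justification": justification,
        "scheduleInfo": {
            "startDateTime": start.isoformat(),
            "expiration": {"type": "afterDuration", "duration": duration},
        },
    }


def membership_expires_at(body: dict) -> datetime:
    """Compute when an activation built by activation_request() lapses."""
    info = body["scheduleInfo"]
    start = datetime.fromisoformat(info["startDateTime"])
    return start + parse_duration(info["expiration"]["duration"])


def submit(path: str, body: dict) -> Optional[dict]:
    """POST the body to Graph if GRAPH_TOKEN is set; otherwise return None (offline dry run)."""
    token = os.environ.get("GRAPH_TOKEN")
    if not token:
        return None
    req = urllib.request.Request(
        f"{GRAPH_PIM_GROUP}/{path}", data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def example_requests() -> tuple:
    """Constructed sample: a 90-day eligibility plus a 4-hour activation for site maintenance."""
    user = "00000000-0000-0000-0000-000000000001"    # placeholder user object ID
    group = "00000000-0000-0000-0000-000000000002"   # placeholder group object ID
    now = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    elig = eligibility_request(user, group, "SharePoint site maintenance rota", now, now + timedelta(days=90))
    act = activation_request(user, group, "Fix site permissions, ticket #1234", now, "PT4H")
    return elig, act


if __name__ == "__main__":
    elig, act = example_requests()
    print(json.dumps(act, indent=2))
    print("membership would lapse at", membership_expires_at(act).isoformat())
    submit("eligibilityScheduleRequests", elig)
    submit("assignmentScheduleRequests", act)
```

The point of splitting eligibility from activation is the one the thread is asking for: the group keeps its permanent grants (site ownership, an AKS role binding, an SP's permission), while no user is a standing member; `membership_expires_at` shows the window after which PIM removes them again.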
Steve Bassett commented
This is a must have.
It's a serious security issue to have full time membership of certain security groups, allowing time limited access via PIM would solve the issue.
Nicolas Deixonne commented
I agree this feature is essential for Microsoft Azure. We are using groups to define a lot of permissions, such as RBAC in AKS Kubernetes clusters, tier services through SAML, etc.
Being able to use PIM to assign users temporarily to groups is gold for security.
Anyone from Microsoft who can at least acknowledge?
Bart Michel commented
Any idea when this feature will be picked up by the devs?
Still waiting to see if this will make private preview or not, but we control multiple subscription access by AAD groups; we need to manage these groups via PIM.
My use case for this would be SharePoint editing. I don't want to grant SPO Admin rights; it gives too much power under least privilege (deleting sites, emptying the recycle bin, adding owner rights to OneDrive user profiles, etc.). I want a security group that is added as an owner of each site, and whenever work needs to be done on that site, the user is added to the group for x hours and then expires out of it.
Another example is handling K8s role bindings; right now AKS with RBAC is attached only to AD groups, so we cannot use PIM to handle it.
It would be useful to allow users to exclude themselves from a geoblock CA policy for a limited time using PIM before travelling.
Kent Peter Gaardmand commented
This would allow better management of DevOps Permissions.
Hrvoje Kusulja commented
Any Azure AD security group should support this.
In this way, Microsoft will increase the usability of PIM licenses and their sales.
On the other side, this will be a process to manage and replace some Forefront Identity Manager features and to be available to new organizations and cloud-only organizations.
Please implement this; it has been 2 years without any response...
Guðjón Örn Þorsteinsson commented
One example would be to add a specific user to an AAD group that grants access to certain SharePoint Online sites for a limited time, right?
Wolf, Andrew commented
Berkeley, I believe the link provided refers to having any member of a group eligible for elevation, etc., while the above (as pointed out by Wesley) refers to temporarily adding users to an Azure AD group as the elevation action.
The purpose of that would be to then give permanent permission to the group in whichever app (e.g. within Exchange) and allow PIM to extend its reach/effectiveness where more granular permissions are required/applied.
Wesley Trust commented
I believe this is referring to temporarily granting membership of an Azure AD security group (which you may have used to delegate access to another resource).
Rather than assigning roles to groups, which is in the other suggestion.
Berkeley Churchill commented
Is this the same as https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/20227804-enable-pim-role-assignment-by-group-membership? If not, can you clarify the difference?