Extend PIM to manage group membership
Enable PIM usage to support any Azure AD group membership controls, enabling a time-based group membership experience using the PIM UI and approval functionality.
It would be useful to be able to allow users to exclude themselves from a geoblock CA policy for a limited time using PIM before travelling.
Kent Peter Gaardmand commented
This would allow better management of DevOps Permissions.
Hrvoje Kusulja commented
Any Azure AD security group should support this.
In this way, Microsoft will increase the usability of PIM licenses and its sales.
On the other side, this will be a process to manage and replace some Forefront Identity Manager features and be able to new organizations and cloud-only organizations.
Please implement this, 2 years have passed without any response...
Guðjón Örn Þorsteinsson commented
One example would be to add a specific user to an AAD group that grants access to certain SharePoint Online sites for a limited time, right?
Wolf, Andrew commented
Berkeley, I believe the link provided refers to having any member of a group eligible for elevation etc., while the above (as pointed out by Wesley) refers to temporarily adding users to an Azure AD group as the elevation action.
The purpose of that would be to then give permanent permission to the group in whichever app (e.g. within Exchange) and allow PIM to extend its reach/effectiveness where more granular permissions are required/applied.
Wesley Trust commented
I believe this is referring to temporarily granting membership to an Azure AD Security Group (which you may have used to delegate access to another resource).
Rather than assigning roles to groups, which is in the other suggestion.
Berkeley Churchill commented
Is this the same as https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/20227804-enable-pim-role-assignment-by-group-membership? If not can you clarify the difference?