Enable reset of PRT to allow for immediate Eligible Device Administrator role through Azure PIM
As it currently stands, if you want to permit specific sets of users to be Device Administrator "eligible" through Azure PIM you may have to wait up to 4 hours for the Primary Refresh Token (PRT) to be updated via Azure before your Azure AD joined devices will acknowledge the Device Administrator role.
This is a big flaw that basically renders this PIM function useless, and it needs to be fixed by Microsoft. All other Azure AD roles within Azure PIM work just fine when assigning an "eligible" role.
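The wait described above can at least be made visible on the device. The following PowerShell is an added example, not code from this thread or from Microsoft: it reads the PRT fields from `dsregcmd /status` output and reports whether the PRT was refreshed after a given PIM activation time. The field names are as dsregcmd prints them; the timestamp format is assumed to be `yyyy-MM-dd HH:mm:ss.fff UTC`, and the sample lines are constructed.

```powershell
# Added example (not from the original thread). Parses the SSO State fields of
# `dsregcmd /status` so an admin can see when the device last refreshed its PRT
# and whether that refresh happened after a PIM activation. Timestamp format is
# assumed to be 'yyyy-MM-dd HH:mm:ss.fff UTC'.

function ConvertFrom-DsregTime {
    param([string]$Text)
    $clean = ($Text -replace '\s*UTC\s*$', '').Trim()
    return [datetime]::ParseExact($clean, 'yyyy-MM-dd HH:mm:ss.fff',
        [cultureinfo]::InvariantCulture,
        [System.Globalization.DateTimeStyles]::AssumeUniversal -bor
        [System.Globalization.DateTimeStyles]::AdjustToUniversal)
}

function Get-PrtStatus {
    param([string[]]$StatusLines)   # output lines of `dsregcmd /status`
    $status = [pscustomobject]@{ HasPrt = $false; UpdateTimeUtc = $null; ExpiryTimeUtc = $null }
    foreach ($line in $StatusLines) {
        if ($line -match '^\s*AzureAdPrt\s*:\s*(YES|NO)') {
            $status.HasPrt = ($Matches[1] -eq 'YES')
        } elseif ($line -match '^\s*AzureAdPrtUpdateTime\s*:\s*(.+)$') {
            $status.UpdateTimeUtc = ConvertFrom-DsregTime $Matches[1]
        } elseif ($line -match '^\s*AzureAdPrtExpiryTime\s*:\s*(.+)$') {
            $status.ExpiryTimeUtc = ConvertFrom-DsregTime $Matches[1]
        }
    }
    return $status
}

# True only if the PRT was refreshed after the activation, i.e. the device can
# have picked up the newly activated role membership.
function Test-PrtRefreshedSince {
    param([pscustomobject]$Status, [datetime]$ActivationTimeUtc)
    return $Status.HasPrt -and $null -ne $Status.UpdateTimeUtc -and
           $Status.UpdateTimeUtc -ge $ActivationTimeUtc
}

# Constructed sample of the relevant lines (on a real device use: dsregcmd /status).
$sample = @(
    '                AzureAdPrt : YES',
    '      AzureAdPrtUpdateTime : 2021-03-04 08:57:14.000 UTC',
    '      AzureAdPrtExpiryTime : 2021-03-18 09:02:41.000 UTC'
)
$prt = Get-PrtStatus -StatusLines $sample
$activatedAt = [datetime]::new(2021, 3, 4, 10, 15, 0, [System.DateTimeKind]::Utc)
"PRT present: $($prt.HasPrt); last refreshed: $($prt.UpdateTimeUtc.ToString('u'))"
"Refreshed since activation: $(Test-PrtRefreshedSince $prt $activatedAt)"
```

With the constructed sample the last line reports False, because the PRT update time (08:57 UTC) predates the activation (10:15 UTC), which is exactly the window the thread complains about.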
Hi, I have the same issue here. We use PIM to grant access to Global Admin (GA), and we find that we are unable to install third-party software on our devices until we get the PRT. We have no control over this token, and sometimes we can't install the software because we don't get the token within the 4-hour limit, and our security team only allows PIM access for 4 hours.
This is a real flaw in the workings of this. Ideally, what should happen is that when you use PIM to grant access to an account, the PRT should be refreshed at that point, because it makes no sense to me to grant a user GA access and then have to wait up to 4 hours before you can do your task. This is counterproductive, and I think it is a design flaw in the architecture that needs to be addressed.