Step-by-Step Guide : Azure AD PIM for Groups

Privileged Identity Management (PIM) offers organizations a comprehensive solution for managing, monitoring, and auditing access to their Azure resources. Among its key functionalities, PIM allows the implementation of just-in-time (JIT) access to both and Azure resources. Sometime ago Microsoft released preview feature that enable the usage of Azure AD PIM for Azure AD role-assignable groups.

Since then, this feature has been fully released (General Availability) with some noteworthy enhancements. Previously, utilizing Azure AD PIM with groups required them to be Azure AD role-assignable groups. However, the functionality has now been extended to encompass any Azure AD security group and any Microsoft 365 group, irrespective of whether they are role-assignable groups or not. In this blog post, I will be providing a demonstration of enable Azure AD PIM for an Azure AD security group.

Let's discuss the key points about Azure AD Privileged Identity Management (PIM) for groups:

  • Azure AD PIM for groups has certain limitations: It does not support dynamic groups or groups synchronized from on-premises directories.
  • Azure AD role-assignable groups have a maximum limit of 500 groups. This constraint is imposed by Azure AD itself and not by Azure AD PIM. However, for security groups, this 500 group limit does not apply.
  • Azure AD PIM for groups fully supports nested groups. If a group is eligible for membership in another group, the members of the nested group can activate their membership in the parent group through Azure AD PIM.

Let's go ahead and see how this actually works.

In my demo environment, I already have an Azure AD security group called “RebelTest Group A” and it doesn't have any members assigned.


Let's explore enable Azure AD Privileged Identity Management (PIM) for a specific group and understand its functionalities through a process:

Enabling Azure AD PIM for a Group

  1. Start by logging in to the Azure portal at using Global Administrator or Privileged Role Administrator credentials.
  2. Navigate to Azure AD Privileged Identity Management and select Groups.
  3. Select Discover groups to proceed.
  4. In the new page, search for the desired security group and select it from the list. Then, select Manage Groups.
  5. Confirm the onboarding of the selected group(s) to Azure AD PIM by selecting OK when prompted.
  6. Return to the Azure AD PIM groups page to observe the newly onboarded group.
  7. To add a user as an eligible member to the group, select the group name, followed by Assignments in the group page.
  8. Select + Add assignment to initiate the configuration process.
  9. In the configuration window, select Member for the role, then visit the link under Select member(s) to choose users for the role. Then select Next to proceed.
  10. On the settings page, keep the assignment type as Eligible and set the allowed eligible duration (e.g., 1 year). Once the settings are confirmed, Select Assign to complete the user assignment process.
  11. Next, configure the approval process for the role by selecting Settings in the assignment page.
  12. From the Role list, select Member to access the PIM settings for the role. Then select Edit to modify the default settings.
  13. In the role settings page, select Require approval to activate and specify the user as the approver. Then select Update to finalize the configuration. 


This complete the Azure AD PIM for group configuration. Let's see how its really works for the group members and approvers.


  1. To test Azure AD PIM as an eligible member, log in to the Azure portal using Isaiah Langer's credentials (
  2. Navigate to Azure AD Privileged Identity Management and select Groups.
  3. From the list, select “RebelTest Group A” security group.
  4. Under My roles, locate the eligible member role for the security group and select Activate.
  5. In the role activation window, provide justification for the role request and select Activate.
  6. After the request, the approver receives an email notification.
  7. Log in to the Azure portal as the approver, go to Azure AD Privileged Identity Management, and select Approve requests.
  8. Select Groups and find the role activation request from Isaiah Langer in the list. Then select the user and click Approve.
  9. In the new page, provide justification and select Confirm.
  10. The process is now complete. When viewing the “RebelTest Group A” security group, Isaiah Langer will be visible as a member.
  11. Isaiah can also check his role activation status, which will display his account as under active assignment, along with the end time.

By following these steps, you should now have a better understanding of how Azure AD PIM for groups operates.


This article was originally published by Microsoft's Entra (Azure AD) Blog. You can find the original article here.