Hello Xiuyu Zheng,
Welcome to the Microsoft Q&A and thank you for posting your questions here.
Regarding your explanation, the first thing is to check if the Policy Enforcement Role is available and that you are eligible for it. You will need permissions like Microsoft.Authorization/PolicyAssignments/*.
Secondly, if your organization uses Microsoft Entra Privileged Identity Management (PIM), you can request to activate this role. PIM helps manage, control, and monitor access within Azure AD, including privileged roles.
Reach out to your Azure AD administrator or the person responsible for role assignments in your organization. They can grant you the necessary permissions.
If your organization has a formal process for requesting roles, follow that process. This might involve submitting a request through a ticketing system or an internal portal.
Also, once you have been granted eligibility for the role, you can activate it through the Azure portal. Here’s how: In your Azure portal, navigate to All services and select the scope (e.g., Management groups, Subscriptions, or Resource groups). From Access control (IAM), find the role you want to activate. Click Activate and specify the start time, duration, and reason for activation - https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-eligible-activate
Finally, after activation, verify that you have the necessary permissions to manage policy assignments.
I hope this is helpful! Do not hesitate to let me know if you have any other questions.
Please don't forget to close up the thread here by upvoting and accepting it as an answer if it is helpful.
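For the verification step after activation, the following is an added example and not part of the answer above: it evaluates role definitions against the policy-assignment operations using Azure RBAC's actions/notActions wildcard matching. The role names and contents in SAMPLE_ROLES are constructed; in practice the input would be the JSON for the roles assigned to you, in the shape `az role definition list -o json` returns.

```python
import re

# Constructed sample in the shape returned by `az role definition list -o json`
# (only the fields used here). Role names and contents are made up for the example.
SAMPLE_ROLES = [
    {"roleName": "Example Policy Assigner",
     "permissions": [{"actions": ["Microsoft.Authorization/PolicyAssignments/*",
                                  "*/read"],
                      "notActions": ["Microsoft.Authorization/policyAssignments/delete"]}]},
    {"roleName": "Example Reader",
     "permissions": [{"actions": ["*/read"], "notActions": []}]},
]

def _matches(pattern, operation):
    """Azure RBAC action strings are case-insensitive; '*' matches any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, flags=re.IGNORECASE) is not None

def role_allows(role, operation):
    """True if one permission block lists the operation in actions and not in notActions."""
    for block in role.get("permissions", []):
        allowed = any(_matches(p, operation) for p in block.get("actions", []))
        excluded = any(_matches(p, operation) for p in block.get("notActions", []))
        if allowed and not excluded:
            return True
    return False

def granting_roles(roles, operation):
    """Names of the roles that grant the operation; role assignments are additive."""
    return [r["roleName"] for r in roles if role_allows(r, operation)]

def missing_operations(roles, required):
    """Operations from `required` that no role in `roles` grants."""
    return [op for op in required if not granting_roles(roles, op)]

REQUIRED = [
    "Microsoft.Authorization/policyAssignments/read",
    "Microsoft.Authorization/policyAssignments/write",
    "Microsoft.Authorization/policyAssignments/delete",
]

if __name__ == "__main__":
    for op in REQUIRED:
        print(op, "->", granting_roles(SAMPLE_ROLES, op) or "NOT GRANTED")
```

A wildcard in actions does not guarantee every operation under it: the constructed role above loses delete through notActions, which is the kind of gap this check surfaces before a policy change fails.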