What happens after I enable any RBAC Role as PIM enabled role?

Neel Darji 91 Reputation points
2024-02-08T03:45:48.2133333+00:00

I have a question on PIM (Privileged Identity Management). Let's say users A, B, C, D, E have the Reader role on subscription ABC right now. This is standing permanent access before enabling PIM. Now we enable PIM on this ABC subscription for this Reader role. What happens to the Reader roles of all 5 of these users? Will standing access be revoked, or can we still see standing access?

2nd question: How can we automatically migrate a standing role to a PIM role without manual effort? In the same scenario mentioned above, what I want is for users A, B, C, D, E to be converted to an Eligible role instead of Active assignments. How can we achieve that? I have 13k+ subscriptions with 100K+ users, so if I sit and do a manual PIM rollout, this is not feasible. Any help appreciated.


1 answer

  1. Sam Cogan 10,747 Reputation points MVP
    2024-02-08T08:38:20.7+00:00

    When you enable PIM, it will not affect any users with existing permanent access roles; these will stay as they are. If you wish to convert these from permanent to PIM roles, you will need to go through the process to do so. If you don't want to do this manually, then you can use PowerShell and the PIM cmdlets to help do this for you, but there is no built-in automation to do so.
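
One way to script the conversion the answer describes, for a single subscription. This is an added example, not code from the answer or from Microsoft. It assumes the Az.Resources module, an authenticated session with rights to manage role assignments, and a PIM role policy that permits a one-year eligible assignment; the parameter names and the `-Apply` switch are this example's own.

```powershell
# Added example: convert standing Reader assignments on one subscription to PIM-eligible.
# Requires Az.Resources and an authenticated session (Connect-AzAccount).
param(
    [Parameter(Mandatory)] [string] $SubscriptionId,  # supplied by the caller
    [string] $RoleName = 'Reader',
    [string] $Duration = 'P365D',                     # assumption: role policy allows one-year eligibility
    [switch] $Apply                                   # without -Apply the script only reports
)

$scope = "/subscriptions/$SubscriptionId"

# Get-AzRoleAssignment also returns inherited assignments, so keep only
# direct user assignments of the chosen role at this exact scope.
$standing = Get-AzRoleAssignment -Scope $scope | Where-Object {
    $_.Scope -eq $scope -and $_.ObjectType -eq 'User' -and $_.RoleDefinitionName -eq $RoleName
}

foreach ($a in $standing) {
    if (-not $Apply) {
        Write-Output "DRY RUN: would convert $($a.SignInName) ($RoleName) to eligible"
        continue
    }
    try {
        # Create the eligible assignment first so the user keeps a path to access.
        New-AzRoleEligibilityScheduleRequest `
            -Name (New-Guid).Guid `
            -Scope $scope `
            -PrincipalId $a.ObjectId `
            -RoleDefinitionId "$scope/providers/Microsoft.Authorization/roleDefinitions/$($a.RoleDefinitionId)" `
            -RequestType AdminAssign `
            -Justification 'Migrate standing access to PIM eligible' `
            -ScheduleInfoStartDateTime (Get-Date -Format o) `
            -ExpirationType AfterDuration `
            -ExpirationDuration $Duration `
            -ErrorAction Stop | Out-Null

        # Remove the standing assignment only after the eligibility request succeeded.
        Remove-AzRoleAssignment -ObjectId $a.ObjectId -RoleDefinitionName $RoleName `
            -Scope $scope -ErrorAction Stop | Out-Null
        Write-Output "Converted $($a.SignInName)"
    }
    catch {
        Write-Warning "Skipped $($a.SignInName): $($_.Exception.Message)"
    }
}
```

Run it without `-Apply` first and review the dry-run list, since it will also include any service or break-glass user accounts that should keep standing access.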

