A resource owner is on leave, and you urgently need to assign roles to manage Azure resources. Which Microsoft Entra service can grant temporary elevated access to perform administrative tasks?

konaAsha 5 Reputation points
2025-02-06T19:16:52.7033333+00:00

A resource owner is on leave, and you urgently need to assign roles to manage Azure resources. Which Microsoft Entra service can grant temporary elevated access to perform administrative tasks?


2 answers

  1. joshni jajula 0 Reputation points
    2025-02-06T19:27:15.97+00:00

    To grant temporary access for managing Azure resources in the absence of a resource owner, you can use Microsoft Entra Privileged Identity Management (PIM). PIM helps to manage, monitor, and control access to Azure resources by allowing you to assign temporary roles.

    Steps to Configure Microsoft Entra PIM for Temporary Role Assignments

    1. Assign Roles in PIM:

       - Navigate to the Azure portal and go to Microsoft Entra > Privileged Identity Management.
       - Under Manage, select Roles.
       - Choose the role that you want to assign (e.g., Owner, Contributor) and click on it.
       - Click on Add assignments to provide the role to users.

    2. Setting Up Just-In-Time (JIT) Activation:

       - Ensure the user has the role assigned with JIT activation. This means they will need to request the activation of the role rather than having it permanently assigned.

    3. Configure MFA Requirement:

       - In the PIM settings, go to the Azure Active Directory > Roles > select the specific role.
       - Under Settings, choose Activation and enable Require multi-factor authentication when users activate roles.

    4. Require Justification:

       - In the same Activation settings, enable Require justification. This ensures that when a user requests to activate the role, they must provide a reason for the request.

    5. User Activation Process:

       - Users will log into the Azure portal and go to Microsoft Entra > Privileged Identity Management > My roles.
       - They click on the role they have been assigned with JIT and then click Activate.
       - The system will prompt them to provide justification and will require MFA for activation.
       - Once approved, the role will be temporarily assigned for a specified duration.

    6. Monitoring and Auditing:

       - You can monitor the role activations through the audit logs in PIM. This can help track who activated which role, when, and for what reason.

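The MFA, justification and time-limit settings from the answer above can be checked from an exported policy instead of by clicking through the portal. The following is an added example, not code from the answer's author or from Microsoft: the rule ids and field names are assumed to follow the ARM `roleManagementPolicies` shape, the sample policy is constructed, and the 8-hour ceiling is an assumed local standard.

```python
import re

# Constructed sample, shaped like an ARM roleManagementPolicies response (assumption).
SAMPLE_POLICY = {
    "properties": {
        "effectiveRules": [
            {"id": "Enablement_EndUser_Assignment",
             "enabledRules": ["Justification"]},
            {"id": "Expiration_EndUser_Assignment",
             "isExpirationRequired": True, "maximumDuration": "P1D"},
        ]
    }
}

_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?)?$")


def duration_hours(value):
    """Convert a simple ISO 8601 duration (days/hours/minutes) to hours."""
    m = _DURATION.match(value or "")
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported duration: {value!r}")
    days, hours, minutes = (int(g or 0) for g in m.groups())
    return days * 24 + hours + minutes / 60


def audit_activation_policy(policy, max_hours=8):
    """Return findings for the rules that govern end-user role activation."""
    rules = {r["id"]: r for r in policy["properties"]["effectiveRules"]}
    enabled = set(rules.get("Enablement_EndUser_Assignment", {}).get("enabledRules", []))
    findings = []
    if "MultiFactorAuthentication" not in enabled:
        findings.append("activation does not require MFA")
    if "Justification" not in enabled:
        findings.append("activation does not require justification")
    expiry = rules.get("Expiration_EndUser_Assignment")
    if expiry is None or not expiry.get("maximumDuration"):
        findings.append("no maximum activation duration set")
    elif duration_hours(expiry["maximumDuration"]) > max_hours:
        findings.append(f"activation can last {expiry['maximumDuration']}, over {max_hours}h")
    return findings


if __name__ == "__main__":
    for finding in audit_activation_policy(SAMPLE_POLICY):
        print("FINDING:", finding)
```
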

  2. Goutam Pratti 1,565 Reputation points Microsoft Vendor
    2025-02-07T08:48:09.0466667+00:00

    Hello @konaAsha ,

    Thank you for reaching out to Microsoft Q&A.

    You can use Microsoft Entra's Privileged Identity Management (PIM) service to grant temporary elevated access for administrative tasks in Azure. PIM allows you to assign roles that can be elevated Just-In-Time, enabling users to manage Azure resources even if the resource owner is unavailable.

    Additionally, for Azure resource roles in Privileged Identity Management, only a subscription administrator, a resource Owner, or a resource User Access Administrator can manage assignments for other administrators. Users who are Privileged Role Administrators, Security Administrators, or Security Readers don't by default have access to view assignments to Azure resource roles in Privileged Identity Management.

    For additional information, you can follow: https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure
    https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin?tabs=azure-portal%2Centra-audit-logs#how-does-elevated-access-work
    https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-resource-roles-assign-roles

    Hope this helps. Do let us know if you have any further queries.

    If this answers your query, do click Accept Answer and Yes for "Was this answer helpful". And if you have any further queries, do let us know.

    Best Regards,
    Goutam Pratti.

