Assign Microsoft Entra roles in Privileged Identity Management

With Microsoft Entra ID, a Global Administrator can make permanent Microsoft Entra admin role assignments. These role assignments can be created using the Microsoft Entra admin center or using PowerShell commands.

The Microsoft Entra Privileged Identity Management (PIM) service also allows Privileged Role Administrators to make permanent admin role assignments. Additionally, Privileged Role Administrators can make users eligible for Microsoft Entra admin roles. An eligible administrator can activate the role when they need it, and then their permissions expire once they're done.

Privileged Identity Management support both built-in and custom Microsoft Entra roles. For more information on Microsoft Entra custom roles, see Role-based access control in Microsoft Entra ID.

Note

When a role is assigned, the assignment:

  • Can't be assigned for a duration of less than five minutes
  • Can't be removed within five minutes of it being assigned

Assign a role

Follow these steps to make a user eligible for a Microsoft Entra admin role.

  1. Sign in to the Microsoft Entra admin center as at least a Privileged Role Administrator.

  2. Browse to Identity governance > Privileged Identity Management > Microsoft Entra roles.

  3. Select Roles to see the list of roles for Microsoft Entra permissions.

    Screenshot of the Roles page with the Add assignments action selected.

  4. Select Add assignments to open the Add assignments page.

  5. Select Select a role to open the Select a role page.

    Screenshot showing the new assignment pane.

  6. Select a role you want to assign, select a member to whom you want to assign to the role, and then select Next.

    Note

    If you assign a Microsoft Entra built-in role to a guest user, the guest user will be elevated to have the same permissions as a member user. For information about member and guest user default permissions, see What are the default user permissions in Microsoft Entra ID?

  7. In the Assignment type list on the Membership settings pane, select Eligible or Active.

    • Eligible assignments require the member of the role to perform an action to use the role. Actions might include performing a multifactor authentication (MFA) check, providing a business justification, or requesting approval from designated approvers.

    • Active assignments don't require the member to perform any action to use the role. Members assigned as active always have the privileges assigned to the role.

  8. To specify a specific assignment duration, add a start and end date and time boxes. When finished, select Assign to create the new role assignment.

    • Permanent assignments have no expiration date. Use this option for permanent workers who frequently need the role permissions.

    • Time-bound assignments expire at the end of a specified period. Use this option with temporary or contract workers, for example, whose project end date and time are known.

    Screenshot showing Memberships settings - date and time.

  9. After the role is assigned, an assignment status notification is displayed.

    Screenshot showing a new assignment notification.

Assign a role with restricted scope

For certain roles, the scope of the granted permissions can be restricted to a single admin unit, service principal, or application. This procedure is an example if assigning a role that has the scope of an administrative unit. For a list of roles that support scope via administrative unit, see Assign scoped roles to an administrative unit. This feature is currently being rolled out to Microsoft Entra organizations.

  1. Sign in to the Microsoft Entra admin center as at least a Privileged Role Administrator.

  2. Browse to Identity > Roles & admins > Roles & admins.

  3. Select the User Administrator.

    Screenshot showing the Add assignment command is available when you open a role in the portal.

  4. ​Select Add assignments.

    Screenshot showing when a role supports scope, you can select a scope.

  5. On the Add assignments page, you can:

    • Select a user or group to be assigned to the role
    • Select the role scope (in this case, administrative units)
    • Select an administrative unit for the scope

For more information about creating administrative units, see Add and remove administrative units.

Assign a role using Microsoft Graph API

For more information about Microsoft Graph APIs for PIM, see Overview of role management through the privileged identity management (PIM) API.

For permissions required to use the PIM API, see Understand the Privileged Identity Management APIs.

Eligible with no end date

This example shows an HTTP request to create an eligible assignment with no end date. For details on the API commands including request samples in languages such as C# and JavaScript, see Create roleEligibilityScheduleRequests.

HTTP request

POST https://graph.microsoft.com/v1.0/roleManagement/directory/roleEligibilityScheduleRequests
Content-Type: application/json

{
    "action": "adminAssign",
    "justification": "Permanently assign the Global Reader to the auditor",
    "roleDefinitionId": "f2ef992c-3afb-46b9-b7cf-a126ee74c451",
    "directoryScopeId": "/",
    "principalId": "aaaaaaaa-bbbb-cccc-1111-222222222222",
    "scheduleInfo": {
        "startDateTime": "2022-04-10T00:00:00Z",
        "expiration": {
            "type": "noExpiration"
        }
    }
}

HTTP response

This example shows a response. The response object shown here might be shortened for readability.

HTTP/1.1 201 Created
Content-Type: application/json

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#roleManagement/directory/roleEligibilityScheduleRequests/$entity",
    "id": "42159c11-45a9-4631-97e4-b64abdd42c25",
    "status": "Provisioned",
    "createdDateTime": "2022-05-13T13:40:33.2364309Z",
    "completedDateTime": "2022-05-13T13:40:34.6270851Z",
    "approvalId": null,
    "customData": null,
    "action": "adminAssign",
    "principalId": "aaaaaaaa-bbbb-cccc-1111-222222222222",
    "roleDefinitionId": "f2ef992c-3afb-46b9-b7cf-a126ee74c451",
    "directoryScopeId": "/",
    "appScopeId": null,
    "isValidationOnly": false,
    "targetScheduleId": "42159c11-45a9-4631-97e4-b64abdd42c25",
    "justification": "Permanently assign the Global Reader to the auditor",
    "createdBy": {
        "application": null,
        "device": null,
        "user": {
            "displayName": null,
            "id": "00aa00aa-bb11-cc22-dd33-44ee44ee44ee"
        }
    },
    "scheduleInfo": {
        "startDateTime": "2022-05-13T13:40:34.6270851Z",
        "recurrence": null,
        "expiration": {
            "type": "noExpiration",
            "endDateTime": null,
            "duration": null
        }
    },
    "ticketInfo": {
        "ticketNumber": null,
        "ticketSystem": null
    }
}

Active and time-bound

The example shows an HTTP request to create a time bound active assignment. For details on the API commands including request samples in languages such as C# and JavaScript, see Create roleAssignmentScheduleRequests.

HTTP request

POST https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignmentScheduleRequests 

{
    "action": "adminAssign",
    "justification": "Assign the Exchange Recipient Administrator to the mail admin",
    "roleDefinitionId": "31392ffb-586c-42d1-9346-e59415a2cc4e",
    "directoryScopeId": "/",
    "principalId": "aaaaaaaa-bbbb-cccc-1111-222222222222",
    "scheduleInfo": {
        "startDateTime": "2022-04-10T00:00:00Z",
        "expiration": {
            "type": "afterDuration",
            "duration": "PT3H"
        }
    }
}

HTTP response

This example shows the response. The response object shown here might be shortened for readability.

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#roleManagement/directory/roleAssignmentScheduleRequests/$entity",
    "id": "ac643e37-e75c-4b42-960a-b0fc3fbdf4b3",
    "status": "Provisioned",
    "createdDateTime": "2022-05-13T14:01:48.0145711Z",
    "completedDateTime": "2022-05-13T14:01:49.8589701Z",
    "approvalId": null,
    "customData": null,
    "action": "adminAssign",
    "principalId": "aaaaaaaa-bbbb-cccc-1111-222222222222",
    "roleDefinitionId": "31392ffb-586c-42d1-9346-e59415a2cc4e",
    "directoryScopeId": "/",
    "appScopeId": null,
    "isValidationOnly": false,
    "targetScheduleId": "ac643e37-e75c-4b42-960a-b0fc3fbdf4b3",
    "justification": "Assign the Exchange Recipient Administrator to the mail admin",
    "createdBy": {
        "application": null,
        "device": null,
        "user": {
            "displayName": null,
            "id": "00aa00aa-bb11-cc22-dd33-44ee44ee44ee"
        }
    },
    "scheduleInfo": {
        "startDateTime": "2022-05-13T14:01:49.8589701Z",
        "recurrence": null,
        "expiration": {
            "type": "afterDuration",
            "endDateTime": null,
            "duration": "PT3H"
        }
    },
    "ticketInfo": {
        "ticketNumber": null,
        "ticketSystem": null
    }
}

Update or remove an existing role assignment

Follow these steps to update or remove an existing role assignment. Microsoft Entra ID P2 or Microsoft Entra ID Governance licensed customers only: Don't assign a group as Active to a role through both Microsoft Entra ID and Privileged Identity Management (PIM). For a detailed explanation, see Known issues.

  1. Sign in to the Microsoft Entra admin center as at least a Privileged Role Administrator.

  2. Browse to Identity governance > Privileged Identity Management > Microsoft Entra roles.

  3. Select Roles to see the list of roles for Microsoft Entra ID.

  4. Select the role that you want to update or remove.

  5. Find the role assignment on the Eligible roles or Active roles tabs.

    Screenshot showing how to update or remove role assignment.

  6. Select Update or Remove to update or remove the role assignment.

Remove eligible assignment via Microsoft Graph API

This example shows an HTTP request to revoke an eligible assignment to a role from a principal. For details on the API commands including request samples in languages such as C# and JavaScript, see Create roleEligibilityScheduleRequests.

Request

POST https://graph.microsoft.com/v1.0/roleManagement/directory/roleEligibilityScheduleRequests 

{ 
    "action": "AdminRemove", 
    "justification": "abcde", 
    "directoryScopeId": "/", 
    "principalId": "aaaaaaaa-bbbb-cccc-1111-222222222222", 
    "roleDefinitionId": "88d8e3e3-8f55-4a1e-953a-9b9898b8876b" 
} 

Response

{ 
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#roleManagement/directory/roleEligibilityScheduleRequests/$entity", 
    "id": "fc7bb2ca-b505-4ca7-ad2a-576d152633de", 
    "status": "Revoked", 
    "createdDateTime": "2021-07-15T20:23:23.85453Z", 
    "completedDateTime": null, 
    "approvalId": null, 
    "customData": null, 
    "action": "AdminRemove", 
    "principalId": "aaaaaaaa-bbbb-cccc-1111-222222222222", 
    "roleDefinitionId": "88d8e3e3-8f55-4a1e-953a-9b9898b8876b", 
    "directoryScopeId": "/", 
    "appScopeId": null, 
    "isValidationOnly": false, 
    "targetScheduleId": null, 
    "justification": "test", 
    "scheduleInfo": null, 
    "createdBy": { 
        "application": null, 
        "device": null, 
        "user": { 
            "displayName": null, 
            "id": "5d851eeb-b593-4d43-a78d-c8bd2f5144d2" 
        } 
    }, 
    "ticketInfo": { 
        "ticketNumber": null, 
        "ticketSystem": null 
    } 
} 

Next steps