Exploring Microsoft Entra ID Privileged Identity Management (PIM) Part-3/3 (Groups & Access Review)

In this final part of our series on Microsoft Entra ID Privileged Identity Management (PIM), we'll delve into how to set up just-in-time access for the member and owner roles of a Microsoft Entra security group using PIM for Groups. This feature not only offers an alternative method for configuring PIM for Microsoft Entra roles and Azure roles but also extends PIM capabilities to other Microsoft online services like Intune, Azure Key Vaults, and Azure Information Protection.

When a group is configured for app provisioning, activating a group membership triggers the provisioning process. This means that both the group membership and the user account (if it hasn't been provisioned already) are provisioned to the application using the System for Cross-Domain Identity Management (SCIM) protocol.

We've previously discussed PIM Microsoft Entra role-assignable groups in Part 1 of this series,

Assigning Roles to Users and Groups

You can assign the following entities to roles or groups within PIM:

Users: Grant just-in-time access to Microsoft Entra roles, Azure roles, and PIM for Groups directly to individual users.
Groups: Allow all members of a group to obtain just-in-time access to Microsoft Entra roles and Azure roles.

For Microsoft Entra roles, the group must be a newly created cloud group marked as assignable to a role.
For Azure roles, you can use any Microsoft Entra security group.
Recommendation: It's not advisable to assign or nest a group within a PIM for Groups to avoid complexity and potential security risks.

Note: Service principals cannot be assigned as eligible for Microsoft Entra roles, Azure roles, or PIM for Groups. However, you can grant them a time-limited active assignment to all three.

Configuring PIM for Groups

To prepare Microsoft Entra ID Privileged Identity Management (PIM) to manage Groups effectively, follow these essential steps.

Identifying the Groups

Users often have multiple eligible assignments—sometimes five or six—to Microsoft Entra roles through PIM. Activating each role individually can be time-consuming and hamper productivity. The situation becomes even more complex when users have tens or hundreds of Azure resource assignments.
To streamline access management, consider utilizing PIM for Groups. By creating a PIM-enabled group and granting it permanent active access to multiple roles, users can activate a single group membership instead of multiple individual roles. This approach simplifies the activation process and enhances efficiency. 

To manage a Microsoft Entra role-assignable group as a PIM for Groups, you need to bring the group under PIM management.

Important Considerations

• Any Microsoft Entra security group or Microsoft 365 group (excluding dynamic groups and on-premises synced groups) can be enabled for PIM for Groups.
• Groups do not need to be role-assignable for PIM activation, but role-assignable groups provide enhanced security.

Creating a Role-Assignable Group for Testing

In Microsoft Entra ID, you can assign a Microsoft Entra security group or a Microsoft 365 group to a Microsoft Entra role, but this is only possible for groups that were created as role-assignable.

To begin, open the Entra Portal, navigate to the Groups section, and click on New Group to create a role-assignable group for testing purposes.

In the New Group creation window, you can specify the following:

• Group Type: Select the appropriate group type.
• Group Name: Enter a name for the group.
• Group Description: Provide a brief description of the group.
• Microsoft Entra roles can be assigned to the group: Choose Yes.
• Roles: For our testing, select the following roles: Helpdesk Administrator, Password Administrator, and User Administrator.

After the group is provisioned, we'll add the owners and members through PIM (Privileged Identity Management).

Note: Role-assignable groups offer additional protections compared to non-role-assignable groups:

• Role-assignable groups: Only Global Administrators, Privileged Role Administrators, or the group Owner can manage these groups. Additionally, no other users can modify the credentials of active members within the group. This ensures that administrators cannot elevate to higher privileged roles without following the proper request and approval process.
• Non-role-assignable groups: These groups can be managed by a wider range of Microsoft Entra roles, including Exchange Administrators, Groups Administrators, User Administrators, and more. Likewise, various roles such as Authentication Administrators, Helpdesk Administrators, and User Administrators can modify the credentials of active members in the group.

Note: When creating a group that can be assigned Microsoft Entra roles, this setting is permanent and cannot be modified later. You will need to acknowledge this warning and proceed during the group creation process.

After the group has been created, navigate to PIM and select Groups. From there, discover and add the newly created group to manage its membership and ownership through Privileged Identity Management (PIM).

Select Discover Groups and choose our recently created Group named Helpdesk Admin-Group and then select Manage Groups. Only supported Group types can be selected for PIM management.

Once the selected group is added to PIM, you'll notice that the Members and Owners fields will appear empty, as no members or owners have been added yet.

Note: Once a group is brought under management, it cannot be removed from PIM management. This ensures that another administrator cannot override or remove the PIM settings. If the group is deleted from Microsoft Entra ID, it may take up to 24 hours for it to be fully removed from the PIM for Groups feature.

Configuring Role Settings in PIM for Groups

In Microsoft Entra ID's Privileged Identity Management (PIM) for groups, role settings define the properties for membership or ownership assignments. These properties include multi-factor authentication (MFA) requirements, approval processes for activation, maximum duration of assignments, and notification settings. This guide will show you how to configure these role settings and set up approval workflows to specify who can approve or deny requests to elevate privileges.

Required Permissions

To manage these settings, you need appropriate group management permissions:

Role-Assignable Groups: You must have at least the Privileged Role Administrator role or be an owner of the group.

Non-Role Assignable Groups: You must have at least one of the following roles or be an owner of the group:

• Directory Writer
• Groups Administrator
• Identity Governance Administrator
• User Administrator

Note: Role assignments for administrators should be scoped at the directory level, not at the administrative unit level. Other roles with permissions to manage groups—such as Exchange Administrators for non-role-assignable Microsoft 365 groups—and administrators with assignments scoped at the administrative unit level can manage groups through the Groups API/User Experience (UX). They may override changes made in Microsoft Entra Privileged Identity Management.

Role Settings

Per Role Per Group: Role settings are defined individually for each role within each group. This means all assignments for the same role (member or owner) within the same group will follow the same role settings.
Independence Between Groups and Roles: Role settings for one group are independent of those for another group. Similarly, role settings for one role (e.g., member) are independent of the settings for another role (e.g., owner) within the same group.
By configuring these role settings thoughtfully, you can ensure that membership and ownership assignments within your organization meet your security and compliance requirements. This includes setting up approval workflows to control who can approve or deny privilege elevation requests, thereby enhancing the overall governance of your Microsoft Entra environment.

After identifying the groups you plan to protect with PIM, the next step is to draft and configure the appropriate settings for each group.

To configure role settings for a group, sign in to the Microsoft Entra Admin Center and navigate to Identity Governance, then Privileged Identity Management, and select Groups. 

Choose the group for which you want to configure role settings, then click on Settings. From there, select the role you wish to configure, either Member or Owner.

we will use this below reference as an example for configuring the Owner and Member settings.

Role	Require Justification on Activation	Notification	Require Conditional Access	Require Approval	Approver	Activation Duration	Active Admin	Active Expiration	Eligible Expiration
Owner	✔️	✔️	✔️	✔️	Other owners of the resource	2 Hour	None	N/A	6 Months
Member	✔️	✔️	✔️	❌	None	4 Hours	None	N/A	3 Months

                                          Table-1

Now We'll start by configuring the Owner settings. Select Owner settings and proceed to edit the configurations.

In the Activation Settings, based on the example Table1 above, we are configuring the following:

• Activation Maximum Duration: Set to 2 hours.
• Conditional Access: During activation, Microsoft Entra Conditional Access authentication context will be triggered, requiring Passwordless MFA and acceptance of the Terms of Use.
• Justification Requirement: Users must provide a business justification when activating their eligible assignment.
• Approval Requirement: Approval is required to activate the eligible Owner assignments.

Note: The approver does not need to be a member or owner of the group. When using this option, you must select at least one approver, though we recommend choosing at least two. There are no default approvers.

In the Assignments Settings, we will configure eligible assignments to expire after 6 months. Additionally, we will allow permanent active assignments and require the following:

• Multi-factor authentication (MFA) for active assignments.
• Justification for active assignments, requiring users to provide a reason when activating an assignment.

On the Notifications tab on the Privileged Identity Management enables granular control over who receives notifications and which notifications they receive.

Below screenshot show the available options

Once done select the Update button to save the Settings.

Now Lets update the Member Assignment settings as per the Table-1 above

Group Member Activation settings as follows

Note: For groups used for elevating into Microsoft Entra roles, Microsoft recommends that you require an approval process for eligible member assignments. Assignments that can be activated without approval can leave you vulnerable to a security risk from another administrator with permission to reset an eligible user's passwords.

Group Member Assignment settings as follows

Lastly, for the Notification Settings, we will leave them as the default. Select the Update option to save the changes.

After updating the Owner and Member assignment settings for the group, the status will appear as shown in the screenshot below.

Assigning an Owner or Member to a Group

To make a user an eligible member or owner of a group, follow these steps. You'll need the appropriate permissions to manage groups:

• For role-assignable groups, you must have at least the Privileged Role Administrator role or be the Owner of the group.
• For non-role-assignable groups, you need to have at least one of the following roles: Directory Writer, Groups Administrator, Identity Governance Administrator, User Administrator, or be the Owner of the group.

Additionally, role assignments for administrators should be scoped at the directory level and not at the administrative unit level.

Note: Other roles with group management permissions, such as Exchange Administrators for non-role-assignable Microsoft 365 groups, and administrators with assignments scoped at the administrative unit level, can manage groups through the Groups API/UX and may override changes made in Microsoft Entra PIM.

To assign an owner or member to a group:

Open the Entra Admin Center. Navigate to Identity Governance > Privileged Identity Management > Groups.

In this section, you can view groups that are already enabled for PIM for Groups Select the group you wish to manage. 

Click on Assignments to proceed with assigning an owner or member.

Click on Add Assignments. Start by adding the Owner assignments, followed by adding the Member assignments.

We will add the Owner assignments as demonstrated in the screenshot below.

Click Next to choose the Assignment Type and Duration. As shown in the screenshot below, we have a maximum of 6 months allowed, but for this test, we are selecting only a few days.

Choose Assign to Add the Owner to the selected Group

In a similar manner, let's proceed to add the Member to the group.

For the Member assignment, we selected the assignment type as eligible, and for the activation duration, we chose the maximum allowed, which is 3 months. Choose Assign to save the Member assignments

You can view both assignments under the Eligible Assignments tab within the group.

In the Group Roles tab, you can see the total number of assignments for both the Owner and Member roles.

Group Role Activation 

You can use Privileged Identity Management (PIM) in Microsoft Entra ID to enable just-in-time membership or ownership of a group. When a group membership or ownership is activated, Microsoft Entra PIM temporarily assigns the user as a member or owner, creating an active assignment within seconds. Similarly, when deactivation occurs (either manually or through the expiration of the activation time), Microsoft Entra PIM removes the user's membership or ownership just as quickly.

Some applications provide access based on group membership. In certain cases, the application may not immediately reflect changes in group membership. For example, if the application previously cached that the user was not a member of the group, access might be denied when the user tries to log in again. Conversely, if the application cached that the user was a member of the group, they may still have access after group membership is deactivated. This behavior depends on the specific architecture of the application. In some cases, signing out and signing back in can help update the access changes.

When you need to activate group membership or ownership, you can request it by using the My roles option in PIM.

Owner Role Activation

Now we are going to activate the Group Owner Role 

Log in as the user who has been assigned as the owner of the group. Open the Azure portal, search for Privileged Identity Management, and then navigate to My roles.

Next, select Groups, where you will find the Group Owner role listed under Eligible Assignments. Choose Activate button near to the Owner Role Action.

An Additional Verification banner will appear for the Owner role activation because we have enabled Microsoft Entra Conditional Access authentication context in role settings. Click Continue to proceed.

The user will need to sign in using the Passwordless option. Since the user has already accepted the Terms of Use during previous Azure role testing, the Terms of Use document will not be displayed again.

After successful authentication, the user will be redirected to the Entra PIM Role Activation page, where they will need to select the activation duration, provide a justification, and click Activate to complete the process.

Since the Owner role activation requires approval, the designated approver will receive an email notification. The approver can also view this request in the Pending Requests tab within PIM.

To approve the request, the approver needs to navigate to the Approve Requests tab in the PIM console. 

The approver has the option to either Approve or Deny the request as needed.

Click Approve, and in the dialog box that appears, review the request, enter a justification, and then confirm the approval.

After approval, the Owner role activation status will be visible under the Active Assignments tab.

Once the Owner role is activated, the Owner user can modify the group settings as needed.

Member Role Activation

Now, let's proceed with activating the Member role and review the results.

Log in as the user who has been assigned as the Member of the group. Open the Azure portal, search for Privileged Identity Management, and then navigate to My roles

Next, select Groups, where you will find the Group Member role listed under Eligible Assignments. Choose Activate button near to the Member Role Action for the Required Group.

After clicking the Activate button, An Additional Verification banner will appear for the Member role activation because we have enabled Microsoft Entra Conditional Access authentication context in Role Settings. Click Continue to proceed.

Once Additional verification is completed, you will be prompted to select the activation duration and provide a justification for the activation.

Since approval is not enabled for this Member role activation, the user's role will be activated immediately without the need for approval.

The Member role is now activated for the user, and you can verify this by checking the Active Assignments tab.

When reviewing the user's assigned roles, you'll notice that the Entra ID roles assigned to the group have become active for the user as soon as they activated their group membership.

Note: When you activate a role in Privileged Identity Management, the activation may not immediately propagate across all portals that require the privileged role. In some cases, even if the change has been applied, web caching in a portal may cause a delay in the change taking effect.

Extending or Renewing PIM for Groups Assignments

Privileged Identity Management (PIM) in Microsoft Entra ID allows administrators to manage the lifecycle of group memberships and ownerships by setting start and end dates. As assignments near their end, PIM sends email notifications to affected users, groups, and resource administrators. Expired assignments remain visible for 30 days.

Users or groups with permissions can request to extend or renew time-bound assignments. Role-assignable groups are managed by the Privileged Role Administrator or Owner, while non-role-assignable groups can be managed by roles like Directory Writer or Groups Administrator. Role assignments must be scoped at the directory level.

PIM sends notifications:

• 14 days before expiration
• 1 day before expiration
• Upon expiration

The Extend option becomes available within 14 days of the assignment's end. Administrators are notified when extension or renewal requests are made and when decisions are finalized.

In the screenshot below, the Role Extend option is grade out because the assignment has not yet reached the grace period mentioned above.

Access Review for Azure Resources and Microsoft Entra Roles in PIM

To manage changing access needs, regularly review privileged Azure resources and Microsoft Entra roles using Microsoft Entra Privileged Identity Management (PIM). You can also set up recurring reviews.

• Azure resources: Requires Owner or User Access Administrator role.
• Microsoft Entra roles: Requires at least Privileged Role Administrator role.
• Service Principals: Requires a Microsoft Entra Workload ID Premium plan, along with a Microsoft Entra ID P2, Entra Suite, or Governance license.

Note: Access reviews capture a snapshot at the start of each cycle, with changes reflected in the next review.

Create Access Review

Sign in to the Microsoft Entra admin center as a user assigned to one of the required roles mentioned above.

Navigate to Identity Governance > Privileged Identity Management.

For reviewing Microsoft Entra roles, select Microsoft Entra roles, and for Azure resources, select Azure resources then Select the Azure Subscription

Microsoft Entra Roles & Azure Resource Access Review

We will perform the access review for Microsoft Entra roles, as the steps are the same for configuring an Access Review for Azure Resource. To begin, navigate to Microsoft Entra roles in PIM, then under the Manage section, select Access Reviews.

Click New to create a new access review.

Give the access review a name and, optionally, add a description. Both the name and description will be visible to the reviewers.

Set the Start date for the access review. By default, the review will begin as soon as it's created, run once, and end in one month. You can adjust the start and end dates to begin the review in the future and specify how long it should last.

To make the review recurring, change the Frequency setting from One time to options like Weekly, Monthly, Quarterly, Annually, or Semi-annually. Use the Duration slider or text box to set how long each review in the series will remain open for input. For example, a monthly review can have a maximum duration of 27 days to prevent overlaps.

Under the End setting, choose how the recurring series will conclude: it can run indefinitely, end on a specific date, or stop after a set number of occurrences. You or another administrator can stop the series anytime by updating the end date in the Settings.

In the Users Scope section, choose the scope for the review.

• For Microsoft Entra roles, the first option is Users and Groups, which includes directly assigned users and role-assignable groups.
• For Azure resource roles, the first option is Users, where groups assigned to Azure roles will be expanded to show all transitive user assignments in the review.

You can also select Service Principals to include machine accounts that have direct access to either the Azure resource or Microsoft Entra role in the review.

Alternatively, you can create access reviews specifically for inactive users. In the Users Scope section, set the Inactive users (on tenant level) only toggle to true. When enabled, the review will focus solely on inactive users. You can then specify the Days inactive, with a maximum of 730 days (two years). Only users who have been inactive for the specified number of days will be included in the review.

In the Review role membership section, select the privileged Azure resource or Microsoft Entra roles you want to review.

Note: Selecting more than one role will result in the creation of multiple access reviews. For instance, selecting five roles will generate five individual access reviews.

In the Assignment type section, you can scope the review based on how the principal was assigned to the role.

• Select Eligible assignments only to review assignments that are eligible, regardless of activation status at the time of the review.
• Choose Active assignments only to focus on reviewing currently active assignments.
• Select All active and eligible assignments to include both types of assignments in the review.

In the Reviewers section, you can select one or more individuals to review all users or have users review their own access.

• Selected users: Choose specific individuals to complete the review. This option is available regardless of the scope and allows the reviewers to assess users, groups, and service principals.
• Members (self): Select this option for users to review their own role assignments. This is only available when the review is scoped to Users and Groups or Users. For Microsoft Entra roles, role-assignable groups are excluded from the review when this option is selected.
• Manager: Choose this option to have the user’s manager review their role assignment. This is also only available when the review is scoped to Users and Groups or Users. You can also specify a fallback reviewer, who will step in when a user has no manager listed in the directory. For Microsoft Entra roles, role-assignable groups will be reviewed by the fallback reviewer if one is chosen.

To define what happens after a review is completed, expand the Upon completion settings section.

• If you want to automatically remove access for users who were denied, set Auto apply results to resource to Enable. If you prefer to manually apply the results after the review, set this option to Disable.
• Use the If reviewers don’t respond option to decide what happens to users who were not reviewed by the end of the review period. This will not affect users who were reviewed.

Options include:

• No change: Leave the user's access as is.
• Remove access: Revoke the user's access.
• Approve access: Grant the user's access.
• Take recommendations: Follow the system's recommendation on whether to approve or deny the user's continued access.

You can send notifications to additional users or groups to keep them informed of the review’s progress and completion. This feature allows stakeholders, beyond the review creator, to stay updated. To enable this, select Select User(s) or Group(s) and add the users or groups you want to receive the review status updates.

To configure additional options, expand the Advanced settings section.

• Set Show recommendations to Enable to display system recommendations to reviewers, based on the user’s access activity over the past 30 days. Users who have signed in within the last 30 days will have a recommendation to approve access, while users who haven’t will have a denial recommendation. This is based on both interactive and non-interactive sign-ins, with the last sign-in date also shown.
• Enable Require reason on approval to prompt reviewers to provide a justification when approving access.
• Turn on Mail notifications to have Microsoft Entra ID send emails to reviewers when the access review starts and to administrators when the review is completed.

The email notification will appear as follows:

Entra ID Access review recommendation email notification 

• Enable Reminders to send reminders to reviewers who have not yet completed their review.

The content of emails sent to reviewers is automatically generated, including details like the review name, resource name, and due date. If you need to provide additional instructions or contact information, use the Additional content for reviewer email field to include this information in both invitation and reminder emails. 

Once all the settings are configured, click the Start button to initiate the access review.

Since we selected 4 Entra roles, 4 separate access reviews have been created and are now displayed in the Access Reviews section.

Managing the Access Review

You can monitor the progress of the review on the Overview page as reviewers complete their tasks. No access rights will be altered in the directory until the review is fully completed. Below is an example screenshot of the overview page for Microsoft Entra roles access reviews.

To manage a series of access reviews, navigate to the specific review where you'll find upcoming occurrences under Scheduled Reviews. Currently no Schedules available as per below screenshot 

You can adjust the end date or add/remove reviewers as needed.

Based on your selections in the Upon completion settings, auto-apply will either execute after the review's end date or when you manually stop the review. The status will update from Completed through stages like Applying, and finally to Applied. Denied users, if any, will be removed from their roles within a few minutes.

Note: 1. For Microsoft Entra roles Role-assignable groups can be assigned directly to the role. When an access review is created for a Microsoft Entra role with role-assignable groups, the group name appears in the review, but the group membership is not expanded. The reviewer can approve or deny access for the entire group. If the group is denied, it will lose its assignment to the role when the review results are applied.

        2. For Azure resource roles, any security group can be assigned to the role. When an access review is created for an Azure resource role with a security group assigned, all users within the group are fully expanded and displayed to the reviewer. If a reviewer denies access to a user assigned via the security group, the user will not be removed from the group because the group may be used for other Azure or non-Azure resources. Therefore, any changes to denied access must be handled by the administrator.        

        3. A security group may have other groups nested within it. In this case, only users directly assigned to the security group will appear in the role's access review.

Updating the Access Review

Once one or more access reviews have been started, you may need to modify or update their settings. Here are some common scenarios to consider:

• Adding or removing reviewers: You can add a fallback reviewer in addition to the primary reviewer when updating access reviews. Primary reviewers can be removed, but fallback reviewers cannot be removed by design.
• Note: Fallback reviewers can only be added when the reviewer type is set to Manager, while primary reviewers can be added when the reviewer type is Selected User.
• Reminding reviewers: You can enable the reminder option in Advanced Settings. When this is activated, reviewers will receive an email notification at the midpoint of the review period, regardless of whether they have completed their review.

• Updating settings: For recurring access reviews, settings are split between Current and Series. Changes made under Current will only apply to the current review, while changes under Series will apply to all future occurrences of the review.

Access Review of Azure Resource and Microsoft Entra Roles in PIM

If you're assigned an administrative role, your organization's Privileged Role Administrator may request you to periodically confirm that you still require that role for your job. You may receive an email with a link to the review, or you can start directly by visiting the Microsoft Entra admin center.

If you're at least a Privileged Role Administrator and want to perform access reviews, follow these steps to get started:

Sign in to the Microsoft Entra admin center.
Navigate to Identity Governance > Privileged Identity Management (PIM).
Select Review Access 

Select either Microsoft Entra roles or Azure resources for the access review. In our case, we will review the Entra ID Roles access review that we created earlier.

If you have any pending access reviews, they will appear on the Access Reviews page. Select the review you want to complete.

Choose either Approve or Deny, and in the Provide a reason box, enter a business justification for your decision if required.

In our case, we are Denying the access. Select Deny, and provide a business justification.

After denying access, the Access Review Overview page will reflect the updated status, showing the denied users and the current progress of the review.

On the Results page, you have the option to stop the access review or reset the completed review, preventing any actions from being applied at the end of the review.

You can also view the outcome of the access review, whether it was Approved or Denied, as well as details on who reviewed the access. Additionally, you can download a summary of the completed review, including the review results.

On the Details page, the following options are available for managing access reviews of Azure resources and Microsoft Entra roles:

Here is an example of a One-time access review that we recently completed

• Stop an access review: While all access reviews have an end date, you can end a review early by selecting the Stop button. This option is only available when the review is active. Once stopped, a review cannot be restarted.
• Reset an access review: If the review is active and at least one decision has been made, you can reset the review by selecting the Reset button. This clears all decisions, marking all users as "not reviewed" again.
• Apply an access review: After the review is completed (either by reaching the end date or stopping it manually), the Apply button removes denied users' access to the role. If the Auto apply setting was enabled during review creation, this button will be disabled since the review will be applied automatically.
• Delete an access review: If you no longer need the review, you can remove it by selecting the Delete button. Be cautious, as this action is irreversible, and no confirmation will be required before deletion.

Important: Ensure you are certain about deleting the review, as there will be no prompt to confirm this action.

Here is an example of a completed access review where the result was access removed for the denied users.

Conclusion

In this final part of our Exploring Microsoft Entra ID Privileged Identity Management (PIM) series, we’ve discussed how to manage Groups and conduct Access Reviews. By enabling just-in-time access and regularly reviewing role assignments, PIM helps reduce the risk of over-privileged users and strengthens your organization’s security. Leveraging PIM’s features like role-assignable groups and automated reviews ensures better control over access to critical resources.

This concludes our series on Microsoft Entra ID PIM, providing essential tools for enhancing security and compliance.