
I am trying to understand how to do this: https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/azure-ad-roles-features#new-role-settings

Now, you can configure whether an individual user needs to perform multi-factor authentication before they can activate a role. Also, you can have advanced control over your Privileged Identity Management emails related to specific roles.

My customer works with external partners who need specific role membership. They want to ensure these external people can only activate their roles when approved. Approval, however, is not required for internal role members. The above looks to allow different config per user. However, I see no option to configure this. (I could use custom roles, but it looks like this has an in-box solution.)


1 Answer


In your scenario, create two separate groups for internal and external users.

For external members: go to Privileged Identity Management,

  1. Select the specific role.
  2. Add External_Member_Group.
  3. Select "Eligible" as the assignment type from the drop-down.
  4. Save.
  5. Go to Role settings.
  6. Add "Require MFA" and "Require approval to activate" based on your requirement.

For internal members: again, go to Privileged Identity Management,

  1. Select the specific role.
  2. Add Internal_Member_Group.
  3. Select "Active" as the assignment type (an active assignment wouldn't require approval to activate).
  4. Save.

Now add internal and external users to these groups respectively; users' roles will be activated based on these groups.
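The same split expressed as Microsoft Graph v1.0 PIM request bodies, added here as an example and not part of the answer above (the answer uses the portal). It assumes the Graph `roleManagement` and `roleManagementPolicies` endpoints, that both groups were created as role-assignable, and that the caller supplies the real group, role-definition and policy ids; the ids below are placeholders.

```python
from datetime import datetime, timezone

ROLE_MGMT = "/roleManagement/directory"  # assumed: Microsoft Graph v1.0 PIM endpoints


def assignment_request(group_id, role_id, eligible, days=365):
    """adminAssign body. Eligible (external group): time-bound, every use is an
    activation that the role settings can gate with approval and MFA.
    Active (internal group): standing assignment, so no activation and no approval."""
    expiration = ({"type": "afterDuration", "duration": f"P{days}D"} if eligible
                  else {"type": "noExpiration"})
    return {
        "action": "adminAssign",
        "principalId": group_id,
        "roleDefinitionId": role_id,
        "directoryScopeId": "/",  # tenant-wide scope
        "justification": "external partners: eligible" if eligible else "internal: active",
        "scheduleInfo": {"startDateTime": datetime.now(timezone.utc).isoformat(),
                         "expiration": expiration},
    }


def approval_rule(approver_group_id):
    """Role-settings rule 'Approval_EndUser_Assignment', PATCHed onto the role's policy:
    every activation needs sign-off from a member of approver_group_id."""
    return {
        "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule",
        "id": "Approval_EndUser_Assignment",
        "setting": {
            "isApprovalRequired": True,
            "approvalMode": "SingleStage",
            "approvalStages": [{
                "approvalStageTimeOutInDays": 1,
                "isApproverJustificationRequired": True,
                "escalationTimeInMinutes": 0,
                "primaryApprovers": [{"@odata.type": "#microsoft.graph.groupMembers",
                                      "groupId": approver_group_id}],
            }],
        },
    }


def plan(external_gid, internal_gid, role_id, policy_id, approver_gid):
    """Ordered (method, path, body) Graph calls. policy_id is the role's policy, found via
    GET /policies/roleManagementPolicyAssignments filtered on roleDefinitionId and scopeId '/'."""
    return [
        ("PATCH", f"/policies/roleManagementPolicies/{policy_id}/rules/Approval_EndUser_Assignment",
         approval_rule(approver_gid)),
        ("POST", f"{ROLE_MGMT}/roleEligibilityScheduleRequests",
         assignment_request(external_gid, role_id, eligible=True)),
        ("POST", f"{ROLE_MGMT}/roleAssignmentScheduleRequests",
         assignment_request(internal_gid, role_id, eligible=False)),
    ]
```

Each tuple is sent to `https://graph.microsoft.com/v1.0` with a bearer token that holds `RoleManagement.ReadWrite.Directory` (and `RoleManagementPolicy.ReadWrite.Directory` for the PATCH); because role settings are per role, not per principal, the approval rule applies to every activation of that role, which is why internal members get an active assignment instead.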