AAD administrative roles have only been directly assignable to users. They could not be assigned via AAD groups.
Now there is a "Privileged access groups (Preview)" pane in PIM, but I can't find any way to enable a role assignable group in the Azure AD group management. Consequently, the list of available AAD groups in PIM is empty. Where can I find this AAD group configuration?
I do find isAssignableToRole as a group property on GET in the Graph API, but PATCH does not work. It looks like an existing AAD group cannot have this flag raised.
The property isAssignableToRole is not available in the Graph API doc.
I am able to create a new AAD security enabled group with the isAssignableToRole flag raised using the Graph API, but the group is still not available in PIM "Privileged access groups (Preview)".

POST https://graph.microsoft.com/v1.0/groups
{
    "description": "A test for role assignable groups",
    "displayName": "Test role assignable groups",
    "securityEnabled": true,
    "isAssignableToRole": true,
    "mailEnabled": false,
    "mailNickname": "test-role-assignment2"
}
Has Microsoft released a partially implemented feature here? If so, does anyone have an ETA on when it will be ready? I found this feature request flagged by Microsoft as started: https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/20227804-enable-pim-role-assignment-by-group-membership#{toggle_previous_statuses}
The option to enable assigned AAD roles is not available when creating a new group in the portal:
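The behaviour the question describes, as an added example that is not the question author's code and not Microsoft's: isAssignableToRole is accepted on POST but cannot be raised on an existing group. The script below wraps that rule in request-builder helpers and adds the inventory check an administrator wants afterwards (which groups in the tenant can hold role assignments at all). Graph itself is replaced by an in-memory stand-in (FakeGraph, constructed here) so the code runs offline; the create-only rule it enforces is taken from the question's observation, and the sample group data is constructed.

```python
"""Added example: build Graph /groups requests that respect the create-only
isAssignableToRole flag, and inventory role-assignable groups. Offline stub."""

GRAPH_GROUPS_URL = "https://graph.microsoft.com/v1.0/groups"  # endpoint from the question


class ImmutablePropertyError(ValueError):
    """Raised when a PATCH body tries to change a create-only property."""


def build_create_payload(display_name, mail_nickname, description="", role_assignable=False):
    """POST body for a security group, mirroring the body in the question."""
    payload = {
        "description": description,
        "displayName": display_name,
        "securityEnabled": True,
        "mailEnabled": False,
        "mailNickname": mail_nickname,
    }
    if role_assignable:
        # The flag is only honoured at creation time, so it goes in the POST body.
        payload["isAssignableToRole"] = True
    return payload


def build_patch_payload(existing, changes):
    """PATCH body for an existing group; refuse to flip isAssignableToRole.

    Raising the flag on an existing group does not work (the question's
    observation), so a request that tries it is rejected before it is sent.
    """
    current = existing.get("isAssignableToRole", False)
    if "isAssignableToRole" in changes and changes["isAssignableToRole"] != current:
        raise ImmutablePropertyError(
            "isAssignableToRole is create-only; create a new role-assignable group instead"
        )
    return {k: v for k, v in changes.items() if k != "isAssignableToRole"}


class FakeGraph:
    """Minimal in-memory stand-in for the Graph /groups endpoint (constructed)."""

    def __init__(self):
        self.groups = {}
        self._next_id = 1

    def post(self, payload):
        group = dict(payload, id=f"group-{self._next_id}")  # constructed ids
        self._next_id += 1
        group.setdefault("isAssignableToRole", False)  # GET returns the property explicitly
        self.groups[group["id"]] = group
        return group

    def patch(self, group_id, payload):
        self.groups[group_id].update(payload)
        return self.groups[group_id]

    def list(self):
        return list(self.groups.values())


def role_assignable_groups(groups):
    """Names of groups that can hold AAD role assignments; these deserve PIM controls."""
    return sorted(g["displayName"] for g in groups if g.get("isAssignableToRole"))


def demo():
    """Create a plain group and a role-assignable one, then try to convert the plain one."""
    graph = FakeGraph()
    plain = graph.post(build_create_payload("Helpdesk", "helpdesk"))
    graph.post(build_create_payload(
        "Test role assignable groups", "test-role-assignment2",
        "A test for role assignable groups", role_assignable=True))
    try:
        build_patch_payload(plain, {"isAssignableToRole": True})
        rejected = False
    except ImmutablePropertyError:
        rejected = True
    # A PATCH that leaves the flag untouched is fine; the key is simply dropped.
    graph.patch(plain["id"], build_patch_payload(
        plain, {"description": "renamed", "isAssignableToRole": False}))
    return rejected, role_assignable_groups(graph.list())


if __name__ == "__main__":
    print(demo())  # (True, ['Test role assignable groups'])
```

Against a real tenant the FakeGraph calls would become authenticated HTTP requests to GRAPH_GROUPS_URL; the builder functions are unchanged. The inventory function is the part worth keeping: role-assignable groups are a privilege boundary, and listing them regularly shows whether any were created outside the intended process.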