1
votes

I'm new to Azure AD and trying to create an access package.

My requirement is to create a group first, then elevate that group for PIM, then create an access package, and then assign groups to scope.

I'm not sure if there is any setting that needs to be enabled for PIM elevation during group creation. Please let me know. I searched on the net but didn't find appropriate steps. A screenshot or step-by-step guide would help.

Edit: Particularly, for "assign groups to scope":

I think this (assign groups to scope) can be done from the subscription -> Access control (IAM) -> "Role assignments", where my scope is showing "This resource" whereas it should be a resource group name. Am I missing anything here?

Thanks

2
Hello @AskMe, what you have edited is for assigning scope to Azure resources, not for Azure AD groups. (RahulKumarShaw-MT)
Hi @RahulKumarShaw-MT - If my edit is "assign scope to Azure resources", what are the correct steps to do it? I guess I have very little knowledge. Please let me know. Thanks. (AskMe)
Hello @AskMe, I added an answer for your edit. (RahulKumarShaw-MT)
Hello @AskMe, if my answer is helpful for you, you can accept it as the answer (click on the check mark beside the answer to toggle it from greyed out to filled in). This can be beneficial to other community members. Thank you. (RahulKumarShaw-MT)

2 Answers

1
votes

To elevate that group for PIM and create an access package you should have an Azure AD Premium P2 license.

Please refer to this Microsoft document for PIM and Access Packages.

Once you have the above license you can follow this document for PIM for a group.

Edit--

"I think this (assign groups to scope) can be done from the subscription -> Access control (IAM) -> "Role assignments", where my scope is showing "This resource" whereas it should be a resource group name. Am I missing anything here?"

If you are assigning the group to a scope at subscription level, then when you go to IAM -> Role assignments on the subscription it will show you "This resource" only, and if you go to your resource it will show "Subscription (Inherited)".

Likewise, if you are assigning a scope at resource group level, then when you go to the resource group -> Role assignments it will show "This resource", and if you check inside the resources present in your resource group it will be "Resource group (Inherited)".
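The inheritance rule the answer above describes can be made concrete: an Azure RBAC role assignment applies at the scope it was created on and at every scope underneath it, and the portal's IAM blade labels it "This resource" at the first and "<level> (Inherited)" at the rest. The following Python model is an added example, not code from the original post or from Microsoft; the subscription id, resource group names, VM name and the two assignments are constructed sample data, and the scope hierarchy is limited to subscription, resource group and resource (management groups are left out).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RoleAssignment:
    principal: str  # user or group the role is granted to
    role: str       # built-in or custom role name
    scope: str      # ARM resource id the assignment was created at


# Constructed sample scopes (hypothetical ids and names).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-app"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm-app-01"
OTHER_RG = SUB + "/resourceGroups/rg-other"

# Constructed sample assignments: the question's group gets Contributor on one
# resource group; a second group gets Reader on the whole subscription.
SAMPLE_ASSIGNMENTS = [
    RoleAssignment("xxx_contributor", "Contributor", RG),
    RoleAssignment("sec-readers", "Reader", SUB),
]


def _segments(scope: str) -> list:
    """Split an ARM scope into lower-cased path segments (ARM ids are case-insensitive)."""
    return [s.lower() for s in scope.split("/") if s]


def scope_level(scope: str) -> str:
    """Name the level of an ARM scope the way the portal's IAM blade does."""
    segs = _segments(scope)
    under_rg = len(segs) >= 4 and segs[0] == "subscriptions" and segs[2] == "resourcegroups"
    if len(segs) == 2 and segs[0] == "subscriptions":
        return "Subscription"
    if under_rg and len(segs) == 4:
        return "Resource group"
    if under_rg:
        return "Resource"
    raise ValueError(f"unsupported scope: {scope}")


def scope_contains(parent: str, child: str) -> bool:
    """True when `child` is `parent` itself or sits underneath it (segment-wise prefix)."""
    p, c = _segments(parent), _segments(child)
    return len(p) <= len(c) and c[: len(p)] == p


def effective_assignments(assignments, target_scope):
    """Return (assignment, label) for every assignment that is in effect at target_scope."""
    result = []
    for a in assignments:
        if not scope_contains(a.scope, target_scope):
            continue  # assigned elsewhere in the tree, does not apply here
        if _segments(a.scope) == _segments(target_scope):
            label = "This resource"
        else:
            label = f"{scope_level(a.scope)} (Inherited)"
        result.append((a, label))
    return result


def describe(assignments, target_scope) -> list:
    """Render the IAM blade's view of a scope as 'principal: role [label]' lines."""
    return [f"{a.principal}: {a.role} [{label}]"
            for a, label in effective_assignments(assignments, target_scope)]


if __name__ == "__main__":
    for scope in (SUB, RG, VM, OTHER_RG):
        print(scope)
        for line in describe(SAMPLE_ASSIGNMENTS, scope):
            print("   ", line)
```

Running it shows the Contributor assignment as "This resource" on rg-app, as "Resource group (Inherited)" on the VM inside it, and absent from rg-other, while the subscription-level Reader assignment is inherited everywhere. The same view for a real tenant comes from `az role assignment list --include-inherited --scope <scope>`; if an assignment is missing from a resource group, check that its scope is that group or an ancestor rather than a sibling.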

0
votes

This is how it's done.

Go to "Groups" and search for the assignment group that was created, let's say "xxx_contributor" -> select and click on it -> then click on "Privileged access (Preview)" [from the left blade] -> click on "Enable privileged access" -> click on "Add assignments" -> select "Role" as "Member" -> click on "Select members" -> search for the member, let's say "xxx_contributor_eligible" -> click "Next" and click "Assign".
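The portal click-path above has a Microsoft Graph equivalent: PIM for Groups assignments are created by posting a privilegedAccessGroupEligibilityScheduleRequest to `identityGovernance/privilegedAccess/group/eligibilityScheduleRequests`, where `accessId` is the "Role" drop-down ("member" or "owner") and `principalId` is the user or group selected under "Select members". The Python below is an added example, not code from the answer or from Microsoft; it assumes the group has already been enabled for privileged access as in the steps above, the group and principal ids are hypothetical, and the helper names are mine. Check the schedule fields against the current Graph documentation before relying on them.

```python
import json
from datetime import datetime, timezone
from urllib import request

# Graph v1.0 endpoint for PIM for Groups eligibility requests.
GRAPH_ELIGIBILITY_URL = ("https://graph.microsoft.com/v1.0/identityGovernance/"
                         "privilegedAccess/group/eligibilityScheduleRequests")


def build_eligibility_request(group_id, principal_id, access_id="member",
                              days=365, justification="PIM onboarding", start=None):
    """Build the JSON body that makes `principal_id` eligible for `access_id` on `group_id`.

    access_id mirrors the portal's Role drop-down ("member" or "owner").
    The eligibility expires after `days` days, expressed as an ISO 8601 duration (P365D).
    `start` is an aware datetime; it defaults to now (UTC).
    """
    if access_id not in ("member", "owner"):
        raise ValueError("access_id must be 'member' or 'owner'")
    if days <= 0:
        raise ValueError("days must be positive")
    start = start or datetime.now(timezone.utc)
    start_iso = (start.astimezone(timezone.utc).replace(microsecond=0)
                 .isoformat().replace("+00:00", "Z"))
    return {
        "accessId": access_id,
        "principalId": principal_id,
        "groupId": group_id,
        "action": "adminAssign",          # admin-created eligible assignment
        "justification": justification,
        "scheduleInfo": {
            "startDateTime": start_iso,
            "expiration": {"type": "afterDuration", "duration": f"P{days}D"},
        },
    }


def submit_eligibility_request(payload, access_token):
    """POST the request to Graph with a bearer token that has the
    PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup permission.
    Not called in the stand-alone run below, which only builds the body."""
    req = request.Request(
        GRAPH_ELIGIBILITY_URL,
        data=json.dumps(payload).encode(),
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed sample ids standing in for xxx_contributor and xxx_contributor_eligible.
    body = build_eligibility_request(
        group_id="11111111-1111-1111-1111-111111111111",
        principal_id="22222222-2222-2222-2222-222222222222",
    )
    print(json.dumps(body, indent=2))
```

The request makes the principal eligible, not active; members still activate through PIM, and the maximum activation duration, approval and MFA requirements come from the group's PIM policy rather than from this body. Make sure the token holder is not the principal being assigned, so the admin who grants eligibility cannot also silently activate it.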