PIM for Groups, Are You Still Assigning Roles to Users?
Let’s be honest about how you manage Privileged Identity Management (PIM) and PIM for Groups.
Think back to when you set up an existing admin. What did that workflow look like?
Did you go into PIM, search for “the user”, click “Add Assignment”, and select the Exchange Administrator role? Then did you go back, search for “the user” again, and add the Intune Administrator role? And then again for User Administrator?
If you are nodding your head, you are doing it the hard way.
For a long time, this was the standard. We treated PIM like a digital signup sheet, mapping individual users to individual roles. But as the team grows and you keep managing people one at a time, direct assignment becomes a trap. It’s slow, and it makes auditing a nightmare.
If you are still assigning roles directly to people, it’s time to start assigning roles to groups.
The Trap of Direct Assignment
Direct assignment does not scale.
Onboarding is tedious
To fully onboard a single administrator, you may need to click through five or six separate role assignments.
Offboarding is risky
If a user moves teams or leaves the organisation, every individual role assignment must be removed. Miss one and you leave behind unnecessary privilege.
Visibility is poor
If someone asks who can manage Exchange, the only way to answer is to open the role and scan a list of individual accounts.
PIM for Groups
The fix is simple: stop managing roles and start managing group membership.
Instead of making José Teixeira eligible for five different roles individually, you create a single, specialised group; let’s call it PIM-Tier2-Admins. You give that group a permanent (Active) assignment to the Exchange Administrator, Intune Administrator, and User Administrator roles.
Then you use PIM to make José an eligible member of that group. When José activates the group membership, he inherits all of those roles at once.
Prerequisites and licensing
- Microsoft Entra ID P2 licences for any user who will be eligible for PIM
- These licences are included in Microsoft 365 E5 and EM+S E5, or can be purchased standalone
Create a role-assignable security group
Role-assignable groups have strict requirements:
- Cloud-only security group
- Not synced from on-premises Active Directory
- Not dynamic
- Must be flagged as role-assignable at creation time
If you miss the role-assignable setting, it cannot be switched on afterwards: the group must be deleted and recreated.
Go to the Microsoft Entra admin centre > Teams & Groups > Security groups > Add new security group, name the group, and tick “roles can be assigned”.

Assign Entra roles to the group
Now assign the required administrative roles to the group itself.
Go to Roles, then Role assignments
Select a role, for example Exchange Administrator or Intune Administrator
Click Add assignments
Select the group PIM-Tier2-Admins
Set Assignment type to Active
The group holds standing permissions. No human has access yet.
This is intentional.
Protect the group membership with PIM
This is the critical step.
Go to Entra > Identity Governance > Privileged Identity Management
Select Groups
Locate your role-assignable group (use Discover groups if needed)
Open the group
Go to Assignments > Add assignments

Configuration:
- Assignment type: Member
- User: José Teixeira
- Setting: Eligible

José is not a member of the group yet. He must activate the membership through PIM.
When he does, MFA, justification, approval, and time limits apply based on your PIM configuration. When the activation expires, all inherited roles are removed automatically.

Eligible membership allows the user to request temporary membership in the group through PIM. Only during an active PIM session does the user become a group member and inherit the roles assigned to that group.
This is the correct choice for human administrators.
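The three portal walkthroughs above (create the role-assignable group, give it Active role assignments, make the admin an Eligible member) can be scripted so the group is built the same way every time. The following is an added example using the Microsoft Graph PowerShell SDK; it is not code from the original article. The group name, role list, user principal name and eligibility duration are assumptions chosen for illustration, and the request body for the eligibility step follows the shape of the Graph `eligibilityScheduleRequests` API.

```powershell
# Added example (not from the original article): the portal steps scripted with the
# Microsoft Graph PowerShell SDK. Run as an account that may manage role-assignable
# groups and PIM for Groups (for example Privileged Role Administrator).
# Requires: Install-Module Microsoft.Graph

Connect-MgGraph -Scopes "Group.ReadWrite.All",
                        "RoleManagement.ReadWrite.Directory",
                        "PrivilegedAccess.ReadWrite.AzureADGroup",
                        "User.Read.All"

$groupName = "PIM-Tier2-Admins"                                   # assumed name
$roleNames = @("Exchange Administrator", "Intune Administrator", "User Administrator")
$adminUpn  = "jose.teixeira@contoso.example"                      # assumed UPN

# 1. Create the cloud-only, static, role-assignable security group.
#    IsAssignableToRole can only be set at creation time, so check before creating.
$group = Get-MgGroup -Filter "displayName eq '$groupName'" -ErrorAction SilentlyContinue
if (-not $group) {
    $group = New-MgGroup -DisplayName $groupName `
                         -MailNickname $groupName `
                         -MailEnabled:$false `
                         -SecurityEnabled `
                         -IsAssignableToRole
}
elseif (-not $group.IsAssignableToRole) {
    throw "$groupName exists but is not role-assignable; it must be deleted and recreated."
}

# 2. Give the group a permanent (Active) assignment to each role.
#    The group, not a person, holds the standing permissions.
foreach ($roleName in $roleNames) {
    $role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
    $existing = Get-MgRoleManagementDirectoryRoleAssignment `
        -Filter "principalId eq '$($group.Id)' and roleDefinitionId eq '$($role.Id)'"
    if (-not $existing) {
        New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $group.Id `
            -RoleDefinitionId $role.Id -DirectoryScopeId "/" | Out-Null
        Write-Host "Assigned $roleName to $groupName (Active)"
    }
}

# 3. Make the administrator an Eligible member of the group through PIM for Groups.
#    Eligible, not Active: nothing is granted until the user activates in PIM, and
#    MFA / justification / approval come from the group's PIM policy.
$user = Get-MgUser -UserId $adminUpn
$eligibility = @{
    accessId      = "member"        # eligible for membership ("owner" is the other option)
    principalId   = $user.Id
    groupId       = $group.Id
    action        = "adminAssign"
    justification = "Tier 2 admin; roles inherited only while membership is activated"
    scheduleInfo  = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString("o")
        # Assumed: eligibility itself is re-confirmed yearly (ISO 8601 duration).
        expiration    = @{ type = "afterDuration"; duration = "P365D" }
    }
}
New-MgIdentityGovernancePrivilegedAccessGroupEligibilityScheduleRequest -BodyParameter $eligibility
Write-Host "$adminUpn is now Eligible for membership of $groupName"
```

Onboarding the next administrator is step 3 alone with a different UPN; steps 1 and 2 are skipped automatically because the group and its role assignments already exist.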
What Active would mean instead
An Active assignment would make José a permanent member of the group. He would continuously inherit all roles assigned to the group without activation, time limits, or approval.
Active assignments are appropriate for:
- Service accounts
- Break-glass accounts
- Automation scenarios
They are not appropriate for day-to-day administrator access.
How this behaves in practice
With an Eligible assignment:
- José is not a group member by default
- He must activate membership through PIM
- MFA, justification, approval, and activation duration are enforced
- When the activation expires, group membership is removed
- All inherited roles are dropped automatically
This is the control point that prevents standing privilege and keeps administrative access temporary and auditable.
Why this works better when the team grows
A week later, you hire Olavi King.
Under the old model, you would repeat every role assignment you performed for José.
Under the group model:
- Open PIM
- Go to the PIM-Tier2-Admins group
- Add Olavi as an eligible member
That is the only step.
Olavi now has exactly the same potential access as José, governed by the same controls, reviewed in the same place, and audited the same way.
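The visibility problem from the start of the article (“who can manage Exchange?”) is also easier to answer once the roles sit on a group, because PIM for Groups records standing, activated and eligible membership separately. The following is an added example, not code from the original article, that reports everyone who holds or can activate a given role, whether directly or through a role-assignable group, using the Microsoft Graph PowerShell SDK; the role name is a parameter and the scopes and output columns are my choices.

```powershell
# Added example (not from the original article): answer "who can manage <role>?"
# from the directory instead of scanning the role's member list in the portal.
# Requires: Install-Module Microsoft.Graph and a reader of PIM/role data.

Connect-MgGraph -Scopes "RoleManagement.Read.Directory",
                        "PrivilegedAccess.Read.AzureADGroup",
                        "Directory.Read.All"

function Resolve-PrincipalName {
    # Return a readable name for a user, group or service principal id.
    param([string]$Id)
    $obj = Get-MgDirectoryObject -DirectoryObjectId $Id -ErrorAction SilentlyContinue
    if (-not $obj) { return $Id }
    $p = $obj.AdditionalProperties
    if ($p['userPrincipalName']) { return $p['userPrincipalName'] }
    return $p['displayName']
}

function Get-RoleAccessReport {
    param([string]$RoleName = "Exchange Administrator")

    $role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$RoleName'"
    if (-not $role) { throw "Role '$RoleName' not found" }
    $filter = "roleDefinitionId eq '$($role.Id)'"

    # Active directory role assignments: each principal is either a user/SP (direct)
    # or a role-assignable group, which we expand through PIM for Groups.
    foreach ($a in Get-MgRoleManagementDirectoryRoleAssignment -Filter $filter) {
        $obj  = Get-MgDirectoryObject -DirectoryObjectId $a.PrincipalId
        $type = $obj.AdditionalProperties['@odata.type']
        if ($type -ne '#microsoft.graph.group') {
            # Direct assignment to a person or service principal: the pattern the article argues against.
            [pscustomobject]@{ Role = $RoleName; Via = 'Direct'
                               Principal = Resolve-PrincipalName $a.PrincipalId
                               Access = 'Active (direct, standing)'; ExpiresOn = $null }
            continue
        }
        $groupName = $obj.AdditionalProperties['displayName']
        $gFilter   = "groupId eq '$($a.PrincipalId)'"

        # Current members: AssignmentType distinguishes a standing member ("assigned")
        # from someone who has activated eligible membership ("activated").
        foreach ($s in Get-MgIdentityGovernancePrivilegedAccessGroupAssignmentSchedule -Filter $gFilter) {
            [pscustomobject]@{ Role = $RoleName; Via = $groupName
                               Principal = Resolve-PrincipalName $s.PrincipalId
                               Access = "Active ($($s.AssignmentType))"
                               ExpiresOn = $s.ScheduleInfo.Expiration.EndDateTime }
        }
        # Eligible members: can activate through PIM but hold nothing right now.
        foreach ($e in Get-MgIdentityGovernancePrivilegedAccessGroupEligibilitySchedule -Filter $gFilter) {
            [pscustomobject]@{ Role = $RoleName; Via = $groupName
                               Principal = Resolve-PrincipalName $e.PrincipalId
                               Access = 'Eligible (PIM)'
                               ExpiresOn = $e.ScheduleInfo.Expiration.EndDateTime }
        }
    }

    # Users made eligible for the role itself (per-user PIM, the old model).
    foreach ($e in Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter $filter) {
        [pscustomobject]@{ Role = $RoleName; Via = 'Direct'
                           Principal = Resolve-PrincipalName $e.PrincipalId
                           Access = 'Eligible (direct)'
                           ExpiresOn = $e.ScheduleInfo.Expiration.EndDateTime }
    }
}

Get-RoleAccessReport -RoleName "Exchange Administrator" | Sort-Object Via, Access | Format-Table -AutoSize
```

Rows marked Direct are the candidates for migration to the group model; once they are gone, the report for any role is just the group name plus its eligible and currently activated members.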
Direct role assignment is not wrong because it fails technically. It is wrong because it does not scale, it does not age well, and it creates risk through complexity.
PIM was never meant to be a user-by-user permission manager. It was designed to control privileged access. Group-based PIM does exactly that by separating role intent from human access.
Define what access exists once.
Attach that access to a group.
Use PIM to decide who can step into it, when, and for how long.
If you want faster onboarding, safer offboarding, and answers to audit questions without guesswork, stop assigning roles to users.
Assign roles to groups, and let PIM do the job it was built for.
Can I use dynamic groups for PIM role assignment?
No. Role-assignable groups cannot be dynamic. They must be static, cloud-only security groups created directly in Microsoft Entra ID.
Can I use groups synced from on-premises Active Directory?
No. Role-assignable groups must be cloud-only. Groups synced from on-premises Active Directory are not supported for Entra role assignment.
Why assign roles to the group as Active instead of Eligible?
The group represents the role intent and should permanently hold the permissions. PIM is used to control who can access the group, not to control the group itself. Making the group Active and the user Eligible keeps the model simple and predictable.
What happens if a user is assigned as Active instead of Eligible?
An Active assignment makes the user a permanent member of the group. They inherit all assigned roles continuously, without activation, expiry, or approval. This should be avoided for human administrators.
Does activating the group automatically activate all roles?
Yes. When a user activates group membership, they inherit all Entra roles assigned to that group for the duration of the activation.
What happens when activation expires?
The user is removed from the group automatically. All inherited roles are dropped immediately, leaving no standing privilege.
Can access reviews be applied to these groups?
Yes. Access reviews can target PIM-managed group membership, making it easier to review privileged access without inspecting individual role assignments.
Tags: Entra ID, Microsoft Entra