Microsoft 365 Security Administration: PIM Roles for Permanent Eligible Assignments

Which Roles Allow Permanent Eligible Assignments in Privileged Identity Management?

Question

Your organization is using Privileged Identity Management for role assignments.

Within PIM, which two roles have access to allow a permanent eligible assignment?

Explanations

Correct Answers: C and D

Only Global admins and Privileged role admins can assign permanent eligible assignments.

See exhibit:

Allow permanent eligible assignment: Global admins and Privileged role admins can assign permanent eligible assignment.

Expire eligible assignment after: Global admins and Privileged role admins can require that all eligible assignments have a specified start and end date.

And, you can choose one of these active assignment duration options:

Allow permanent active assignment: Global admins and Privileged role admins can assign permanent active assignment.

Expire active assignment after: Global admins and Privileged role admins can require that all active assignments have a specified start and end date.

Option A is incorrect.

Security administrator does not have permission to allow a permanent eligible assignment.

Option B is incorrect.

User administrator does not have permission to allow a permanent eligible assignment.

Option E is incorrect.

Application administrator does not have permission to allow a permanent eligible assignment.


Privileged Identity Management (PIM) is a feature in Microsoft Azure that allows an organization to manage, control, and monitor access to resources and roles in their Azure Active Directory (AAD) environment. It provides just-in-time access, time-bound access, and approval workflows for privileged roles in AAD.

When a user needs to perform a privileged task in AAD, they can be assigned a privileged role for a limited time. However, in some cases, a user may require permanent access to a privileged role. In such cases, the user must request an eligible assignment and be approved by a privileged role administrator.

In PIM, two roles have access to allow permanent eligible assignments:

  1. Privileged Role Administrator: The Privileged Role Administrator is responsible for managing and overseeing privileged access in AAD. They have access to all PIM features and can approve or deny eligible assignments. They can also create and manage privileged roles and define the scope of each role.

  2. Global Administrator: The Global Administrator has access to all features in AAD, including PIM. They can assign roles, manage users and groups, and configure security settings. They also have access to approve or deny eligible assignments.

The other roles listed in the question, Security Administrator, User Administrator, and Application Administrator, do not have access to allow permanent eligible assignments. The Security Administrator manages security-related features in AAD, the User Administrator manages user accounts and groups, and the Application Administrator manages application registrations and configurations.

In summary, the roles that have access to allow permanent eligible assignments in PIM are Privileged Role Administrator and Global Administrator.
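The four assignment duration settings in the exhibit can be audited from exported role settings. The following is an added example, not part of the original page: it assumes the settings are exported as Microsoft Graph role management policy expiration rules (rule ids `Expiration_Admin_Eligibility` and `Expiration_Admin_Assignment`, with `isExpirationRequired` and `maximumDuration`). The sample data, the function names and the 365-day threshold are constructed for illustration.

```python
import re

# Graph expiration rule ids mapped to the assignment type named in the exhibit.
RULES = {"Expiration_Admin_Eligibility": "eligible",
         "Expiration_Admin_Assignment": "active"}

def duration_days(iso):
    """Convert a simple ISO 8601 duration (PnY, PnM, PnD, PTnH) to whole days."""
    m = re.fullmatch(r"P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)D)?(?:T(?:(\d+)H)?)?", iso or "")
    if not m or not any(m.groups()):
        return None
    y, mo, d, h = (int(g or 0) for g in m.groups())
    return y * 365 + mo * 30 + d + h // 24

def audit_policy(role, rules, max_days=365):
    """Return findings for one role's expiration rules (max_days is an assumed limit)."""
    findings, seen = [], set()
    for rule in rules:
        kind = RULES.get(rule.get("id"))
        if kind is None:
            continue  # not an admin expiration rule
        seen.add(kind)
        # A missing flag is treated the same as "permanent allowed".
        if rule.get("isExpirationRequired") is not True:
            findings.append(f"{role}: permanent {kind} assignment allowed")
            continue
        days = duration_days(rule.get("maximumDuration"))
        if days is None or days > max_days:
            findings.append(
                f"{role}: {kind} assignment expiry exceeds {max_days} days or is unreadable")
    for kind in sorted(set(RULES.values()) - seen):
        findings.append(f"{role}: no {kind} expiration rule found")
    return findings

# Constructed sample: rules per role, as they might look after export.
SAMPLE = {
    "Global Administrator": [
        {"id": "Expiration_Admin_Eligibility", "isExpirationRequired": False},
        {"id": "Expiration_Admin_Assignment", "isExpirationRequired": True,
         "maximumDuration": "P15D"}],
    "User Administrator": [
        {"id": "Expiration_Admin_Eligibility", "isExpirationRequired": True,
         "maximumDuration": "P180D"},
        {"id": "Expiration_Admin_Assignment", "isExpirationRequired": True,
         "maximumDuration": "P2Y"}],
}

def audit_all(policies=SAMPLE):
    return [f for role, rules in policies.items() for f in audit_policy(role, rules)]

if __name__ == "__main__":
    print("\n".join(audit_all()))
```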