Activate Azure resource roles in PIM - Microsoft Entra ID Governance (2024)

Microsoft Entra Privileged Identity Management (PIM) lets eligible members of Azure resource roles activate those roles on demand. A member can schedule the activation for a future date and time and choose an activation duration up to the maximum that administrators configure in the role settings.

This article is for members who need to activate their Azure resource role in Privileged Identity Management.

Note

As of March 2023, you can also activate your assignments and view your access directly from blades outside of PIM in the Azure portal. See Activate with Azure portal later in this article.

Important

When a role is activated, Microsoft Entra PIM temporarily adds an active assignment for the role. PIM creates the active assignment (assigns the user to the role) within seconds, and when the role is deactivated (manually or because the activation duration expires) PIM removes the active assignment within seconds as well.

An application may grant access based on the roles the user holds, and application access may not immediately reflect that a role was assigned or removed. If the application cached the fact that the user did not have the role, the user may still be refused access after activation; if it cached the fact that the user had the role, the user may keep access after deactivation. How long this lasts depends on the application's architecture. For some applications, signing out and signing back in may help get access added or removed.

Prerequisites

None

Activate a role

Tip

Steps in this article might vary slightly based on the portal you start from.

When you need to take on an Azure resource role, you can request activation by using the My roles navigation option in Privileged Identity Management.

Note

PIM is now available in the Azure mobile app (iOS | Android) for Microsoft Entra ID roles and Azure resource roles. You can activate eligible assignments, request renewals for assignments that are expiring, or check the status of pending requests. See Activate PIM roles using the Azure mobile app later in this article.

  1. Sign in to the Microsoft Entra admin center as the user who holds the eligible assignment. Activating your own eligible role does not require an administrator role; the Privileged Role Administrator role is only needed to manage other users' assignments.

  2. Browse to Identity governance > Privileged Identity Management > My roles.

  3. Select Azure resource roles to see a list of your eligible Azure resource roles.


  4. In the Azure resource roles list, find the role you want to activate.

  5. Select Activate to open the Activate page.


  6. If your role requires multifactor authentication, select Verify your identity before proceeding. You only have to authenticate once per session.

  7. Select Verify my identity and follow the instructions to provide additional security verification.


  8. If you want to specify a reduced scope, select Scope to open the Resource filter pane.

    It's a best practice to only request access to the resources you need. On the Resource filter pane, you can specify the resource groups or resources that you need access to.


  9. If needed, specify a custom activation start time. The assignment then becomes active at the selected time rather than immediately.

  10. In the Reason box, enter the reason for the activation request.

  11. Select Activate.

    Note

    If the role requires approval to activate, a notification appears in the upper right corner of your browser informing you that the request is pending approval. The role is not active until an approver grants the request.

Activate a role with ARM API

Privileged Identity Management supports Azure Resource Manager (ARM) API commands to manage Azure resource roles, as documented in the PIM ARM API reference. For the permissions required to use the PIM API, see Understand the Privileged Identity Management APIs.

To activate an eligible Azure role assignment, use the Role Assignment Schedule Requests - Create REST API to create a new request, specifying the security principal, the role definition, requestType = SelfActivate and the scope. To call this API you must hold an eligible role assignment on that scope.

Use a GUID tool to generate a unique identifier for the request. It becomes the name of the roleAssignmentScheduleRequest resource (not the identifier of the eligible assignment) and has the format 00000000-0000-0000-0000-000000000000.

Replace {roleAssignmentScheduleRequestName} in the PUT request below with that GUID.

For more details on managing eligible roles for Azure resources, see this PIM ARM API tutorial.

The following is a sample HTTP request to activate an eligible assignment for an Azure role.

Request

PUT https://management.azure.com/providers/Microsoft.Subscription/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/providers/Microsoft.Authorization/roleAssignmentScheduleRequests/{roleAssignmentScheduleRequestName}?api-version=2020-10-01

Request body

{
  "properties": {
    "principalId": "aaaaaaaa-bbbb-cccc-1111-222222222222",
    "roleDefinitionId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/providers/Microsoft.Authorization/roleDefinitions/c8d4ff99-41c3-41a8-9f60-21dfdad59608",
    "requestType": "SelfActivate",
    "linkedRoleEligibilityScheduleId": "b1477448-2cc6-4ceb-93b4-54a202a89413",
    "scheduleInfo": {
      "startDateTime": "2020-09-09T21:35:27.91Z",
      "expiration": {
        "type": "AfterDuration",
        "endDateTime": null,
        "duration": "PT8H"
      }
    },
    "condition": "@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase 'foo_storage_container'",
    "conditionVersion": "1.0"
  }
}

Response

Status code: 201

{
  "properties": {
    "targetRoleAssignmentScheduleId": "c9e264ff-3133-4776-a81a-ebc7c33c8ec6",
    "targetRoleAssignmentScheduleInstanceId": null,
    "scope": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e",
    "roleDefinitionId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/providers/Microsoft.Authorization/roleDefinitions/c8d4ff99-41c3-41a8-9f60-21dfdad59608",
    "principalId": "aaaaaaaa-bbbb-cccc-1111-222222222222",
    "principalType": "User",
    "requestType": "SelfActivate",
    "status": "Provisioned",
    "approvalId": null,
    "scheduleInfo": {
      "startDateTime": "2020-09-09T21:35:27.91Z",
      "expiration": {
        "type": "AfterDuration",
        "endDateTime": null,
        "duration": "PT8H"
      }
    },
    "ticketInfo": {
      "ticketNumber": null,
      "ticketSystem": null
    },
    "justification": null,
    "requestorId": "a3bb8764-cb92-4276-9d2a-ca1e895e55ea",
    "createdOn": "2020-09-09T21:35:27.91Z",
    "condition": "@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase 'foo_storage_container'",
    "conditionVersion": "1.0",
    "expandedProperties": {
      "scope": {
        "id": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e",
        "displayName": "Pay-As-You-Go",
        "type": "subscription"
      },
      "roleDefinition": {
        "id": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/providers/Microsoft.Authorization/roleDefinitions/c8d4ff99-41c3-41a8-9f60-21dfdad59608",
        "displayName": "Contributor",
        "type": "BuiltInRole"
      },
      "principal": {
        "id": "a3bb8764-cb92-4276-9d2a-ca1e895e55ea",
        "displayName": "User Account",
        "email": "[email protected]",
        "type": "User"
      }
    }
  },
  "name": "fea7a502-9a96-4806-a26f-eee560e52045",
  "id": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/providers/Microsoft.Authorization/RoleAssignmentScheduleRequests/fea7a502-9a96-4806-a26f-eee560e52045",
  "type": "Microsoft.Authorization/RoleAssignmentScheduleRequests"
}
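The following Python script is an added example, not code from the Microsoft article or any Microsoft SDK. It performs the same activation the portal steps and the sample request above describe: it generates the request GUID, builds the PUT URL from the ARM scope (the generic {scope} form from the API reference, which is what the response's scope field reports), builds the SelfActivate body, checks the requested duration against the maximum activation duration before anything is sent, classifies the status field of the response into what My requests will show, and also builds the SelfDeactivate request that ends an activation early. The maximum duration (PT8H), the requirement for a non-empty justification, the ticket values and the bearer token are assumptions; the subscription, principal and role definition identifiers are the article's own sample values.

```python
"""Added example: self-activate and self-deactivate an eligible Azure resource
role with the PIM ARM API (Role Assignment Schedule Requests - Create).
Not code from the article; identifiers below are the article's sample values."""
import json
import re
import urllib.request
import uuid
from datetime import datetime, timezone
from typing import Optional

ARM = "https://management.azure.com"
API_VERSION = "2020-10-01"

# Sample values from the article's request body.
SUBSCRIPTION_SCOPE = "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e"
PRINCIPAL_ID = "aaaaaaaa-bbbb-cccc-1111-222222222222"
CONTRIBUTOR_ROLE_DEF = (SUBSCRIPTION_SCOPE + "/providers/Microsoft.Authorization/"
                        "roleDefinitions/c8d4ff99-41c3-41a8-9f60-21dfdad59608")

# PIM expresses AfterDuration expirations as ISO 8601 durations such as PT8H or PT30M.
_DURATION_RE = re.compile(r"PT(?:(\d+)H)?(?:(\d+)M)?")


def duration_minutes(duration: str) -> int:
    """Parse a PTnHnM duration into minutes; reject days, seconds and free text."""
    m = _DURATION_RE.fullmatch(duration)
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported duration: {duration!r}")
    hours, minutes = (int(g) if g else 0 for g in m.groups())
    return hours * 60 + minutes


def request_url(scope: str, request_name: Optional[str] = None):
    """Return (name, url) for the PUT. The name is a fresh GUID (uuid4 stands in
    for the 'GUID tool' in the article); it identifies the request, not the
    eligible assignment."""
    name = request_name or str(uuid.uuid4())
    uuid.UUID(name)  # ValueError if the caller passed something that is not a GUID
    return name, (f"{ARM}{scope}/providers/Microsoft.Authorization/"
                  f"roleAssignmentScheduleRequests/{name}?api-version={API_VERSION}")


def self_activate_body(principal_id: str, role_definition_id: str, justification: str,
                       duration: str = "PT8H", max_duration: str = "PT8H",
                       start: Optional[str] = None, ticket_number: Optional[str] = None,
                       ticket_system: Optional[str] = None) -> dict:
    """Body for requestType=SelfActivate. The duration is checked locally against
    the admin-configured maximum (max_duration is an assumed role-setting value)
    so an over-long request fails before it reaches ARM; a non-empty justification
    is assumed to be required, as the portal's Reason box is."""
    if duration_minutes(duration) > duration_minutes(max_duration):
        raise ValueError(f"{duration} exceeds the maximum activation {max_duration}")
    if not justification.strip():
        raise ValueError("activation requires a justification")
    if start is None:  # activate now; pass an ISO 8601 UTC timestamp to schedule it
        start = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    props = {
        "principalId": principal_id,
        "roleDefinitionId": role_definition_id,
        "requestType": "SelfActivate",
        "justification": justification,
        "scheduleInfo": {
            "startDateTime": start,
            "expiration": {"type": "AfterDuration", "endDateTime": None, "duration": duration},
        },
    }
    if ticket_number or ticket_system:
        props["ticketInfo"] = {"ticketNumber": ticket_number, "ticketSystem": ticket_system}
    return {"properties": props}


def self_deactivate_body(principal_id: str, role_definition_id: str,
                         justification: str = "work complete") -> dict:
    """Body for requestType=SelfDeactivate, which ends the active assignment early
    (same PUT endpoint, new GUID); the portal's Deactivate button does the same."""
    return {"properties": {"principalId": principal_id,
                           "roleDefinitionId": role_definition_id,
                           "requestType": "SelfDeactivate",
                           "justification": justification}}


def classify(response: dict) -> str:
    """Translate properties.status of a create or GET response into what the
    member sees under My requests; unknown states are returned unchanged."""
    status = response["properties"]["status"]
    if status == "Provisioned":
        return "active"
    if status in ("PendingApproval", "PendingAdminDecision", "PendingApprovalProvisioning"):
        return "pending approval"
    if status in ("PendingScheduleCreation", "ScheduleCreated", "PendingProvisioning"):
        return "scheduled"
    if status in ("Denied", "AdminDenied", "Failed", "Canceled", "Revoked", "TimedOut", "Invalid"):
        return "not active"
    return status


def submit(url: str, body: dict, token: str, timeout: int = 30) -> dict:
    """PUT the request with a bearer token for management.azure.com (for example
    from `az account get-access-token`). Network call; not exercised offline."""
    req = urllib.request.Request(url, method="PUT", data=json.dumps(body).encode(),
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed demo: a two-hour Contributor activation tied to a ticket (assumed values).
    name, url = request_url(SUBSCRIPTION_SCOPE)
    body = self_activate_body(PRINCIPAL_ID, CONTRIBUTOR_ROLE_DEF, "Deploy hotfix for INC-42",
                              duration="PT2H", ticket_number="INC-42", ticket_system="ServiceNow")
    print(f"PUT {url}\n{json.dumps(body, indent=2)}")  # submit(url, body, token) sends it
```

The local duration check is a convenience, not a control: ARM enforces the role setting regardless, but failing early keeps a misconfigured automation from filing requests that are rejected (or, with approval enabled, from paging an approver for nothing). Request the shortest duration and narrowest scope the task needs, and send a SelfDeactivate request as soon as the work is done rather than waiting for expiry; remember the five-minute minimum before a deactivation is accepted.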

View the status of your requests

You can view the status of your pending requests to activate.

  1. Open Microsoft Entra Privileged Identity Management.

  2. Select My requests to see a list of your Microsoft Entra role and Azure resource role requests.

  3. Scroll to the right to view the Request Status column.

Cancel a pending request

If you no longer need a role activation that is waiting for approval, you can cancel the pending request at any time.

  1. Open Microsoft Entra Privileged Identity Management.

  2. Select My requests.

  3. For the role that you want to cancel, select the Cancel link.

    When you select Cancel, the request will be canceled. To activate the role again, you will have to submit a new request for activation.


Deactivate a role assignment

When a role assignment is active, the PIM portal shows a Deactivate option for it; select it to end the activation before the duration expires. You can't deactivate an assignment within the first five minutes after activation.

Activate with Azure portal

Privileged Identity Management role activation has been integrated into the Subscriptions (billing) and Access control (IAM) blades of the Azure portal, so you can activate PIM roles directly from these blades.

From the Subscriptions blade, select “View eligible subscriptions” in the horizontal command menu to check your eligible, active, and expired assignments. From there, you can activate an eligible assignment in the same pane.



In Access control (IAM) for a resource, you can now select “View my access” to see your currently active and eligible role assignments and activate directly.


By integrating PIM capabilities into different Azure portal blades, this new feature allows you to gain temporary access to view or edit subscriptions and resources more easily.

Activate PIM roles using the Azure mobile app

PIM for Microsoft Entra ID roles and Azure resource roles is now available in the Azure mobile app on both iOS and Android.

  1. To activate an eligible Azure resource role assignment, start by downloading the Azure mobile app (iOS | Android). You can also download the app by selecting Open in mobile from Privileged Identity Management > My roles > Azure resource roles.

  2. Open the Azure mobile app and sign in. Select the Privileged Identity Management card, then select My Azure Resource roles to view your eligible and active role assignments.

  3. Select the role assignment and then Action > Activate under the role assignment details. Complete the activation steps, fill in any required details (such as the reason), and select Activate at the bottom.

  4. View the status of your activation requests and your role assignments under ‘My Azure Resource roles’.

Related content

  • Extend or renew Azure resource roles in Privileged Identity Management
  • Activate my Microsoft Entra roles in Privileged Identity Management