News

Microsoft Entra Privileged Identity Management Gets Two New Features

PIM for Groups and PIM integration with Conditional Access are released.

• By Kurt Mackie
• 10/04/2023

Microsoft announced this week that it has added two new capabilities to Microsoft Entra Privileged Identity Management (PIM) at the "general availability" release stage.

Commercially released are "PIM for Groups" and "PIM integration with Conditional Access." Microsoft defines PIM as enabling organizations to "limit standing admin access to privileged roles, discover who has access, and review privileged access." The two new capabilities, now commercially available, add refined IT controls on top of this general scenario, which is rather complex.

The announcement described PIM as being "part of Microsoft Entra ID Governance and Microsoft Entra ID P2" licensing. Moreover, "PIM enables you to manage just-in-time access to privileged roles in Microsoft Entra, Microsoft 365 services, and Azure."

PIM for Groups
PIM users would seem to have all the requisite controls, given the above description, but apparently group controls were missing. The new PIM for Groups capability lets IT departments specify "just-in-time group membership and ownership." Moreover, they can specify "role-assignable and non-role-assignable groups," per this document on PIM for Groups.

Microsoft defines role-assignable groups as being managed only by "the Global Administrator, Privileged Role Administrator, or the group Owner." In contrast, non-role-assignable groups permit management by personnel with lower privileged Microsoft Entra roles.

Apparently, the PIM for Groups capability to specify role-assignable groups requires having Microsoft Entra ID Governance licensing of a sort. Here's how the document put it, without elaboration:

Microsoft Entra role-assignable group feature is not part of Microsoft Entra Privileged Identity Management (Microsoft Entra PIM). For more information on licensing, see Microsoft Entra ID Governance licensing fundamentals.

Microsoft actually previewed PIM for Groups more than three years ago as a way of setting just-in-time access controls over group access to workflows, but back then this feature was called "Privileged Access Groups." Microsoft previously had required the use of role-assignable groups with this feature, but that condition changed early this year.

Here's how the document characterized that change:

Up until January 2023, it was required that every Privileged Access Group (former name for this PIM for Groups feature) had to be role-assignable group. This restriction is currently removed. Because of that, it is now possible to enable more than 500 groups per tenant in PIM, but only up to 500 groups can be role assignable.

The nuances associated with this feature are somewhat confusingly described.

PIM Integration with Conditional Access
The other feature at general availability is PIM integration with Conditional Access. It adds more "granular" policy controls over access to data. Conditional Access policies can be set for roles with this feature.

"By combining PIM with Conditional Access, you can now enforce specific requirements for PIM role activations, enhancing your security posture," the announcement explained.

IT departments can specify Conditional Access for roles based on requiring the use of "modern authentication methods," as well as compliant devices. It's also possible to block activating roles based on "risky user" determinations by the Microsoft Entra ID Protection service.

The licensing requirements to use PIM integration with Conditional Access were not described.