Unit 5: Exercise – Assign Microsoft Entra roles in Privileged Identity Management

In this unit, you learn how to assign Microsoft Entra administrative roles using Privileged Identity Management (PIM). Instead of granting permanent access, PIM allows administrators to assign roles as eligible, requiring users to activate them only when needed.

This approach significantly reduces standing privilege and improves security.

Why role assignment in PIM matters

By default, Microsoft Entra ID allows permanent role assignments, meaning:

• Privileges are always active.
• Compromised accounts immediately expose high-risk access.
• Auditing and oversight are limited.

PIM changes this model by introducing:

• Just-in-time activation.
• Approval workflows.
• MFA enforcement.
• Automatic expiration.

Part 1: Assign a Microsoft Entra role (Eligible assignment)

Objective

Make a user eligible for the Compliance Administrator role instead of permanently assigning it.

Step 1: Open Privileged Identity Management

• Sign in to the Microsoft Entra admin center as a tenant administrator.
• In the search bar, search for Privileged Identity Management.
• Select Microsoft Entra Privileged Identity Management.

Step 2: Navigate to Microsoft Entra role assignments

• In the left navigation, select Microsoft Entra roles.
• On the Quick start page, select Roles from the left navigation.

This page shows all directory roles that can be assigned through PIM.

Step 3: Add a new role assignment

• On the top menu, select + Add assignments.

This opens the Add assignments wizard.

Step 4: Select the role and member

• On the Membership tab, review the settings.
• Select Select role, then choose Compliance Administrator.
• Use the Search role by name filter if needed.
• Under Select member(s), select No members selected.
• In the Select a member pane:
• Choose your administrator account.
• Select Select.

Step 5: Configure assignment type

• Select Next.
• On the Settings tab, review Assignment type options:
• Eligible (default):
• User must activate the role.
• Activation may require MFA, approval, and justification.
• Permissions expire automatically.
• Active:
• Role is permanently active.
• No activation required.
• Higher security risk.
• Leave the default Eligible assignment selected.

Step 6: Complete the assignment

• Review the remaining settings.
• Select Assign.

The user is now eligible for the Compliance Administrator role.

Part 2: Activate a Microsoft Entra role

Eligible users must activate a role before using its privileges.

Step 7: Open My roles

• In Privileged Identity Management, select My roles from the left navigation.
• Review the list of eligible role assignments.

Step 8: Activate the role

• In the Compliance Administrator row, select Activate.

Step 9: Complete security verification

• In the Activate – Compliance Administrator pane:
• Select Additional verification required.
• Complete the MFA or security verification process.
• This verification is required once per session.

Step 10: Provide justification and activate

• In the Reason box, enter a business justification.
• Select Activate.

The role is now temporarily active and will expire automatically based on role settings.

Part 3: Assign a role with restricted scope

Some Microsoft Entra roles support scoped assignments, limiting permissions to a specific boundary.

Step 11: Start a scoped assignment

• Go to Privileged Identity Management → Microsoft Entra roles.
• Select + Add assignments.
• Select the role User Administrator.

Step 12: Review scope options

• Select Scope type.
• Review available options:
• Directory (default).
• Administrative unit.
• Application or service principal (role-dependent).

Exam note: Administrative units allow delegation without granting tenant-wide permissions.

• Select Directory for this exercise.
• Select Cancel to exit without completing the assignment.

Part 4: Update or remove an existing role assignment

Step 13: View current assignments

• In Microsoft Entra roles, select Assignments from the left navigation.
• Locate Compliance Administrator in the list.

Step 14: Update an assignment

• In the Action column, select Update.
• Review available membership and assignment options.
• Close the pane without making changes.

Step 15: Remove an assignment

• In the Action column, select Remove.
• In the confirmation dialog, review the details.
• Select Yes.

The role assignment is removed immediately.

Key concepts to remember for the exam

• Eligible assignments are preferred over permanent (active) assignments.
• Activation can require MFA, justification, and approval.
• Role activation is time-bound.
• Scoped role assignments reduce blast radius.
• PIM significantly reduces standing privilege risk.