Unit 6: Exercise – Assign Azure resource roles in Privileged Identity Management
In this unit, you learn how to assign Azure resource roles using Microsoft Entra Privileged Identity Management (PIM).
Unlike Microsoft Entra directory roles, Azure resource roles apply to subscriptions, management groups, resource groups, or individual Azure resources.
Using PIM for Azure resources ensures:
- Just-in-time access.
- Reduced standing privilege.
- Strong auditing and governance of critical cloud resources.
Azure resource roles supported by PIM
PIM can manage:
- Built-in Azure roles.
- Custom Azure roles.
Common examples include:
- Owner.
- User Access Administrator.
- Contributor.
- Security Admin.
- Security Manager.
Part 1: Discover and onboard Azure resources into PIM
Before assigning Azure roles, the resource must be onboarded into PIM.
Step 1: Open Privileged Identity Management
- Sign in to the Microsoft Entra admin center as a tenant administrator.
- Search for Privileged Identity Management.
- Select Microsoft Entra Privileged Identity Management.
Step 2: Open Azure resources in PIM
- In the left navigation, select Azure resources.
This section is used only for Azure RBAC roles, not Microsoft Entra roles.
Step 3: Discover Azure resources
- On the top menu, select Discover resources.
The discovery experience shows:
- Subscriptions.
- Management groups.
- Resources you have permission to manage.
Step 4: Select and onboard a subscription
- In the Azure resources – Discovery screen:
  - Select your subscription.
  - On the top menu, select Manage resource.
Step 5: Confirm onboarding
- In the Onboarding selected resource for management dialog:
  - Review the information.
  - Select OK.
This action:
- Brings the resource under PIM management.
- Enables role assignments via PIM workflows.
- When onboarding completes, close the Discovery screen.
Part 2: Assign an Azure resource role (Eligible)
Step 6: Open the onboarded resource
- In the Azure resources list, select the resource you just added.
This opens the resource overview page.
Step 7: View available Azure roles
- In the left navigation, under Manage, select Roles.
This displays:
- All Azure RBAC roles available for the selected resource.
Step 8: Add a new role assignment
- On the top menu, select + Add assignments.
Step 9: Select role and member
- In the Add assignments dialog:
  - Select Select role.
  - Choose API Management Service Contributor.
  - Under Select member(s), select No member selected.
  - In the Select a member or group pane:
    - Choose a user from your organization.
- Select Next.
Step 10: Configure assignment type and duration
- On the Settings tab, review Assignment type options:
  - Eligible:
    - User must activate the role.
    - Activation may require MFA, approval, and justification.
    - Role expires automatically.
  - Active:
    - Role is always active.
    - Higher security risk.
- Select Eligible.
Step 11: Configure assignment duration
- Optionally adjust:
  - Start date.
  - End date.
This controls how long the user remains eligible.
Step 12: Complete the assignment
A status notification confirms that the role assignment was created successfully.
Part 3: Update or remove an Azure resource role assignment
Step 13: Open role assignments
- In Privileged Identity Management, select Azure resources.
- Select the resource you want to manage.
- In the left navigation, select Assignments.
Step 14: Review eligible assignments
- Select the Eligible roles tab.
- Review available actions in the Action column.
Step 15: Remove a role assignment
- Select Remove next to the assignment.
- In the Remove dialog box:
  - Review the information.
  - Select Yes.
The role assignment is removed immediately.
Key differences: Azure roles vs Microsoft Entra roles (exam focus)
| Area | Microsoft Entra roles | Azure resource roles |
|---|---|---|
| Scope | Directory-wide | Subscription / resource |
| Managed in PIM section | Microsoft Entra roles | Azure resources |
| Requires onboarding | No | Yes |
| RBAC model | Entra RBAC | Azure RBAC |
| Common examples | Global Admin | Owner, Contributor |
Key exam takeaways
- Azure resources must be onboarded into PIM before role assignment.
- Eligible assignments are preferred over active.
- PIM supports built-in and custom Azure roles.
- Role activation is time-bound and auditable.
- Owner and User Access Administrator roles should always be protected by PIM.
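As an added example (not part of this exercise or of Microsoft's tooling), the following Python check reads the JSON shape returned by `az role assignment list --all -o json` and reports every permanent Owner or User Access Administrator assignment, which the takeaways above say should be an eligible PIM assignment instead. The sample assignments, subscription id and principal names are constructed; the field names match the CLI output.

```python
"""Report standing (permanent) Owner / User Access Administrator assignments.
Input mirrors the JSON of `az role assignment list --all -o json`; PIM-eligible
assignments are not listed there, so anything listed is standing access."""
import json

PRIVILEGED_ROLES = {"Owner", "User Access Administrator"}  # roles PIM should guard
MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed id

# Constructed sample, not real tenant data.
SAMPLE_ASSIGNMENTS = json.dumps([
    {"principalName": "alice@contoso.example", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "bob@contoso.example", "principalType": "User",
     "roleDefinitionName": "Contributor", "scope": SUB + "/resourceGroups/rg-app"},
    {"principalName": "platform-admins", "principalType": "Group",
     "roleDefinitionName": "User Access Administrator", "scope": MG_PREFIX + "corp-root"},
    {"principalName": "deploy-sp", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Owner",
     "scope": SUB + "/resourceGroups/rg-app/providers/Microsoft.Web/sites/app1"},
])

def scope_level(scope: str) -> str:
    """Classify an ARM scope as managementGroup, subscription, resourceGroup,
    resource, or other (for example the tenant root scope "/")."""
    if scope.startswith(MG_PREFIX):
        return "managementGroup"
    parts = scope.strip("/").split("/")
    if parts[0].lower() != "subscriptions":
        return "other"
    if len(parts) == 2:
        return "subscription"
    if len(parts) == 4 and parts[2].lower() == "resourcegroups":
        return "resourceGroup"
    return "resource"

def find_standing_privileged(assignments_json: str) -> list[dict]:
    """Return each standing assignment of a privileged role with its scope level."""
    findings = []
    for a in json.loads(assignments_json):
        if a.get("roleDefinitionName") in PRIVILEGED_ROLES:
            findings.append({"principal": a.get("principalName"), "type": a.get("principalType"),
                             "role": a["roleDefinitionName"], "scope": a["scope"],
                             "level": scope_level(a["scope"])})
    return findings

if __name__ == "__main__":
    for f in find_standing_privileged(SAMPLE_ASSIGNMENTS):
        print(f"standing {f['role']}: {f['principal']} ({f['type']}) at {f['level']} {f['scope']}")
```

Run it against real output by replacing SAMPLE_ASSIGNMENTS with the CLI's JSON; each line it prints is a candidate for converting to an eligible assignment in PIM.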