Azure PIM Provisioning Policy for Microsoft Entra ID Groups

To assign a PIM role to a Microsoft Entra ID group, you must create a new security or Microsoft 365 group with the isAssignableToRole property set to true. In the Azure portal, set the Entra ID roles can be assigned to the group option to Yes when creating the group. One or more Azure or Microsoft Entra ID PIM roles can then be assigned to the group in the same way that roles are assigned to users.

Note
For an existing application, you must add the PIM attribute objects to the group schema so that group aggregation picks up the Microsoft Entra ID PIM roles assigned to each group.

Role-assignable groups have the following restrictions:

  • The isAssignableToRole property (the Entra ID roles can be assigned to the group option in the portal) can be set only when a new group is created.

  • The isAssignableToRole property is immutable. Once a group is created with this property set, it cannot be changed.

  • An existing group cannot be made into a role-assignable group.

  • A maximum of 500 role-assignable groups can be created in a single Microsoft Entra ID organization (tenant).

To fetch the groups’ attribute "isAssignableToRole", add the following in the group schema:

<AttributeDefinition name="isAssignableToRole" type="string">             
    <Description>isAssignableToRole</Description>
</AttributeDefinition>

To create a group that can be assigned to a Microsoft Entra ID role, the attribute isAssignableToRole must be added to the "Create group" policy:

<Field displayName="isAssignableToRole" helpKey="isAssignableToRole" name="isAssignableToRole" type="boolean"/>

Sample Provisioning Request:

<!DOCTYPE ProvisioningPlan PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<ProvisioningPlan targetIntegration="AzureAD-PIM" trackingId="3a3d098429f44f7d8625e5e151bfcf16">
    <Attributes>
        <Map>
            <entry key="requester" value="spadmin"/>
            <entry key="source" value="GroupManagement"/>
        </Map>
    </Attributes>
    <ObjectRequest application="AzureAD-PIM" op="Create" type="group">
        <AttributeRequest name="displayName" op="Set" value="SustGroupPim-3"/>
        <AttributeRequest name="mailNickname" op="Set" value="SustGroupPim-3"/>
        <AttributeRequest name="description" op="Set" value="SustGroupPim-3"/>
        <AttributeRequest name="groupTypes" op="Set" value="Security"/>
        <AttributeRequest name="teamsEnabled" op="Set">
            <Value>
                <Boolean></Boolean>
            </Value>
        </AttributeRequest>
        <AttributeRequest name="addOwnerAsMember" op="Set">
            <Value>
                <Boolean>true</Boolean>
            </Value>
        </AttributeRequest>
        <AttributeRequest name="isAssignableToRole" op="Set">
            <Value>
                <Boolean>true</Boolean>
            </Value>
        </AttributeRequest>
        <AttributeRequest name="azureADActiveRoles" op="Add" value="cf1c3**5-3621-4004-a7cb-879624dced7c">
            <Attributes>
                <Map>
                    <entry key="duration" value="PT2H"/>
                </Map>    
            </Attributes>
        </AttributeRequest>
    </ObjectRequest>
</ProvisioningPlan>

To update a group that can be assigned Microsoft Entra ID PIM roles, the attribute isAssignableToRole must be added to the "Update group" policy as read-only:

<Field displayName="isAssignableToRole" helpKey="isAssignableToRole" name="isAssignableToRole" type="boolean">
    <Attributes>
        <Map> <entry key="readOnly" value="true"/></Map>
    </Attributes>
</Field>

Sample Provisioning Request:

<!DOCTYPE ProvisioningPlan PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<ProvisioningPlan targetIntegration="AzureAD-PIM" trackingId="5d49ff88ae6c4063bd6103b8116cadc8">
    <Attributes>
        <Map>
            <entry key="requester" value="spadmin"/>
            <entry key="source" value="GroupManagement"/>
        </Map>
    </Attributes>
    <ObjectRequest application="AzureAD-PIM" nativeIdentity="a5e0c4ee-****-4811-aa6e-1aa4d91b1caa" op="Modify" type="group">
        <AttributeRequest name="azureActiveRoles" op="Add" value="/subscriptions/3bbb####c8-c792-4c43-9b4a-8c37b523cbf4/resourceGroups/NetworkWatcherRG:d17ce0a2-0697-43bc-aac5-9113337ab61c">
            <Attributes>
                <Map>
                    <entry key="duration" value="P180D"/>
                </Map>
            </Attributes>
        </AttributeRequest>
    </ObjectRequest>
</ProvisioningPlan>

Note
When adding PIM roles to groups, the native identity (unique identifier) of the role must be fetched from the "Entitlement Catalog" by viewing the value of the intended PIM role. It is also assumed that group aggregation has been performed before PIM roles are assigned to or removed from an existing role-assignable group during the "Update Group" operation.
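The restrictions above (roles can only be attached to a group created with isAssignableToRole set to true, the property is immutable afterwards, and each role assignment carries an ISO 8601 duration such as PT2H or P180D) are easy to violate in a hand-built ProvisioningPlan and are only reported by the connector at provisioning time. The following is an added example, not SailPoint's or Microsoft's code: a small Python linter that parses a ProvisioningPlan and checks the create and modify requests against those rules before the plan is submitted. The two sample plans are constructed here and modelled on the page's examples; their tracking ids, role ids and group ids are placeholders, and the attribute names azureADActiveRoles and azureActiveRoles are taken from the page.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the page's "Create group" request.
# Tracking id and role id are placeholders, not real tenant values.
CREATE_PLAN = """<!DOCTYPE ProvisioningPlan PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<ProvisioningPlan targetIntegration="AzureAD-PIM" trackingId="00000000000000000000000000000001">
  <ObjectRequest application="AzureAD-PIM" op="Create" type="group">
    <AttributeRequest name="displayName" op="Set" value="ExampleGroupPim"/>
    <AttributeRequest name="groupTypes" op="Set" value="Security"/>
    <AttributeRequest name="isAssignableToRole" op="Set">
      <Value><Boolean>true</Boolean></Value>
    </AttributeRequest>
    <AttributeRequest name="azureADActiveRoles" op="Add" value="00000000-0000-0000-0000-000000000001">
      <Attributes><Map><entry key="duration" value="PT2H"/></Map></Attributes>
    </AttributeRequest>
  </ObjectRequest>
</ProvisioningPlan>
"""

# Constructed sample of a bad "Update group" request: it tries to flip the
# immutable isAssignableToRole property and uses a non-ISO 8601 duration.
BAD_MODIFY_PLAN = """<!DOCTYPE ProvisioningPlan PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<ProvisioningPlan targetIntegration="AzureAD-PIM" trackingId="00000000000000000000000000000002">
  <ObjectRequest application="AzureAD-PIM" nativeIdentity="00000000-0000-0000-0000-0000000000aa" op="Modify" type="group">
    <AttributeRequest name="isAssignableToRole" op="Set" value="false"/>
    <AttributeRequest name="azureActiveRoles" op="Add" value="/subscriptions/00000000-0000-0000-0000-000000000003/resourceGroups/ExampleRG:00000000-0000-0000-0000-000000000004">
      <Attributes><Map><entry key="duration" value="180 days"/></Map></Attributes>
    </AttributeRequest>
  </ObjectRequest>
</ProvisioningPlan>
"""

# Attribute names the page uses for Entra ID PIM roles and Azure resource PIM roles.
ROLE_ATTRIBUTES = {"azureADActiveRoles", "azureActiveRoles"}

# ISO 8601 duration: P[nY][nM][nW][nD][T[nH][nM][nS]], with at least one component.
ISO_DURATION = re.compile(
    r"^P(?!$)(\d+Y)?(\d+M)?(\d+W)?(\d+D)?(T(?=\d)(\d+H)?(\d+M)?(\d+S)?)?$"
)


def _bool_value(req):
    """Boolean carried by an AttributeRequest, either as value= or as <Value><Boolean>."""
    raw = req.get("value")
    if raw is None:
        node = req.find("Value/Boolean")
        raw = node.text if node is not None else None
    if raw is None:
        return None
    return raw.strip().lower() == "true"


def _duration(req):
    """The duration entry attached to a role AttributeRequest, or None."""
    entry = req.find("Attributes/Map/entry[@key='duration']")
    return None if entry is None else entry.get("value")


def lint_plan(xml_text):
    """Return a list of findings; an empty list means the plan satisfies the page's rules."""
    findings = []
    root = ET.fromstring(xml_text)
    for obj in root.iter("ObjectRequest"):
        if obj.get("type") != "group":
            continue
        op = obj.get("op")
        reqs = obj.findall("AttributeRequest")
        role_reqs = [r for r in reqs if r.get("name") in ROLE_ATTRIBUTES]
        assignable = next((r for r in reqs if r.get("name") == "isAssignableToRole"), None)

        if op == "Create":
            # Roles can only be attached to a group created as role-assignable.
            if role_reqs and (assignable is None or _bool_value(assignable) is not True):
                findings.append("Create: PIM roles requested but isAssignableToRole is not set to true")
        elif op == "Modify":
            # isAssignableToRole is immutable once the group exists.
            if assignable is not None:
                findings.append("Modify: isAssignableToRole is immutable and must not be changed")
            if not obj.get("nativeIdentity"):
                findings.append("Modify: nativeIdentity of the existing group is missing")

        # Every role assignment must carry a well-formed ISO 8601 duration.
        for req in role_reqs:
            dur = _duration(req)
            if dur is None or not ISO_DURATION.match(dur):
                findings.append(f"{req.get('name')}: duration {dur!r} is not an ISO 8601 duration")
    return findings


if __name__ == "__main__":
    for label, plan in (("create", CREATE_PLAN), ("modify", BAD_MODIFY_PLAN)):
        print(label, lint_plan(plan) or "OK")
```

The linter only checks structure the page describes; it does not resolve the role identifiers, which still have to be taken from the Entitlement Catalog as the note above says.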