|
| 1 | +--- |
| 2 | +title: Activate eligible Azure role assignments (Preview) - Azure RBAC |
| 3 | +description: Learn how to activate eligible Azure role assignments in Azure role-based access control (Azure RBAC) using the Azure portal. |
| 4 | +author: rolyon |
| 5 | +manager: amycolannino |
| 6 | +ms.service: role-based-access-control |
| 7 | +ms.topic: how-to |
| 8 | +ms.date: 06/27/2024 |
| 9 | +ms.author: rolyon |
| 10 | +--- |
| 11 | + |
| 12 | +# Activate eligible Azure role assignments (Preview) |
| 13 | + |
| 14 | +> [!IMPORTANT] |
| 15 | +> Azure role assignment integration with Privileged Identity Management is currently in PREVIEW. |
| 16 | +> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability. |
| 17 | +
|
| 18 | +Eligible Azure role assignments provide just-in-time access to a role for a limited period of time. Microsoft Entra Privileged Identity Management (PIM) role activation has been integrated into the Access control (IAM) page in the Azure portal. If you have been made eligible for an Azure role, you can activate that role using the Azure portal. This capability is being deployed in stages, so it might not be available yet in your tenant or your interface might look different. |
| 19 | + |
| 20 | +## Prerequisites |
| 21 | + |
| 22 | +- Microsoft Entra ID P2 license or Microsoft Entra ID Governance license |
| 23 | +- [Eligible role assignment](./role-assignments-portal.yml#step-6-select-assignment-type-(preview)) |
| 24 | +- `Microsoft.Authorization/roleAssignments/read` permission, such as [Reader](./built-in-roles/general.md#reader) |
| 25 | + |
| 26 | +## Activate group membership (if needed) |
| 27 | + |
| 28 | +If you have been made eligible for a group ([PIM for Groups](/entra/id-governance/privileged-identity-management/concept-pim-for-groups)) and this group has an eligible role assignment, you must first activate your group membership before you can see the eligible role assignment for the group. For this scenario, you must activate twice - first for the group and then for the role. |
| 29 | + |
| 30 | +For steps on how to activate your group membership, see [Activate your group membership or ownership in Privileged Identity Management](/entra/id-governance/privileged-identity-management/groups-activate-roles). |
| 31 | + |
| 32 | +## Activate role using the Azure portal |
| 33 | + |
| 34 | +These steps describe how to activate an eligible role assignment using the Azure portal. |
| 35 | + |
| 36 | +1. Sign in to the [Azure portal](https://portal.azure.com). |
| 37 | + |
| 38 | +1. Click **All services** and then select the scope. For example, you can select **Management groups**, **Subscriptions**, **Resource groups**, or a resource. |
| 39 | + |
| 40 | +1. Click the specific resource. |
| 41 | + |
| 42 | +1. Click **Access control (IAM)**. |
| 43 | + |
| 44 | +1. Click **Activate role**. |
| 45 | + |
| 46 | + The **assignments** pane appears and lists your eligible role assignments. |
| 47 | + |
| 48 | + :::image type="content" source="./media/role-assignments-eligible-activate/activate-role.png" alt-text="Screenshot of Access control page and Activate role assignments pane." lightbox="./media/role-assignments-eligible-activate/activate-role.png"::: |
| 49 | + |
| 50 | +1. Add a check mark next to a role you want to activate and then click **Activate role**. |
| 51 | + |
| 52 | + The **Activate** pane appears with activate settings. |
| 53 | + |
| 54 | +1. On the **Activate** tab, specify the start time, duration, and reason. If you want to customize the activation start time, check the **Custom activation start time** box. |
| 55 | + |
| 56 | + :::image type="content" source="./media/role-assignments-eligible-activate/activate-role-settings.png" alt-text="Screenshot of Activate pane and Activate tab that shows start time, duration, and reason settings." lightbox="./media/role-assignments-eligible-activate/activate-role-settings.png"::: |
| 57 | + |
| 58 | +1. (Optional) Click the **Scope** tab to specify the scope for the role assignment. |
| 59 | + |
| 60 | + If your eligible role assignment was defined at a higher scope, you can select a lower scope to narrow your access. For example, if you have an eligible role assignment at subscription scope, you can choose resource groups in the subscription to narrow your scope. |
| 61 | + |
| 62 | + :::image type="content" source="./media/role-assignments-eligible-activate/activate-role-scope.png" alt-text="Screenshot of Activate pane and Scope tab that shows scope settings." lightbox="./media/role-assignments-eligible-activate/activate-role-scope.png"::: |
| 63 | + |
| 64 | +1. When finished, click the **Activate** button to activate the role with the selected settings. |
| 65 | + |
| 66 | + Progress messages appear to indicate the status of the activation. |
| 67 | + |
| 68 | + :::image type="content" source="./media/role-assignments-eligible-activate/activate-role-status.png" alt-text="Screenshot of Activate pane that shows activation status." lightbox="./media/role-assignments-eligible-activate/activate-role-status.png"::: |
| 69 | + |
| 70 | + When activation is complete, you see a message that the role was successfully activated. |
| 71 | + |
| 72 | + Once an eligible role assignment has been activated, it will be listed as an active time-bound role assignment on the **Role assignments** tab. For more information, see [List Azure role assignments using the Azure portal](./role-assignments-list-portal.yml#list-role-assignments-at-a-scope). |
| 73 | + |
| 74 | +## Next steps |
| 75 | + |
| 76 | +- [Integration with Privileged Identity Management (Preview)](./role-assignments.md#integration-with-privileged-identity-management-preview) |
| 77 | +- [Activate my Azure resource roles in Privileged Identity Management](/entra/id-governance/privileged-identity-management/pim-resource-roles-activate-your-roles) |
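Review bot: The "Eligible role assignment" link at line 23 uses the anchor `#step-6-select-assignment-type-(preview)`, which keeps the parentheses, while the link at line 76 to a heading that also ends in "(Preview)" uses `-preview` with the parentheses dropped. The line 23 anchor probably does not resolve; check it against the target heading and, if it follows the same convention, change it to `#step-6-select-assignment-type-preview`. Separately, line 46 names the pane **assignments** but the alt text at line 48 calls it "Activate role assignments pane", so use the exact UI label in both places. The Scope step at line 58 is marked optional, yet line 60 says a lower scope narrows access; consider recommending that users activate at the narrowest scope that covers the task.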