|
1 | 1 | ---
|
2 | 2 | title: Create eligible authorizations
|
3 | 3 | description: When onboarding customers to Azure Lighthouse, you can let users in your managing tenant elevate their role on a just-in-time basis.
|
4 |
| -ms.date: 01/05/2024 |
| 4 | +ms.date: 06/03/2024 |
5 | 5 | ms.topic: how-to
|
6 | 6 | ms.custom: devx-track-arm-template
|
7 | 7 | ---
|
8 | 8 |
|
9 | 9 | # Create eligible authorizations
|
10 | 10 |
|
11 |
| -When onboarding customers to Azure Lighthouse, you create authorizations to grant specified Azure built-in roles to users in your managing tenant. You can also create eligible authorizations that use [Microsoft Entra Privileged Identity Management (PIM)](../../active-directory/privileged-identity-management/pim-configure.md) to let users in your managing tenant temporarily elevate their role. This lets you grant additional permissions on a just-in-time basis so that users only have those permissions for a set duration. |
| 11 | +When onboarding customers to Azure Lighthouse, you create authorizations to grant specified Azure built-in roles to users in your managing tenant. You can also create eligible authorizations that use [Microsoft Entra Privileged Identity Management (PIM)](/entra/id-governance/privileged-identity-management/pim-configure) to let users in your managing tenant temporarily elevate their role. This lets you grant additional permissions on a just-in-time basis so that users only have those permissions for a set duration. |
12 | 12 |
|
13 | 13 | Creating eligible authorizations lets you minimize the number of permanent assignments of users to privileged roles, helping to reduce security risks related to privileged access by users in your tenant.
|
14 | 14 |
|
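Review bot: the link rewrite on line 11 is a consistency fix worth calling out in the PR description: the new root path `/entra/id-governance/privileged-identity-management/pim-configure` matches the form of the other Entra links already in this file (lines 69, 263 and 267 all use `/entra/...`), so this hunk removes the last repo-relative `../../active-directory/` reference, and the `ms.date` bump to 06/03/2024 is the expected companion metadata change. Since the old target lived under a differently named folder (`active-directory`), it is worth opening the new path once to confirm it resolves rather than relying on the rename alone.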
@@ -62,8 +62,6 @@ The role can be any Azure built-in role that is [supported for Azure delegated r
|
62 | 62 |
|
63 | 63 | The access policy defines the multifactor authentication requirements, the length of time a user will be activated in the role before it expires, and whether approvers are required.
|
64 | 64 |
|
65 |
| -<a name='multi-factor-authentication'></a> |
66 |
| - |
67 | 65 | #### Multifactor authentication
|
68 | 66 |
|
69 | 67 | Specify whether or not to require [Microsoft Entra multifactor authentication](/entra/identity/authentication/concept-mfa-howitworks) in order for an eligible role to be activated.
|
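Review bot: the removed `<a name='multi-factor-authentication'></a>` on line 65 was the only thing keeping the hyphenated `#multi-factor-authentication` fragment addressable; the heading on the new line 65 yields a `#multifactor-authentication` slug, so any bookmarks or cross-page links that still use the hyphenated form will fall back to the top of the page. If the anchor was dropped because no inbound links to the old fragment remain, say so in the PR description; otherwise keep the single line `<a name='multi-factor-authentication'></a>` above the heading.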
@@ -262,8 +260,6 @@ After you onboard a customer to Azure Lighthouse, any eligible roles you include
|
262 | 260 |
|
263 | 261 | Each user can elevate their access at any time by visiting the **My customers** page in the Azure portal, selecting a delegation, and then selecting **Manage eligible roles**. After that, they can follow the [steps to activate the role](/entra/id-governance/privileged-identity-management/pim-resource-roles-activate-your-roles) in Microsoft Entra Privileged Identity Management.
|
264 | 262 |
|
265 |
| -:::image type="content" source="../media/manage-eligible-roles.png" alt-text="Screenshot showing the Manage eligible roles button in the Azure portal."::: |
266 |
| - |
267 | 263 | If approvers have been specified, the user won't have access to the role until approval is granted by a designated [approver from the managing tenant](#approvers). All of the approvers will be notified when approval is requested, and the user won't be able to use the eligible role until approval is granted. Approvers will also be notified when that happens. For more information about the approval process, see [Approve or deny requests for Azure resource roles in Privileged Identity Management](/entra/id-governance/privileged-identity-management/pim-resource-roles-approval-workflow).
|
268 | 264 |
|
269 | 265 | Once the eligible role has been activated, the user will have that role for the full duration specified in the eligible authorization. After that time period, they will no longer be able to use that role, unless they repeat the elevation process and elevate their access again.
|
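Review bot: line 265 drops the `../media/manage-eligible-roles.png` screenshot, but nothing in this hunk deletes or re-references the image file, so either remove the file in the same commit or note where it is still used to avoid an orphan in the media folder. The text on line 261 still names the **Manage eligible roles** control explicitly, so the step remains followable without the image.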
|