articles/active-directory/privileged-identity-management/groups-role-settings.md
20 additions & 5 deletions
@@ -10,17 +10,17 @@ ms.topic: how-to
10
10
ms.tgt_pltfrm: na
11
11
ms.workload: identity
12
12
ms.subservice: pim
13
-
ms.date: 01/12/2023
13
+
ms.date: 01/27/2023
14
14
ms.author: amsliu
15
15
ms.custom: pim
16
16
ms.collection: M365-identity-device-management
17
17
---
18
18
19
19
# Configure PIM for Groups settings (preview)
20
20
21
-
In Privileged Identity Management (PIM) for groups in Azure Active Directory (Azure AD), part of Microsoft Entra, role settings define membership/ownership assignment properties: MFA and approval requirements for activation, assignment maximum duration, notification settings, etc. Use the following steps to configure role settings – i.e., setup the approval workflow to specify who can approve or deny requests to elevate privilege.
21
+
In Privileged Identity Management (PIM) for groups in Azure Active Directory (Azure AD), part of Microsoft Entra, role settings define membership or ownership assignment properties: MFA and approval requirements for activation, assignment maximum duration, notification settings, etc. Use the following steps to configure role settings and setup the approval workflow to specify who can approve or deny requests to elevate privilege.
22
22
23
-
You need to have Global Administrator, Privileged Role Administrator, or group Owner permissions to manage settings for membership/ownership assignments of the group. Role settings are defined per role per group: all assignments for the same role (member/owner) for the same group follow same role settings. Role settings of one group are independent from role settings of another group. Role settings for one role (member) are independent from role settings for another role (owner).
23
+
You need to have Global Administrator, Privileged Role Administrator, or group Owner permissions to manage settings for membership or ownership assignments of the group. Role settings are defined per role per group: all assignments for the same role (member or owner) for the same group follow same role settings. Role settings of one group are independent from role settings of another group. Role settings for one role (member) are independent from role settings for another role (owner).
24
24
25
25
26
26
## Update role settings
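Review bot: In the rewritten introduction, "setup the approval workflow" should be "set up the approval workflow" (verb form), and the sentence now joins two actions with a bare "and"; suggest "Use the following steps to configure role settings and set up the approval workflow that specifies who can approve or deny requests to elevate privilege." In the second rewritten paragraph, "follow same role settings" is missing an article: "follow the same role settings".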
@@ -53,14 +53,28 @@ Follow these steps to open the settings for a group role.
53
53
54
54
Use the **Activation maximum duration** slider to set the maximum time, in hours, that an activation request for a role assignment remains active before it expires. This value can be from one to 24 hours.
55
55
56
-
### Require multi-factor authentication (MFA) on activation
56
+
### On activation, require multi-factor authentication
57
57
58
58
You can require users who are eligible for a role to prove who they are using Azure AD Multi-Factor Authentication before they can activate. Multi-factor authentication ensures that the user is who they say they are with reasonable certainty. Enforcing this option protects critical resources in situations when the user account might have been compromised.
59
59
60
60
User may not be prompted for multi-factor authentication if they authenticated with strong credential or provided multi-factor authentication earlier in this session.
61
61
62
62
For more information, see [Multifactor authentication and Privileged Identity Management](pim-how-to-require-mfa.md).
63
63
64
+
### On activation, require Azure AD Conditional Access authentication context (Public Preview)
65
+
66
+
You can require users who are eligible for a role to satisfy Conditional Access policy requirements: use specific authentication method enforced through Authentication Strengths, elevate the role from Intune compliant device, comply with Terms of Use, and more.
1. Configure Conditional Access policy that would enforce requirements for this authentication context.
72
+
1. Configure authentication context in PIM settings for the role.
73
+
74
+
:::image type="content" source="media/pim-for-groups/pim-group-21.png" alt-text="Screenshot of the Edit role settings Member page." lightbox="media/pim-for-groups/pim-group-21.png":::
75
+
76
+
To learn more about Conditional Access authentication context, see [Conditional Access: Cloud apps, actions, and authentication context](../conditional-access/concept-conditional-access-cloud-apps.md#authentication-context).
77
+
64
78
### Require justification on activation
65
79
66
80
You can require that users enter a business justification when they activate the eligible assignment.
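Review bot: The new authentication context section asks the reader to configure a Conditional Access policy "for this authentication context" before any authentication context has been introduced, so the two numbered steps have nothing to refer to; add a first step that creates and publishes the authentication context (or link to where that is done), then the policy step, then the PIM role-settings step. Minor wording in the same block: "use specific authentication method" should be "use a specific authentication method", and "from Intune compliant device" should be "from an Intune-compliant device". The heading label "(Public Preview)" differs from the article title's "(preview)"; pick one. The screenshot alt-text "Screenshot of the Edit role settings Member page." does not mention the authentication context setting the image is meant to show.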
@@ -99,7 +113,8 @@ And, you can choose one of these **active** assignment duration options:
99
113
### Require multi-factor authentication on active assignment
100
114
101
115
You can require that administrator or group owner provides multi-factor authentication when they create an active (as opposed to eligible) assignment. Privileged Identity Management can't enforce multi-factor authentication when the user uses their role assignment because they are already active in the role from the time that it is assigned.
102
-
User may not be prompted for multi-factor authentication if they authenticated with strong credential or provided multi-factor authentication earlier in this session.
116
+
117
+
Administrator or group owner may not be prompted for multi-factor authentication if they authenticated with strong credential or provided multi-factor authentication earlier in this session.
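Review bot: The reworded sentence still lacks an article: "authenticated with a strong credential". Since this hunk now names the administrator or group owner as the subject, the parallel sentence in the activation section above ("User may not be prompted for multi-factor authentication if they authenticated with strong credential...") keeps the old wording; if the distinction is intentional (end user activating versus administrator assigning), a short clause saying so would keep the two notes from reading as an inconsistency.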