
Roleassignments Add User To Administrator

Azure AD Privileged Identity Management: How to add or remove a user role

With Azure Active Directory (AD), a global administrator (or company administrator) can update which users are permanently assigned to roles in Azure AD. This is done with PowerShell cmdlets like and . Or they can use the Azure portal as described in assigning administrator roles in Azure Active Directory.

The Azure AD Privileged Identity Management application allows privileged role administrators to make permanent role assignments, as well. Additionally, privileged role administrators can make users eligible for admin roles. An eligible admin can activate the role when they need it, and then their permissions expire once they're done.

Manage roles with PIM in the Azure portal

In your organization, you can assign users to different administrative roles in Azure AD, Office 365, and other Microsoft services and applications. More details on the available roles can be found at Roles in Azure AD PIM.

To add or remove a user in a role using Privileged Identity Management, bring up the PIM dashboard. Then either click the Users in Admin Roles button, or select a specific role (such as Global Administrator) from the roles table.

If you want to give another user access to PIM itself, the roles which PIM requires the user to have are described further in how to give access to PIM.

Add a user to a role

  1. In the Azure portal, select the Azure AD Privileged Identity Management tile on the dashboard.
  2. Select Manage privileged roles.
  3. In the Role summary table, select the role you want to manage.
  4. In the role blade, select Add.
  5. Click Select users and search for the user on the Select users blade.
  6. Select the user from the search results list, and click Done.
  7. Click OK to save your selection. The user you have selected will appear in the list as eligible for the role.

Note

New users in a role are only eligible for the role by default. If you want to make the role permanent, click the user in the list. The user's information will appear in a new blade. Select Make perm in the user information menu.
If a user cannot register for Azure Multi-Factor Authentication (MFA), or is using a Microsoft account (usually @outlook.com), you need to make them permanent in all their roles. Eligible admins are asked to register for MFA during activation.

Now that the user is eligible for a role, let them know that they can activate it according to the instructions in How to activate or deactivate a role.

Remove a user from a role

You can remove users from eligible role assignments, but make sure there is always at least one user who is a permanent global administrator.

Follow these steps to remove a specific user from a role:

  1. Navigate to the role in the role list either by selecting a role in the Azure AD PIM dashboard or by clicking on the Users in Admin Roles button.
  2. Click on the user in the user list.
  3. Click Remove. A message will ask you to confirm.
  4. Click Yes to remove the role from the user.

If you're not sure which users still need their role assignments, then you can start an access review for the role.
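The two invariants this section states (never remove the last permanent global administrator; users who cannot complete MFA, such as Microsoft-account users, must be permanent rather than eligible) can be checked before a change is made. The following is an added illustration, not Microsoft's code or any PIM API: it assumes a simple list of assignment records exported from the portal, with a constructed sample inline.

```python
PERMANENT, ELIGIBLE = "permanent", "eligible"
GLOBAL_ADMIN = "Global Administrator"

# Constructed sample of PIM-style role assignments (not exported from a tenant).
# mfa_capable=False stands for users who cannot register for Azure MFA or who
# sign in with a Microsoft account, which the note above says must be permanent.
ASSIGNMENTS = [
    {"user": "alice@contoso.example", "role": GLOBAL_ADMIN, "type": PERMANENT, "mfa_capable": True},
    {"user": "bob@contoso.example", "role": GLOBAL_ADMIN, "type": ELIGIBLE, "mfa_capable": True},
    {"user": "vendor@outlook.com", "role": "User Administrator", "type": ELIGIBLE, "mfa_capable": False},
]

def permanent_global_admins(assignments):
    """Users holding a permanent Global Administrator assignment."""
    return sorted(a["user"] for a in assignments
                  if a["role"] == GLOBAL_ADMIN and a["type"] == PERMANENT)

def removal_blockers(assignments, user, role):
    """Reasons why removing `user` from `role` should be refused; empty if safe.
    Enforces the rule that at least one permanent global administrator remains."""
    reasons = []
    if role == GLOBAL_ADMIN and permanent_global_admins(assignments) == [user]:
        reasons.append(f"{user} is the only permanent {GLOBAL_ADMIN}")
    return reasons

def eligibility_violations(assignments):
    """Users with eligible assignments who cannot complete MFA at activation;
    these should be made permanent instead, as the note above describes."""
    return sorted({a["user"] for a in assignments
                   if a["type"] == ELIGIBLE and not a["mfa_capable"]})

def remove_assignment(assignments, user, role):
    """Return a new list without the assignment, or raise if a blocker applies."""
    blockers = removal_blockers(assignments, user, role)
    if blockers:
        raise PermissionError("; ".join(blockers))
    return [a for a in assignments if not (a["user"] == user and a["role"] == role)]

if __name__ == "__main__":
    print("permanent GAs:", permanent_global_admins(ASSIGNMENTS))
    print("must be permanent:", eligibility_violations(ASSIGNMENTS))
    print("blockers for alice:", removal_blockers(ASSIGNMENTS, "alice@contoso.example", GLOBAL_ADMIN))
```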

Next steps

The Directory API lets you use role-based access control to manage user access to features in your domain. You do this by managing privileges and roles and their assignment to users.

Overview

A privilege is necessary to perform certain tasks and operations in a domain. A role is a collection of privileges (of possibly different services like the Users service, Chrome, and so on) that grants users with that role the ability to perform certain tasks or operations. A role assignment is a record of a particular role given to a user.

The methods in this guide can be used to create roles and manage role assignments for users in a domain. The general process involves using the following three resources:

  • The privileges resource is used to get a list of supported privileges in the domain.
  • The roles resource is used to create new roles or get existing roles.
  • The roleAssignments resource is used to assign a role to a user in the domain.

Get supported privileges

To get a list of supported privileges, use the following GET request and include the authorization described in Authorize requests.

  • If you are an administrator getting privileges in your own domain, use as the customer ID.

  • If you are a reseller getting privileges for one of your customers, use the customer ID returned by the Retrieve a user operation.

Request

GET https://www.googleapis.com/admin/directory/v1/customer//roles/ALL/privileges

Response

A successful response returns an HTTP 200 status code. Along with the status code, the response returns the privileges supported in the domain:

Get existing roles

To get a list of existing roles, use the following GET request and include the authorization described in Authorize requests.

  • If you are an administrator getting roles in your own domain, use as the customer ID.

  • If you are a reseller getting roles for a customer, use the customer ID that you got using the Retrieve a user operation.

Request

GET https://www.googleapis.com/admin/directory/v1/customer//roles

Response

A successful response returns an HTTP 200 status code. Along with the status code, the response returns the roles that exist in the domain:

Create a role

To create a new role, use the following POST request and include the authorization described in Authorize requests. Add a and for each privilege that should be granted with this role. For the request and response properties, see the API Reference:

Request

POST https://www.googleapis.com/admin/directory/v1/customer//roles
{
  "roleName": "My New Role",
  "rolePrivileges": [
    { "privilegeName": "USERS_ALL", "serviceId": "00haapch16h1ysv" },
    { "privilegeName": "GROUPS_ALL", "serviceId": "00haapch16h1ysv" }
  ]
}

Response

A successful response returns an HTTP 201 status code. Along with the status code, the response returns the properties for the new role:

Create a role assignment

To assign a role to a user, use the following POST method and include the authorization described in Authorize requests. Add a JSON body with the user_id of the user, which you can get from users.get(), and the roleId as described in Get existing roles.

Request

POST https://www.googleapis.com/admin/directory/v1/customer//roleassignments
{
  "roleId": "3894208461012995",
  "assignedTo": "100662996240850794412",
  "scopeType": "CUSTOMER"
}

Response

A successful response returns an HTTP 201 status code. Along with the status code, the response returns the properties for the new role assignment:
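The three-resource flow above (list supported privileges, create a role from a subset of them, assign it to a user) is illustrated below as an added example; it is not Google's client library or sample code. It builds the request method, URL and JSON body for each call without sending anything, and validates that every privilege requested for a new role actually appears in the privileges listing first. The customer ID, the privileges response and the child privilege name are constructed, and the nested childPrivileges field is an assumption about the listing's shape.

```python
import json
from urllib.parse import quote

BASE = "https://www.googleapis.com/admin/directory/v1"

# Constructed sample of a privileges listing (shape assumed: items carrying
# privilegeName, serviceId and optional nested childPrivileges).
SAMPLE_PRIVILEGES = {"items": [
    {"privilegeName": "USERS_ALL", "serviceId": "00haapch16h1ysv",
     "childPrivileges": [{"privilegeName": "USERS_CREATE", "serviceId": "00haapch16h1ysv"}]},
    {"privilegeName": "GROUPS_ALL", "serviceId": "00haapch16h1ysv"},
]}

def supported_privileges(listing):
    """Flatten the privileges response into a set of (privilegeName, serviceId),
    descending into childPrivileges so nested privileges count as supported."""
    found = set()
    def walk(items):
        for p in items:
            found.add((p["privilegeName"], p["serviceId"]))
            walk(p.get("childPrivileges", []))
    walk(listing.get("items", []))
    return found

def build_create_role(customer_id, role_name, role_privileges, supported):
    """Return (method, url, body) for POST .../roles after checking that every
    requested privilege exists in the domain; unknown ones raise ValueError."""
    unknown = [p for p in role_privileges
               if (p["privilegeName"], p["serviceId"]) not in supported]
    if unknown:
        raise ValueError(f"privileges not supported in this domain: {unknown}")
    url = f"{BASE}/customer/{quote(customer_id, safe='')}/roles"
    return "POST", url, {"roleName": role_name, "rolePrivileges": list(role_privileges)}

def build_create_assignment(customer_id, role_id, user_id, scope_type="CUSTOMER"):
    """Return (method, url, body) for POST .../roleassignments."""
    url = f"{BASE}/customer/{quote(customer_id, safe='')}/roleassignments"
    return "POST", url, {"roleId": role_id, "assignedTo": user_id, "scopeType": scope_type}

def check_created(status_code, body):
    """Create calls answer 201 with the new resource's properties; anything else is an error."""
    if status_code != 201:
        raise RuntimeError(f"expected 201 Created, got {status_code}")
    return body

if __name__ == "__main__":
    supported = supported_privileges(SAMPLE_PRIVILEGES)
    method, url, body = build_create_role("C01a2b3c4", "My New Role",  # constructed customer ID
        [{"privilegeName": "USERS_ALL", "serviceId": "00haapch16h1ysv"}], supported)
    print(method, url, json.dumps(body, indent=2))
```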

Assign Admin Console UI roles

To assign roles for users that will access their privileges through the Admin Console UI, certain extra privileges may need to be granted. For example, to grant a user the ability to create other users through the Admin Console UI, not only is the privilege required but also the and privileges. The following table is an exhaustive list mapping the Admin Console UI functionality to the corresponding required privilege grants.

Admin Console UI Functionality | Privileges Needed
Organizational Units - Read
Organizational Units - Create +
Organizational Units - Update +
Organizational Units - Delete +
Organizational Units
Users - Read +
Users - Create + +
Users - Update +
Users - Move Users + +
Users - Rename Users + +
Users - Reset Password + +
Users - Force Password Change + +
Users - Add/Remove Aliases + +
Users - Suspend Users + +
GROUPS
Security - User Security Management + +