Creating a role assignment – Planning and Managing Roles in Microsoft 365
You can configure PIM for a role by following this procedure:
- Navigate to the Azure AD portal (https://portal.azure.com). Enter Identity Governance into the search bar and select the Identity Governance option.
- Under Privileged Identity Management, select Azure AD roles.
- Under Manage, select Roles.

Figure 6.13 – Role assignments
- Select the role you wish to configure an assignment for, such as the Exchange Administrator role.
- Click Add assignments.
- On the Membership tab of the Add assignments page, under Select member(s), click No member selected to bring up the Select a member flyout.
- On the Select a member flyout, choose one or more members and click Select.

Figure 6.14 – Selecting members
- On the Add assignments page, click Next.
- On the Setting tab of the assignment page, select an assignment type, such as Eligible. In this instance, if you want users to be eligible to request elevation for the duration of the time period that their account is enabled, select Permanently eligible. Click Assign.

Figure 6.15 – Configuring the assignment type and eligibility duration
- Click Assign.
From this point, the users that you have selected can activate their role assignment from the Azure AD portal.
Reviewing role assignments
You can review all of the assignments that you’ve created in the Azure AD portal. To view the role assignments, navigate to the Identity Governance blade and then select Azure AD roles | Assignments.

Figure 6.16 – Viewing role assignments
Under the Eligible assignments tab, assignments are listed under their respective Azure AD roles. The Active assignments tab lists individuals with various role assignments, including their end dates and whether they’re permanent.

Figure 6.17 – Viewing active assignments
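
The portal procedure and the review step above can also be scripted. The following is an added example, not code from the original text: it uses the Microsoft Graph PowerShell SDK to make one user permanently eligible for the Exchange Administrator role and then lists the role's eligible and active assignments. The user principal name and justification text are constructed placeholders, and the script assumes the signed-in account is allowed to manage PIM assignments.

```powershell
# Added example. Assumes the Microsoft.Graph PowerShell SDK is installed.
Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory', 'User.Read.All'

$userUpn  = 'adele@contoso.example'     # constructed placeholder UPN
$roleName = 'Exchange Administrator'

$user = Get-MgUser -UserId $userUpn
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
if (-not $role) { throw "Role '$roleName' not found in this tenant." }
$roleFilter = "roleDefinitionId eq '$($role.Id)'"

# Current eligible assignments for the role (the Eligible assignments tab).
$eligible = @(Get-MgRoleManagementDirectoryRoleEligibilitySchedule -All -Filter $roleFilter)

# Only submit a request if the user is not already eligible for the role.
if ($eligible.PrincipalId -notcontains $user.Id) {
    $request = @{
        Action           = 'adminAssign'
        Justification    = 'Eligible assignment created by script'   # placeholder text
        PrincipalId      = $user.Id
        RoleDefinitionId = $role.Id
        DirectoryScopeId = '/'                               # tenant-wide scope
        ScheduleInfo     = @{
            StartDateTime = (Get-Date).ToUniversalTime()
            Expiration    = @{ Type = 'noExpiration' }       # "Permanently eligible"
        }
    }
    New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $request | Out-Null
    $eligible = @(Get-MgRoleManagementDirectoryRoleEligibilitySchedule -All -Filter $roleFilter)
}

# Active assignments for the same role (the Active assignments tab).
$active = @(Get-MgRoleManagementDirectoryRoleAssignmentSchedule -All -Filter $roleFilter)

# One combined report: state, principal, end date, and whether it never expires.
$report = foreach ($set in @(@{ State = 'Eligible'; Items = $eligible },
                             @{ State = 'Active';   Items = $active })) {
    foreach ($item in $set.Items) {
        [pscustomobject]@{
            State       = $set.State
            PrincipalId = $item.PrincipalId
            MemberType  = $item.MemberType
            EndDateTime = $item.ScheduleInfo.Expiration.EndDateTime
            Permanent   = ($item.ScheduleInfo.Expiration.Type -eq 'noExpiration')
        }
    }
}
$report | Sort-Object State, PrincipalId | Format-Table -AutoSize
```

Rows with State set to Active and Permanent set to True are standing privileged access and are the ones to check first when reviewing the output.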