introduction
In the previous article we saw how to assign an eligible privileged role to a user, and also that the user could activate his eligible role by himself without needing approval from an approver.
In this article we will see how to force an approval workflow before an eligible role can be activated.
when to use approval workflow for eligible role
There are times when you need to configure an approval workflow for activating an eligible privileged role, for example:
- your organization has a change management process, so every privileged activation must be approved and recorded
- an external contractor needs access that must be approved each time it is used
PIM approvers license requirements
Before configuring the PIM approval workflow, we need to know that approvers require one of the following licenses:
- EMS E5
- Azure AD P2
configure approval workflow for eligible role
The first step is to force the approval workflow for activation of the eligible privileged role:
- log in to the Azure portal as a PIM administrator (Privileged Role Administrator)
- search for PIM (Privileged Identity Management)
- open the role settings of the role (here Exchange Administrator), tick "Require approval to activate" and select the approvers (bisa and ahmad)
Note that if approval is required but no approver is selected, the request goes to the Privileged Role Administrators by default, so always pick the approvers explicitly.
assign eligible role to user
In the previous article we saw how to assign an eligible role to the user abdulla.
Now we will assign the same role to hisham:
- log in to the Azure portal
- search for PIM
- select the Exchange role >> eligible assignment >> add assignment
approval workflow
The user now tries to activate the role as in the previous article,
but this time the user hisham will NOT be able to activate his role by himself.
Instead,
the activation request is sent to the approvers (bisa and ahmad), and the role is only activated after one of them approves it.
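The same role setting can be applied and audited through the Microsoft Graph API instead of the portal. The block below is an added example, not code from the original article: it builds the Approval_EndUser_Assignment rule that forces approval on activation (the configure step above) and contains a check that reports, from a role's policy rules, whether self-activation still works without approval and who the approvers are (the outcome described in this section). It assumes the caller already has a Graph access token with RoleManagementPolicy.ReadWrite.Directory and RoleManagement.Read.Directory permissions; the user ids for bisa and ahmad are placeholders.

```python
"""Force PIM approval for eligible-role activation via Microsoft Graph.

Added example, not code from the original article. Assumes a Graph token with
RoleManagementPolicy.ReadWrite.Directory and RoleManagement.Read.Directory.
"""
import json
import urllib.parse
import urllib.request
from typing import List, Optional, Tuple

GRAPH = "https://graph.microsoft.com/v1.0"
ACTIVATION_RULE_ID = "Approval_EndUser_Assignment"  # rule for self-activation (EndUser caller)


def graph(token: str, method: str, path: str, body: Optional[dict] = None) -> dict:
    """Minimal Graph call using only the standard library."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(GRAPH + path, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else {}


def build_approval_rule(approver_ids: List[str], require_justification: bool = True) -> dict:
    """Build the rule that requires approval when a user activates an eligible role.

    Only the EndUser/Assignment target is touched; admin assignment rules are separate.
    Approvers are individual users here; a group would use
    {"@odata.type": "#microsoft.graph.groupMembers", "groupId": ...}.
    """
    if not approver_ids:
        # Without explicit approvers PIM falls back to Privileged Role Administrators.
        raise ValueError("select at least one approver explicitly")
    return {
        "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule",
        "id": ACTIVATION_RULE_ID,
        "target": {
            "caller": "EndUser",
            "operations": ["All"],
            "level": "Assignment",
            "inheritableSettings": [],
            "enforcedSettings": [],
        },
        "setting": {
            "isApprovalRequired": True,
            "isApprovalRequiredForExtension": False,
            "isRequestorJustificationRequired": require_justification,
            "approvalMode": "SingleStage",
            "approvalStages": [{
                "approvalStageTimeOutInDays": 1,
                "isApproverJustificationRequired": True,
                "escalationTimeInMinutes": 0,
                "isEscalationEnabled": False,
                "primaryApprovers": [
                    {"@odata.type": "#microsoft.graph.singleUser", "userId": uid}
                    for uid in approver_ids
                ],
                "escalationApprovers": [],
            }],
        },
    }


def activation_approvers(rules: List[dict]) -> Tuple[bool, List[str]]:
    """Audit helper: given GET .../roleManagementPolicies/{id}/rules, report whether
    self-activation needs approval and the user/group ids that approve it."""
    for rule in rules:
        if rule.get("id") != ACTIVATION_RULE_ID:
            continue
        setting = rule.get("setting", {})
        if not setting.get("isApprovalRequired"):
            return False, []          # users can activate by themselves (previous article)
        ids = [a.get("userId") or a.get("groupId")
               for stage in setting.get("approvalStages", [])
               for a in stage.get("primaryApprovers", [])]
        return True, ids
    return False, []


def require_approval_for_role(token: str, role_name: str, approver_ids: List[str]) -> dict:
    """Look up the directory role's PIM policy and PATCH its activation approval rule."""
    q = urllib.parse.urlencode({"$filter": f"displayName eq '{role_name}'"})
    role = graph(token, "GET", f"/roleManagement/directory/roleDefinitions?{q}")["value"][0]
    q = urllib.parse.urlencode({"$filter": "scopeId eq '/' and scopeType eq 'DirectoryRole' "
                                           f"and roleDefinitionId eq '{role['id']}'"})
    policy_id = graph(token, "GET", f"/policies/roleManagementPolicyAssignments?{q}")["value"][0]["policyId"]
    rule = build_approval_rule(approver_ids)
    return graph(token, "PATCH", f"/policies/roleManagementPolicies/{policy_id}/rules/{rule['id']}", rule)


if __name__ == "__main__":
    # Offline demonstration on a constructed policy; replace with a real token to apply it:
    # require_approval_for_role(token, "Exchange Administrator", [bisa_id, ahmad_id])
    print(activation_approvers([build_approval_rule(["<bisa-object-id>", "<ahmad-object-id>"])]))
```

After the PATCH, hisham's activation request is created with status PendingApproval rather than being granted immediately; running activation_approvers over every role's policy rules is a quick way to find roles that can still be activated without approval.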
conclusion
PIM Just in Time (JIT) access is a great feature for controlling access to administrative resources.
When an eligible privileged role is assigned to a user, he can activate the role only when it is needed.
We can let the user activate his role without approval from the PIM approvers,
OR
we can force activation to require approval for more control.
Next article: we will see how to configure a time boundary for PIM roles.
thank you