how to use PIM on Purview Roles?

Question

how to use PIM on Purview Roles?

David Broggy 6,801 MVP

Hi there,

There are 60+ roles in Purview along with the Business Domain roles.

I'd like to use PIM to control access to the privileged roles in Purview.

These roles don't exist in Azure Entra so I'm guessing there's a way to use "PIM for Groups" or something?

https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/concept-pim-for-groups

How is this done?

PRADEEPCHEEKATLA 91,861 Reputation points

2024-08-07T03:45:54.6133333+00:00

@David Broggy - We are reaching out to the internal team to get more information related to your query and will get back to you as soon as we have an update.
PRADEEPCHEEKATLA 91,861 Reputation points

2024-08-13T08:44:44.0133333+00:00

@David Broggy - Just checking in to see if the below answer helped. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

2 answers

Your answer

PRADEEPCHEEKATLA 91,861 Reputation points

2024-08-07T03:45:54.6133333+00:00

@David Broggy - We are reaching out to the internal team to get more information related to your query and will get back to you as soon as we have an update.
PRADEEPCHEEKATLA 91,861 Reputation points

2024-08-13T08:44:44.0133333+00:00

@David Broggy - Just checking in to see if the below answer helped. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Answer 1

PRADEEPCHEEKATLA 91,861

@David Broggy - Thanks for the question and using MS Q&A platform.

Here is the response from the internal team:

Yes, you can have a security group within a Purview role group as a member: and yes, the security groups support PIM for groups. However, when a user is eligible for the group membership and activates the membership, we see that it takes up to 2 hours for their permissions to become effective within Purview, which is a large area of friction as it is not "just in time".
1. We have documented this 2 hour activation delay here
2. We have work item planned this feature soon.
Entra roles which support PIM: There are some roles within Entra that have permissions within Microsoft Purview. a. We document at a high level what entra roles do in Purview here.

Hope this helps. Do let us know if you any further queries.

If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

David Broggy 6,801 Reputation points MVP

2024-08-28T22:50:47.6633333+00:00

Thanks Pradeep.

Assuming the 2 hour PIM delay will be fixed in the future, I still don't understand how I can assign Purview roles to PIM for groups. An example, say using a custom role group named PurviewGroup would be appreciated.
PRADEEPCHEEKATLA 91,861 Reputation points

2024-08-30T12:03:52.85+00:00

@David Broggy - Thanks for the additonal details.

We are reaching out to the internal team to get more information related to your query and will get back to you as soon as we have an update.
Grant Coghlan 0 Reputation points

2024-12-16T23:02:34.6733333+00:00

Hi @David Broggy ,
Inside the Purview RBAC Settings for roles you can add users or Groups.
You would need to enable your group for PIM, and then add users as eligible to activate the Group, the group already has the role assigned but we need to wait for the sync between PIM and EXO and then EXO to Purview/Compliance hence the extra delay when users activate the group in PIM.
Anonymous

2025-01-22T20:16:02.2266667+00:00

@PRADEEPCHEEKATLA I'd like to add that in addition to waiting 2hours for permission to become eligble it takes up to 2 hours for permissions to be removed. This is a security concern, if membership is removed it could take up to 2 hours for that member to lose access.
Terry Hugill 21 Reputation points

2025-03-27T11:31:16.82+00:00

I would like to add my vote for a reduction to the two-hour waiting period or the ability to add Purview specific roles to PIM.
Seader, Brian 21 Reputation points

2025-04-21T14:55:49.75+00:00

Been a minute and still looking at 2 hours. Waiting for signs MS is going to prioritize secure by default through more than just words.
Anonymous

2025-05-15T19:33:47.2266667+00:00

Still 2 hour wait time for PIM to take affect. Hoping MS addresses this soon.
Rasheedah Muhammad 21 Reputation points

2025-06-09T00:24:30.44+00:00

This is unacceptable and is still as issue as I confirmed the output with a customer. Microsoft is not 100% prepared for ZT when there are flaws in their own product.
Ayokunmi Ogundapo 0 Reputation points

2025-08-19T18:57:18.5266667+00:00

Hi @PRADEEPCHEEKATLA Is there any update on this? It would be great to see Microsoft extend Privileged Identity Management (PIM) functionality to include Defender and Purview roles or make Defender and Purview RBAC roles permissions available for inclusion in custom Entra roles.

Answer 2

Steven, Scott 0

Hey Microsoft. Has there been any movement on the 2 hour PIM elevation for Purview roles? Its been a couple of years now, can we have that progressed? Thanks

0 comments

Share via

how to use PIM on Purview Roles?

2 answers

Your answer