I'm curious if there's any benefit to creating a role-assignable group where I assign a single Entra role, then add users to that group via Privileged Identity Management (PIM). Is this only a good idea if the group can bundle multiple roles? I think I would need to keep the group permanently active for the assigned roles and just make users eligible to join via PIM. What are your thoughts?
4 Answers
We actually bundle several roles into our groups—like Global Reader, Intune, Security, and so on. For our small team, it's been quite effective. Users are made eligible, and we enforce MFA, though we're looking into more robust authentication methods. It's a constant challenge to keep our tenant secure.
Even if you're only assigning one role, it's still useful to use role-assignable groups with PIM. It keeps management clean since the role is assigned to the group rather than the user directly.
Using role-assignable groups makes sense primarily for bundling admin roles or permissions that aren't confined to admin tasks. For a single admin role, I wouldn't bother—it's easier just to elevate a user directly to that role.
If the group isn’t under tight control, helpdesk staff might unintentionally add users to it. You need to be careful about who gets added, especially if they can assign roles.
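The setup the question describes (a role-assignable group that holds the Entra role permanently, with users only eligible for membership through PIM for Groups), as an added example that is not part of the thread. It uses the Microsoft Graph PowerShell SDK and assumes the account running it holds Privileged Role Administrator; the group name, role name and user principal name are placeholders. The final step is the check that addresses the last answer: the group's active member list should be empty, because eligible users only become members when they activate, and membership of a role-assignable group can only be changed by a Global Administrator, a Privileged Role Administrator or a group owner, so ordinary helpdesk group-management rights do not reach it.

```powershell
# Added example; not code from the original thread. Assumes the Microsoft Graph
# PowerShell SDK (Microsoft.Graph.Groups, Microsoft.Graph.Users,
# Microsoft.Graph.Identity.DirectoryManagement, Microsoft.Graph.Identity.Governance)
# and a Privileged Role Administrator signed in. Names below are placeholders.
$GroupName = 'PIM-GlobalReader'        # assumption
$RoleName  = 'Global Reader'           # built-in Entra directory role
$UserUpn   = 'alice@contoso.example'   # assumption

Connect-MgGraph -Scopes 'Group.ReadWrite.All',
                        'RoleManagement.ReadWrite.Directory',
                        'PrivilegedAccess.ReadWrite.AzureADGroup',
                        'User.Read.All'

# 1. Create the role-assignable group. isAssignableToRole can only be set at
#    creation time and cannot be toggled later; it must be a security group
#    and cannot use dynamic membership.
$group = New-MgGroup -DisplayName $GroupName `
    -MailEnabled:$false `
    -MailNickname ($GroupName -replace '[^A-Za-z0-9]', '') `
    -SecurityEnabled `
    -IsAssignableToRole `
    -Description 'Holds Global Reader permanently; membership is via PIM for Groups'

# 2. Give the GROUP a permanent (active) assignment of the role at tenant scope.
$roleDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$RoleName'"
New-MgRoleManagementDirectoryRoleAssignment `
    -PrincipalId $group.Id `
    -RoleDefinitionId $roleDef.Id `
    -DirectoryScopeId '/' | Out-Null

# 3. Make the USER eligible for membership (not a member). The eligibility
#    itself is given a one-year end date so it has to be reviewed and renewed.
$user = Get-MgUser -UserId $UserUpn
$now  = (Get-Date).ToUniversalTime()
$request = @{
    accessId      = 'member'
    principalId   = $user.Id
    groupId       = $group.Id
    action        = 'adminAssign'
    justification = 'Eligible membership for Global Reader via PIM for Groups'
    scheduleInfo  = @{
        startDateTime = $now.ToString('o')
        expiration    = @{
            type        = 'afterDateTime'
            endDateTime = $now.AddYears(1).ToString('o')
        }
    }
}
New-MgIdentityGovernancePrivilegedAccessGroupEligibilityScheduleRequest `
    -BodyParameter $request | Out-Null

# 4. Verify the resulting state: the group holds the role, the user is
#    eligible, and nobody is an active member until they activate in PIM.
$roleAssignments = Get-MgRoleManagementDirectoryRoleAssignment `
    -Filter "principalId eq '$($group.Id)'"
$eligibilities   = Get-MgIdentityGovernancePrivilegedAccessGroupEligibilitySchedule `
    -Filter "groupId eq '$($group.Id)'"
$activeMembers   = Get-MgGroupMember -GroupId $group.Id

[pscustomobject]@{
    Group           = $group.DisplayName
    RoleAssignable  = $group.IsAssignableToRole
    RoleAssignments = @($roleAssignments).Count   # expect 1
    EligibleUsers   = @($eligibilities).Count     # expect 1
    ActiveMembers   = @($activeMembers).Count     # expect 0 (standing membership)
}
```

Re-running step 4 on a schedule, or alerting when ActiveMembers is non-zero outside of an activation window, is the practical control for the concern raised in the last answer; the PIM activation settings for the group (MFA or an authentication context, approval, maximum duration) are configured separately and are not shown here.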
