{"id":68731,"date":"2023-07-24T11:43:41","date_gmt":"2023-07-24T19:43:41","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/devops\/?p=68731"},"modified":"2024-02-23T11:37:26","modified_gmt":"2024-02-23T19:37:26","slug":"set-up-pim-access-in-azure-devops","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/devops\/set-up-pim-access-in-azure-devops\/","title":{"rendered":"Set up PIM access in Azure DevOps"},"content":{"rendered":"<p>Privileged Identity Management (PIM) is a service in Azure Active Directory (Azure AD) that enables users to manage, control, and monitor access to important resources in an organization. Azure DevOps is a key resource for any organization because it stores the organization's Application Lifecycle Management artifacts (code, work items, pipelines, packages, test data, etc.).<\/p>\n<p>Hence, key roles like Project Collection Admin must not be held permanently by anyone; access should be granted on a need basis for a limited period of time. This article details the steps to enable Project Collection Admin access for users in Azure DevOps through PIM. Other admin roles, such as Project Admin or Build Admin, can follow the same steps.<\/p>\n<h2>Pre-requisite<\/h2>\n<ul>\n<li>Azure DevOps must be connected to Azure Active Directory; this is the key requirement for enabling PIM.<\/li>\n<\/ul>\n<h2>Steps<\/h2>\n<p>1&#46; Log in to <a href=\"https:\/\/portal.azure.com\">https:\/\/portal.azure.com<\/a>. Search for Azure Active Directory and open it. 
Select Groups from the left pane and click Add to create a security group.<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2024\/02\/SuccessfulPIMEnablement4.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2024\/02\/CreatePCA2.png\" alt=\"Image CreatePCA2\" width=\"748\" height=\"914\" class=\"alignnone size-full wp-image-68734\" srcset=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2024\/02\/CreatePCA2.png 748w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2024\/02\/CreatePCA2-246x300.png 246w\" sizes=\"(max-width: 748px) 100vw, 748px\" \/><\/a><\/p>\n<p>2&#46; Once the group is created, open the group, select Privileged Identity Management and click the Enable Azure AD PIM for this group button, as shown below.<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2024\/02\/EnablePIM3.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2024\/02\/EnablePIM3.png\" alt=\"Image EnablePIM3\" width=\"1301\" height=\"737\" class=\"alignnone size-full wp-image-68737\" srcset=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2024\/02\/EnablePIM3.png 1301w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2024\/02\/EnablePIM3-300x170.png 300w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2024\/02\/EnablePIM3-1024x580.png 1024w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2024\/02\/EnablePIM3-768x435.png 768w\" sizes=\"(max-width: 1301px) 100vw, 1301px\" \/><\/a><\/p>\n<p>3&#46; This deploys PIM for the group.<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2024\/02\/SuccessfulPIMEnablement4.png\"><img decoding=\"async\" 
src=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2024\/02\/SuccessfulPIMEnablement4.png\" alt=\"Image SuccessfulPIMEnablement4\" width=\"1916\" height=\"751\" class=\"alignnone size-full wp-image-68743\" srcset=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2024\/02\/SuccessfulPIMEnablement4.png 1916w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2024\/02\/SuccessfulPIMEnablement4-300x118.png 300w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2024\/02\/SuccessfulPIMEnablement4-1024x401.png 1024w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2024\/02\/SuccessfulPIMEnablement4-768x301.png 768w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2024\/02\/SuccessfulPIMEnablement4-1536x602.png 1536w\" sizes=\"(max-width: 1916px) 100vw, 1916px\" \/><\/a><\/p>\n<p>4&#46; Now select the Eligible assignments tab and click Add assignments to assign to the group the user (Demo User) who will be able to activate the PIM assignment.<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2024\/02\/ElgibleAssignment5.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2024\/02\/ElgibleAssignment5.png\" alt=\"Image ElgibleAssignment5\" width=\"951\" height=\"738\" class=\"alignnone size-full wp-image-68749\" srcset=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2024\/02\/ElgibleAssignment5.png 951w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2024\/02\/ElgibleAssignment5-300x233.png 300w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2024\/02\/ElgibleAssignment5-768x596.png 768w\" sizes=\"(max-width: 951px) 100vw, 951px\" \/><\/a><\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2024\/02\/AddAssignment6.png\"><img 
decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2024\/02\/AddAssignment6.png\" alt=\"Image AddAssignment6\" width=\"801\" height=\"914\" class=\"alignnone size-full wp-image-68754\" srcset=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2024\/02\/AddAssignment6.png 801w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2024\/02\/AddAssignment6-263x300.png 263w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2024\/02\/AddAssignment6-768x876.png 768w\" sizes=\"(max-width: 801px) 100vw, 801px\" \/><\/a><\/p>\n<p>5&#46; Once the eligible assignment is added, click Settings and then Member -> Edit to add an Approver who is permitted to approve PIM activation requests.<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2024\/02\/Addapprover11.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2024\/02\/Addapprover11.png\" alt=\"Image Addapprover11\" width=\"1044\" height=\"907\" class=\"alignnone size-full wp-image-68756\" srcset=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2024\/02\/Addapprover11.png 1044w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2024\/02\/Addapprover11-300x261.png 300w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2024\/02\/Addapprover11-1024x890.png 1024w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2024\/02\/Addapprover11-768x667.png 768w\" sizes=\"(max-width: 1044px) 100vw, 1044px\" \/><\/a><\/p>\n<p>6&#46; The PIM set up in Azure AD is now complete. Next, add the security group for which PIM is enabled to the Project Collection Administrators role in Azure DevOps.<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2024\/02\/PCArole12.png\"><img 
decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2024\/02\/PCArole12.png\" alt=\"Image PCArole12\" width=\"1839\" height=\"540\" class=\"alignnone size-full wp-image-68758\" srcset=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2024\/02\/PCArole12.png 1839w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2024\/02\/PCArole12-300x88.png 300w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2024\/02\/PCArole12-1024x301.png 1024w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2024\/02\/PCArole12-768x226.png 768w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2024\/02\/PCArole12-1536x451.png 1536w\" sizes=\"(max-width: 1839px) 100vw, 1839px\" \/><\/a><\/p>\n<p>This completes the overall PIM set up process; the next step is to validate it.<\/p>\n<h2>Validate<\/h2>\n<p>1&#46; The Demo User for whom PIM is enabled needs to log in to the Azure portal, search for Azure AD Privileged Identity Management and open it. 
Select Groups from the left pane and then click the security group for which PIM is enabled.<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2024\/02\/Demouser13.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2024\/02\/Demouser13.png\" alt=\"Image Demouser13\" width=\"1908\" height=\"514\" class=\"alignnone size-full wp-image-68760\" srcset=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2024\/02\/Demouser13.png 1908w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2024\/02\/Demouser13-300x81.png 300w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2024\/02\/Demouser13-1024x276.png 1024w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2024\/02\/Demouser13-768x207.png 768w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2024\/02\/Demouser13-1536x414.png 1536w\" sizes=\"(max-width: 1908px) 100vw, 1908px\" \/><\/a><\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2024\/02\/Activate14.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2024\/02\/Activate14.png\" alt=\"Image Activate14\" width=\"1748\" height=\"514\" class=\"alignnone size-full wp-image-68762\" srcset=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2024\/02\/Activate14.png 1748w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2024\/02\/Activate14-300x88.png 300w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2024\/02\/Activate14-1024x301.png 1024w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2024\/02\/Activate14-768x226.png 768w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2024\/02\/Activate14-1536x452.png 1536w\" sizes=\"(max-width: 
1748px) 100vw, 1748px\" \/><\/a><\/p>\n<p>2&#46; The user activates the PIM assignment, providing an appropriate reason for the request.<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2024\/02\/Activate15access.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2024\/02\/Activate15access.png\" alt=\"Image Activate15access\" width=\"748\" height=\"541\" class=\"alignnone size-full wp-image-68764\" srcset=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2024\/02\/Activate15access.png 748w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2024\/02\/Activate15access-300x217.png 300w\" sizes=\"(max-width: 748px) 100vw, 748px\" \/><\/a><\/p>\n<p>3&#46; Once the request is raised, a notification is sent to the Approver. The approver can click the link in the notification or log in to Azure -> PIM -> Approve Requests -> Groups and select the user to be approved.<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2024\/02\/Approverequest16.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2024\/02\/Approverequest16.png\" alt=\"Image Approverequest16\" width=\"1883\" height=\"578\" class=\"alignnone size-full wp-image-68766\" srcset=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2024\/02\/Approverequest16.png 1883w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2024\/02\/Approverequest16-300x92.png 300w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2024\/02\/Approverequest16-1024x314.png 1024w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2024\/02\/Approverequest16-768x236.png 768w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2024\/02\/Approverequest16-1536x471.png 1536w\" sizes=\"(max-width: 1883px) 100vw, 1883px\" \/><\/a><\/p>\n<p>4&#46; Now the 
approver (assuming that user is a Project Collection Admin) can log in to Azure DevOps -> Organization Settings -> Permissions -> Project Collection Admin to check that the user (Demo User) has been added to the security group and now appears in the role. (This is shown here just for the demo; generally the user can log in and check as in step 5.)<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2024\/02\/OrgAdmin18.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2024\/02\/OrgAdmin18.png\" alt=\"Image OrgAdmin18\" width=\"1489\" height=\"514\" class=\"alignnone size-full wp-image-68768\" srcset=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2024\/02\/OrgAdmin18.png 1489w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2024\/02\/OrgAdmin18-300x104.png 300w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2024\/02\/OrgAdmin18-1024x353.png 1024w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2024\/02\/OrgAdmin18-768x265.png 768w\" sizes=\"(max-width: 1489px) 100vw, 1489px\" \/><\/a><\/p>\n<p>5&#46; Now the user can log in to Azure DevOps and validate the PCA permissions by going to Organization Settings -> Policies under Security. 
Here the user is allowed to enable and disable policies, which is generally permitted for the Project Collection Admin role.<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2024\/02\/Enabled19.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2024\/02\/Enabled19.png\" alt=\"Image Enabled19\" width=\"1906\" height=\"755\" class=\"alignnone size-full wp-image-68770\" srcset=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2024\/02\/Enabled19.png 1906w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2024\/02\/Enabled19-300x119.png 300w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2024\/02\/Enabled19-1024x406.png 1024w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2024\/02\/Enabled19-768x304.png 768w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2024\/02\/Enabled19-1536x608.png 1536w\" sizes=\"(max-width: 1906px) 100vw, 1906px\" \/><\/a><\/p>\n<h2>Note<\/h2>\n<p>1&#46; This PIM enablement process works for members of the organization and not for guest users.<\/p>\n<p><em>Hope this helps users to secure Azure DevOps in their organizations. Do leave your comments in case of any queries.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Privileged Identity Management (PIM) is a service in Azure Active Directory (Azure AD) that enables users to manage, control, and monitor access to important resources in an organization. Azure DevOps is a key resource for any organization as it stores Application Lifecycle Management artifacts (code, work item, pipelines, packages, test data etc.) of an Organization. 
[&hellip;]<\/p>\n","protected":false},"author":148586,"featured_media":68734,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[253,1],"tags":[],"class_list":["post-68731","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-azure-devops-server","category-devops"],"acf":[],"blog_post_summary":"<p>Privileged Identity Management (PIM) is a service in Azure Active Directory (Azure AD) that enables users to manage, control, and monitor access to important resources in an organization. Azure DevOps is a key resource for any organization as it stores Application Lifecycle Management artifacts (code, work item, pipelines, packages, test data etc.) of an Organization. [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts\/68731","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/users\/148586"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/comments?post=68731"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts\/68731\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/media\/68734"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/media?parent=68731"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/categories?post=68731"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/tags?post=687
31"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}