graph - How can I see which mechanism granted the user the ability to activate roles via Azure Privileged Identity Management (PIM)?


I often use Azure Privileged Identity Management (PIM) to activate roles and wonder which mechanisms make it possible to activate them (group, access package, etc.)

How can I check which mechanisms grant me the ability to activate the roles via PIM?

Besides Entra role-assignable groups, PIM groups, and access packages, are there other mechanisms that may grant the user the ability to activate roles?

The membership column displays "Direct" for each role, without any reference to the mechanism that granted the user the ability to activate the roles:

The membership column links to the Entra role-assignable groups that grant the user the ability to activate the roles:

asked Feb 4 at 8:50 by Shuzheng
  • 1 To see which mechanisms grant you the ability to activate roles via Azure PIM, check the Role Assignments section in PIM for your user, where you can see if roles are assigned directly, via role-assignable groups, or through access packages. You can also investigate the Audit logs for additional insights on role activations. – Rukmini Commented Feb 4 at 8:56
  • @Rukmini Where do you see this "Role Assignments" section? I don't see it in PIM – Shuzheng Commented Feb 4 at 15:02
  • Any update on the issue? – Rukmini Commented Feb 14 at 6:01

1 Answer


To see which mechanism granted the user the ability to activate roles via Azure Privileged Identity Management (PIM), check the following:

  • One way is to search for the role in Microsoft Entra roles and administrators and click on it to see the mechanism that granted it.
  • You can also check My audit history under Microsoft Entra Privileged Identity Management.

For example, I assigned the Security Reader role and the membership shows Direct:

To check the mechanism, go to Microsoft Entra roles and administrators -> search for the role -> click on the role:

Alternatively, go to Microsoft Entra Privileged Identity Management -> Activity -> My audit history:

To check a group assignment, I assigned the Message Center Reader role to a group:

In Microsoft Entra roles and administrators:

Under My audit history:

If granted by a service principal, the type will be Service Principal:
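The portal steps above can be reproduced from the Microsoft Graph API, which also answers the question of what "Direct" hides: a role eligibility has a memberType of Direct when it sits on the user object and Group when it comes through a group, in which case principalId is the group, not the user. The script below is an added example written for this page, not code from the question or the answer. It uses documented Microsoft Graph v1.0 routes through the Microsoft.Graph PowerShell SDK; the helper name Get-GraphPages and the report layout are my own, and the scopes assume a delegated sign-in that can consent to them.

```powershell
# Added example (not from the original question or answer). Requires the Microsoft.Graph
# PowerShell SDK. All URIs are documented Graph v1.0 routes; the report shape is my own.
Connect-MgGraph -NoWelcome -Scopes @(
    'RoleEligibilitySchedule.Read.Directory',          # eligible directory roles
    'PrivilegedEligibilitySchedule.Read.AzureADGroup', # PIM for Groups eligibilities
    'EntitlementManagement.Read.All',                  # access package assignments
    'Group.Read.All'                                   # resolve group names / isAssignableToRole
)
$graph = 'https://graph.microsoft.com/v1.0'

# Follow @odata.nextLink so the result is not truncated at one page in a large tenant.
function Get-GraphPages {
    param([Parameter(Mandatory)][string]$Uri)
    $items = @()
    while ($Uri) {
        $page  = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $items += $page.value
        $Uri    = $page.'@odata.nextLink'
    }
    return $items
}

$me = Invoke-MgGraphRequest -Method GET -Uri "$graph/me?`$select=id,userPrincipalName"
"Eligibilities for $($me.userPrincipalName)"

# 1. Eligible Entra directory roles for the signed-in user, including those that arrive
#    through a group. memberType = 'Direct' means the eligibility is on the user;
#    memberType = 'Group' means principalId is the (role-assignable) group that holds it.
$eligible = Get-GraphPages "$graph/roleManagement/directory/roleEligibilityScheduleInstances/filterByCurrentUser(on='principal')"

$roleNames = @{}   # cache roleDefinitionId -> displayName
$report = foreach ($e in $eligible) {
    if (-not $roleNames.ContainsKey($e.roleDefinitionId)) {
        $def = Invoke-MgGraphRequest -Method GET -Uri "$graph/roleManagement/directory/roleDefinitions/$($e.roleDefinitionId)?`$select=displayName"
        $roleNames[$e.roleDefinitionId] = $def.displayName
    }
    $via = 'Direct assignment on the user'
    if ($e.memberType -eq 'Group') {
        $g   = Invoke-MgGraphRequest -Method GET -Uri "$graph/groups/$($e.principalId)?`$select=displayName,isAssignableToRole"
        $via = "Group '$($g.displayName)' (id $($e.principalId), role-assignable: $($g.isAssignableToRole))"
    }
    [pscustomobject]@{
        Role       = $roleNames[$e.roleDefinitionId]
        Scope      = $e.directoryScopeId
        MemberType = $e.memberType
        GrantedVia = $via
        Ends       = $e.endDateTime
    }
}
$report | Format-Table -AutoSize

# 2. PIM for Groups: memberships/ownerships the user is eligible for and must activate first.
#    Listed separately because here the group is the resource, not the principal of a role.
$groupElig = Get-GraphPages "$graph/identityGovernance/privilegedAccess/group/eligibilityScheduleInstances?`$filter=principalId eq '$($me.id)'"
foreach ($ge in $groupElig) {
    $g = Invoke-MgGraphRequest -Method GET -Uri "$graph/groups/$($ge.groupId)?`$select=displayName"
    "PIM for Groups: eligible as '$($ge.accessId)' of '$($g.displayName)' (id $($ge.groupId), memberType $($ge.memberType))"
}

# 3. Access packages: an entitlement-management assignment is often what put the user
#    into one of the groups reported above, so list the packages granted to this user.
$apAssignments = Get-GraphPages "$graph/identityGovernance/entitlementManagement/assignments/filterByCurrentUser(on='target')?`$expand=accessPackage"
foreach ($a in $apAssignments) {
    "Access package: '$($a.accessPackage.displayName)' (state $($a.state), expires $($a.expiredDateTime))"
}
```

Cross-check the output: a row whose GrantedVia names a group with an id that also appears in section 2 means the role is two activations away (group membership first, then the role), and a package in section 3 whose policy adds that group is the access-package route the question asks about. Anything not explained by those three lists is what the "My audit history" view in the answer is for.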
