Updating subscription role settings for PIM to require approver

Question

Updating subscription role settings for PIM to require approver

MrFlinstone 686

I am looking for the documentation on how to set an approver using powershell for a subscription role that uses PIM for groups.

In this scenario, there is a PIM group setup for a subscription role using the eligible configuration, now I would like to add approvers to the configuration. Do I edit the role settings (contributor) in this case or the group settings to configure it such that it requires an approver ?

Any example of the PowerShell or API call would be appreciated.

1 answer

Your answer

Answer 1

Goutam Pratti 4,985 Microsoft External Staff Moderator

Hello @MrFlinstone ,

To set an approver for a subscription role that uses Privileged Identity Management for groups, you will need to edit the role settings for the specific role rather than the group settings. Role settings in PIM define properties such as approval requirements for activation, and these settings are specific to the role assigned to the group.

Additionally, you want to set an approver using powershell or API for the PIM for groups Check Update rules in PIM using Microsoft Graph in there you have section Example 3: Require approval to activate where explains how to structure params section to be used with Update-MgPolicyRoleManagementPolicyRule

User's image

For detailed steps on how to manage role settings and set up the approval workflow, you may want to refer to the Microsoft Entra documentation.

Hope this information helps. Let us know if you have any additional queries. Happy to assist you further.

Goutam Pratti 4,985 Reputation points Microsoft External Staff Moderator

2025-05-09T22:15:14.05+00:00

Hello @MrFlinstone ,

following upto see if the above response is helpful. Let me know if you have any additional queries.
MrFlinstone 686 Reputation points

2025-05-12T13:52:46.1166667+00:00

Thank you for this, how would one update notification alerts for Entra roles, not subscription roles this time ?
Goutam Pratti 4,985 Reputation points Microsoft External Staff Moderator

2025-05-12T21:30:31.9766667+00:00

Hello @MrFlinstone ,

To update notification alerts for Entra roles you can follow this document: https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts
MrFlinstone 686 Reputation points

2025-05-12T21:32:49.0466667+00:00

Is there a way to do this using PowerShell ?
Goutam Pratti 4,985 Reputation points Microsoft External Staff Moderator

2025-05-13T00:19:15.68+00:00

Hello @MrFlinstone ,

Yes, you can create it using PowerShell, but since it's currently in preview, using it may lead to unexpected results. Therefore, I recommend updating notification alerts for Entra roles directly through the Azure portal.

For additional information you can follow: https://learn.microsoft.com/en-us/graph/how-to-pim-alerts?tabs=http

Hope this let us know if you have any additional queries.Happy to assist you further.
Goutam Pratti 4,985 Reputation points Microsoft External Staff Moderator

2025-05-13T21:36:27.7433333+00:00

Hello @MrFlinstone ,

following upto see if the above response is helpful.Let us know if you have any additional queries. Happy to assist you further.
Goutam Pratti 4,985 Reputation points Microsoft External Staff Moderator

2025-05-14T21:32:21.31+00:00

Hello @MrFlinstone ,

following upto see if the above response is helpful.Let us know if you have any additional queries. Happy to assist you further.

Share via

Updating subscription role settings for PIM to require approver

1 answer

Your answer