Privileged Identity Management (PIM) Defender XDR URBAC Roles - mattnovitsch/M365 GitHub Wiki

Summary

This will walk you through the process to create Privileged Identity Management (PIM) groups that can be activated for your Defender XDR Roles.

Requirements

  • Every user who is eligible for membership in or ownership of a PIM for Groups must have a Microsoft Entra ID P2 or Microsoft Entra ID Governance license.
  • Defender License

Deployment

Setting Up Entra groups

  1. Navigate to Entra.
  2. Click New group in the Groups blade.
  3. Provide your group with a name and description per your organization's requirements. Please note there are no members in this group.
  4. Open the group once it is created and click on Privileged Identity Management.
  5. Click on Enable PIM for this group.
  6. Select Eligible assignments, then Add Assignments.
  7. Select the role as Member and select the user(s) you want to add as eligible for this group, then click Next.
  8. For assignment type you can choose either Eligible or Active. We will be using Eligible. The default timeframe is one year, which works well when you want to temporarily assign someone or hold an audit review of the groups and whatever access they carry, following the least privilege model. Once your assignment settings are done, click Assign.
  9. You should now see the assignment for the user with the start and end time of the eligibility.

Assign Entra Group to Defender URBAC roles

  1. Navigate to Defender XDR.
  2. Go to System > Permissions > Microsoft Defender XDR > Roles.
  3. Select a role that you have created. We will be using an MDE Reader role in this example.
  4. Select Add new assignment.
  5. Add the assignment name (I generally use the group name) and then select the new PIM group we created.
  6. Your group should appear under Assignments.

Activating PIM Group

  1. From the user account that you added to the group above, navigate to Entra.
  2. Scroll down to ID Governance > Privileged Identity Management > Select Groups > Eligible Assignments.
  3. Select Activate to enable the group membership, which in turn enables the Defender XDR roles assigned to it.
  4. You will have to wait for the account to be assigned; it should appear like this when done.
  5. If you navigate to Active Assignments, you should see the active group with the end time of the timeframe specified.
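The group setup and the activation steps above can also be scripted with Microsoft Graph PowerShell. This is an added example, not part of the original wiki page; it assumes the Microsoft.Graph.Groups and Microsoft.Graph.Identity.Governance modules are installed, and the group name, user UPN and justification text are placeholders. The Defender XDR role assignment (System > Permissions > Roles) stays a portal step as described above.

```powershell
# Added example (not from the wiki). Admin session: create the empty group and
# make one user Eligible for membership, matching the portal walkthrough.
Connect-MgGraph -Scopes "Group.ReadWrite.All","User.Read.All",
    "PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup",
    "PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup"

$groupName = "PIM-Defender-MDE-Reader"   # placeholder, pick per your naming standard
$userUpn   = "analyst@contoso.example"   # placeholder, the eligible analyst

# Steps 2-3: a security group with no members; membership is granted only via PIM.
$group = New-MgGroup -DisplayName $groupName `
    -Description "PIM-activated group for the Defender XDR MDE Reader role" `
    -MailEnabled:$false -MailNickname ($groupName -replace '[^A-Za-z0-9]', '') `
    -SecurityEnabled:$true
$user = Get-MgUser -UserId $userUpn

# Steps 5-8: Eligible (not Active) Member assignment, one-year window like the portal default.
# Creating the eligibility request also onboards the group to PIM.
$eligibility = @{
    accessId      = "member"
    principalId   = $user.Id
    groupId       = $group.Id
    action        = "adminAssign"
    justification = "Eligible MDE Reader access; reviewed at yearly access review"
    scheduleInfo  = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString("o")
        expiration    = @{ type = "afterDuration"; duration = "P365D" }
    }
}
New-MgIdentityGovernancePrivilegedAccessGroupEligibilityScheduleRequest -BodyParameter $eligibility

# Step 9: confirm who is eligible and when the eligibility ends.
Get-MgIdentityGovernancePrivilegedAccessGroupEligibilitySchedule -Filter "groupId eq '$($group.Id)'" |
    Select-Object PrincipalId, AccessId,
        @{ n = 'Start'; e = { $_.ScheduleInfo.StartDateTime } },
        @{ n = 'End';   e = { $_.ScheduleInfo.Expiration.EndDateTime } }

# Activating PIM Group: run this part signed in as the eligible user, not the admin.
# Time-boxed to 8 hours so the Defender role lapses with the membership.
$activation = @{
    accessId      = "member"
    principalId   = (Get-MgUser -UserId $userUpn).Id
    groupId       = $group.Id
    action        = "selfActivate"
    justification = "Incident triage, ticket INC-PLACEHOLDER"   # placeholder
    scheduleInfo  = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString("o")
        expiration    = @{ type = "afterDuration"; duration = "PT8H" }
    }
}
New-MgIdentityGovernancePrivilegedAccessGroupAssignmentScheduleRequest -BodyParameter $activation
```

If the group's PIM policy requires approval or MFA, the selfActivate request is returned in a pending state until those conditions are met, exactly as in the portal.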

References