Microsoft has released a new feature for Azure AD Privileged Identity Management (Azure AD PIM).
This feature is currently in preview.
You can now define an approval workflow that must complete before any role privileges are granted.
To do so, edit the role for which you want to enable the approval workflow:
- Access the Azure portal (https://portal.azure.com), go to the Azure AD Privileged Identity Management blade and open Azure AD Directory Roles
- Next, go to the Settings section and select Privileged Roles
- Select the role you want to enable the workflow for, enable Require Approval and select the approver(s); individuals or groups can be selected as approvers
Once the approval workflow has been enabled for a role, the approver(s) automatically receive a notification email to manage each request.
You can view all your requests and their status from the Azure AD PIM portal
End users who have been set as eligible for a role can then request to activate the role from the Azure portal and fill in a justification to get the role activated.
The approver(s) automatically receive a notification and can then approve or deny the request.
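Once Require Approval has been turned on, the setting worth checking regularly is which privileged roles still activate without approval, and whether every role that requires approval actually names an approver. The script below is an added example, not code from the original post or from Microsoft; it works offline over a constructed sample that follows the field names of Microsoft Graph's unifiedRoleManagementPolicyApprovalRule (an assumption about the export format; the role names and the user/group IDs are made up) and reports the roles an administrator should review.

```python
import json
from typing import Dict, List

# Constructed sample of per-role PIM policy rules. Assumption: the shape
# mirrors Microsoft Graph's unifiedRoleManagementPolicyApprovalRule; the
# role names and the userId/groupId values below are invented.
SAMPLE_POLICIES = json.loads("""
[
  {
    "roleDisplayName": "Global Administrator",
    "rules": [
      {
        "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule",
        "id": "Approval_EndUser_Assignment",
        "setting": {
          "isApprovalRequired": true,
          "approvalStages": [
            {"primaryApprovers": [
              {"@odata.type": "#microsoft.graph.singleUser",
               "userId": "11111111-1111-1111-1111-111111111111"},
              {"@odata.type": "#microsoft.graph.groupMembers",
               "groupId": "22222222-2222-2222-2222-222222222222"}
            ]}
          ]
        }
      }
    ]
  },
  {
    "roleDisplayName": "Security Administrator",
    "rules": [
      {
        "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule",
        "id": "Approval_EndUser_Assignment",
        "setting": {"isApprovalRequired": true,
                    "approvalStages": [{"primaryApprovers": []}]}
      }
    ]
  },
  {
    "roleDisplayName": "User Administrator",
    "rules": [
      {
        "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule",
        "id": "Approval_EndUser_Assignment",
        "setting": {"isApprovalRequired": false, "approvalStages": []}
      }
    ]
  }
]
""")

APPROVAL_RULE_TYPE = "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule"


def approval_summary(policy: Dict) -> Dict:
    """Return whether activating this role needs approval and who the approvers are."""
    approvers: List[str] = []
    required = False
    for rule in policy.get("rules", []):
        if rule.get("@odata.type") != APPROVAL_RULE_TYPE:
            continue  # other rule kinds (MFA, expiration, ...) are not relevant here
        setting = rule.get("setting", {})
        required = bool(setting.get("isApprovalRequired", False))
        for stage in setting.get("approvalStages", []):
            for approver in stage.get("primaryApprovers", []):
                # A singleUser approver carries userId, a group approver groupId.
                ident = approver.get("userId") or approver.get("groupId")
                if ident:
                    approvers.append(ident)
    return {
        "role": policy.get("roleDisplayName"),
        "approval_required": required,
        "approvers": approvers,
    }


def find_issues(policies: List[Dict]) -> List[str]:
    """Flag roles that activate with no approval at all, and roles that require
    approval but name no explicit approver (a setting worth a second look)."""
    issues = []
    for policy in policies:
        summary = approval_summary(policy)
        if not summary["approval_required"]:
            issues.append(f"{summary['role']}: no approval required for activation")
        elif not summary["approvers"]:
            issues.append(f"{summary['role']}: approval required but no explicit approvers configured")
    return issues


if __name__ == "__main__":
    for line in find_issues(SAMPLE_POLICIES):
        print(line)
```

Running it on the sample flags Security Administrator (approval required, nobody named) and User Administrator (no approval at all), while Global Administrator passes with one user and one group as approvers. Feeding it a real export only requires that the export keep the same rule and setting field names.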