Why Won’t My Permission Load After Using PIM

You just activated the Exchange admin role (or any other role) via Privileged Identity Management (PIM), but the Microsoft portal still reports that you have insufficient permissions to perform your task. Don't panic; this post will help you get freshly activated permissions loaded faster.

What is Privileged Identity Management?

PIM makes administrators eligible for a role and lets them activate it when needed, instead of having the permissions permanently assigned to their accounts. To activate a role, administrators go through the PIM activation process. How and when that process is performed affects how quickly the permissions are picked up and become available in the Microsoft portals (for example, the Exchange Online admin center, the security portal, or the Azure portal).

If you're unfamiliar with PIM, Mike Parker's blog post on getting started with PIM does a great job of explaining the fundamentals.

Activating a PIM role

When an administrator activates an administrative role via PIM (Figure 1), they request a new access token from Azure AD that includes the permissions for the role (see this related article to learn more about access tokens). When PIM obtains the refreshed access token, it reloads the current browser tab. This is a critical step because it ensures that the permissions granted in the new token become active, allowing the user to perform the administrative tasks that depend on them. This is a big improvement over the early days of Privileged Identity Management, when users had to sign out and back in again to load a new set of permissions.

When administrative roles sit behind PIM's approval mechanism (meaning another user must first approve the requested permissions), the refresh is not visible because it happens in the background. As a result, administrators might find that their new privileges aren't loaded correctly in the portals because the new token is not picked up properly.

Figure 1 – Activating Privileged Identity Management permissions

Quick tips for speeding permissions updates from Privileged Identity Management

Although PIM automatically updates the session permissions, you might still notice that the requested permissions aren't available. Here are a few tips to help speed up permission loading.

Use the same tab

Use the same tab in which you performed the Privileged Identity Management activation. This browser tab is automatically refreshed and will work perfectly within the Azure portal. Closing all other browser tabs can help ensure you work with the permissions granted in the new token. Does the permission apply outside the Azure portal (for example, security.microsoft.com), and using the same tab didn't work? Then try the next tip.

Make sure it’s your first visit

If you visited a portal (for example, security.microsoft.com) before you activated the role, you might find that the permissions won't load instantly. The different Microsoft portals often have difficulty recognizing the new token with the higher privileges. If you perform your PIM activation before visiting the portal for the first time, the chances are higher that the portal will load the new access token containing the permissions. But then again, you can't always predict which permissions you need to perform an administrative task.

Private window

You could try signing out and closing all browser windows to start afresh. However, using a Private/Incognito window is the best way to start with a clean slate. Because the browser has no cached data from previous visits and the authentication flow is completely new, this method has the highest chance of loading the access token that carries the new permissions.

Just wait

If it's the very first time you activate a particular set of permissions and the previous steps didn't work, you might just need to wait it out. Sometimes it simply takes time for permissions to load, even in a fresh browser session. From experience, I notice that Azure AD roles tend to load faster than the more specific compliance center roles.
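The tips above all come down to one question: is the portal using a token issued after the activation, and does that token actually carry the role? The following added example (not from the original post) decodes an access token you already hold from your own session and answers both questions, so you can tell a cached-token problem (use a private window) from a replication delay (wait). It assumes directory roles appear in the token's `wids` claim as role template IDs, uses a placeholder in place of the real Exchange Administrator template ID, and builds constructed, unsigned tokens for testing.

```python
import base64
import json

# Directory roles activated through PIM are carried in the "wids" claim of the
# Azure AD access token as role template IDs (assumption for this example).
# The value below is a placeholder, not the real Exchange Administrator ID.
EXCHANGE_ADMIN_TEMPLATE_ID = "ROLE-TEMPLATE-ID-PLACEHOLDER"


def _b64url_decode(part: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT. The signature is NOT verified:
    this is a local diagnostic on your own token, not a trust decision."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned token for offline testing (not issued by Azure AD)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}."


def diagnose(token: str, activation_epoch: int, template_id: str) -> str:
    """Explain why a portal may still report insufficient permissions.
    activation_epoch is the Unix time of the PIM activation (PIM request history)."""
    claims = decode_claims(token)
    if claims.get("iat", 0) < activation_epoch:
        return "stale: token issued before the PIM activation, the portal is reusing a cached token"
    if template_id not in claims.get("wids", []):
        return "fresh token but role missing: activation may not have completed or replicated yet"
    return "ok: token issued after activation and carries the role"


if __name__ == "__main__":
    activation = 1_700_000_000  # constructed activation time
    stale = make_sample_token({"iat": activation - 900, "exp": activation + 2700, "wids": []})
    fresh = make_sample_token({"iat": activation + 60, "exp": activation + 3660,
                               "wids": [EXCHANGE_ADMIN_TEMPLATE_ID]})
    print(diagnose(stale, activation, EXCHANGE_ADMIN_TEMPLATE_ID))
    print(diagnose(fresh, activation, EXCHANGE_ADMIN_TEMPLATE_ID))
```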

Conclusion

Nothing is more frustrating than waiting for your permissions to load from Privileged Identity Management (PIM). With these tips, I hope administrators get their freshly activated permissions reflected in the portal faster. Using a private window is one of the best ways to start working immediately after activation. After all, a good security tool should strike a good balance between productivity and security.


About the Author

Louis Mastelinck

Louis Mastelinck is a security consultant with The Collective Consulting, a highly-skilled Microsoft Gold Partner with expertise in security, compliance, endpoint management, messaging, and Microsoft Teams voice and meetings.
