Workflow: Remote Role Assignment

This topic describes the activities that must be performed by administrators on a producer and consumer portal to enable remote role assignment from a consumer portal.

For more information about this content usage mode, see 'Remote Role Assignment' Mode.

Prerequisites

You have completed the post-installation and basic configuration steps on each portal. The portals must be fully operational.

You have fulfilled the minimal prerequisites for implementing FPN in your landscape. For more information, see Prerequisites.

The user bases of the portals adhere to the requirements described in User Persistence.

The following table lists the sequence of activities performed by administrators on the producer and consumer portals.

Some activities need to be performed by the producer before the consumer can proceed and vice versa. Steps marked with the same number in both columns indicate that the steps can be performed by the producer and the consumer in any order or in parallel.

It is assumed that both portals are running the same SAP NetWeaver release.

If you are connecting your SAP NetWeaver portal to an SAP NetWeaver portal running a different release, do not use the respective documentation links provided in the table below. Instead, refer to the FPN documentation for that release on SAP Help Portal at help.sap.com.

For example, you can find documentation for implementing a federated portal network in an SAP NetWeaver 7.0 environment with SAP enhancement package 1 at http://help.sap.com/saphelp_nw70ehp1/helpdata/en/5b/9f2d4293825333e10000000a155106/frameset.htm. Remember that the SAP Library documentation on SAP Help Portal always reflects the latest SAP NetWeaver support package stack that has been released to customers.

SAP SPACES

  • February 27, 2023

Sara Sampaio

  • Technical Articles

With the aim of making workflow configuration simpler, SAP S/4HANA developed a brand-new concept called Flexible Workflow. It is advised that we make use of S/4HANA’s new Flexible Workflow feature.

The preset workflow scenarios and tasks form the foundation of the flexible workflow. This gives users the ability to specify condition-based workflow for various system activities.

SAP provides many such adaptable scenarios in procurement, Settlement Management, Sales etc. However, in many scenarios we don’t get many options when it comes to choosing an approver or agent and standard capabilities like Workflow Initiator or Manager based on HR Hierarchy don’t help with specific, dynamic business requirements.

In order to accomplish that, I have written this blog article to handle an Agent Determination scenario for Condition Contract Release Flexible Workflow which utilizes a Custom Responsibility Rule.

Introduction

In the Condition Contract Flexible Workflow scenario, the Standard template provides only one option for setting up the Workflow Approver–the Workflow Initiator Rule. This option isn’t suitable because the Workflow Initiator and Approver can’t both be the same in any Implementation requirement.


In this blog, I will show you how to create and configure a custom responsibility rule to determine the workflow agent for a task.

Pre-requisites

  • The Flexible workflow configuration has been done and is already working (not part of this blog).

Create Custom Responsibility Rule

1. BAdI Implementation

We should first implement the BAdI RSM_BADI_STATIC_RULE, where we will write our code to obtain the Agent based on custom logic, before moving forward with building the Custom Responsibility Rule using the “Manage Responsibility Rules” App.

Please be aware that it is a Limited Filter Use BADI and that in order to correctly activate it, a Filter value must be provided in the BADI Implementation.


The exporting parameter ET_AGENTS in this BAdI Implementation Class allows us to enter the agent selected using custom logic. I’ve provided a sample example for your use.


2. Manage Responsibility Rules App

Be sure to complete the following prerequisites before moving on to this step:

You have assigned the  SAP_BR_ADMINISTRATOR  role to your user ID in the development system.

You have implemented the RSM_BADI_STATIC_RULE BAdI with an appropriate filter value.

Select the Custom tab from Manage Responsibility Rules Application on Fiori, then click Create.


The “Create” button will prompt you for the package and transport request where you want to lock this rule after you click it. Make sure the BAdI filter value set in the previous step matches the Custom Rule name before entering the Custom rule name and its description; otherwise you will not be able to save it.


Create a parameter using the “Create” button under the Parameter tab and provide the parameter’s name, description, type, and related CDS view. The CDS view and field must be entered if the parameter type is Element. A CDS view should be chosen if the parameter type is Table or Structure. Only whitelisted CDS views are permitted.

Please note that adding a CDS view here enables us to obtain information about Condition Contracts from the BAdI Implementation Class and use it to create custom logic.


After saving it, we may finish creating the Custom Responsibility rule, but wait—this is where I had an A-ha! moment.

Although we have already put the BADI into use and developed the custom rule, we have not yet assigned it to our Standard workflow scenario and that’s where we are going to utilize the next app ‘Manage Responsibility Contexts’.

Configure Custom Responsibility Rule

With the  Manage Responsibility Contexts  app, you can use the list of standard responsibility contexts delivered by SAP application teams for agent determination.

You can also extend a standard responsibility context by adding your custom responsibility rule to determine agents that are responsible for your business process tasks, objects, and situation handling.

1. Extending Responsibility Contexts

You have assigned the  SAP_BR_ADMINISTRATOR  role to your user in the development system.

You have created a custom responsibility rule in the  Manage Responsibility Rules  app.

Choose Extend from this app’s menu after choosing the standard responsibility context and Standard Workflow Scenario ID. Please be aware that if a standard responsibility context has previously been extended, the Extend button will not be available.


The “Extend” button will prompt you for the package and transport request where you want to lock this rule after you click it. Once you provide this information, we get the next screen with the extended responsibility context.


2. Assigning the Agent Rule to Responsibility Context

We have the ability to link the Custom Responsibility rule to our workflow scenario by assigning it to the Extended Responsibility context under the Agent Rule tab. If you notice the Parent Context ID, it is the Standard Workflow scenario.


Here, you can give the agent decision rule a custom responsibility rule. Choose the right custom responsibility rule from the Responsibility Rule ID value help to reveal the parameters for the responsibility rule.

Once it is done, enter a constant value or pick a CDS field from the Data Source value help for each parameter.


Once you save it, it will start showing under the Extended tab of the Manage Responsibility Contexts app and also in SWDD_SCENARIO.


It will be visible in the Manage Workflows for Condition Contracts application in addition to the workflow scenario. This rule can be chosen in the step receiver option, and when choosing the step’s agent, it will apply.


I’ll end my blog article here. My focus is on including all necessary steps in this blog article so that it can be helpful to others as well.

I referred and followed the SAP Help Portal documentation to achieve this requirement and below are the direct links:

https://help.sap.com/docs/SAP_S4HANA_ON-PREMISE/8308e6d301d54584a33cd04a9861bc52/ec1b8c8f44394c959e02b41c51affd9d.html?q=BAdI%20for%20custom%20agent%20rules%20in%20Responsibility%20Management

If you’d like to ask questions, share feedback and thoughts, please use the comment section and/or post questions in the SAP S/4HANA Cloud community and follow me for further blogs.


Using Workflows for Purchase Requisition

After completing this lesson, you will be able to:

  • Define and manage workflows for purchase requisitions

Workflows for Purchase Requisitions

Flexible workflow for purchase requisitions.

The flexible workflow for purchase requisitions allows you to define one-step or multi-step approval processes for purchase requisitions according to your requirements. Approvers can then approve or reject corresponding work items in the SAP Fiori app My Inbox.

Options for the approval of purchase requisitions:

Overall release: The entire purchase requisition is approved. This type of approval is also referred to as header-level approval.

Release of purchase requisition items: The items of a purchase requisition are approved individually. This type of approval is also referred to as item-level approval.

You can define the workflow scenarios for each of the options for regular purchase requisitions and for central purchase requisitions if you are using Central Procurement respectively.


Workflow Configuration for Purchase Requisitions


You can adjust the default settings, if required.

By default, for purchase requisitions, the flexible workflow is active for the document types NB (standard purchase requisition) and NBS. For type NBS, the overall release is defined.

For self-service requisitioning, the default document type is NB, unless you define a different document type in the app Default Settings for Users. For the document type NB, item-level approval is defined. So by default, purchase requisitions are approved at the item level, and the approval is performed automatically.

Workflow Definition for Purchase Requisitions


The main activities for defining workflows are done in the app Manage Workflows for Purchase Requisitions. This is a mandatory step for using flexible workflows for purchase requisitions.

The role Configuration Expert - Business Process Configuration (SAP_BR_BPC_EXPERT) is required for defining the workflows.

Using the app Manage Workflows for Purchase Requisitions, you create the workflows, define the preconditions, assign recipients, define the order in which the preconditions are checked, and activate or deactivate the workflows.

As soon as the start preconditions for a workflow are met, this workflow is used. Defining the order ensures that only one workflow is started, even if several workflows have matching start preconditions.

If none of the start preconditions are met, the active default workflow Automatic Approval of PR is used, provided that it is active.

If you define your own default workflow, you must ensure that it is positioned at the end of the defined order and that it is active.

The following table shows the roles and the apps that are used in the business process.

Business Process

You can define the Start Conditions for a workflow, which determines when a particular workflow should be picked up. The preconditions that you can select are determined based on whether the workflow is for the overall release or an item-level release of a purchase requisition.

  • In the Start Conditions section, you can choose, for example, Company Code of Purchase Requisition for the overall release of purchase requisitions. Note that this precondition is applicable only if all items of the purchase requisition have the same company code. In the case of limit items, if the start condition of the workflow is based on the net amount or total net amount, the expected value of the limit item is considered. You can configure additional preconditions using BAdIs Providing Additional Conditions for Scenarios and Value Evaluation of Additional Conditions for Scenarios in the Custom Fields and Logic app. You can add multiple preconditions, if required. The workflow starts only if all the preconditions are satisfied.

Manage Workflows for Purchase Requisitions


  • Use of class-based workflow scenarios in the Manage Workflows for Purchase Requisitions SAP Fiori app for approval of purchase requisitions.
  • Support for several new features, such as workflow simulation for purchase requisitions.
  • Ability to add deadlines for identifying the workflows that are overdue for pending approval.
  • Use of the Edit and approve purchase requisition option in the My Inbox SAP Fiori app to enable relevant approvers to partially edit some purchase requisitions while they are in the approval process.
  • Deadline monitoring for the purchase requisition workflow.
  • Determination of the workflow initiator's manager for approval process in the Purchase Requisitions Line Item approval scenario.
  • Send email notifications when a purchase requisition is approved or rejected, by choosing the required email template and the recipient in the Workflow Notifications section. In the list of recipient roles that can be selected, you also have the Workflow Initiator role.
  • Choose Responsibility Management teams as recipient roles while adding workflow steps to the workflows corresponding to the scenarios for overall release.

Review Activities in Purchase Requisition Approval Workflow


Define the reviewers or people responsible for monitoring the progress of the workflow. You can also define the corresponding step conditions and deadlines. When a workflow is started, all the reviewers are notified. The reviewers can then track the progress of the workflow.

Make use of an additional option, Exclude Restricted Agents Determined by BAdI, that is available under Exclude Restricted Agents.

  • Monitoring the Progress of PR Approval Workflow through the Workflow Lifecycle
  • Multiple Reviewers with different step conditions/agent determination rules
  • Simple to configure Reviewer Steps
  • Deadlines can be configured for reviewer tasks
  • Approval workflow step conditions and agent determination rules are available for reviewer steps configuration
  • Reviewers receive notifications on the reviewer tasks
  • Approval details show the reviewers who have received the reviewer task
  • Reviewer task is also restarted when Approval Workflow is restarted


It is possible to skip a step in flexible workflow for purchase requisitions. For example:

  • You can mark one or more steps as optional.
  • If a step is skipped, the system continues with the next step.
  • The workflow history log provides detailed information on skipped steps, for example, the agent could not be determined, but the workflow should continue.


Create, read, update, and delete material and service limit items using the Purchase Requisition OData API. Configuration experts can define workflows for Purchase Requisitions containing limit items.

  • Improved integration to include enhanced limit items using the Purchase Requisition OData API, for example, from an external system.
  • Enhance Purchase Requisition workflow for limit items.
  • ExpectedOverallLimitAmount - The amount expected to be spent on the limit item.
  • OverallLimitAmount - The maximum amount that can be spent on the limit item.
  • If the start condition of the workflow is based on the net amount or the total net amount, the expected value of the limit item is considered.


You can define workflows for purchase requisitions containing limit items. If the start condition of the workflow is based on the net amount or the total net amount, the expected value of the limit item is considered.


Choose to exclude restricted agents from being approvers of the purchase requisitions created by them.

When you choose the option Exclude Requestors in Exclude Restricted Agents, requestors/creators of a purchase requisition will not receive requisitions created by them for approval in their inbox.

The Exclude Requestors option is not relevant for automatic release of purchase requisitions.

After exclusion, if no recipients are determined, the workflow moves to error, unless the step is marked as optional.
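The selection and exclusion rules described in this lesson, modeled in Python as an added example (not SAP code and not part of the original lesson): workflows are tried in their defined order, all start preconditions must hold, a default workflow without preconditions sits last, requestors are removed from each step's recipients, and an empty recipient list is an error unless the step is optional. The class names, field names and sample requisitions are constructed for illustration.

```python
from dataclasses import dataclass


class WorkflowError(Exception):
    """Raised when a mandatory step ends up with no recipients."""


@dataclass
class Step:
    name: str
    agents: list                    # agents returned by the step's agent rule
    exclude_requestor: bool = True  # models the "Exclude Requestors" option
    optional: bool = False          # optional steps are skipped, not failed


@dataclass
class Workflow:
    name: str
    preconditions: list             # callables on the requisition; all must hold
    steps: list
    active: bool = True


def select_workflow(workflows, pr):
    """Return the first active workflow, in defined order, whose start
    preconditions are all met. A default workflow is modeled as an entry
    with no preconditions placed at the end of the list."""
    for wf in workflows:
        if wf.active and all(cond(pr) for cond in wf.preconditions):
            return wf
    return None


def resolve_recipients(wf, pr):
    """Apply requestor exclusion per step and return (step, recipients) pairs."""
    resolved = []
    for step in wf.steps:
        agents = list(step.agents)
        if step.exclude_requestor:
            agents = [a for a in agents if a != pr["created_by"]]
        if not agents:
            if step.optional:
                resolved.append((step.name, "SKIPPED"))
                continue
            raise WorkflowError(f"{wf.name}/{step.name}: no recipients after exclusion")
        resolved.append((step.name, agents))
    return resolved


def route(workflows, pr):
    """Select a workflow for the requisition and resolve its recipients."""
    wf = select_workflow(workflows, pr)
    if wf is None:
        return {"workflow": None, "steps": [], "error": "no workflow started"}
    try:
        return {"workflow": wf.name, "steps": resolve_recipients(wf, pr), "error": None}
    except WorkflowError as exc:
        return {"workflow": wf.name, "steps": [], "error": str(exc)}


# Constructed configuration: order matters, the catch-all default comes last.
WORKFLOWS = [
    Workflow("High value",
             [lambda pr: pr["company_code"] == "1000",
              lambda pr: pr["net_amount"] >= 10000],
             [Step("Manager", ["BOB"]), Step("Finance", ["CAROL"])]),
    Workflow("Company 1000",
             [lambda pr: pr["company_code"] == "1000"],
             [Step("Peer review", ["ALICE"], optional=True),
              Step("Manager", ["ALICE", "BOB"])]),
    Workflow("Default", [], [Step("Catch-all", ["ALICE"])]),
]

# Constructed requisitions.
PR_SMALL = {"created_by": "ALICE", "company_code": "1000", "net_amount": 5000}
PR_OTHER = {"created_by": "ALICE", "company_code": "2000", "net_amount": 100}
PR_LARGE = {"created_by": "DAVE", "company_code": "1000", "net_amount": 20000}

if __name__ == "__main__":
    for pr in (PR_SMALL, PR_OTHER, PR_LARGE):
        print(route(WORKFLOWS, pr))
```

The second requisition shows the failure mode worth reviewing in any configuration: a step whose only agent is the requestor leaves the workflow in error once exclusion is applied.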

Deadline Monitoring for the Purchase Requisition Workflow

You can define the deadline by which the step should be completed, beyond which an overdue notification is sent to the approver. The workflow deadline can be specified in minutes, hours, days, or workdays.

Workdays are determined based on the factory calendar. The factory calendar can be defined using the BAdI Determination of Factory Calendar for Workflow Deadline (MMPUR_PROC_WF_FACTORY_CALENDAR). If there is no custom logic defined, all days of the week are considered workdays.

Edit and Approve Purchase Requisitions


You can view and edit fields in the purchase requisition, for header and item level approval. Approvers can change the account assignment for purchase requisitions with header level approval. You can view and edit header notes.

You can extend the application by adding custom fields and adapting the UI.

You can choose decision reasons before making a decision on the requisition.

You can view the web service ID and the material and edit the delivery date for header and item level approval.

  • Account Assignment Category
  • Distribution Indicator
  • Account Assignment Details

View and edit limit items in purchase requisitions.

Choose the document type while adding attachments to purchase requisition items. You can choose either For Internal Use or For External Use based on whether the communication is intended for internal or external stakeholders.

View details of the Review Steps, if any, under Approval Details. This contains the list of reviewers or people responsible for monitoring the progress of the workflow.


As an approver, you can edit the contact information (Purchasing Group, Requisitioner) of the purchase requisition, if required. This is applicable for both header and item level approval.

  • Improved process efficiency through availability enablement of direct edit.
  • Reduced time and effort due to maintenance of precise/correct purchasing group and requisitioner.
  • Applicable for both header and item level approval.

My Inbox - Approve Purchase Requisitions


You can use the My Inbox app to make important decisions with mobile or desktop devices anywhere and anytime. Using the app My Inbox, you can approve, reject, or request rework of purchase requisitions.

You can view the purchase requisition header or item object page embedded in My Inbox app.


You can view and download GOS attachments in workflow items corresponding to the scenario Overall Release of Purchase Requisition. GOS attachments are the attachments that have been added to the purchase requisition using the Create Purchase Requisition - Advanced app.

Inquiry in the Approval Process of Purchase Requisition Documents Through Workflows


Configure workflows with step type Overall Release of Reworkable PR and Release of Reworkable PR Item to enable approvers to send back purchase requisitions or items to requestors for rework. Configure the resultant action for the Rework Requested exception as Repeat Step, Restart Workflow or Continue.

On configuring workflows with step type Overall Release of Reworkable PR or Release of Reworkable PR Item, purchase requisitions or items that are subject to these workflows can be sent for rework.

The resultant action after rework can be configured as follows:

  • Repeat Step - The same workflow step is repeated.
  • Restart Workflow - The workflow starts again from the beginning.
  • Continue - The workflow continues with the subsequent step.

Restart Flexible Workflow Triggered by Changes

Critical changes made to an existing purchase requisition re-trigger the workflow. You can change the default conditions according to your business requirements to determine if the restart of the approval workflow should be triggered. You can maintain this in the following ways.


You can overwrite the default conditions that control the restart of the approval workflow for purchase requisitions using the configuration app Manage Conditions to Restart Flexible Workflow in the Manage Your Solution app. Using this configuration app, the restart of Purchase Requisitions approval can be stopped for specific attributes.

Column SS Proc. is applicable for purchase requisitions created from the self-service purchase requisitions app Create Purchase Requisition. By default, the attributes relevant for self-service procurement are selected and editable. The attributes that are not editable indicate that they are not applicable for self-service procurement. These are purchase requisitions with creation indicator ESTKZ = S, that is, self-service procurement.

Column Prf. Proc., for the Purchaser role, is applicable for the purchase requisitions created from the Create Purchase Requisition Advanced and Manage Purchase Requisition Professional apps. By default, the attributes relevant for professional procurement are selected and editable. The attributes that are not editable indicate that they are not applicable for professional procurement. These are purchase requisitions with creation indicator ESTKZ = R, that is, Realtime (manual).

You can deselect the attributes whose change should not restart the approval workflow.


To decide which critical changes lead to a restart, you can create an implementation using Business Add-In (BAdI) Define Conditions to Restart Flexible Workflow in the Custom Fields and Logic app.

You can use BAdI Define Conditions to Restart Flexible Workflow (MM_PUR_S4_PR_WFL_RESTART) to further control the restart of the approval workflow based on attribute values. Create an implementation in Define Conditions to Restart Flexible Workflow using the Custom Fields and Logic app. An example implementation is provided for reference with the BAdI. This BAdI can be used to influence the approval restart of purchase requisitions with any creation indicator.

Example: There is no need to restart the approval of purchase requisitions for a particular plant. Assume the plant is 'ABCD'. The following code snippet can be implemented using the Custom Fields and Logic app.

    IF PURCHASEREQITEMSCURR-PLANT = 'ABCD'. "Purchase requisition plant
      CLEAR RESTARTWORKFLOW.
    ENDIF.


Lead Consultant – SAP Procure to Pay (SAP Material Management)

Job Title - Lead Consultant – SAP Procure to Pay (SAP Material Management)

Career Level - E

SAP Experience: 10-15 Years

Location: Chennai

Do you have expertise in, and passion for, information technology? Would you like to apply your expertise to impact the IT strategy in a company that follows the science and turns ideas into life changing medicines? If so, AstraZeneca might be the one for you!

ABOUT ASTRAZENECA

AstraZeneca is a global, science-led, patient-focused biopharmaceutical company that focuses on the discovery, development and commercialisation of prescription medicines for some of the world’s most serious diseases. But we’re more than one of the world’s leading pharmaceutical companies. At AstraZeneca we’re dedicated to being a Great Place to Work.

ABOUT OUR TECHNOLOGY TEAM

It’s a dynamic and results-oriented environment to work in – but that’s why we like it. There are countless opportunities to learn and grow, whether that’s exploring new technologies in hackathons, or redefining the roles and work of colleagues, forever. Shape your own path, with support all the way. Diverse minds that work cross-functionally and broadly together.

ABOUT THE PROGRAM:

Axial is a strategic multi-year business transformation program helping AstraZeneca achieve its 2030 Bold Ambition. Axial will deliver the new backbone for our innovation, growth, and performance, and the technology driving Axial is SAP S/4HANA and its Business Technology Platform(s).

The Axial Technology team actively partners with our business colleagues to deliver cutting-edge technology capabilities to fulfil AstraZeneca’s bold ambition of delivering life changing medicines to patients. Our ambition is to provide best-in-class expertise and leadership in technological solutions and Information Delivery that empowers our colleagues in the field and accelerates and improves strategic decision-making for a diverse range of partners. The team engages with some of the most exciting business areas within AstraZeneca and is faced with solving for a variety of complex business and IT challenges.

Introduction to Role: As an S/4HANA Materials Management Lead Consultant (SAP MM), you will be part of a wider SAP S/4HANA IT team that will lead on defining the IT and data solution that will support the global standardised business process. This is an exciting opportunity to be part of a team that is transforming our ability to develop life-changing medicines.

Accountabilities : You will be responsible for ensuring integration between business process definition, SAP solution definition and SAP data objects definition. You will create the solution documentation that defines the global standard solution and ensures that it is fully and effectively tested in line with AZ testing standards. You will work with stakeholders to ensure agreement with the design and support the passage of the solution design through the appropriate governance forums. 

Essential Skills/Experience:

  • Expertise in the respective business domain and on SAP MM with S/4 HANA.
  • SAP MM implementation experience from design to completion of deployment.
  • Certification in specific SAP S/4HANA – Sourcing and Procurement.
  • Track record of delivering SAP configuration design.
  • Strong knowledge in Business process Configuration.
  • Rich knowledge on interface solutions with ECC and Third-Party Systems.
  • Knowledge on latest S/4 technologies and functionalities 
  • Good knowledge on SAP MM integration with FI, CO, SD, PP, QM & PM functions.
  • Good knowledge of Tolling and Inter/Intra company processes.
  • Knowledge on classic Business workflow and S/4 Flexible workflow.
  • Experience of Pharmaceutical supply chain business activities and the required business outcomes within the relevant capability area
  • Knowledge of new SAP technologies and functionalities 
  • Good stakeholder management and communication skills with Business and IT areas
  • Strong team player able to work across the program team and communicate in business and IT terms
  • Comfortable with ambiguity and possessing an agile and open mindset.
  • Self-motivated with the ability to prioritise effectively to ensure project goals are achieved.
  • Strong skills in business operations, communications, customer and partner engagement, and internal stakeholder management
  • Confident to challenge the status quo and facilitate different perspectives to drive solutions.
  • Able to manage large work efforts and meet challenging deadlines
  • Demonstrated personal credibility and positive energy
  • Able to think out of the box, thrive in ambiguous and stressful situations
  • Innovative capabilities, agile mindset requiring strategic thinking and foresight.

Desirable Skills/Experience:

  • Knowledge on SAP EWM, TM and SAP ABAP Debugging
  • Data Migration with SAP S/4HANA Migration Cockpit.
  • Knowledge on EML, SAP Activate Methodologies, SAP Best Practices for SAP S/4HANA
  • Exposure to testing tools
  • Knowledge on SAP ADM
  • Involved in S/4 stage 3 Prototype, Participated in F2S scenario building in S/4.
  • Involved in S/4 EWM POC and good knowledge in S/4 Fiori APPs relevant to the core MM.
  • MDG Integration and master data elements like Material master & business partner.
  • Jira and Solution Manager for handling Change Management process as a User
  • A track record of delivering SAP configuration designs for supply chain modules
  • Worked in a hybrid environment with a mix of internal and external resources in multiple geographical locations
  • Knowledge of non-SAP technologies in the relevant line of business eg Coupa P2P & AP, Workday & Bottomline.
  • Expertise on SAP Fiori Apps and Embedded Analytics related to MM functions.

Education Background

- Engineering Graduate or Postgraduate from reputed University

WHY JOIN US?

We’re a network of high-reaching self-starters who contribute to something far bigger. We enable AstraZeneca to perform at its peak by delivering premier technology and data solutions.

We’re not afraid to take ownership and run with it. Empowered with unrivalled freedom. Put simply, it’s because we make a significant impact. Everything we do matters.

SO, WHAT’S NEXT?

Are you already envisioning yourself joining our team? Good, because we’d love to hear from you! Click the link to apply and we’ll be in touch as soon as we can.

WHERE CAN I FIND OUT MORE?

Our Social Media, Follow AstraZeneca on LinkedIn https://www.linkedin.com/company/1603/

We are an equal opportunity employer and value diversity at our company. We do not discriminate on the basis of race, religion, color, national origin, sex, gender, gender expression, sexual orientation, age, marital status, veteran status, or disability status.

AstraZeneca embraces diversity and equality of opportunity. We are committed to building an inclusive and diverse team representing all backgrounds, with as wide a range of perspectives as possible, and harnessing industry-leading skills. We believe that the more inclusive we are, the better our work will be. We welcome and consider applications to join our team from all qualified candidates, regardless of their characteristics. We comply with all applicable laws and regulations on non-discrimination in employment (and recruitment), as well as work authorization and employment eligibility verification requirements.

We’ll keep you up-to-date

Sign up to be the first to receive job updates.

Email Address

Confirm Email

We are AstraZeneca, one of the world’s most forward-thinking and connected BioPharmaceutical companies. Explore our world.

At AstraZeneca, our purpose is to help patients all over the world by delivering life-changing medicines as one collaborative team.

The success of AstraZeneca is founded on innovation, creativity and diversity. Discover what this means for you.

Glassdoor logo

Great culture, great work assignments, supportive management. Rotation opportunity within the company. They value inclusion and diversity.


Leveling up privileged identity management with approvals.


Don’t Assign Privileged Roles without Oversight

Privileged Identity Management (PIM) is a component of Microsoft Entra ID that allows organizations to exert granular control and monitoring for highly privileged user accounts. PIM enables roles to leverage Just-in-Time (JIT) privileges for access to Azure and Microsoft Entra resources. Although PIM has been around for several years, many environments still fail to leverage its true benefits.

In another article, Mike Parker covers how PIM controls the activation of eligible assignments. Here, I cover how PIM uses a powerful role setting to require approval prior to account activation. Implementing this control creates a workflow that could stop attackers in their tracks even after they’ve succeeded in compromising administrative credentials.


Implementation

When viewing membership from both the user and role perspective, assignments are split into three tabs: Eligible, Active, and Expired. To take advantage of the JIT features of PIM, members added to roles must use the eligible assignment type. When a user has an eligible assignment for a role, they must activate the role before permissions are applied to the session…

After a role utilizes eligible membership, an administrator must modify the role settings to require approval to activate, as seen in Figure 1. The administrator then selects approvers unless the default approvers (Privileged Role Administrators and Global Administrators) are acceptable. The list of approvers supports both Users and Groups of all types. This includes guest accounts, security groups, and Microsoft 365 groups.

Notifications should use the default recipients for Admin, Requestor, and Approver for the “Send notifications when eligible members activate this role” setting. These settings ensure that:

  • Approvers receive notifications for activation requests.
  • Admins receive notifications that the activation request was approved.
  • Requestors receive notifications that the activation request was approved.

Additional recipients can also be used instead of, or in addition to, the default recipients. Figure 2 shows the available notification options.

These are the only required steps to configure a role to require approval. The workflow from the requestor and approver perspective is equally simple.

Once a user is granted an eligible assignment for a role, they can “Activate” the assignment. In doing so, they initiate the activation workflow. The requestor must adhere to any additional activation requirements configured in the role setting. Figure 1 displays other activation settings such as requiring justification or Azure MFA. From there, the activation request sends a notification to the mailbox of all configured approvers. At this point, the activation is in a pending state.

Any of the approvers can Approve or Deny the request in the Approve requests blade of the Entra admin center. Approving or denying a request requires the approver to provide a justification for their decision. Upon approval, all approvers receive another email identifying who reviewed the request. Finally, the requestor is notified of the approval.

Once all stages of the workflow are complete, access is granted to the requestor. The activated assignment appears under the requestor’s Active assignments tab with a state of “Activated”. Figure 3 shows the difference between a role that has been elevated and one always assigned to be in the active state.


If permissions associated with the newly activated role are not immediately applied, the Troubleshooting Recently Activated Permissions in Privileged Identity Management article may be helpful.

The approval process lifecycle provides monitoring opportunities in addition to the added layer of security. Identity Governance audit logs capture details for the addition of new members to roles, the modification of role settings, and the activation of eligible assignments. They also log the full approval lifecycle, including the reason for an activation request and the justification provided by the approver. Figure 4 shows this workflow. Starting at the bottom, Lee requests PIM activation, Brandon approves the request, and the MS-PIM actor adds Lee to the role.


The PIM resource audit logs hold similar details and include a “My audit” option that provides details related only to the logged-in user. Additional audit information is available using the access reviews feature, but this solution requires an ID Governance license.
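The approval lifecycle recorded in the audit log (request, approval, then the MS-PIM actor adding the member) can be checked mechanically for activations that skipped a stage. The following Python is an added example, not code from the article or from Microsoft; the record schema, its field names, the user kim, and all sample records are constructed assumptions, and a real audit log export must be mapped to this shape first.

```python
from datetime import datetime

# Constructed sample records in a simplified schema (assumption). A real audit
# export uses different field names and must be mapped to this shape first.
SAMPLE_EVENTS = [
    # Lifecycle described in the article: request, approval, MS-PIM adds member.
    {"time": "2024-01-10T09:00:00", "stage": "requested", "actor": "lee",
     "member": "lee", "role": "Global Administrator", "reason": "Change tenant setting"},
    {"time": "2024-01-10T09:04:00", "stage": "approved", "actor": "brandon",
     "member": "lee", "role": "Global Administrator", "reason": "Change ticket verified"},
    {"time": "2024-01-10T09:04:05", "stage": "completed", "actor": "MS-PIM",
     "member": "lee", "role": "Global Administrator", "reason": ""},
    # Activation that completes with a request but no approval on record.
    {"time": "2024-01-11T02:13:00", "stage": "requested", "actor": "kim",
     "member": "kim", "role": "Exchange Administrator", "reason": "test"},
    {"time": "2024-01-11T02:13:04", "stage": "completed", "actor": "MS-PIM",
     "member": "kim", "role": "Exchange Administrator", "reason": ""},
]


def review_activations(events):
    """Return (time, member, role, finding) for each completed activation
    whose preceding lifecycle lacks a request or a justified approval."""
    open_requests = {}  # (member, role) -> {"request": ev, "approval": ev or None}
    findings = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        key = (ev["member"], ev["role"])
        if ev["stage"] == "requested":
            open_requests[key] = {"request": ev, "approval": None}
        elif ev["stage"] == "approved" and key in open_requests:
            open_requests[key]["approval"] = ev
        elif ev["stage"] == "completed":
            state = open_requests.pop(key, None)
            if state is None:
                problem = "completed without a request"
            elif state["approval"] is None:
                problem = "completed without an approval"
            elif state["approval"]["actor"] == state["request"]["actor"]:
                problem = "approved by the requestor"
            elif not state["approval"]["reason"].strip():
                problem = "approved without a justification"
            else:
                continue  # full lifecycle present, nothing to report
            findings.append((ev["time"], ev["member"], ev["role"], problem))
    return findings


if __name__ == "__main__":
    for finding in review_activations(SAMPLE_EVENTS):
        print(finding)
```

A finding of "completed without an approval" on a role that is supposed to require approval is a prompt to check the audit log for a recent modification of that role's settings.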


Leveling Up

The setting to require approval from a manager or colleague arguably adds the highest level of security surrounding account activation. Requiring approval utilizes a sort of rocket launch double-check as it requires a second account (or human) to grant permissions. Most other PIM settings do very little to provide additional security when attempting to determine the difference between an account owner and an adversary elevating an account’s permissions.

Implementation of an approval workflow for the highest privileged roles encourages administrators to use roles appropriate to the task. There is very little reason for members of Global Administrators to regularly log into the admin center. Assigning multiple roles to administrative personnel, utilizing varying levels of account protections, is one method to achieve least privilege.

Finally, it is important to note that the use of PIM does not replace the need for other security measures. Utilizing dedicated administrative accounts and workstations helps to provide segmentation and protects against phishing attacks. Implementing conditional access policies is imperative to increase overall security posture by requiring MFA, enforcing trusted locations/devices, and limiting actions when risk conditions are present. Continuing to add layers of security to Entra accounts and applications is truly how to level up.

About the Author


Brandon Colley



COMMENTS

  1. Roles in Workflow

    The roles in this part of the documentation are based on the assumption of a particular way of working with SAP Business Workflow. It is assumed that IMG activities are already complete. The roles used are stylized. But they can also be used in your organization if you work in a different way. The process consultant identifies the business ...

  2. Assign Workflow Roles to Your Users

    Create a role collection. See Define a Role Collection. Add roles to the role collection. See Add Roles to a Role Collection; Assign the role collection to a group of users. See Assign User Groups to Role Collections.

  3. Managing Workflow Assignments

    Approver type is Role, and the corresponding approver role is Self, Manager, Manager Manager, or Employee HR. Approver type is Dynamic Role, and the resolved approver of a selected dynamic role is an individual person. You can reserve workflows on the My Workflow Requests page or the Workflow Details page through the Web application. Note that ...

  4. 2080108

    The following approver roles only work with the subject user of the workflow ( Employee ): Employee HR. Matrix Manager. Custom Manager. Second Manager. Dynamic Role -. The participants are dynamically determined according to event reason of the change or certain foundation data of the subject user. The dynamic role can be employees, positions ...

  5. Roles in Workflow

    The workflow roles in this part of the documentation are based on the assumption of a particular way of working with SAP Business Workflow. It is assumed that IMG activities are already complete. The workflow roles used are stylized. But they can also be used in your organization if you work in a different way. The role-based procedure model.

  6. 1705217

    Agent determination, Dynamic rule assignment , workflow , assignment , KBA , MM-PUR-GF-WOF , Workflow , MM-IV-INT-WF , Workflow , How To About this page This is a preview of a SAP Knowledge Base Article.

  7. 3082652

    Dynamic role assignment should have multiple rows which includes filters and without filters. Underlined ones are the filters applied and place the no filter row in the middle. Steps: Take any action which triggers the "Test_workflow" and notice that one of the Workflow participants show the approver which is not expected based on the filter of ...

  8. Workflow: Remote Role Assignment

    If your portal is running SAP NetWeaver Composition Environment without usage type EP Core ... ignore this topic and read Workflow: Remote Role Assignment instead. End of the note. This topic describes the activities that must be performed by administrators on a producer and consumer portal to enable remote role assignment from a consumer portal.

  9. 2475321

    Symptom. When a workflow is triggered for a global assignment change and you have configured Dynamic Role HR in CC Role, source and target are reversed. If Dynamic Role HR in CC Role is set to (Source), you will get the results for (target) and vice versa. Image/data in this KBA is from SAP internal systems, sample data, or demo systems.

  10. Using Workflows for Purchase Orders

    The flexible workflow is a general function that allows you to define condition-based workflows for approval processes. For purchase orders, you can set up automatic, one-step, or multi-step approval workflows. You can assign one or more approvers to each step. You can define approvers by role, or you can assign individual users or teams as ...

  11. 2541730

    Image/data in this KBA is from SAP internal systems, sample data, or demo systems. ... It is possible to add Foundation Object and Generic Object fields to the Dynamic Role Assignment object (dynamicRoleAssignment) in the Corporate Data Model. When adding the field, you must reference "jobInfo". See the example below -:

  12. Determining SAP Flexible Workflow Agents with Custom Responsibility

    It is advised that we make use of S/4HANA's new Flexible Workflow feature. The preset workflow scenarios and tasks form the foundation of the flexible workflow. This gives users the ability to specify condition-based workflow for various system activities. SAP provides many such adaptable scenarios in procurement, Settlement Management, Sales ...

  13. Using Workflows for Purchase Requisition

    Using the app Manage Workflows for Purchase Requisitions, you create the workflows, define the preconditions, assign recipients, define the order in which the preconditions are checked, and activate or deactivate the workflows. As soon as the start preconditions for a workflow are met, this workflow is used. Defining the order ensures that only ...

  14. PR Workflow role based user assignment

    The SAP Partner Groups will be INACCESSIBLE January 16-23 for a technical migration. For more information, please click the button at right to view the partner page ... Sep 30, 2014 at 10:54 AM PR Workflow role based user assignment. 531 Views. Follow RSS Feed Hi, We are developing workflow for purchase requisition release for multilevel and ...

  15. Lead Consultant

    Good knowledge on SAP MM integration with FI, CO, SD, PP, QM & PM functions. Good knowledge of Tolling and Inter/Intra company processes. Knowledge on classic Business workflow and S/4 Flexible workflow. Experience of Pharmaceutical supply chain business activities and the required business outcomes within the relevant capability area
