Dear Morgan,
I can see that your group GRP_ACCESS_N1_PIM has several permanent active directory roles (Privileged Authentication, Global Reader, and LAPS Custom Role). From your description, the configuration seems correct, but the issue occurs when eligible members activate their Just-In-Time (JIT) access and the group-based roles are not reflected on their profile. Let’s go step by step to isolate the cause:
1. Confirm the role assignment type: Group-based PIM role assignments apply only when the group itself (not the user) is activated with the role. Members must be active in the group and the group must have active eligible roles.
2. Check group activation type: If your group is configured as eligible for PIM roles, ensure it’s set as an Assignable Group under Azure AD → Groups → Properties → Azure AD roles can be assigned to the group = Yes.
3. Verify activation sequence:
- Step 1: The user activates their membership in the PIM group (JIT).
- Step 2: The group’s role assignments propagate after Azure AD refresh (can take up to 15 minutes).
- Step 3: The user’s token must refresh (log out/in or run klist purge in PowerShell).
4. Check if group assignment is active at directory level:
- Go to Azure AD → Privileged Identity Management → Azure AD Roles → Groups (tab) and confirm the group’s state is Active, not Eligible.
5. Token propagation delay: After elevation, users might not immediately see role effects. Have them sign out of all sessions, wait about 10–15 minutes, then sign back in.
6. Validate role visibility: In PowerShell, run Get-AzureADDirectoryRole | Get-AzureADDirectoryRoleMember and confirm if the user appears as an active member under the role after group elevation.
7. Check conditional access policies or directory role filters that might block group-based role resolution (common in secured tenants).
8. Cross-verify license prerequisites: Ensure PIM-eligible users have Azure AD Premium P2 licenses assigned; otherwise, JIT activation may not apply correctly.
9. If group-based roles never propagate, try a test: assign the same role directly to a user via PIM and compare behavior. This can help confirm whether the problem lies in group-to-role propagation or PIM activation itself.
10. If all settings look correct, you may need to re-register the group in PIM: remove the existing directory roles, wait 15 minutes, then re-add them and test activation again.
If these steps help you restore expected behavior, please click “Accept answer” so others facing the same issue can find this solution easily 🙂.
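A PowerShell check that walks steps 2, 3, 6 and 8 above in one pass, added here as an example and not part of the original answer. It assumes the AzureAD module the answer names in step 6, an already open Connect-AzureAD session, and a placeholder UPN; it goes slightly beyond step 6 by also reporting roles where the group itself (rather than the user) is the active member, which is how group-based assignments actually appear.

```powershell
# Added troubleshooting helper; not part of the original answer. Assumes the
# AzureAD module named in step 6 and an existing Connect-AzureAD session.
# The UPN is a placeholder; the group name is the one from the question.
param(
    [string]$GroupName = 'GRP_ACCESS_N1_PIM',
    [string]$UserUpn   = 'user@contoso.example'   # placeholder
)

# Step 2: the group must be role-assignable or PIM cannot attach directory roles to it.
$group = Get-AzureADMSGroup -Filter "displayName eq '$GroupName'"
if (-not $group) { throw "Group '$GroupName' not found." }
Write-Host ("Group '{0}' IsAssignableToRole = {1}" -f $group.DisplayName, $group.IsAssignableToRole)

$user = Get-AzureADUser -ObjectId $UserUpn

# Step 8: a P2 SKU must be present, either standalone or inside a bundle.
$skus = (Get-AzureADUserLicenseDetail -ObjectId $user.ObjectId).SkuPartNumber
if ($skus -notcontains 'AAD_PREMIUM_P2') {
    Write-Warning "No standalone AAD_PREMIUM_P2 SKU on $UserUpn (found: $($skus -join ', ')); confirm P2 is included via a bundle such as EMS E5."
}

# Steps 1 and 3: after JIT activation the user should be a direct member of the group.
$inGroup = (Get-AzureADGroupMember -ObjectId $group.Id -All $true).ObjectId -contains $user.ObjectId
Write-Host ("User is currently an active member of '{0}': {1}" -f $GroupName, $inGroup)

# Steps 4 and 6: list directory roles whose active member list contains the group
# (group-based assignment) or the user directly (the step 9 comparison case).
# Eligible-only assignments do not appear here, so run this after activation.
$resolved = foreach ($role in Get-AzureADDirectoryRole) {
    $ids = (Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId).ObjectId
    if ($ids -contains $group.Id)      { "$($role.DisplayName) (via group)" }
    if ($ids -contains $user.ObjectId) { "$($role.DisplayName) (direct)" }
}
if ($resolved) {
    Write-Host "Active directory roles resolved for $UserUpn :"
    $resolved | ForEach-Object { Write-Host "  $_" }
} else {
    Write-Warning "No active directory role resolves to the group or the user; re-check steps 3-5 and 10."
}
```

If the group shows up under a role but the user is not a group member, the problem is the JIT activation itself; if the user is a member but no role lists the group, the group-to-role assignment is still eligible rather than active.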