Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Privileged Identity Management (PIM) in Microsoft Entra ID allows you to configure roles to require approval for activation, and choose one or multiple users or groups as delegated approvers. Delegated approvers have 24 hours to approve requests. If a request isn't approved within 24 hours, then the eligible user must re-submit a new request. The 24 hour approval time window isn't configurable.
View pending requests
As a delegated approver, you receive an email notification when a Microsoft Entra role request is pending your approval. You can view these pending requests in Privileged Identity Management.
- Sign in to the Microsoft Entra admin center. 
- Browse to ID Governance > Privileged Identity Management > Approve requests.   - In the Requests for role activations section, you can see a list of requests pending your approval. 
View pending requests using Microsoft Graph API
HTTP request
GET https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignmentScheduleRequests/filterByCurrentUser(on='approver')?$filter=status eq 'PendingApproval' 
HTTP response
{ 
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#Collection(unifiedRoleAssignmentScheduleRequest)", 
    "value": [ 
        { 
            "@odata.type": "#microsoft.graph.unifiedRoleAssignmentScheduleRequest", 
            "id": "00aa00aa-bb11-cc22-dd33-44ee44ee44ee", 
            "status": "PendingApproval", 
            "createdDateTime": "2021-07-15T19:57:17.76Z", 
            "completedDateTime": "2021-07-15T19:57:17.537Z", 
            "approvalId": "00aa00aa-bb11-cc22-dd33-44ee44ee44ee", 
            "customData": null, 
            "action": "SelfActivate", 
            "principalId": "aaaaaaaa-bbbb-cccc-1111-222222222222", 
            "roleDefinitionId": "88d8e3e3-8f55-4a1e-953a-9b9898b8876b", 
            "directoryScopeId": "/", 
            "appScopeId": null, 
            "isValidationOnly": false, 
            "targetScheduleId": "00aa00aa-bb11-cc22-dd33-44ee44ee44ee", 
            "justification": "test", 
            "createdBy": { 
                "application": null, 
                "device": null, 
                "user": { 
                    "displayName": null, 
                    "id": "d96ea738-3b95-4ae7-9e19-78a083066d5b" 
                } 
            }, 
            "scheduleInfo": { 
                "startDateTime": null, 
                "recurrence": null, 
                "expiration": { 
                    "type": "afterDuration", 
                    "endDateTime": null, 
                    "duration": "PT5H30M" 
                } 
            }, 
            "ticketInfo": { 
                "ticketNumber": null, 
                "ticketSystem": null 
            } 
        } 
    ] 
} 
Approve requests
Note
Approvers aren't able to approve their own role activation requests. Additionally, service principals aren't allowed to approve requests.
- Find and select the request that you want to approve. An approve or deny page appears.
- In the Justification box, enter the business justification.
- Select Submit. At this point, the system sends an Azure notification of your approval.
Approve pending requests using Microsoft Graph API
Note
Approval for extend and renew requests is currently not supported by the Microsoft Graph API
Get IDs for the steps that require approval
For a specific activation request, this command gets all the approval steps that need approval. Multi-step approvals aren't currently supported.
HTTP request
GET https://graph.microsoft.com/beta/roleManagement/directory/roleAssignmentApprovals/<request-ID-GUID> 
HTTP response
{ 
    "@odata.context": "https://graph.microsoft.com/beta/$metadata#roleManagement/directory/roleAssignmentApprovals/$entity", 
    "id": "<request-ID-GUID>",
    "steps@odata.context": "https://graph.microsoft.com/beta/$metadata#roleManagement/directory/roleAssignmentApprovals('<request-ID-GUID>')/steps", 
    "steps": [ 
        { 
            "id": "<approval-step-ID-GUID>", 
            "displayName": null, 
            "reviewedDateTime": null, 
            "reviewResult": "NotReviewed", 
            "status": "InProgress", 
            "assignedToMe": true, 
            "justification": "", 
            "reviewedBy": null 
        } 
    ] 
} 
Approve the activation request step
HTTP request
PATCH 
https://graph.microsoft.com/beta/roleManagement/directory/roleAssignmentApprovals/<request-ID-GUID>/steps/<approval-step-ID-GUID> 
{ 
    "reviewResult": "Approve", // or "Deny"
    "justification": "Trusted User" 
} 
HTTP response
Successful PATCH calls generate an empty response.
Deny requests
- Find and select the request that you want to approve. An approve or deny page appears.
- In the Justification box, enter the business justification.
- Select Deny. A notification appears with your denial.
Workflow notifications
Here's some information about workflow notifications:
- Approvers are notified by email when a request for a role is pending their review. Email notifications include a direct link to the request, where the approver can approve or deny.
- Requests are resolved by the first approver who approves or denies.
- All approvers are notified when an approver responds to an approval request.
- Global Administrators and Privileged Role Administrators are notified when an approved user becomes active in their role.
Note
A Global Administrator or Privileged Role Admin who believes that an approved user shouldn't be active can remove the active role assignment in Privileged Identity Management. Although administrators aren't notified of pending requests unless they are an approver, they can view and cancel any pending requests for all users by viewing pending requests in Privileged Identity Management.