{
	"id": "3fa7f0b4-cf34-49e9-b6e1-ff7518deaa17",
	"created_at": "2026-04-06T01:28:53.798073Z",
	"updated_at": "2026-04-10T03:20:16.750167Z",
	"deleted_at": null,
	"sha1_hash": "e87f40e408ed78f039510644f170ca30d3cefc58",
	"title": "Approve or deny requests for Microsoft Entra roles in PIM - Microsoft Entra ID Governance",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 340503,
	"plain_text": "Approve or deny requests for Microsoft Entra roles in PIM - Microsoft Entra ID Governance\r\nBy kenwith\r\nArchived: 2026-04-06 00:16:45 UTC\r\nApprove or deny requests for Microsoft Entra roles in Privileged Identity Management\r\nPrivileged Identity Management (PIM) in Microsoft Entra ID allows you to configure roles to require approval for activation, and choose one or multiple users or groups as delegated approvers. Delegated approvers have 24 hours to approve requests. If a request isn't approved within 24 hours, then the eligible user must re-submit a new request. The 24-hour approval time window isn't configurable.\r\nAs a delegated approver, you receive an email notification when a Microsoft Entra role request is pending your approval. You can view these pending requests in Privileged Identity Management.\r\n1. Sign in to the Microsoft Entra admin center.\r\n2. Browse to ID Governance \u003e Privileged Identity Management \u003e Approve requests.\r\nIn the Requests for role activations section, you can see a list of requests pending your approval.\r\nhttps://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/azure-ad-pim-approval-workflow\r\nPage 1 of 4\r\nGET https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignmentScheduleRequests/filterByCurrentUse\r\n{\r\n \"@odata.context\": \"https://graph.microsoft.com/v1.0/$metadata#Collection(unifiedRoleAssignmentScheduleReques\r\n \"value\": [\r\n {\r\n \"@odata.type\": \"#microsoft.graph.unifiedRoleAssignmentScheduleRequest\",\r\n \"id\": \"00aa00aa-bb11-cc22-dd33-44ee44ee44ee\",\r\n \"status\": \"PendingApproval\",\r\n \"createdDateTime\": \"2021-07-15T19:57:17.76Z\",\r\n \"completedDateTime\": \"2021-07-15T19:57:17.537Z\",\r\n \"approvalId\": \"00aa00aa-bb11-cc22-dd33-44ee44ee44ee\",\r\n \"customData\": null,\r\n \"action\": \"SelfActivate\",\r\n \"principalId\": \"aaaaaaaa-bbbb-cccc-1111-222222222222\",\r\n \"roleDefinitionId\": \"88d8e3e3-8f55-4a1e-953a-9b9898b8876b\",\r\n \"directoryScopeId\": \"/\",\r\n \"appScopeId\": null,\r\n \"isValidationOnly\": false,\r\n \"targetScheduleId\": \"00aa00aa-bb11-cc22-dd33-44ee44ee44ee\",\r\n \"justification\": \"test\",\r\n \"createdBy\": {\r\n \"application\": null,\r\n \"device\": null,\r\n \"user\": {\r\n \"displayName\": null,\r\n \"id\": \"d96ea738-3b95-4ae7-9e19-78a083066d5b\"\r\n }\r\n },\r\n \"scheduleInfo\": {\r\n \"startDateTime\": null,\r\n \"recurrence\": null,\r\n \"expiration\": {\r\n \"type\": \"afterDuration\",\r\n \"endDateTime\": null,\r\n \"duration\": \"PT5H30M\"\r\n }\r\n },\r\n \"ticketInfo\": {\r\n \"ticketNumber\": null,\r\n \"ticketSystem\": null\r\n }\r\n }\r\n ]\r\n}\r\nNote\r\nApprovers aren't able to approve their own role activation requests. Additionally, service principals aren't allowed to approve requests.\r\n1. Find and select the request that you want to approve. An approve or deny page appears.\r\n2. In the Justification box, enter the business justification.\r\n3. Select Submit. At this point, the system sends an Azure notification of your approval.\r\nNote\r\nApproval for extend and renew requests is currently not supported by the Microsoft Graph API.\r\nFor a specific activation request, this command gets all the approval steps that need approval. Multi-step approvals aren't currently supported.\r\nGET https://graph.microsoft.com/beta/roleManagement/directory/roleAssignmentApprovals/\u003crequest-ID-GUID\u003e\r\n{\r\n \"@odata.context\": \"https://graph.microsoft.com/beta/$metadata#roleManagement/directory/roleAssignmentApprova\r\n \"id\": \"\u003crequest-ID-GUID\u003e\",\r\n \"steps@odata.context\": \"https://graph.microsoft.com/beta/$metadata#roleManagement/directory/roleAssignmentAp\r\n \"steps\": [\r\n {\r\n \"id\": \"\u003capproval-step-ID-GUID\u003e\",\r\n \"displayName\": null,\r\n \"reviewedDateTime\": null,\r\n \"reviewResult\": \"NotReviewed\",\r\n \"status\": \"InProgress\",\r\n \"assignedToMe\": true,\r\n \"justification\": \"\",\r\n \"reviewedBy\": null\r\n }\r\n ]\r\n}\r\nPATCH\r\nhttps://graph.microsoft.com/beta/roleManagement/directory/roleAssignmentApprovals/\u003crequest-ID-GUID\u003e/steps/\u003cappro\r\n{\r\n \"reviewResult\": \"Approve\", // or \"Deny\"\r\n \"justification\": \"Trusted User\"\r\n}\r\nSuccessful PATCH calls generate an empty response.\r\n1. Find and select the request that you want to deny. An approve or deny page appears.\r\n2. In the Justification box, enter the business justification.\r\n3. Select Deny. A notification appears with your denial.\r\nHere's some information about workflow notifications:\r\nApprovers are notified by email when a request for a role is pending their review. Email notifications include a direct link to the request, where the approver can approve or deny.\r\nRequests are resolved by the first approver who approves or denies.\r\nAll approvers are notified when an approver responds to an approval request.\r\nGlobal Administrators and Privileged Role Administrators are notified when an approved user becomes active in their role.\r\nNote\r\nA Global Administrator or Privileged Role Admin who believes that an approved user shouldn't be active can remove the active role assignment in Privileged Identity Management. Although administrators aren't notified of pending requests unless they're an approver, they can view and cancel any pending requests for all users by viewing pending requests in Privileged Identity Management.\r\nEmail notifications in Privileged Identity Management\r\nApprove or deny requests for Azure resource roles in Privileged Identity Management\r\nSource: https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/azure-ad-pim-approval-workflow",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/azure-ad-pim-approval-workflow"
	],
	"report_names": [
		"azure-ad-pim-approval-workflow"
	],
	"threat_actors": [],
	"ts_created_at": 1775438933,
	"ts_updated_at": 1775791216,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e87f40e408ed78f039510644f170ca30d3cefc58.pdf",
		"text": "https://archive.orkl.eu/e87f40e408ed78f039510644f170ca30d3cefc58.txt",
		"img": "https://archive.orkl.eu/e87f40e408ed78f039510644f170ca30d3cefc58.jpg"
	}
}