Azure Privileged Identity Management (PIM) is a great tool for managing identities that require privileged access. Rather than user accounts being assigned highly privileged roles permanently, accounts are made eligible for a role and elevated into it only when it is needed. Once the activation period is over, the permissions are removed again.
More information on what PIM is can be found here: https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure.
While PIM is a really useful tool, it does currently have some shortcomings, and one of these is its limited notification options. When setting up a role for elevation it is possible to enable notifications, but it is not possible to choose who receives them. If notifications are enabled, they are sent to all PIM Administrators (the Privileged Role Administrator role), Global Administrators and Security Administrators, and to nobody else.
In scenarios I have come across, though, there is a requirement to notify people who are not admins. That would mean (ironically) granting a user more permissions than they need just so that they receive the required notification.
Until additional notification functionality is added to PIM, there is an alternative. Create a new, dedicated user account and add it to the PIM Administrator role. Then add an alternate email address to that account for each person who needs the notifications.
Example PowerShell (AzureAD module, run after Connect-AzureAD) to add the additional email addresses. Note that -OtherMails replaces the account's existing list rather than appending to it, so pass the complete set of addresses every time:
Set-AzureADUser -ObjectId DavidA@aquilaweb.com -OtherMails "BobA@aquilaweb.com", "NorbertK@aquilaweb.com", "PennyT@aquilaweb.com"
Once done, every email address added to the user account will receive the PIM notification emails. Remember that this account now holds a highly privileged role, so treat it accordingly: set a long random password, keep it in a password safe, do not share it, and since nobody needs to log in with it, require MFA and exclude it from self-service password reset. That last point matters because OtherMails is the same attribute Azure AD reads as the alternate email for self-service password reset, so if SSPR applies to this account, anyone on the notification list could otherwise reset its password.
Not a brilliant solution, but a solution nonetheless.
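The whole procedure end to end, as an added example that is not part of the original post: create the dedicated account with a random password, assign it the Privileged Role Administrator role, attach the notification recipients as alternate addresses, and verify the result. The account name, display name and recipient addresses are placeholders to replace; it assumes the AzureAD PowerShell module is installed and you are signed in with enough rights to create users and assign directory roles.

```powershell
# Added example (not from the original post). Assumes the AzureAD module and a
# session with rights to create users and assign directory roles. All names,
# addresses and the domain below are placeholders.
Connect-AzureAD

$upn        = "pim-notify@aquilaweb.com"   # hypothetical dedicated account
$recipients = @("BobA@aquilaweb.com", "NorbertK@aquilaweb.com", "PennyT@aquilaweb.com")

# 1. Generate a long random password from a cryptographic RNG. Nobody signs in
#    with this account, so the password goes straight into the password safe.
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 32
$rng.GetBytes($bytes)
$password = [Convert]::ToBase64String($bytes)   # 44 chars, mixed case, digits, symbols

$profile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
$profile.Password                    = $password
$profile.ForceChangePasswordNextLogin = $false

$user = New-AzureADUser -DisplayName "PIM Notifications" `
                        -UserPrincipalName $upn `
                        -MailNickName "pim-notify" `
                        -AccountEnabled $true `
                        -PasswordProfile $profile

# 2. Assign the Privileged Role Administrator role (the "PIM administrator" role).
#    A directory role must be enabled from its template once per tenant before
#    it can be assigned, so handle the case where it does not exist yet.
$roleName = "Privileged Role Administrator"
$role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $roleName }
if (-not $role) {
    $template = Get-AzureADDirectoryRoleTemplate | Where-Object { $_.DisplayName -eq $roleName }
    $role = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
}
Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $user.ObjectId

# 3. Attach the notification recipients. -OtherMails replaces the whole list on
#    every call, so always pass the complete set of addresses.
Set-AzureADUser -ObjectId $user.ObjectId -OtherMails $recipients

# 4. Verify the alternate addresses and the role membership.
Get-AzureADUser -ObjectId $upn | Select-Object UserPrincipalName, OtherMails
Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId |
    Where-Object { $_.ObjectId -eq $user.ObjectId } |
    Select-Object UserPrincipalName

# Show the password exactly once so it can be stored in the password safe.
Write-Host "Store this password in the password safe and do not share it: $password"
```

Run it once, store the password, and then follow up in the portal by requiring MFA for the account and excluding it from self-service password reset, since the recipients in OtherMails would otherwise be able to reset its password.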