With Azure Active Directory (AD) Privileged Identity Management, you can manage, control, and monitor access within your organization.  See the getting started guide here: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-privileged-identity-management-getting-started

One of the important capabilities of Azure AD Privileged Identity Management is Just in Time access. Eligible users can elevate themselves into a role for a specific duration after which they are automatically removed from the role.

The users can now log into any application which requires these roles to perform the elevated tasks.

However, if an application is caching the role memberships, the users might not be able to use their permissions immediately on the specific application.

Verify that the user is elevated

To confirm that the user is elevated, you can check if the user shows up as member of the role after elevation using

Azure AD PowerShell: https://docs.microsoft.com/en-us/powershell/azuread/v2/get-azureaddirectoryrolemember


Azure AD Graph API: https://msdn.microsoft.com/en-us/library/azure/ad/graph/api/directoryroles-operations#GetDirectoryRoleMembers

If the user shows up as the member of the role, Azure AD Privileged Identity Management has successfully elevated the user into the role.

Troubleshoot Role membership caching in an application

Sign out and Sign in back to the application

Most of the times, applications cache the membership on sign in and will refresh it on subsequent sign-ins. So the easiest way to deal with this issue is to sign out and sign in back to the application. You can also try to sign in into an In Private browser window.

Understand the expected cache revocation duration in the application

Assign a user to a role without using Azure AD Privileged Identity Management. You can use

Azure AD PowerShell: https://docs.microsoft.com/en-us/powershell/azuread/v2/add-azureaddirectoryrolemember


Azure AD Graph API: https://msdn.microsoft.com/en-us/library/azure/ad/graph/api/directoryroles-operations#AddDirectoryRoleMembers

Check how long it takes for the application to recognize the user is in that role. Suppose the user is recognized in the role by the application in X minutes, then you should expect that you can use the application after X minutes when you elevate through Azure AD Privileged Identity Management. It is also worth to check with the application owner if they can reduce the cache revocation duration.

Check an alternative application which doesn’t cache role memberships for long duration

Try to check if you can use an alternate application which doesn’t cache the role membership for long durations. For example, if you want to do directory related operations after elevation, you can do that using  

Azure Portal: https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview which recognizes the role membership changes on refreshing the browser.


Azure AD PowerShell: https://docs.microsoft.com/en-us/powershell/azuread/v2/azureactivedirectory which skips any role membership caching a portal might have.


Azure AD Graph API: https://msdn.microsoft.com/en-us/library/azure/ad/graph/api/api-catalog which skips any role membership caching a portal might have.