I often use Azure Privileged Identity Management (PIM) to activate roles and wonder which mechanisms make it possible to activate them (group, access package, etc.).
How can I check which mechanisms grant me the ability to activate the roles via PIM?
Besides Entra role-assignable groups, PIM groups, and access packages, are there other mechanisms that may grant the user the ability to activate roles?
The membership column displays "Direct" for each role, without any reference to the mechanism that granted the user the ability to activate the roles:
The membership column links to the Entra role-assignable groups that grant the user the ability to activate the roles:
To know which mechanism granted the user the ability to activate roles via Azure Privileged Identity Management (PIM), check the following:
For example, with the Security Reader role assigned, the membership shows Direct:
To check the mechanism, go to Microsoft Entra roles and administrators -> search for the role -> click on the role:
Otherwise, go to Microsoft Privileged Identity Management -> Activity -> My audit history:
To check the group assignment, I assigned the Message Center Reader role to the group:
In Microsoft Entra roles and administrators:
Under My audit history:
If granted by a service principal, then the type will be Service Principal: