When you try to add a user to any role in Azure Active Directory, you discover that Privileged Identity Management is blocked. Specifically, when you type in the Search for Users dialog box, the text never resolves. Therefore, the search never times out.
You can reproduce this issue in the Privileged Identity Management blade by clicking Manage privileged roles, selecting any role, and then clicking the Add user button to launch the Add managed users blade. In the Add managed users blade, click step1 to Select a role, and then type some text in the Search for Users dialog box. The search never discovers an account, it never completes, and it never times out.
Additionally, when you try to determine whether People Picker is at fault, you don't experience the same issue. This For example, go to the https://portal.azure.com, click Subscriptions > Subscription > Settings button > Users, and then click the Add button. The Add Access blade prompts you to select a role. After a role is selected, the Add users blade appears. When you type text in the Search field here, the process works correctly, indicating that People Picker is not at fault and that the issue involves Privileged Identity Management.
This issue occurs if the MSPIM servicePrincipal has been disabled. This can be verified by running the following AzureAD PowerShell commands:
PS C:\>Install-Module AzureAD
PS C:\>Get-AzureADServicePrincipal | select displayname,objectid,accountenabled
- Enable the MSPIM servicePrincipal by running the following command:
PS C:\>Set-AzureADServicePrincipal -ObjectId -AccountEnabled $true
- If the MSPIM servicePrincipal is enabled, results that resemble the following are returned:
PS C:\GetSub> Get-AzureADServicePrincipal -ObjectId
| select displayname,accountenabled | fl
DisplayName : MSPIM
AccountEnabled : True
Article ID: 3193075 - Last Review: Dec 16, 2016 - Revision: 1