
1. Microsoft Entra PIM Deployment
Microsoft Entra Privileged Identity Management, or PIM, is used to Manage, Control, and Monitor Privileged Access to Microsoft Entra Roles, Azure Resources, Microsoft 365, Intune, and other Microsoft Online Services. It provides Just-In-Time Privileged Access, Approval Workflows, Time-Bound Elevation, Audit History, and Access Reviews.
Those Features Collectively Constitute the Core Operational Capabilities of Microsoft Entra Privileged Identity Management (PIM).
Microsoft Entra Privileged Identity Management (PIM) Features
|
PIM Capability |
Description |
|
Just-In-Time (JIT) Privileged Access |
Provides temporary privileged access only when needed. |
|
Time-Limited Role Activation |
Automatically expires elevated access after a configured duration. |
|
Eligible Role Assignment |
Users are assigned as eligible rather than permanently privileged. |
|
Approval-Based Elevation |
Requires designated approvers before sensitive roles can be activated. |
|
MFA During Elevation |
Requires MFA before privileged role activation. |
|
Temporary Administrative Access |
Grants privileged access only for approved maintenance or operational windows. |
|
Role Activation Justification |
Requires business justification during role activation. |
|
Ticket/Incident Number Enforcement |
Requires ITSM or change ticket numbers during activation. |
|
Privileged Access Audit Logging |
Records all privileged role activities and activations. |
|
Activation Notifications |
Sends alerts for role activation and assignment changes. |
|
Role Assignment Expiration |
Automatically removes time-bound privileged assignments. |
|
Azure Resource JIT Administration |
Extends PIM controls to Azure subscriptions and resource scopes. |
|
Privileged Access Reviews |
Allows periodic review and certification of privileged access. |
|
PIM for Groups |
Enables JIT activation of privileged group membership. |
2. Benefits
Reduces Permanent Privileged Access.
Enforces Least Privilege.
Provides Just-In-Time Administrator Elevation.
Requires MFA During Role Activation.
Supports Approval-Based Activation.
Limits Role Activation Duration.
Provides Audit Logs for Privileged Activity.
Helps Identify Excessive or Unused Admin Access.
Supports Access Reviews for Privileged Roles.
Improve Compliance and Security Governance.
Reduces Risk from Compromised Administrator Accounts.
Supports Microsoft Entra Roles, Azure Resource Roles, and PIM for Groups.
Entra ID P2 Licenses
|
Capability |
Included in Entra ID P2 |
Requires Add – On Identity Governance License |
Explanation |
|
Privileged Identity Management (PIM) |
Yes |
No |
Core P2 feature for just-in-time admin access and privileged role control. |
|
Identity Protection |
Yes |
No |
Includes risky users, risky sign-ins, leaked credentials, impossible travel, and adaptive identity security. |
|
Risk-Based Conditional Access |
Yes |
No |
Uses Identity Protection risk signals to dynamically enforce access policies. |
|
Access Reviews |
Yes |
No |
Included with P2 for reviewing privileged roles, groups, and application access. |
|
Entitlement Management |
Yes |
No |
Included with P2 and provides access packages, approval workflows, expiration, and guest onboarding. |
|
Access Packages |
Yes |
No |
Part of Entitlement Management. |
|
Approval-Based Access Requests |
Yes |
No |
Users can request access through governed workflows. |
|
Guest Access Governance |
Yes |
No |
Governs external/B2B user access lifecycle. |
|
Automatic Access Expiration |
Yes |
No |
Access can automatically expire after a defined period. |
|
Self-Service Access Requests |
Yes |
No |
Users can request access without administrator intervention. |
|
Temporary Project-Based Access |
Yes |
No |
Access Packages support temporary access assignments. |
|
Lifecycle Workflows |
No |
Yes |
Requires Microsoft Entra ID Governance licensing. |
|
Joiner/Mover/Leaver Automation |
No |
Yes |
Requires Lifecycle Workflows under Identity Governance. |
|
Automated Employee Onboarding |
No |
Yes |
Automates provisioning and access assignment during onboarding. |
|
Automated Employee Offboarding |
No |
Yes |
Automates access removal, cleanup, and deprovisioning. |
|
HR-Driven Identity Lifecycle Automation |
No |
Yes |
Integrates HR systems with identity lifecycle workflows. |
|
Advanced Governance Automation |
Partial |
Yes |
Advanced orchestration and lifecycle automation require Identity Governance. |
|
Long-Term Compliance Lifecycle Processes |
Partial |
Yes |
Advanced compliance-driven governance workflows require Governance licensing. |
3. Prerequisites
Microsoft Entra ID P2 or Microsoft Entra ID Governance License.
Microsoft Entra Tenant.
Privileged Role Administrator or Global Administrator for Initial Configuration.
Azure Subscription Access if managing Azure Resource Roles.
MFA enabled for Privileged Users.
Break-Glass Emergency Accounts created and excluded from Normal Conditional Access Lockout Scenarios.
Security Group Strategy for Administrative Teams.
Documented Privileged Role Ownership.
Defined approvers for Sensitive Roles.
Audit and Monitoring Process.
Conditional Access Policies Aligned with Administrator Access.
Access Review Process for Privileged Roles.
4. Deployment Steps
Step 1: Plan Privileged Identity Management (PIM) Deployment
Identify all privileged roles currently assigned in Microsoft Entra ID and Azure.
In Cloud Shell Run: connect-mggraph first and than run the mggraph code below
# Install Microsoft Graph Module
Install-Module Microsoft.Graph -Scope CurrentUser
# Connect to Microsoft Graph
Connect-MgGraph -Scopes `
"RoleManagement.Read.Directory",
"Directory.Read.All"
# Get all active privileged role assignments
$Assignments = Get-MgRoleManagementDirectoryRoleAssignment -All
# Build report
$Results = foreach ($Assignment in $Assignments)
{
# Get Role Information
$Role = Get-MgRoleManagementDirectoryRoleDefinition `
-UnifiedRoleDefinitionId $Assignment.RoleDefinitionId
# Get User Information
$User = Get-MgUser -UserId $Assignment.PrincipalId
# Determine Scope
if ($Assignment.DirectoryScopeId -eq "/")
{
$Scope = "Tenant Root"
}
else
{
$Scope = $Assignment.DirectoryScopeId
}
# Create Output Object
[PSCustomObject]@{
"User Name" = $User.DisplayName
"Role" = $Role.DisplayName
"Scope" = $Scope
}
}
# Display Results in Table Format
$Results |
Sort-Object Role,"User Name" |
Format-Table -AutoSize
Example Output:
User Name Role Scope
--------- ---- -----
John Smith Global Administrator Tenant Root
Maria Johnson Privileged Role Administrator Tenant Root
David Brown Exchange Administrator Tenant Root
Sarah Wilson User Administrator Tenant Root
Alex Miller Security Administrator Tenant Root
Remove unnecessary permanent assignments before enabling PIM. Microsoft recommends using Least Privilege and reducing the number of Global Administrators.
Document The Following:
Current Privileged Users.
Current Permanent Role Assignments.
Required Administrative Roles.
Users who should be Eligible.
Users who should Remain Permanently Active.
Approval Requirements.
Maximum Activation Duration.
MFA Requirements.
Justification Requirements.
Ticket Number Requirements.
Notification Recipients.
Step 2: Access PIM
Go to:
Microsoft Entra Admin Center
Identity Governance (P2 Includes most features except Advanced Governance Capability: Lifecycle Workflows, Joiner/Mover/Leaver Automation, HR-Driven Lifecycle Automation)
Privileged Identity Management

Select the Resource Type to Manage:
Microsoft Entra Roles
Groups
Azure Resources
Step 3: Discover Existing Privileged Assignments
Review existing privileged role assignments.
Focus On High-Risk Roles First:
Global Administrator
Privileged Role Administrator
Security Administrator
Conditional Access Administrator
Exchange Administrator
SharePoint Administrator
Intune Administrator
User Administrator
Application Administrator
Cloud Application Administrator
Owner
Contributor
User Access Administrator
Remove Unnecessary Accounts Before Converting Users to Eligible Assignments.
Step 4: Configure Role Settings
For each privileged role, configure role activation settings. Role settings define MFA, approval, maximum duration, assignment duration, and notification behavior.
Recommended Baseline:
Require MFA on Activation.
Require Justification.
Require Ticket Information for High-Risk Roles.
Require Approval for Global Administrator, Privileged Role Administrator, Conditional Access Administrator, Security Administrator, Owner, and User Access Administrator.
Set Activation Duration to 1 to 4 hours for High-Risk Roles.
Send Activation Notifications to security or IAM Administrators.
Avoid Permanent Active Assignments Except for Approved Break-Glass
Step 5: Assign Eligible Roles
Go to:
Azure Portal -> Privileged Identity Management -> Microsoft Entra roles -> Assign Eligibility -> Add Assignments

Select:
Role
User or Group
Assignment Type: Eligible
Scope
Start and End Date
Use Eligible Assignments for normal Administrators. Use Active Assignments only when Absolutely Required.
Step 6: Configure Approvers
For Sensitive Roles, Configure Approval.
Recommended Approvers:
IAM Lead
Security Operations Lead
Cloud Platform Owner
Backup Approver
Do Not allow Users to Approve their Own Elevation.
Step 7: Configure Azure Resource PIM
Go to:
Privileged Identity Management -> Azure Resources -> Discover Resources
Select the Subscription, Management Group, Resource Group, or Resource (Scope Levels).
Configure Eligible Assignments For:
Owner
Contributor
User Access Administrator
Security Admin
Backup Contributor
Key Vault Administrator
Use Scope-Based Assignments. Assign access at the Lowest Required Scope.
Step 8: Configure PIM for Groups
Use PIM for Groups when access is Granted through Groups or when Multiple Role Assignments need to be Activated Together. Microsoft notes that PIM for Groups can reduce the burden of activating many individual role assignments.
Recommended Use Cases:
Tier 0 Administrator Groups
Azure Subscription Admin Groups
Intune Admin Groups
Security Operations Groups
Application Owner Groups
Step 9: Configure Notifications
Enable Notifications For:
Role Activation
Approval Requests
Assignment Changes
Permanent Role Assignments
Expiring Assignments
Send Notifications To:
Security Operations Team
IAM Team
Cloud Platform Team
Compliance Team
Step 10: Configure Access Reviews
Create Access Reviews for Privileged Roles.
Recommended Schedule:
Global Administrator: Monthly
Privileged Role Administrator: Monthly
Security Administrator: Monthly
Subscription Owner: Monthly or Quarterly
Contributor Roles: Quarterly
Application Administrator Roles: Quarterly
Remove Users Who No Longer Require Privileged Access.
5. Best Practices
Use Least Privilege.
Minimize Global Administrator Assignments.
Use Eligible Assignments Instead of Permanent Active Assignments.
Require MFA for All Privileged Role Activation.
Require Approval for High-Risk Roles.
Require Justification for Every Activation.
Use Short Activation Windows.
Use Ticket Numbers for Production Changes.
Use PIM for Groups where Group-Based Privilege is required.
Keep at Least Two Break-Glass Accounts.
Do not assign Break-Glass Accounts through PIM.
Monitor all Privileged Activation Events.
Review Privileged Roles Regularly.
Use Conditional Access for Administrator Protection.
Separate Daily-Use Accounts from Administrator Accounts.
Do not use Shared Administrator Accounts.
Use Privileged Role Administrator instead of Global Administrator for PIM Administration.
Assign Roles at the Lowest Possible Scope.
Export and review PIM Audit Logs.
Integrate Logs with Microsoft Sentinel where available.
Test Role Activation before enforcing Strict Policies.
6. Testing Plan
Test 1: Eligible Role Activation
Validate that an eligible user can activate a role.
Validate That an Eligible User Can Activate a Role
Objective
Validate that a user assigned as Eligible in Microsoft Entra PIM can Successfully Activate a Privileged Role.
Prerequisites
|
Requirement |
Description |
|
Entra ID P2 |
Required for PIM |
|
PIM Enabled |
PIM configured in tenant |
|
Eligible Assignment |
User assigned as Eligible |
|
MFA Enabled |
Required if configured in PIM |
|
Approval Workflow |
Optional based on policy |
|
Test User |
Non-production test account recommended |
Example Test Scenario
|
Setting |
Value |
|
User |
John Smith |
|
Role |
Security Administrator |
|
Assignment Type |
Eligible |
|
Activation Duration |
1 Hour |
|
MFA Required |
Yes |
|
Approval Required |
Yes |
|
Justification Required |
Yes |
Step 1: Sign In as an Eligible User
Sign in to: -> Microsoft Entra Admin Center
Using: -> Eligible Administrator Account
Step 2: Open PIM
Navigate to: Identity Governance -> Privileged Identity Management
Step 3: Open My Roles
Select: -> My Roles
You Will See:
Eligible Assignments
Active Assignments
Expected Result:
Role appears under Eligible assignments
Example:
|
Role |
State |
|
Security Administrator |
Eligible |
Step 4: Select the Eligible Role
Click: -> Activate Next to the Role.
Example:
Security Administrator Activate
Step 5: Complete Activation Request
Depending on policy configuration, the user may need to provide:
|
Requirement |
Example |
|
MFA |
Microsoft Authenticator |
|
Justification |
“Perform Security Audit Changes” |
|
Ticket Number |
CHG000123 |
|
Duration |
1 Hour |
|
Approval |
Manager or Security Team |
Example Activation Form:
|
Field |
Example |
|
Reason |
Emergency Firewall Policy Update |
|
Ticket Number |
INC-445566 |
|
Duration |
1 Hour |
Step 6: Perform MFA
User Completes:
Microsoft Authenticator
FIDO2
SMS
Certificate
TAP
Expected Result: -> MFA Challenge Succeeds
Step 7: Submit Activation Request
Click: Activate
Expected Result:
Request Submitted
Approval Workflow Triggered if Configured
Step 8: Approval Process (If Enabled)
Approver Receives:
Email Notification
PIM Notification
Approver Actions: Approve or Deny
Expected Result: -> Activation Approved
Step 9: Role Becomes Active
Return to: My Roles
Expected Result: Role Now Appears Under Active Assignments
Example:
|
Role |
State |
Expiration |
|
Security Administrator |
Active |
1 Hour |
Step 10: Validate Access
User Validates Privileged Access.
Examples:
|
Role |
Validation |
|
Global Administrator |
Access Admin Portal |
|
Security Administrator |
Modify Security Settings |
|
Exchange Administrator |
Access Exchange Admin Center |
|
Owner |
Manage Azure Subscription |
|
User Access Administrator |
Assign RBAC Roles |
Step 11: Validate Automatic Expiration
Wait Until: -> Activation Duration Expires
Expected Result:
Role Automatically Removed
User Loses Privileged Access
Expected Test Results
|
Validation Item |
Expected Result |
|
Eligible Assignment Visible |
Success |
|
Activation Allowed |
Success |
|
MFA Enforced |
Success |
|
Approval Workflow Triggered |
Success |
|
Justification Captured |
Success |
|
Ticket Captured |
Success |
|
Role Active Temporarily |
Success |
|
Automatic Expiration |
Success |
|
Audit Logs Generated |
Success |
Optional Validation Checks
|
Additional Validation |
Purpose |
|
Audit logs |
Verify Logging |
|
Azure Sign-In Logs |
Verify MFA |
|
PIM Alerts |
Validate Monitoring |
|
Access Reviews |
Validate Governance |
|
Notification Emails |
Validate Workflow |
Common Failure Scenarios
|
Issue |
Cause |
|
Cannot Activate Role |
User Not Eligible |
|
MFA Failure |
MFA Not Configured |
|
Approval Stuck |
No Approver Configured |
|
Activation Denied |
Conditional Access |
|
Role Missing |
Assignment Expired |
|
No Access after Activation |
Token Refresh Required |
Enterprise Best Practice
Use: Eligible Assignments for Privileged Roles
Avoid: Permanent Active Assignments
Recommended for:
Global Administrator
Owner
Contributor
User Access Administrator
Security Administrator
Conditional Access Administrator
Exchange Administrator
Intune Administrator
This is the standard enterprise JIT privileged access validation workflow for Microsoft Entra PIM.
Expected Result:
User Sees Eligible Role.
User is Prompted for MFA.
Users must Enter Justification.
Role Activates Successfully.
Role Expires Automatically.
Test 2: Approval Workflow
Validate that approval is required for sensitive roles.
Expected Result:
User Requests Activation.
Approver Receives Notification.
Role Does Not Activate Until Approved.
Audit Log Records Request and Approval.
Test 3: Activation Expiration
Activate a role with a short duration.
Expected Result:
Role Becomes Active.
Role Expires at the Configured Time.
User Loses Privileged Access Automatically.
Test 4: MFA Enforcement
Attempt Activation without satisfying MFA.
Expected result: Activation is blocked until MFA is completed.
Test 5: Justification Requirement
Attempt activation without justification.
Expected result: Activation is blocked.
Test 6: Azure Resource Role Activation
Assign a user as an eligible Owner or Contributor on a Test Resource Group.
Expected Result:
User Activates Role.
User Gains Access Only at the Configured Scope.
Access Expires Automatically.
Test 7: PIM for Groups
Assign a User as an Eligible Member of a Privileged Group.
Expected Result:
User Activates Group Membership.
Group-Based Permissions Become Available.
Membership Expires Automatically.
Test 8: Audit Log Review
Review of PIM Audit History.
Expected Result:
Activation Events are Visible.
Approval Events are Visible.
Assignment Changes are Visible.
Expiration Events are Visible.
7. Deployment Validation Checklist
PIM licensing confirmed.
MFA enabled for privileged users.
Break-glass accounts created.
Existing privileged roles reviewed.
Unnecessary permanent roles removed.
Role settings configured.
Eligible assignments are created.
Approval workflow configured.
Notifications enabled.
Azure resource roles onboarded.
PIM for Groups configured where required.
Access reviews scheduled.
Audit logging validated.
Test activations completed.
Security team notified.
Operational process documented.
8. Recommended Production Baseline
For High-Risk Roles:
Assignment Type: Eligible
Activation Duration: 1 to 2 hours
MFA Required: Yes
Justification Required: Yes
Approval Required: Yes
Ticket Number Required: Yes
Permanent Active Assignment: No
Access Review: Monthly
For Medium-Risk Roles:
Assignment Type: Eligible
Activation Duration: 2 to 4 hours
MFA Required: Yes
Justification Required: Yes
Approval Required: Optional
Access Review: Quarterly
For Low-Risk Administrative Roles:
Assignment Type: Eligible
Activation Duration: 4 To 8 Hours
MFA Required: Yes
Justification Required: Yes
Access Review: Quarterly
0 comments