Microsoft Entra Privileged Identity Management

If you want to learn more about PIM see my book Nothing but Microsoft Entra ID: All the Way to Mastery

1. Microsoft Entra PIM Deployment 

Microsoft Entra Privileged Identity Management, or PIM, is used to Manage, Control, and Monitor Privileged Access to Microsoft Entra Roles, Azure Resources, Microsoft 365, Intune, and other Microsoft Online Services. It provides Just-In-Time Privileged Access, Approval Workflows, Time-Bound Elevation, Audit History, and Access Reviews.

Those Features Collectively Constitute the Core Operational Capabilities of Microsoft Entra Privileged Identity Management (PIM).

Microsoft Entra Privileged Identity Management (PIM) Features

PIM Capability

Description

Just-In-Time (JIT) Privileged Access

Provides temporary privileged access only when needed.

Time-Limited Role Activation

Automatically expires elevated access after a configured duration.

Eligible Role Assignment

Users are assigned as eligible rather than permanently privileged.

Approval-Based Elevation

Requires designated approvers before sensitive roles can be activated.

MFA During Elevation

Requires MFA before privileged role activation.

Temporary Administrative Access

Grants privileged access only for approved maintenance or operational windows.

Role Activation Justification

Requires business justification during role activation.

Ticket/Incident Number Enforcement

Requires ITSM or change ticket numbers during activation.

Privileged Access Audit Logging

Records all privileged role activities and activations.

Activation Notifications

Sends alerts for role activation and assignment changes.

Role Assignment Expiration

Automatically removes time-bound privileged assignments.

Azure Resource JIT Administration

Extends PIM controls to Azure subscriptions and resource scopes.

Privileged Access Reviews

Allows periodic review and certification of privileged access.

PIM for Groups

Enables JIT activation of privileged group membership.

 

2. Benefits

Reduces Permanent Privileged Access.
Enforces Least Privilege.
Provides Just-In-Time Administrator Elevation.
Requires MFA During Role Activation.
Supports Approval-Based Activation.
Limits Role Activation Duration.
Provides Audit Logs for Privileged Activity.
Helps Identify Excessive or Unused Admin Access.
Supports Access Reviews for Privileged Roles.
Improve Compliance and Security Governance.
Reduces Risk from Compromised Administrator Accounts.
Supports Microsoft Entra Roles, Azure Resource Roles, and PIM for Groups.

Entra ID P2 Licenses

Capability

Included in Entra ID P2

Requires Add – On Identity Governance License

Explanation

Privileged Identity Management (PIM)

Yes

No

Core P2 feature for just-in-time admin access and privileged role control.

Identity Protection

Yes

No

Includes risky users, risky sign-ins, leaked credentials, impossible travel, and adaptive identity security.

Risk-Based Conditional Access

Yes

No

Uses Identity Protection risk signals to dynamically enforce access policies.

Access Reviews

Yes

No

Included with P2 for reviewing privileged roles, groups, and application access.

Entitlement Management

Yes

No

Included with P2 and provides access packages, approval workflows, expiration, and guest onboarding.

Access Packages

Yes

No

Part of Entitlement Management.

Approval-Based Access Requests

Yes

No

Users can request access through governed workflows.

Guest Access Governance

Yes

No

Governs external/B2B user access lifecycle.

Automatic Access Expiration

Yes

No

Access can automatically expire after a defined period.

Self-Service Access Requests

Yes

No

Users can request access without administrator intervention.

Temporary Project-Based Access

Yes

No

Access Packages support temporary access assignments.

Lifecycle Workflows

No

Yes

Requires Microsoft Entra ID Governance licensing.

Joiner/Mover/Leaver Automation

No

Yes

Requires Lifecycle Workflows under Identity Governance.

Automated Employee Onboarding

No

Yes

Automates provisioning and access assignment during onboarding.

Automated Employee Offboarding

No

Yes

Automates access removal, cleanup, and deprovisioning.

HR-Driven Identity Lifecycle Automation

No

Yes

Integrates HR systems with identity lifecycle workflows.

Advanced Governance Automation

Partial

Yes

Advanced orchestration and lifecycle automation require Identity Governance.

Long-Term Compliance Lifecycle Processes

Partial

Yes

Advanced compliance-driven governance workflows require Governance licensing.

 

3. Prerequisites

Microsoft Entra ID P2 or Microsoft Entra ID Governance License.
Microsoft Entra Tenant.
Privileged Role Administrator or Global Administrator for Initial Configuration.
Azure Subscription Access if managing Azure Resource Roles.
MFA enabled for Privileged Users.
Break-Glass Emergency Accounts created and excluded from Normal Conditional Access Lockout Scenarios.
Security Group Strategy for Administrative Teams.
Documented Privileged Role Ownership.
Defined approvers for Sensitive Roles.
Audit and Monitoring Process.
Conditional Access Policies Aligned with Administrator Access.
Access Review Process for Privileged Roles.

4. Deployment Steps

Step 1: Plan Privileged Identity Management (PIM) Deployment

Identify all privileged roles currently assigned in Microsoft Entra ID and Azure.

In Cloud Shell Run: connect-mggraph  first and than run the mggraph code below

# Install Microsoft Graph Module
Install-Module Microsoft.Graph -Scope CurrentUser

# Connect to Microsoft Graph
Connect-MgGraph -Scopes `
"RoleManagement.Read.Directory",
"Directory.Read.All"

# Get all active privileged role assignments
$Assignments = Get-MgRoleManagementDirectoryRoleAssignment -All

# Build report
$Results = foreach ($Assignment in $Assignments)
{
    # Get Role Information
    $Role = Get-MgRoleManagementDirectoryRoleDefinition `
        -UnifiedRoleDefinitionId $Assignment.RoleDefinitionId

    # Get User Information
   
$User = Get-MgUser -UserId $Assignment.PrincipalId

    # Determine Scope
    if ($Assignment.DirectoryScopeId -eq "/")
    {
        $Scope = "Tenant Root"
    }
    else
    {
        $Scope = $Assignment.DirectoryScopeId
    }

    # Create Output Object
    [PSCustomObject]@{
        "User Name" = $User.DisplayName
        "Role"      = $Role.DisplayName
        "Scope"     = $Scope
    }
}

# Display Results in Table Format
$Results |
Sort-Object Role,"User Name" |
Format-Table -AutoSize

Example Output:

User Name              Role                            Scope
---------              ----                            -----
John Smith             Global Administrator            Tenant Root
Maria Johnson          Privileged Role Administrator   Tenant Root
David Brown            Exchange Administrator          Tenant Root
Sarah Wilson           User Administrator              Tenant Root
Alex Miller            Security Administrator          Tenant Root

Remove unnecessary permanent assignments before enabling PIM. Microsoft recommends using Least Privilege and reducing the number of Global Administrators.

Document The Following:

Current Privileged Users.
Current Permanent Role Assignments.
Required Administrative Roles.
Users who should be Eligible.
Users who should Remain Permanently Active.
Approval Requirements.
Maximum Activation Duration.
MFA Requirements.
Justification Requirements.
Ticket Number Requirements.
Notification Recipients.

Step 2: Access PIM

Go to:

Microsoft Entra Admin Center
Identity Governance (P2 Includes most features except Advanced Governance Capability: Lifecycle Workflows, Joiner/Mover/Leaver Automation, HR-Driven Lifecycle Automation)
Privileged Identity Management

Select the Resource Type to Manage:

Microsoft Entra Roles
Groups
Azure Resources

Step 3: Discover Existing Privileged Assignments

Review existing privileged role assignments.

Focus On High-Risk Roles First:

Global Administrator
Privileged Role Administrator
Security Administrator
Conditional Access Administrator
Exchange Administrator
SharePoint Administrator
Intune Administrator
User Administrator
Application Administrator
Cloud Application Administrator
Owner
Contributor
User Access Administrator

Remove Unnecessary Accounts Before Converting Users to Eligible Assignments.

Step 4: Configure Role Settings

For each privileged role, configure role activation settings. Role settings define MFA, approval, maximum duration, assignment duration, and notification behavior.

Recommended Baseline:

Require MFA on Activation.
Require Justification.
Require Ticket Information for High-Risk Roles.
Require Approval for Global Administrator, Privileged Role Administrator, Conditional Access Administrator, Security Administrator, Owner, and User Access Administrator.
Set Activation Duration to 1 to 4 hours for High-Risk Roles.
Send Activation Notifications to security or IAM Administrators.
Avoid Permanent Active Assignments Except for Approved Break-Glass

Step 5: Assign Eligible Roles

Go to:

Azure Portal -> Privileged Identity Management -> Microsoft Entra roles -> Assign Eligibility -> Add Assignments

Select:

Role
User or Group
Assignment Type: Eligible
Scope
Start and End Date
Use Eligible Assignments for normal Administrators. Use Active Assignments only when Absolutely Required.

Step 6: Configure Approvers

For Sensitive Roles, Configure Approval. 

Recommended Approvers:

IAM Lead
Security Operations Lead
Cloud Platform Owner
Backup Approver
Do Not allow Users to Approve their Own Elevation. 

Step 7: Configure Azure Resource PIM

Go to:

Privileged Identity Management -> Azure Resources -> Discover Resources

Select the Subscription, Management Group, Resource Group, or Resource (Scope Levels).

Configure Eligible Assignments For:

Owner
Contributor
User Access Administrator
Security Admin
Backup Contributor
Key Vault Administrator

Use Scope-Based Assignments. Assign access at the Lowest Required Scope.

Step 8: Configure PIM for Groups

Use PIM for Groups when access is Granted through Groups or when Multiple Role Assignments need to be Activated Together. Microsoft notes that PIM for Groups can reduce the burden of activating many individual role assignments.

Recommended Use Cases:

Tier 0 Administrator Groups
Azure Subscription Admin Groups
Intune Admin Groups
Security Operations Groups
Application Owner Groups

Step 9: Configure Notifications

Enable Notifications For:

Role Activation
Approval Requests
Assignment Changes
Permanent Role Assignments
Expiring Assignments

Send Notifications To:

Security Operations Team
IAM Team
Cloud Platform Team
Compliance Team

Step 10: Configure Access Reviews

Create Access Reviews for Privileged Roles.

Recommended Schedule:

Global Administrator: Monthly
Privileged Role Administrator: Monthly
Security Administrator: Monthly
Subscription Owner: Monthly or Quarterly
Contributor Roles: Quarterly
Application Administrator Roles: Quarterly

Remove Users Who No Longer Require Privileged Access.

5. Best Practices

Use Least Privilege.
Minimize Global Administrator Assignments.
Use Eligible Assignments Instead of Permanent Active Assignments.
Require MFA for All Privileged Role Activation.
Require Approval for High-Risk Roles.
Require Justification for Every Activation.
Use Short Activation Windows.
Use Ticket Numbers for Production Changes.
Use PIM for Groups where Group-Based Privilege is required.
Keep at Least Two Break-Glass Accounts.
Do not assign Break-Glass Accounts through PIM.
Monitor all Privileged Activation Events.
Review Privileged Roles Regularly.
Use Conditional Access for Administrator Protection.
Separate Daily-Use Accounts from Administrator Accounts.
Do not use Shared Administrator Accounts.
Use Privileged Role Administrator instead of Global Administrator for PIM Administration.
Assign Roles at the Lowest Possible Scope.
Export and review PIM Audit Logs.
Integrate Logs with Microsoft Sentinel where available.
Test Role Activation before enforcing Strict Policies.

6. Testing Plan

Test 1: Eligible Role Activation
Validate that an eligible user can activate a role.
Validate That an Eligible User Can Activate a Role
Objective
Validate that a user assigned as Eligible in Microsoft Entra PIM can Successfully Activate a Privileged Role.

Prerequisites

Requirement

Description

Entra ID P2

Required for PIM

PIM Enabled

PIM configured in tenant

Eligible Assignment

User assigned as Eligible

MFA Enabled

Required if configured in PIM

Approval Workflow

Optional based on policy

Test User

Non-production test account recommended

 

Example Test Scenario

Setting

Value

User

John Smith

Role

Security Administrator

Assignment Type

Eligible

Activation Duration

1 Hour

MFA Required

Yes

Approval Required

Yes

Justification Required

Yes

 

Step 1: Sign In as an Eligible User
Sign in to: -> Microsoft Entra Admin Center
Using: -> Eligible Administrator Account

Step 2: Open PIM
Navigate to: Identity Governance -> Privileged Identity Management

Step 3: Open My Roles
Select: -> My Roles

 You Will See:

Eligible Assignments
Active Assignments

Expected Result:

Role appears under Eligible assignments 

Example:

Role

State

Security Administrator

Eligible

 

Step 4: Select the Eligible Role

Click: -> Activate Next to the Role.
Example:
Security Administrator Activate

Step 5: Complete Activation Request

Depending on policy configuration, the user may need to provide:

Requirement

Example

MFA

Microsoft Authenticator

Justification

“Perform Security Audit Changes”

Ticket Number

CHG000123

Duration

1 Hour

Approval

Manager or Security Team

 

Example Activation Form:

Field

Example

Reason

Emergency Firewall Policy Update

Ticket Number

INC-445566

Duration

1 Hour

Step 6: Perform MFA

User Completes:

Microsoft Authenticator
FIDO2
SMS
Certificate
TAP

Expected Result: -> MFA Challenge Succeeds 

Step 7: Submit Activation Request

Click: Activate

Expected Result:

Request Submitted
Approval Workflow Triggered if Configured

Step 8: Approval Process (If Enabled)

Approver Receives:

Email Notification
PIM Notification
Approver Actions: Approve or Deny
Expected Result: -> Activation Approved
 

Step 9: Role Becomes Active

Return to: My Roles
Expected Result: Role Now Appears Under Active Assignments
Example:

Role

State

Expiration

Security Administrator

Active

1 Hour

 

Step 10: Validate Access
User Validates Privileged Access.
Examples:

Role

Validation

Global Administrator

Access Admin Portal

Security Administrator

Modify Security Settings

Exchange Administrator

Access Exchange Admin Center

Owner

Manage Azure Subscription

User Access Administrator

Assign RBAC Roles

 

Step 11: Validate Automatic Expiration
Wait Until: -> Activation Duration Expires
Expected Result:
Role Automatically Removed
User Loses Privileged Access
Expected Test Results

Validation Item

Expected Result

Eligible Assignment Visible

Success

Activation Allowed

Success

MFA Enforced

Success

Approval Workflow Triggered

Success

Justification Captured

Success

Ticket Captured

Success

Role Active Temporarily

Success

Automatic Expiration

Success

Audit Logs Generated

Success

Optional Validation Checks

Additional Validation

Purpose

Audit logs

Verify Logging

Azure Sign-In Logs

Verify MFA

PIM Alerts

Validate Monitoring

Access Reviews

Validate Governance

Notification Emails

Validate Workflow

Common Failure Scenarios

Issue

Cause

Cannot Activate Role

User Not Eligible

MFA Failure

MFA Not Configured

Approval Stuck

No Approver Configured

Activation Denied

Conditional Access

Role Missing

Assignment Expired

No Access after Activation

Token Refresh Required

 

Enterprise Best Practice
Use: Eligible Assignments for Privileged Roles
Avoid: Permanent Active Assignments

Recommended for:
Global Administrator
Owner
Contributor
User Access Administrator
Security Administrator
Conditional Access Administrator
Exchange Administrator
Intune Administrator
This is the standard enterprise JIT privileged access validation workflow for Microsoft Entra PIM.

Expected Result:
User Sees Eligible Role.
User is Prompted for MFA.
Users must Enter Justification.
Role Activates Successfully.
Role Expires Automatically.

Test 2: Approval Workflow
Validate that approval is required for sensitive roles.

Expected Result:
User Requests Activation.
Approver Receives Notification.
Role Does Not Activate Until Approved.
Audit Log Records Request and Approval.

Test 3: Activation Expiration
Activate a role with a short duration.

Expected Result:
Role Becomes Active.
Role Expires at the Configured Time.
User Loses Privileged Access Automatically.

Test 4: MFA Enforcement
Attempt Activation without satisfying MFA.
Expected result: Activation is blocked until MFA is completed.

Test 5: Justification Requirement
Attempt activation without justification.
Expected result: Activation is blocked.

Test 6: Azure Resource Role Activation
Assign a user as an eligible Owner or Contributor on a Test Resource Group.

Expected Result:
User Activates Role.
User Gains Access Only at the Configured Scope.
Access Expires Automatically.

Test 7: PIM for Groups
Assign a User as an Eligible Member of a Privileged Group.

Expected Result:
User Activates Group Membership.
Group-Based Permissions Become Available.
Membership Expires Automatically.

Test 8: Audit Log Review
Review of PIM Audit History.

Expected Result:
Activation Events are Visible.
Approval Events are Visible.
Assignment Changes are Visible.
Expiration Events are Visible.

7. Deployment Validation Checklist
PIM licensing confirmed.
MFA enabled for privileged users.
Break-glass accounts created.
Existing privileged roles reviewed.
Unnecessary permanent roles removed.
Role settings configured.
Eligible assignments are created.
Approval workflow configured.
Notifications enabled.
Azure resource roles onboarded.
PIM for Groups configured where required.
Access reviews scheduled.
Audit logging validated.
Test activations completed.
Security team notified.
Operational process documented.

8. Recommended Production Baseline
For High-Risk Roles:
Assignment Type: Eligible
Activation Duration: 1 to 2 hours
MFA Required: Yes
Justification Required: Yes
Approval Required: Yes
Ticket Number Required: Yes
Permanent Active Assignment: No
Access Review: Monthly

For Medium-Risk Roles:
Assignment Type: Eligible
Activation Duration: 2 to 4 hours
MFA Required: Yes
Justification Required: Yes
Approval Required: Optional
Access Review: Quarterly

For Low-Risk Administrative Roles:
Assignment Type: Eligible
Activation Duration: 4 To 8 Hours
MFA Required: Yes
Justification Required: Yes
Access Review: Quarterly

0 comments

Leave a comment

Please note, comments need to be approved before they are published.