PIM

Privileged Identity Management (PIM) is the Microsoft Entra ID feature that turns standing admin role assignments into just-in-time, time-bound activations. Instead of being a Global Administrator 24/7, an eligible admin requests activation when needed, with MFA, justification, and (optionally) approval; the role expires automatically. Covers Entra ID roles, Azure resource roles, and groups. Access reviews enforce periodic recertification of eligibility. Requires Entra ID P2 licensing (included with Microsoft 365 E5). The single most important control for reducing the impact of compromised admin credentials.