
Entra ID Privileged Identity Management

PIM turns standing admin access into just-in-time, approval-gated activation. Here's the model.

Privileged Identity Management (PIM) is the Entra ID feature that turns standing admin role assignments into just-in-time, time-bound activations. Instead of being a Global Administrator 24/7, an eligible admin requests activation when they need the role, gets it for a defined window, then loses it again.

Why PIM matters

Standing admin access is a permanent attack surface. If a Global Admin's credentials are phished, the attacker is a Global Admin. With PIM:

  • The role is eligible, not active.
  • Activation can require the user to prove identity again at activation time, with MFA or a Conditional Access authentication context, even if the session was established earlier.
  • Activation is time-bound. The maximum duration is set per role; the default is 8 hours, and shorter windows are usual for the most powerful roles.
  • Activation can require justification text, approval, or a ticket reference.
  • Every activation is logged and surfaces in the audit log and PIM reports.

When a password alone is compromised, the attacker has whatever non-privileged access the user normally has, not the keys to the tenant. If the attacker also controls a signed-in session (token theft, adversary-in-the-middle phishing), they can submit the activation request themselves, so the activation-time MFA check, the approval step and alerting on activations are what stand between them and the role.
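The activation flow described above, as an added example using Microsoft Graph PowerShell (this is not code from the original page or from Microsoft). It assumes the Microsoft.Graph module is installed and that the signed-in user already holds an eligible Global Administrator assignment; the justification text and ticket number are placeholders.

```powershell
# Added example: just-in-time self-activation of an eligible role, then a read of the
# audit record PIM writes for it. Ticket and justification values are placeholders.
Connect-MgGraph -Scopes "RoleAssignmentSchedule.ReadWrite.Directory", `
                        "RoleManagement.Read.Directory", `
                        "AuditLog.Read.All", "Directory.Read.All"

# Resolve the caller and the role by display name rather than hard-coding GUIDs.
$me   = Get-MgUser -UserId (Get-MgContext).Account -Property Id,UserPrincipalName
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Administrator'"

# Confirm an eligible (not active) assignment exists before requesting activation.
$eligible = Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance `
    -Filter "principalId eq '$($me.Id)' and roleDefinitionId eq '$($role.Id)'"
if (-not $eligible) { throw "No eligible Global Administrator assignment for $($me.UserPrincipalName)" }

# Request activation for two hours with justification and a ticket reference.
# If the role's policy requires approval, the request stays pending until an approver acts;
# if it requires MFA, Graph returns an error until the session satisfies it.
$request = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter @{
    action           = "selfActivate"
    principalId      = $me.Id
    roleDefinitionId = $role.Id
    directoryScopeId = "/"                      # whole tenant
    justification    = "Rotate tenant-wide app secret, change CHG0012345"      # placeholder
    ticketInfo       = @{ ticketNumber = "CHG0012345"; ticketSystem = "ServiceNow" }  # placeholder
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = "afterDuration"; duration = "PT2H" }   # 2-hour window
    }
}
"Request $($request.Id) status: $($request.Status)"

# Activation is an audited event logged by the PIM service. List the last day's PIM
# activation records for this user from the directory audit log.
$since = (Get-Date).AddDays(-1).ToUniversalTime().ToString("o")
Get-MgAuditLogDirectoryAudit -Filter "loggedByService eq 'PIM' and activityDateTime ge $since" -All |
    Where-Object { $_.ActivityDisplayName -like "*PIM activation*" -and
                   $_.InitiatedBy.User.UserPrincipalName -eq $me.UserPrincipalName } |
    Select-Object ActivityDateTime, ActivityDisplayName, Result |
    Format-Table -AutoSize
```

The request status is the thing to check: an approval-gated role returns a pending request rather than an active assignment, and the audit query at the end is the same one a detection rule should run, since an activation outside the user's normal hours or without a matching change ticket is the signal that a session, not just a password, has been taken.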

What PIM covers

PIM manages:

  • Entra ID roles — Global Administrator, User Administrator, Exchange Administrator, and dozens more.
  • Azure resource roles — Owner, Contributor, etc., scoped to subscriptions, resource groups, or resources.
  • Microsoft 365 admin roles that flow from Entra ID role assignments.
  • PIM for Groups — eligibility for membership or ownership of a group, which can in turn gate role assignments, app access, or Conditional Access policy.

Eligible, active, and permanent assignments

  • Eligible — the user can activate. Nothing is granted until they do.
  • Active — the user holds the role right now, either via direct assignment or after activation.
  • Permanent vs time-bound — both eligible and active assignments can carry an end date; an assignment with no end date is permanent.

Best practice: make almost every admin assignment Eligible, never Active. Reserve Permanent Active for break-glass accounts.

Access reviews

PIM also drives access reviews for privileged roles — periodic prompts to confirm whether a user still needs the role. Combined with PIM, this catches the slow drift where someone gets a role for one project and keeps it for years.

Licensing

PIM requires Entra ID P2, included with Microsoft 365 E5 and Entra ID Governance SKUs. For tenants on E3, PIM is one of the most common reasons to add an E5 step-up SKU for the admin team.

Practical rollout

  1. Identify standing admins. Move them to Eligible.
  2. Configure MFA at activation and maximum duration per role.
  3. Add approval requirements for the most powerful roles (Global Admin, Privileged Role Administrator).
  4. Set up access reviews quarterly for each privileged role.
  5. Document the break-glass accounts and their exclusions.
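Steps 1 to 3 of the rollout for a single role, as an added example in Microsoft Graph PowerShell (not code from the original page or from Microsoft). It assumes the Microsoft.Graph module, a caller holding Privileged Role Administrator or Global Administrator, and that the break-glass and approver addresses below are replaced with your own; every name and address in it is a placeholder.

```powershell
# Added example: convert standing Global Administrator holders to eligible assignments,
# then set the role's activation policy (max duration, MFA + justification + ticket, approval).
# All UPNs are placeholders; run against a low-impact role first.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", `
                        "RoleAssignmentSchedule.ReadWrite.Directory", `
                        "RoleEligibilitySchedule.ReadWrite.Directory", `
                        "RoleManagementPolicy.ReadWrite.Directory", "Directory.Read.All"

$roleName   = "Global Administrator"
$breakGlass = @("breakglass1@contoso.example", "breakglass2@contoso.example")   # placeholders
$approver   = "security-lead@contoso.example"                                    # placeholder
$role       = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"

# Never touch break-glass accounts, and leave the account running this script for a manual
# conversion afterwards so it cannot lose the role halfway through.
$exclude = @($breakGlass | ForEach-Object { (Get-MgUser -UserId $_).Id })
$exclude += (Get-MgUser -UserId (Get-MgContext).Account).Id

# Step 1: standing access = active, directly assigned (not activated), with no end date.
$standing = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance `
    -Filter "roleDefinitionId eq '$($role.Id)'" -All |
    Where-Object { $_.AssignmentType -eq "Assigned" -and -not $_.EndDateTime -and
                   $exclude -notcontains $_.PrincipalId }

foreach ($a in $standing) {
    # Grant the eligible assignment first, then remove the standing active one, so the
    # admin always keeps a path back to the role.
    New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter @{
        action = "adminAssign"; principalId = $a.PrincipalId; roleDefinitionId = $role.Id
        directoryScopeId = "/"; justification = "PIM rollout: convert standing access to eligible"
        scheduleInfo = @{ startDateTime = (Get-Date).ToUniversalTime()
                          expiration = @{ type = "afterDuration"; duration = "P365D" } }
    } | Out-Null
    New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter @{
        action = "adminRemove"; principalId = $a.PrincipalId; roleDefinitionId = $role.Id
        directoryScopeId = "/"; justification = "PIM rollout: remove standing active assignment"
    } | Out-Null
}

# Steps 2 and 3: tighten the role's policy. The rule IDs are the fixed names Graph uses
# for the end-user activation rules of every role management policy.
$policyId = (Get-MgPolicyRoleManagementPolicyAssignment `
    -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$($role.Id)'").PolicyId

Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId "Expiration_EndUser_Assignment" -BodyParameter @{
        "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"
        isExpirationRequired = $true; maximumDuration = "PT4H"     # 4-hour activation ceiling
    }
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId "Enablement_EndUser_Assignment" -BodyParameter @{
        "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule"
        enabledRules = @("MultiFactorAuthentication", "Justification", "Ticketing")
    }
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId "Approval_EndUser_Assignment" -BodyParameter @{
        "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule"
        setting = @{
            isApprovalRequired = $true
            approvalStages = @(@{
                approvalStageTimeOutInDays = 1; isApproverJustificationRequired = $true
                primaryApprovers = @(@{ "@odata.type" = "#microsoft.graph.singleUser"
                                        userId = (Get-MgUser -UserId $approver).Id })
            })
        }
    }
```

Run the inventory part first with the `foreach` commented out and review the list of standing holders; service accounts and anything tied to automation need a different plan than a human admin. Step 4 (access reviews) is configured separately through the Identity Governance APIs, and step 5 is the reason the break-glass list is an explicit exclusion here rather than an afterthought.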

PIM is straightforward to deploy and pays back the work immediately. It's the difference between "we trust everyone" and "we trust the process."