What is Microsoft Entra Privileged Identity Management (PIM)?

Microsoft Entra PIM is a service that manages, controls, and monitors access to privileged roles in Entra ID and Azure resources. Instead of permanently assigning admin roles (which creates persistent attack surface), PIM makes roles "eligible" — users must explicitly activate their role for a limited time window (1–8 hours) and can be required to provide MFA, a business justification, or go through an approval workflow before access is granted.

Which roles should I manage with PIM?

At minimum, apply PIM to all Entra ID tier-0 roles: Global Administrator, Privileged Role Administrator, Security Administrator, Exchange Administrator, and SharePoint Administrator. Also apply PIM to Azure subscription Owner and Contributor roles. Any role that can modify identity, access policies, or production data qualifies. For organizations with Microsoft 365, also include Teams Administrator and Compliance Administrator. Use the PIM role discovery feature to identify all current permanent assignments.

Does PIM require Entra ID P2?

Yes. Microsoft Entra PIM requires Entra ID P2 (or Microsoft 365 E5, EMS E5) for each user who is eligible for or manages privileged roles. The license must cover both the role-eligible users and the PIM administrators who configure activation settings. Unlicensed users can still be made eligible via PIM configuration, but Microsoft recommends proper licensing for compliance and support purposes.

How do PIM access reviews work?

PIM access reviews are periodic audits of eligible and active role assignments, requiring role owners or managers to certify whether specific users still need their privileged access. You configure the review frequency (weekly, monthly, quarterly), the reviewer (role owner, user's manager, or specific reviewer), and the action if a reviewer does not respond (auto-approve or auto-deny). Reviews create a documented audit trail that satisfies SOC 2, ISO 27001, and PCI-DSS access review requirements.

Microsoft Entra ID PIM: Complete Privileged Identity Management Setup Guide

Q: What is the difference between eligible and active role assignments in PIM?

An active assignment grants the role permanently — the user has those permissions at all times without any activation step. An eligible assignment means the user can activate the role when needed, but it is not active by default. Eligible assignments are the PIM best practice for privileged roles: they enforce just-in-time access, reduce the window of exposure for compromised accounts, and create an audit trail of every activation. Permanent active assignments should be reserved for emergency access accounts only.

The Problem PIM Solves

Standing privileges are a top attack vector. When a Global Administrator account is always active 24/7, it is always at risk. If the account is phished or the device is compromised, the attacker immediately has Global Admin access.

Privileged Identity Management (PIM) changes this model. Instead of permanent role assignments, PIM enables just-in-time (JIT) access: users are *eligible* for privileged roles but must request and activate them when needed, for a limited time window.

An attacker compromising a PIM-protected account gets no privileged access. They need to trigger an activation request requiring MFA, manager approval, and leaving a full audit trail.

For a complete picture of Microsoft Entra identity governance, pair PIM with [Conditional Access policies](/blog/microsoft-entra-id-conditional-access-setup), which control where and how activation requests are allowed, for example blocking activation from non-compliant devices or risky sign-in locations.

Prerequisites and Licensing

License: Microsoft Entra ID P2 (included in Microsoft 365 E3/E5 or EMS E3/E5)

You do not need P2 for every user; only users who are *eligible* or *active* in PIM need a P2 license.

What PIM Covers

Type	What It Protects
Entra ID roles	Global Admin, Security Admin, User Admin, Exchange Admin
Azure resource roles	Subscription Owner, Contributor, Key Vault Administrator
Groups	Any Entra ID security group for downstream access

Setting Up PIM: Step-by-Step

Step 1: Navigate to PIM

Azure Portal -> Microsoft Entra ID -> Identity Governance -> Privileged Identity Management

Step 2: Configure Role Settings

For Global Administrator:

PIM -> Entra ID Roles -> Settings -> Global Administrator -> Edit

Activation:
  Duration: 4 hours
  Require Azure MFA: Yes
  Require justification: Yes
  Require approval: Yes (at least 2 approvers)

Assignment:
  Allow permanent eligible: No (max 12 months)
  Allow permanent active: No (break-glass accounts only)

Notifications:
  Notify when role is activated: Yes
  Notify approvers when pending: Yes

Step 3: Convert Permanent Assignments to Eligible

For each current permanent admin:

Remove their permanent (Active) assignment
Add them as Eligible for the same role with 12-month expiration

Keep 1-2 break-glass accounts with permanent Global Admin - hardware FIDO2 keys, stored securely, alert on every sign-in.

Step 4: The Activation Experience

When an admin needs elevated access:

Go to PIM -> My roles -> Click Activate
Enter justification (e.g., "Configuring user onboarding automation - INC-4521")
Complete MFA challenge
Wait for approval (typically 5-15 minutes)
Role expires automatically after configured duration

Access Reviews: Keeping Assignments Clean

PIM -> Access Reviews -> New access review

  Name: Quarterly Global Admin PIM Review
  Scope: Global Administrator role members
  Reviewers: Managers of eligible members
  Duration: 14 days
  Recurrence: Quarterly
  Auto-apply: Yes (no response = remove access)

Managers receive quarterly emails to confirm their reports still need eligibility. No response = automatic removal.

Key Alerts to Monitor

Alert	Action Required
Roles don't require MFA on activation	Fix immediately - critical gap
Administrators aren't using PIM	Convert permanent assignments to eligible
Potential stale accounts in privileged role	Trigger immediate Access Review

Route PIM audit logs to Sentinel. Build detection rules for: activations outside business hours, unusual justification text, repeated failed activation attempts.

Strengthening with Conditional Access

Require a compliant device for all PIM activations:

Conditional Access policy:
  Users: Admins eligible for tier-0 roles
  Cloud apps: Microsoft Azure Management
  Grant: Require compliant device AND MFA

Three independent barriers: compliant device + MFA + PIM activation request with approval.

Common Mistakes

Activation too short: 1-hour windows frustrate admins on long tasks. 4-8 hours is usually right.
Insufficient approvers: Configure 2-3 approvers per critical role. One unavailable approver blocks emergency work.
Skipping notifications: Route PIM alerts to a Teams channel, not just email that can be missed.
No Access Reviews: Without quarterly cleanup, eligible assignments accumulate indefinitely.

Measuring PIM Effectiveness

Track monthly:

Eligible vs. active assignment ratio (target: over 90% eligible for tier-0 roles)
PIM activation rate (low rate may indicate unneeded eligible assignments)
Access Review completion rate (target: over 95% reviewed)

PIM is one of the highest-ROI identity security controls available. If you have Entra ID P2 and are not using PIM for tier-0 roles today, this is the place to start.

References

[Microsoft Entra PIM documentation](https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure): Official PIM configuration and setup guide
[Entra ID P2 licensing](https://www.microsoft.com/en-us/security/business/microsoft-entra-pricing): PIM licensing requirements and tier comparison
[Entra PIM access reviews](https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-create-azure-ad-roles-and-resource-roles-review): Access review configuration and scheduling
[NIST 800-53 AC-6: Least Privilege](https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=AC-6): Regulatory basis for least-privilege access control

Frequently Asked Questions

What is Microsoft Entra ID PIM?

Microsoft Entra ID Privileged Identity Management (PIM) is a service that enables just-in-time (JIT) access to privileged roles. Instead of having permanent role assignments (for example, a user always having Global Administrator), PIM makes users eligible for roles. When they need to perform an administrative task, they activate the role for a defined time window, optionally with manager approval and MFA verification. The role expires automatically, eliminating standing privileges that attackers can exploit.

What license do I need for Microsoft Entra ID PIM?

PIM requires Microsoft Entra ID P2 licensing, which is included in Microsoft 365 E5 and the Microsoft 365 E5 Security add-on. It is also available as a standalone Entra ID P2 license. Every user who is eligible for or manages a PIM-controlled role must have an Entra ID P2 license assigned. Entra ID P1 (included in M365 E3) does not include PIM.

What is the difference between eligible and active role assignments in PIM?

An eligible assignment means the user can request to activate the role when needed but does not have the role permissions continuously. An active assignment means the user has the role permissions at all times without needing to activate. PIM's core value is converting standing active assignments to eligible assignments, so privileged access is time-limited and audited rather than permanently available.

How does PIM activation work for users?

A user with an eligible role assignment goes to the Entra ID PIM portal (or myaccess.microsoft.com), selects the role they want to activate, provides a business justification, and submits the request. Depending on the role configuration, activation may require MFA verification, manager approval, or both. Once approved, the role is active for the configured duration (typically 1-8 hours), after which it expires automatically and the user must reactivate if they still need access.

What is a PIM access review and how often should I run them?

A PIM access review is a periodic audit of role assignments asking designated reviewers (typically managers or role owners) to confirm whether each user still needs their eligible or active assignment. Microsoft recommends quarterly access reviews for tier-0 roles (Global Administrator, Privileged Role Administrator, Security Administrator) and semi-annual reviews for tier-1 roles. Without access reviews, eligible assignments accumulate indefinitely as team members change roles, leave the organization, or no longer need privileged access.