Zero Trust · 13 min read

Microsoft Entra ID PIM: Complete Privileged Identity Management Setup Guide

Privileged Identity Management (PIM) in Microsoft Entra ID implements just-in-time access for admin roles. This guide covers setup, approval workflows, access reviews, and integration with your zero trust strategy.

Idan Ohayon
Microsoft Cloud Solution Architect
March 1, 2026
Entra ID · PIM · Privileged Identity Management · Zero Trust · Azure AD · Just-in-Time Access · Identity Security

Table of Contents

  1. The Problem PIM Solves
  2. Prerequisites and Licensing
  3. What PIM Covers
  4. Setting Up PIM: Step-by-Step
  5. Step 1: Navigate to PIM
  6. Step 2: Configure Role Settings
  7. Step 3: Convert Permanent Assignments to Eligible
  8. Step 4: The Activation Experience
  9. Access Reviews: Keeping Assignments Clean
  10. Key Alerts to Monitor
  11. Strengthening with Conditional Access
  12. Common Mistakes
  13. Measuring PIM Effectiveness

The Problem PIM Solves

Standing privileges are a top attack vector. When a Global Administrator account is always active 24/7, it is always at risk. If the account is phished or the device is compromised, the attacker immediately has Global Admin access.

Privileged Identity Management (PIM) changes this model. Instead of permanent role assignments, PIM enables just-in-time (JIT) access: users are *eligible* for privileged roles but must request and activate them when needed, for a limited time window.

An attacker who compromises a PIM-protected account gets no privileged access. To obtain it they would have to submit an activation request, which requires MFA and manager approval and leaves a full audit trail.

Prerequisites and Licensing

License: Microsoft Entra ID P2 (included in Microsoft 365 E3/E5 or EMS E3/E5)

You do not need P2 for every user - only users who are *eligible* or *active* in PIM need a P2 license.

What PIM Covers

| Type | What It Protects |
| --- | --- |
| Entra ID roles | Global Admin, Security Admin, User Admin, Exchange Admin |
| Azure resource roles | Subscription Owner, Contributor, Key Vault Administrator |
| Groups | Any Entra ID security group for downstream access |

Setting Up PIM: Step-by-Step

Step 1: Navigate to PIM

Azure Portal -> Microsoft Entra ID -> Identity Governance -> Privileged Identity Management

Step 2: Configure Role Settings

For Global Administrator:

PIM -> Entra ID Roles -> Settings -> Global Administrator -> Edit

Activation:
  Duration: 4 hours
  Require Azure MFA: Yes
  Require justification: Yes
  Require approval: Yes (at least 2 approvers)

Assignment:
  Allow permanent eligible: No (max 12 months)
  Allow permanent active: No (break-glass accounts only)

Notifications:
  Notify when role is activated: Yes
  Notify approvers when pending: Yes

Step 3: Convert Permanent Assignments to Eligible

For each current permanent admin:

  1. Remove their permanent (Active) assignment
  2. Add them as Eligible for the same role with 12-month expiration

Keep 1-2 break-glass accounts with permanent Global Admin: protect them with hardware FIDO2 keys, store the credentials securely, and alert on every sign-in.

Step 4: The Activation Experience

When an admin needs elevated access:

  1. Go to PIM -> My roles -> Click Activate
  2. Enter justification (e.g., "Configuring user onboarding automation - INC-4521")
  3. Complete MFA challenge
  4. Wait for approval (typically 5-15 minutes)
  5. Role expires automatically after configured duration

Access Reviews: Keeping Assignments Clean

PIM -> Access Reviews -> New access review

Name: Quarterly Global Admin PIM Review
Scope: Global Administrator role members
Reviewers: Managers of eligible members
Duration: 14 days
Recurrence: Quarterly
Auto-apply: Yes (no response = remove access)

Managers receive quarterly emails to confirm their reports still need eligibility. No response = automatic removal.

Key Alerts to Monitor

| Alert | Action Required |
| --- | --- |
| Roles don't require MFA on activation | Fix immediately - critical gap |
| Administrators aren't using PIM | Convert permanent assignments to eligible |
| Potential stale accounts in privileged role | Trigger immediate Access Review |
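The Step 2 role settings and the first row of the alert table describe the same thing from two sides: the policy you want, and the gap you get when it is missing. The following script is an added example (not Microsoft's code and not part of the original article) that checks a role-management policy against that baseline. The rule dictionaries follow the field names of Microsoft Graph's unifiedRoleManagementPolicy rule objects (ids such as `Enablement_EndUser_Assignment`, as returned by `GET /policies/roleManagementPolicies/{id}/rules`), reduced to the fields the check reads; both policies below are constructed for the example and the approver ids are placeholders.

```python
"""Check a PIM role-management policy against the Step 2 baseline and the
"Key Alerts" gaps. Example code added for this article, not Microsoft's.

Rule shapes follow Microsoft Graph's unifiedRoleManagementPolicy rule objects
(ids such as Enablement_EndUser_Assignment), reduced to the fields read here.
The two policies below are constructed; approver ids are placeholders."""
import re
from datetime import timedelta

ISO_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?)?$")


def parse_duration(value):
    """Parse the ISO 8601 durations Graph uses for PIM (PT4H, P365D, P1DT12H)."""
    m = ISO_DURATION.match(value)
    if not m:
        raise ValueError(f"unsupported duration: {value}")
    days, hours, minutes = (int(g) if g else 0 for g in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes)


def rule_set(activation, enabled, approval_required, approver_ids,
             eligible_max, eligible_expires, active_expires):
    """Build the subset of policy rules that the article's Step 2 settings touch."""
    return [
        {"id": "Expiration_EndUser_Assignment",
         "isExpirationRequired": True, "maximumDuration": activation},
        {"id": "Enablement_EndUser_Assignment", "enabledRules": enabled},
        {"id": "Approval_EndUser_Assignment",
         "setting": {"isApprovalRequired": approval_required,
                     "approvalStages": [{"primaryApprovers": [
                         {"@odata.type": "#microsoft.graph.singleUser", "userId": uid}
                         for uid in approver_ids]}]}},
        {"id": "Expiration_Admin_Eligibility",
         "isExpirationRequired": eligible_expires, "maximumDuration": eligible_max},
        {"id": "Expiration_Admin_Assignment",
         "isExpirationRequired": active_expires, "maximumDuration": "P180D"},
    ]


# Constructed: a role left on weak settings (the gaps the alert table lists).
WEAK_POLICY = rule_set("PT8H", ["Justification"], False, [], "P365D", False, False)

# Constructed: the Step 2 baseline (4h, MFA + justification, 2 approvers, 12-month eligibility).
HARDENED_POLICY = rule_set("PT4H", ["MultiFactorAuthentication", "Justification"], True,
                           ["<approver-1-object-id>", "<approver-2-object-id>"],  # placeholders
                           "P365D", True, True)


def check_policy(rules, max_activation=timedelta(hours=4), min_approvers=2,
                 max_eligible=timedelta(days=365)):
    """Return a list of findings; an empty list means the baseline is met."""
    by_id = {r["id"]: r for r in rules}
    findings = []

    act = by_id.get("Expiration_EndUser_Assignment", {})
    if not act.get("isExpirationRequired") or parse_duration(act["maximumDuration"]) > max_activation:
        findings.append("activation window longer than 4 hours")

    enabled = set(by_id.get("Enablement_EndUser_Assignment", {}).get("enabledRules", []))
    if "MultiFactorAuthentication" not in enabled:
        findings.append("CRITICAL: MFA not required on activation")
    if "Justification" not in enabled:
        findings.append("justification not required on activation")

    approval = by_id.get("Approval_EndUser_Assignment", {}).get("setting", {})
    approvers = sum(len(s.get("primaryApprovers", [])) for s in approval.get("approvalStages", []))
    if not approval.get("isApprovalRequired"):
        findings.append("approval not required on activation")
    elif approvers < min_approvers:
        findings.append(f"only {approvers} approver(s); configure at least {min_approvers}")

    elig = by_id.get("Expiration_Admin_Eligibility", {})
    if not elig.get("isExpirationRequired") or parse_duration(elig["maximumDuration"]) > max_eligible:
        findings.append("permanent eligible assignment allowed; cap at 12 months")

    if not by_id.get("Expiration_Admin_Assignment", {}).get("isExpirationRequired"):
        findings.append("permanent active assignment allowed; reserve for break-glass")
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, check_policy(policy) or ["baseline met"])
```

Run against the weak policy it reports five findings, the MFA one marked critical to match the alert table; against the hardened policy it reports none. To use it on a real tenant, feed it the rules array Graph returns for the role's policy instead of the constructed lists.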

Route PIM audit logs to Sentinel. Build detection rules for: activations outside business hours, unusual justification text, repeated failed activation attempts.
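The three detections above are easy to prototype before writing them as KQL. The script below is an added example (not part of the original article, and not Sentinel's or Microsoft's code) that runs all three over a handful of constructed PIM audit events. The events use a simplified flat schema whose field names are chosen here rather than the exact AuditLogs columns, the activity names are modelled on the PIM entries in the Entra audit log, and business hours are assumed to be 08:00-18:00 Monday to Friday in UTC; adjust the field mapping, time zone and ticket pattern to your environment.

```python
"""Detection logic for the three PIM rules the article suggests for Sentinel:
activations outside business hours, unusual justification text, and repeated
failed activations. Example code added for this article, not Microsoft's or
Sentinel's. Events are constructed and use a simplified flat schema (field
names chosen here, not the exact AuditLogs columns); business hours are
assumed to be 08:00-18:00 Mon-Fri in UTC."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (UTC). Activity names are modelled on the PIM
# entries in the Entra audit log; "result" is simplified to success/failure.
EVENTS = [
    {"time": "2026-03-02T09:15:00Z", "user": "alice@contoso.example", "result": "success",
     "activity": "Add member to role completed (PIM activation)",
     "justification": "Configuring user onboarding automation - INC-4521"},
    {"time": "2026-03-02T02:40:00Z", "user": "bob@contoso.example", "result": "success",
     "activity": "Add member to role completed (PIM activation)",
     "justification": "urgent"},
    {"time": "2026-03-07T11:00:00Z", "user": "carol@contoso.example", "result": "success",
     "activity": "Add member to role completed (PIM activation)",  # a Saturday
     "justification": "Rotating Key Vault secrets - CHG-0098"},
] + [
    {"time": f"2026-03-03T13:{mm}:00Z", "user": "dave@contoso.example", "result": "failure",
     "activity": "Add member to role requested (PIM activation)",
     "justification": "need access"}
    for mm in ("00", "10", "25", "40")
]

TICKET_RE = re.compile(r"\b[A-Z]{2,5}-\d{3,}\b")   # INC-4521, CHG-0098, ... (assumed format)


def parse_time(value):
    """Parse an RFC 3339 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def outside_business_hours(ts, start_hour=8, end_hour=18):
    """True on weekends or outside the [start_hour, end_hour) window."""
    return ts.weekday() >= 5 or not (start_hour <= ts.hour < end_hour)


def unusual_justification(text, min_length=15):
    """Flag one-word or ticket-less justifications; tune to your ticketing format."""
    text = text.strip()
    return len(text) < min_length or TICKET_RE.search(text) is None


def repeated_failures(events, threshold=3, window=timedelta(hours=1)):
    """Users with >= threshold failed activations inside a sliding window.

    Returns (user, window_start_iso, count) once per user, at the first trigger."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            failures[e["user"]].append(parse_time(e["time"]))
    hits = []
    for user, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits.append((user, times[start].isoformat(), end - start + 1))
                break
    return hits


def run_detections(events):
    """Return (rule, user, detail) tuples for every rule that fires."""
    alerts = []
    for e in events:
        if e["result"] == "success" and outside_business_hours(parse_time(e["time"])):
            alerts.append(("off_hours_activation", e["user"], e["time"]))
        if unusual_justification(e["justification"]):
            alerts.append(("unusual_justification", e["user"], e["justification"]))
    for user, since, count in repeated_failures(events):
        alerts.append(("repeated_failed_activations", user, f"{count} failures since {since}"))
    return alerts


if __name__ == "__main__":
    for alert in run_detections(EVENTS):
        print(*alert, sep=" | ")
```

On the sample set the off-hours rule fires for the 02:40 activation and the Saturday one, the justification rule fires for "urgent" and for each "need access" request, and the repeated-failure rule fires once for the user with four failed attempts in forty minutes. The justification check is deliberately simple (length plus a ticket reference); in production you would compare against your own ticket format and tune the thresholds to the volume of activations you see.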

Strengthening with Conditional Access

Require a compliant device for all PIM activations:

Conditional Access policy:
  Users: Admins eligible for tier-0 roles
  Cloud apps: Microsoft Azure Management
  Grant: Require compliant device AND MFA

Three independent barriers: compliant device + MFA + PIM activation request with approval.

Common Mistakes

  • Activation too short: 1-hour windows frustrate admins on long tasks. 4-8 hours is usually right.
  • Insufficient approvers: Configure 2-3 approvers per critical role. One unavailable approver blocks emergency work.
  • Skipping notifications: Route PIM alerts to a Teams channel, not just email that can be missed.
  • No Access Reviews: Without quarterly cleanup, eligible assignments accumulate indefinitely.

Measuring PIM Effectiveness

Track monthly:

  • Eligible vs. active assignment ratio (target: over 90% eligible for tier-0 roles)
  • PIM activation rate (low rate may indicate unneeded eligible assignments)
  • Access Review completion rate (target: over 95% reviewed)

PIM is one of the highest-ROI identity security controls available. If you have Entra ID P2 and are not using PIM for tier-0 roles today, this is the place to start.

Idan Ohayon

Microsoft Cloud Solution Architect

Cloud Solution Architect with deep expertise in Microsoft Azure and a strong background in systems and IT infrastructure. Passionate about cloud technologies, security best practices, and helping organizations modernize their infrastructure.
