Microsoft Entra ID PIM: Complete Privileged Identity Management Setup Guide
Privileged Identity Management (PIM) in Microsoft Entra ID implements just-in-time access for admin roles. This guide covers setup, approval workflows, access reviews, and integration with your zero trust strategy.
The Problem PIM Solves
Standing privileges are a top attack vector. When a Global Administrator account is always active 24/7, it is always at risk. If the account is phished or the device is compromised, the attacker immediately has Global Admin access.
Privileged Identity Management (PIM) changes this model. Instead of permanent role assignments, PIM enables just-in-time (JIT) access: users are *eligible* for privileged roles but must request and activate them when needed, for a limited time window.
An attacker who compromises a PIM-protected account gets no standing privileged access. To use the role they must submit an activation request, which requires MFA and manager approval and leaves a full audit trail.
For a complete picture of Microsoft Entra identity governance, pair PIM with [Conditional Access policies](/blog/microsoft-entra-id-conditional-access-setup), which control where and how activation requests are allowed, for example blocking activation from non-compliant devices or risky sign-in locations.
Prerequisites and Licensing
License: Microsoft Entra ID P2 (included in Microsoft 365 E3/E5 or EMS E3/E5)
You do not need P2 for every user; only users who are *eligible* or *active* in PIM need a P2 license.
What PIM Covers
| Type | What It Protects |
|---|---|
| **Entra ID roles** | Global Admin, Security Admin, User Admin, Exchange Admin |
| **Azure resource roles** | Subscription Owner, Contributor, Key Vault Administrator |
| **Groups** | Any Entra ID security group for downstream access |
Setting Up PIM: Step-by-Step
Step 1: Navigate to PIM
```
Azure Portal -> Microsoft Entra ID -> Identity Governance -> Privileged Identity Management
```
Step 2: Configure Role Settings
For Global Administrator:
```
PIM -> Entra ID Roles -> Settings -> Global Administrator -> Edit

Activation:
  Duration: 4 hours
  Require Azure MFA: Yes
  Require justification: Yes
  Require approval: Yes (at least 2 approvers)

Assignment:
  Allow permanent eligible: No (max 12 months)
  Allow permanent active: No (break-glass accounts only)

Notifications:
  Notify when role is activated: Yes
  Notify approvers when pending: Yes
```
Step 3: Convert Permanent Assignments to Eligible
For each current permanent admin:
- Remove their permanent (Active) assignment
- Add them as Eligible for the same role with 12-month expiration
Keep 1-2 break-glass accounts with a permanent Global Administrator assignment: protect them with hardware FIDO2 keys stored securely, and alert on every sign-in.
Step 4: The Activation Experience
When an admin needs elevated access:
- Go to PIM -> My roles -> Click Activate
- Enter justification (e.g., "Configuring user onboarding automation - INC-4521")
- Complete MFA challenge
- Wait for approval (typically 5-15 minutes)
- Role expires automatically after configured duration
Access Reviews: Keeping Assignments Clean
```
PIM -> Access Reviews -> New access review

Name: Quarterly Global Admin PIM Review
Scope: Global Administrator role members
Reviewers: Managers of eligible members
Duration: 14 days
Recurrence: Quarterly
Auto-apply: Yes (no response = remove access)
```
Managers receive quarterly emails to confirm their reports still need eligibility. No response = automatic removal.
Key Alerts to Monitor
| Alert | Action Required |
|---|---|
| Roles don't require MFA on activation | Fix immediately - critical gap |
| Administrators aren't using PIM | Convert permanent assignments to eligible |
| Potential stale accounts in privileged role | Trigger immediate Access Review |
Route PIM audit logs to Sentinel. Build detection rules for: activations outside business hours, unusual justification text, repeated failed activation attempts.
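The three detection rules above, as an added example that is not part of the original article or of any Microsoft tooling: it runs the checks over constructed PIM activation audit records. The field names (`time`, `user`, `role`, `result`, `justification`), the business-hours window and the ticket-reference pattern are assumptions; in Sentinel you would map them onto the AuditLogs table's columns.

```python
"""Detection checks for PIM activation audit events (constructed sample data)."""
from collections import Counter
from datetime import datetime
import re

# Constructed sample events. The field names are assumptions for this example,
# not the exact Entra ID audit-log schema; map them to your real columns.
SAMPLE_EVENTS = [
    {"time": "2024-05-13T09:12:00Z", "user": "alice@contoso.example", "role": "Global Administrator",
     "result": "success", "justification": "Configuring user onboarding automation - INC-4521"},
    {"time": "2024-05-13T02:47:00Z", "user": "bob@contoso.example", "role": "Global Administrator",
     "result": "success", "justification": "test"},
    {"time": "2024-05-13T10:01:00Z", "user": "carol@contoso.example", "role": "Security Administrator",
     "result": "failure", "justification": "Reviewing alerts"},
    {"time": "2024-05-13T10:03:00Z", "user": "carol@contoso.example", "role": "Security Administrator",
     "result": "failure", "justification": "Reviewing alerts"},
    {"time": "2024-05-13T10:05:00Z", "user": "carol@contoso.example", "role": "Security Administrator",
     "result": "failure", "justification": "Reviewing alerts"},
]

BUSINESS_HOURS = range(8, 18)                           # 08:00-17:59 UTC (assumed); adjust to the tenant
TICKET_PATTERN = re.compile(r"\b(INC|CHG|REQ)-\d+\b")   # assumed convention: justification cites a ticket
FAILED_THRESHOLD = 3                                    # repeated-failure alert threshold (assumed)


def outside_business_hours(events):
    """Return users whose successful activation happened outside business hours."""
    hits = []
    for e in events:
        ts = datetime.fromisoformat(e["time"].replace("Z", "+00:00"))
        if e["result"] == "success" and ts.hour not in BUSINESS_HOURS:
            hits.append(e["user"])
    return hits


def weak_justification(events, min_words=3):
    """Return users whose activation justification is too short or cites no ticket."""
    return [e["user"] for e in events
            if e["result"] == "success"
            and (len(e["justification"].split()) < min_words
                 or not TICKET_PATTERN.search(e["justification"]))]


def repeated_failures(events, threshold=FAILED_THRESHOLD):
    """Return {user: count} for users with at least `threshold` failed activations."""
    counts = Counter(e["user"] for e in events if e["result"] == "failure")
    return {user: n for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print("Off-hours activations:", outside_business_hours(SAMPLE_EVENTS))
    print("Weak justifications:", weak_justification(SAMPLE_EVENTS))
    print("Repeated failures:", repeated_failures(SAMPLE_EVENTS))
```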
Strengthening with Conditional Access
Require a compliant device for all PIM activations:
```
Conditional Access policy:
  Users: Admins eligible for tier-0 roles
  Cloud apps: Microsoft Azure Management
  Grant: Require compliant device AND MFA
```
Three independent barriers: compliant device + MFA + PIM activation request with approval.
Common Mistakes
- Activation too short: 1-hour windows frustrate admins on long tasks. 4-8 hours is usually right.
- Insufficient approvers: Configure 2-3 approvers per critical role. One unavailable approver blocks emergency work.
- Skipping notifications: Route PIM alerts to a Teams channel, not just email that can be missed.
- No Access Reviews: Without quarterly cleanup, eligible assignments accumulate indefinitely.
Measuring PIM Effectiveness
Track monthly:
- Eligible vs. active assignment ratio (target: over 90% eligible for tier-0 roles)
- PIM activation rate (low rate may indicate unneeded eligible assignments)
- Access Review completion rate (target: over 95% reviewed)
PIM is one of the highest-ROI identity security controls available. If you have Entra ID P2 and are not using PIM for tier-0 roles today, this is the place to start.
Microsoft Cloud Solution Architect
Cloud Solution Architect with deep expertise in Microsoft Azure and a strong background in systems and IT infrastructure. Passionate about cloud technologies, security best practices, and helping organizations modernize their infrastructure.