Expert Answer
What is Privileged Identity Management (PIM) in Microsoft Entra ID?
Quick Answer
Privileged Identity Management (PIM) is an Entra ID feature that provides just-in-time privileged access, time-limited role assignments, and approval workflows for sensitive roles. It reduces the risk of standing admin access.
Detailed Explanation
Privileged Identity Management (PIM) is a Microsoft Entra ID P2 feature that eliminates standing privileged access by making users "eligible" for roles rather than permanently assigning them.
Key concepts:
- Eligible vs Active assignments:
  - Eligible: the user can activate the role when needed
  - Active: traditional permanent role assignment
  - Eligible assignments reduce the window of exposure
- Just-in-time (JIT) access:
  - Users activate roles only when needed
  - Activations have maximum time limits (typically 1-8 hours)
  - Access automatically expires after the time limit
- Approval workflows:
  - Configure roles to require approval before activation
  - Multiple approvers can be configured
  - Justification required for activation requests
- Access reviews:
  - Periodic review of who has eligible assignments
  - Remove users who no longer need access
  - Audit trail of all access decisions
Benefits:
- Reduced standing privilege exposure
- Audit trail of all privilege elevation
- Forced justification for access
- Automatic access expiration
- Approval workflow for sensitive roles
Requirements:
- Microsoft Entra ID P2 license
- Initial configuration by Global Admin
- User training on activation process
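The eligible-versus-active distinction above is something you can measure in your own tenant. The following PowerShell script is an added example (not TrueConfig's or Microsoft's own code) that uses the Microsoft Graph PowerShell SDK to inventory directory role assignments and flag permanent active ones, the standing access PIM is meant to replace, next to eligible ones. It assumes the Microsoft.Graph.Identity.Governance module is installed and the signed-in account has RoleManagement.Read.Directory; the function names are hypothetical, the cmdlets are the SDK's.

```powershell
# Added example: inventory standing (permanent active) vs PIM eligible role assignments.
# Assumes Microsoft.Graph.Identity.Governance and the RoleManagement.Read.Directory scope.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory" -NoWelcome

$script:roleNames = @{}   # cache so each role definition is resolved once
function Resolve-RoleName {
    param([string]$RoleDefinitionId)
    if (-not $script:roleNames.ContainsKey($RoleDefinitionId)) {
        $script:roleNames[$RoleDefinitionId] =
            (Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $RoleDefinitionId).DisplayName
    }
    $script:roleNames[$RoleDefinitionId]
}

function Get-PimAssignmentReport {
    $report = @()

    # Active schedules: AssignmentType "Assigned" is a traditional permanent assignment,
    # "Activated" is a JIT activation that PIM expires on its own.
    $active = Get-MgRoleManagementDirectoryRoleAssignmentSchedule -All -ExpandProperty "principal"
    foreach ($a in $active) {
        $expiry   = $a.ScheduleInfo.Expiration.Type          # noExpiration, afterDateTime, afterDuration
        $standing = ($a.AssignmentType -eq "Assigned") -and ($null -eq $expiry -or $expiry -eq "noExpiration")
        $report += [pscustomobject]@{
            Role       = Resolve-RoleName $a.RoleDefinitionId
            Principal  = $a.Principal.AdditionalProperties["displayName"]
            MemberType = $a.MemberType                         # Direct, Group or Inherited
            Kind       = if ($standing) { "Standing (permanent active)" }
                         else { "Active ($($a.AssignmentType), expires: $expiry)" }
        }
    }

    # Eligible schedules: the user must activate (with justification / approval) before holding the role.
    $eligible = Get-MgRoleManagementDirectoryRoleEligibilitySchedule -All -ExpandProperty "principal"
    foreach ($e in $eligible) {
        $report += [pscustomobject]@{
            Role       = Resolve-RoleName $e.RoleDefinitionId
            Principal  = $e.Principal.AdditionalProperties["displayName"]
            MemberType = $e.MemberType
            Kind       = "Eligible (expires: $($e.ScheduleInfo.Expiration.Type))"
        }
    }
    $report
}

$report = Get-PimAssignmentReport
# Standing assignments to privileged roles are the candidates to convert to eligible or put under access review.
$report | Where-Object Kind -like "Standing*" | Sort-Object Role | Format-Table Role, Principal, MemberType -AutoSize
"Standing: $(($report | Where-Object Kind -like 'Standing*').Count)  Eligible: $(($report | Where-Object Kind -like 'Eligible*').Count)"
```

Group-based assignments show up with MemberType "Group", so a standing assignment on a role-assignable group is still standing access for every member of that group.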
TrueConfig controls PA-04 and PA-06 help you implement and monitor PIM effectively.
Related TrueConfig Controls
Want to check your Microsoft 365 configuration?
TrueConfig scans your tenant and provides specific recommendations based on your current configuration.