Your Global Admin account has full access to everything in your Microsoft 365 environment, 24 hours a day, 7 days a week. So does your Exchange Admin. And your SharePoint Admin. Right now, those standing privileges represent your biggest security blind spot.
According to Forrester Research, privileged accounts are involved in 74% of network breaches. For mid-sized companies running Microsoft 365, this statistic should be a wake-up call. The good news? Microsoft provides a powerful tool to address this risk: Privileged Identity Management (PIM) in Microsoft Entra ID.
This guide walks you through privileged identity management setup specifically designed for IT teams at companies with 100-1000 employees. You do not need a dedicated security team or enterprise-level resources to implement PIM effectively. You need the right approach.
What Is Privileged Identity Management and Why Your Organization Needs It
Privileged Identity Management is a service in Microsoft Entra ID that controls, monitors, and audits access to important resources across your Microsoft 365 environment. Think of it as the difference between giving someone a permanent master key to your building versus giving them a temporary badge that works only when they need it.
PIM operates on a simple but powerful principle: just-in-time access. Instead of users having administrative privileges around the clock, they request elevated access only when needed. That access automatically expires after a set period.
The Problem with Standing Privileges
Most mid-sized organizations have a handful of IT staff with permanent admin roles. Maybe your IT Director has Global Admin access. Your help desk lead has User Admin rights. Your Microsoft 365 specialist has Exchange Admin and SharePoint Admin assigned.
These standing privileges create risk in three ways:
- Expanded attack surface: If any of these accounts is compromised through phishing or credential theft, attackers immediately gain administrative access
- Accidental damage: Permanent access increases the chance of unintended configuration changes
- Compliance gaps: Many frameworks (SOC 2, ISO 27001, NIST) require least-privilege access controls
Why Mid-Sized Companies Are Especially Vulnerable
SMBs often operate with limited IT resources, making them attractive targets for cyberattacks. You likely do not have a Security Operations Center monitoring for suspicious privilege escalations. You probably cannot dedicate someone full-time to identity governance. PIM helps close this gap by automating the controls that larger enterprises implement with dedicated staff.
Prerequisites: What You Need Before Starting
Before diving into privileged identity management setup, confirm you have the following:
Licensing: PIM requires Microsoft Entra ID P2 or Microsoft Entra ID Governance licenses. If you have Microsoft 365 E5, you are covered. E3 customers need to add Entra ID P2.
Current Admin Access: You need Global Administrator or Privileged Role Administrator to configure PIM.
Inventory of Privileged Accounts: Before configuring anything, document who currently has what roles. You will need this baseline.
Step-by-Step: Privileged Identity Management Setup in Microsoft Entra ID
Step 1: Access PIM and Run Discovery
Navigate to the Microsoft Entra admin center and select Identity governance > Privileged Identity Management.
Start with the Discovery and insights feature. This analyzes your current privileged role assignments and shows you:
- How many users have permanent (active) assignments
- Which roles have the most assignments
- Recommendations for converting to eligible access
This baseline is critical. You cannot improve what you have not measured.
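The same baseline can be pulled straight from the tenant with the Microsoft Graph PowerShell SDK. This is an added example rather than code from the article; it assumes the Microsoft.Graph modules are installed and that the signed-in account is allowed to read role management data.

```powershell
# Added example, not from the original article: count standing vs. eligible assignments
# for every Entra directory role, then name who still holds permanent Global Administrator.
# Assumes the Microsoft.Graph PowerShell SDK (Identity.Governance, DirectoryObjects) is installed.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "RoleEligibilitySchedule.Read.Directory",
    "RoleAssignmentSchedule.Read.Directory", "Directory.Read.All"

# Resolve role definition ids to display names once, instead of once per assignment.
$roleNames = @{}
Get-MgRoleManagementDirectoryRoleDefinition -All | ForEach-Object { $roleNames[$_.Id] = $_.DisplayName }

# Active schedule instances cover both permanent assignments and current PIM activations.
# AssignmentType 'Assigned' with no end date is a standing privilege; 'Activated' is a JIT session.
$active    = @(Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -All)
$permanent = @($active | Where-Object { $_.AssignmentType -eq 'Assigned' -and -not $_.EndDateTime })
$activated = @($active | Where-Object { $_.AssignmentType -eq 'Activated' })

# Eligible schedule instances are the just-in-time assignments PIM already manages.
$eligible  = @(Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -All)

# One row per role, roles with the most standing access first (your Step 2/3 priority list).
$roleIds = ($permanent + $eligible) | Select-Object -ExpandProperty RoleDefinitionId -Unique
$report  = foreach ($id in $roleIds) {
    [pscustomobject]@{
        Role      = $roleNames[$id]
        Permanent = @($permanent | Where-Object RoleDefinitionId -eq $id).Count
        Eligible  = @($eligible  | Where-Object RoleDefinitionId -eq $id).Count
        Activated = @($activated | Where-Object RoleDefinitionId -eq $id).Count
    }
}
$report | Sort-Object Permanent -Descending | Format-Table -AutoSize

# Who still has permanent Global Administrator: everyone here except your break-glass
# accounts is a candidate for conversion to Eligible in Step 3. MemberType 'Group'
# means the access comes through a group and must be fixed at the group, not the user.
$gaId = ($roleNames.GetEnumerator() | Where-Object Value -eq 'Global Administrator').Key
$permanent | Where-Object RoleDefinitionId -eq $gaId | ForEach-Object {
    $obj = Get-MgDirectoryObject -DirectoryObjectId $_.PrincipalId
    [pscustomobject]@{
        Principal  = $obj.AdditionalProperties['displayName']
        ObjectType = $obj.AdditionalProperties['@odata.type']
        MemberType = $_.MemberType
    }
} | Format-Table -AutoSize
```

Keep the output of this run as the documented baseline the Prerequisites section asks for; rerunning it after Step 3 shows the Permanent column shrinking.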
Step 2: Configure Role Settings for High-Privilege Roles
Start with your highest-risk roles: Global Administrator, Exchange Administrator, SharePoint Administrator, and Security Administrator.
For each role, navigate to Microsoft Entra roles > Roles > select the role > Settings.
Configure these key settings:
Activation maximum duration: Set how long elevated access lasts. For most administrative tasks, 4-8 hours is sufficient. Microsoft defaults to 8 hours. Avoid setting this to 24 hours unless absolutely necessary.
Require MFA on activation: Enable this. Microsoft studies show accounts are 99.9% less likely to be compromised when using MFA. Even if users have MFA on their base account, requiring it again at activation ensures a stolen session token cannot be used to escalate privileges.
Require justification: Enable this setting. It creates an audit trail of why access was needed, which is valuable for compliance and incident investigation.
Require approval for activation: For Global Administrator, strongly consider requiring approval. For other roles, this may slow down legitimate work too much. Evaluate based on your risk tolerance.
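The duration, MFA and justification settings can also be applied per role through the PIM role-management policy API, which is handy when you repeat them across several roles. The block below is an added example, not the article's code; it assumes the Microsoft.Graph PowerShell SDK and a Global Administrator or Privileged Role Administrator sign-in, and it leaves the approval setting to the portal because that rule also needs an approver list.

```powershell
# Added example, not from the original article: apply the Step 2 activation settings to a role
# through its PIM role-management policy. Assumes the Microsoft.Graph PowerShell SDK and a
# signed-in Global Administrator or Privileged Role Administrator.
Connect-MgGraph -Scopes "RoleManagementPolicy.ReadWrite.Directory", "RoleManagement.Read.Directory"

function Set-PimActivationSettings {
    param(
        [Parameter(Mandatory)] [string] $RoleDisplayName,
        [string] $MaxActivation = "PT8H"   # ISO 8601 duration; the guide recommends PT4H to PT8H
    )
    # Each directory role has exactly one policy bound at tenant scope ('/').
    $role     = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$RoleDisplayName'"
    $binding  = Get-MgPolicyRoleManagementPolicyAssignment -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$($role.Id)'"
    $policyId = $binding.PolicyId

    # Activation maximum duration lives in the rule Expiration_EndUser_Assignment.
    Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
        -UnifiedRoleManagementPolicyRuleId "Expiration_EndUser_Assignment" -BodyParameter @{
            "@odata.type"        = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"
            isExpirationRequired = $true
            maximumDuration      = $MaxActivation
        }

    # MFA and justification on activation live in Enablement_EndUser_Assignment.
    # Approval (Approval_EndUser_Assignment) also needs an approver list, so set it in the portal.
    Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
        -UnifiedRoleManagementPolicyRuleId "Enablement_EndUser_Assignment" -BodyParameter @{
            "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule"
            enabledRules  = @("MultiFactorAuthentication", "Justification")
        }

    # Read the rules back so the change is verified, not assumed.
    foreach ($ruleId in "Expiration_EndUser_Assignment", "Enablement_EndUser_Assignment") {
        $rule = Get-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId -UnifiedRoleManagementPolicyRuleId $ruleId
        [pscustomobject]@{
            Role     = $role.DisplayName
            Rule     = $ruleId
            Settings = ($rule.AdditionalProperties.GetEnumerator() |
                        Where-Object { $_.Key -in 'maximumDuration', 'isExpirationRequired', 'enabledRules' } |
                        ForEach-Object { "$($_.Key)=$($_.Value -join ',')" }) -join '; '
        }
    }
}

# The highest-risk roles from Step 2; Global Administrator gets the shorter window.
Set-PimActivationSettings -RoleDisplayName "Global Administrator"    -MaxActivation "PT4H"
Set-PimActivationSettings -RoleDisplayName "Exchange Administrator"
Set-PimActivationSettings -RoleDisplayName "SharePoint Administrator"
Set-PimActivationSettings -RoleDisplayName "Security Administrator"
```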
Step 3: Convert Permanent Assignments to Eligible
This is where the security improvement happens. PIM supports two assignment types:
- Active: Immediate, always-on access (the current state for most organizations)
- Eligible: User must activate the role before using it
For each privileged user, change their assignment from Active to Eligible. In the Entra admin center:
- Go to Privileged Identity Management > Microsoft Entra roles
- Select Assignments
- For each Active assignment, select the user and choose Update
- Change the assignment type to Eligible
- Set the assignment duration (or leave as permanent eligibility)
Important: Keep at least two accounts with permanent Global Administrator access for break-glass emergency scenarios. Store these credentials securely and monitor them closely.
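The conversion can be scripted the same way, creating the eligible assignment before removing the permanent one so the user is never locked out, and refusing to touch the break-glass accounts. This is an added example, not the article's code; the user principal names and break-glass addresses are placeholders, and it assumes the Microsoft.Graph PowerShell SDK.

```powershell
# Added example, not from the original article: replace one user's permanent active role
# assignment with an eligible one, in an order that never leaves the user without a path
# to the role. Assumes the Microsoft.Graph PowerShell SDK; all addresses are placeholders.
Connect-MgGraph -Scopes "RoleAssignmentSchedule.ReadWrite.Directory",
    "RoleEligibilitySchedule.ReadWrite.Directory", "RoleManagement.Read.Directory", "User.Read.All"

# Placeholder break-glass accounts: these keep permanent Global Administrator on purpose.
$breakGlass = @("breakglass1@example.com", "breakglass2@example.com")

function Convert-ActiveToEligible {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [Parameter(Mandatory)] [string] $RoleDisplayName
    )
    $user = Get-MgUser -UserId $UserPrincipalName
    if ($breakGlass -contains $user.UserPrincipalName) {
        throw "Refusing to change break-glass account $($user.UserPrincipalName)"
    }
    $role   = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$RoleDisplayName'"
    $common = @{ principalId = $user.Id; roleDefinitionId = $role.Id; directoryScopeId = "/" }

    # 1. Grant permanent eligibility first (a time-bound one would use expiration type 'afterDateTime').
    New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter ($common + @{
        action        = "adminAssign"
        justification = "PIM rollout: standing access converted to just-in-time"
        scheduleInfo  = @{
            startDateTime = (Get-Date).ToUniversalTime().ToString("o")
            expiration    = @{ type = "noExpiration" }
        }
    }) | Out-Null

    # 2. Only then remove the permanent active assignment.
    New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter ($common + @{
        action        = "adminRemove"
        justification = "PIM rollout: standing access replaced by eligibility"
    }) | Out-Null

    # 3. Verify the end state instead of trusting that the requests succeeded.
    $scope    = "principalId eq '$($user.Id)' and roleDefinitionId eq '$($role.Id)'"
    $eligible = Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -Filter $scope
    $standing = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -Filter $scope |
                Where-Object AssignmentType -eq 'Assigned'
    [pscustomobject]@{
        User = $user.UserPrincipalName; Role = $role.DisplayName
        Eligible = [bool]$eligible; StillPermanent = [bool]$standing
    }
}

Convert-ActiveToEligible -UserPrincipalName "it.director@example.com" -RoleDisplayName "Global Administrator"
```

A user whose permanent access comes through a group (MemberType 'Group' in the discovery output) has to be handled at the group level; the adminRemove request above only removes direct assignments.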
Step 4: Set Up Notifications and Alerts
Configure notifications so you know when privileged access is activated. Under Settings for each role, configure:
- Email notifications when eligible members activate the role
- Notifications to specific administrators when any role is activated
- Weekly digest of role activations
This visibility is crucial for detecting unauthorized or suspicious access.
Step 5: Create Your First Access Review
Access reviews ensure eligible assignments stay current. Navigate to Identity Governance > Access reviews and create a review for your privileged roles.
For mid-sized teams, a quarterly review cadence works well. Assign the review to role assignees (self-review) or to a specific administrator. Reviewers confirm whether each user still needs their eligible access.
Best Practices for Resource-Constrained IT Teams
Start with High-Impact Roles
You do not need to configure every role on day one. Microsoft recommends limiting Global Administrators to fewer than five people. Start there. Add other administrative roles progressively.
Priority order:
- Global Administrator
- Privileged Role Administrator
- Exchange Administrator
- SharePoint Administrator
- Security Administrator
- User Administrator
Use PIM for Groups to Reduce Activation Fatigue
If your IT staff need multiple roles for their work, PIM for Groups simplifies the experience. Create a security group, assign it to multiple roles, and make users eligible members of that group. One activation grants access to all the linked roles.
This is especially valuable for mid-sized teams where one person often wears multiple hats.
Apply Different Policies for Different Scenarios
Not all privileged access carries the same risk. Consider applying different policies based on context:
- Internal full-time IT staff: Eligible assignments with no expiration, MFA required, no approval needed
- External consultants: Eligible assignments that expire at contract end, MFA required, approval required
- Break-glass accounts: Active assignments, heavily monitored, credentials stored in secure vault
Document and Communicate
Communication is critical to the success of any new service. Before enabling PIM, explain to affected users:
- What is changing and why
- How to activate their roles when needed
- Who to contact if they have issues
- The timeline for the rollout
Users accustomed to immediate access may perceive PIM as a barrier to productivity. Clear communication and training reduce resistance.
Common Mistakes and How to Avoid Them
Mistake 1: Removing All Permanent Admin Access
Every organization needs at least two break-glass accounts with permanent Global Administrator access. If PIM itself has an issue, or if your MFA provider is unavailable, you need a way in.
Solution: Maintain two break-glass accounts with strong, unique passwords stored in a physical safe or secure vault. Monitor these accounts for any sign-in activity.
Mistake 2: Setting Activation Duration Too Short
If users must reactivate every hour, they will either work around PIM or waste significant time managing access.
Solution: Set activation duration to match realistic work sessions. Four to eight hours covers most administrative tasks without excessive reactivation.
Mistake 3: Requiring Approval for Everything
Approval requirements add security but also add friction and delay. If your Exchange Admin cannot fix a mail flow issue until someone approves their access, you have created an operational problem.
Solution: Reserve approval requirements for Global Administrator and similarly powerful roles. For day-to-day administrative roles, MFA and justification provide sufficient control.
Mistake 4: Skipping the Pilot Phase
Start with a small set of users and verify that PIM behaves as expected before rolling out broadly. This catches configuration issues before they affect your entire IT team.
Solution: Select two or three IT staff members to pilot PIM for one to two weeks. Gather feedback. Adjust settings. Then expand.
Mistake 5: Setting and Forgetting
PIM is not a one-time configuration. Roles change. People change. Access requirements change.
Solution: Schedule quarterly access reviews. Review activation logs monthly. Update role settings as your environment evolves.
Measuring Success
After completing your privileged identity management setup, track these metrics:
- Number of permanent privileged assignments: Should decrease significantly
- Average activation duration: Indicates whether settings match actual work patterns
- Failed activation attempts: May indicate compromised accounts or confused users
- Access review completion rate: Ensures ongoing governance
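The first three metrics, together with the monthly activation-log review recommended under Mistake 5, can be read from the PIM activation requests of the last 30 days. This is an added example, not the article's code; it assumes the Microsoft.Graph PowerShell SDK and read access to role assignment schedule data.

```powershell
# Added example, not from the original article: summarise the last 30 days of self-service
# PIM activations into the metrics listed above. Assumes the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes "RoleAssignmentSchedule.Read.Directory", "RoleManagement.Read.Directory"

$since    = (Get-Date).AddDays(-30)
$requests = @(Get-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -All |
    Where-Object { $_.Action -eq 'selfActivate' -and $_.CreatedDateTime -ge $since })

# Outcome breakdown: 'Provisioned' is a successful activation; 'Denied', 'Failed' and
# 'Canceled' are the "failed activation attempts" worth a closer look.
$requests | Group-Object Status | Select-Object Name, Count | Sort-Object Count -Descending

# Average requested activation length, parsed from the ISO 8601 duration (e.g. PT4H).
# Consistently short requests against an 8-hour maximum suggest the window can be tightened.
$hours = $requests | Where-Object { $_.ScheduleInfo.Expiration.Duration } | ForEach-Object {
    [System.Xml.XmlConvert]::ToTimeSpan($_.ScheduleInfo.Expiration.Duration).TotalHours
}
"Average requested activation: {0:N1} h over {1} activations" -f
    ($hours | Measure-Object -Average).Average, @($hours).Count

# Activations per principal and role: one account activating far more often than its
# peers, or a role nobody used before, is a lead for the Step 4 alerting.
$roleNames = @{}
Get-MgRoleManagementDirectoryRoleDefinition -All | ForEach-Object { $roleNames[$_.Id] = $_.DisplayName }
$requests | Group-Object PrincipalId, RoleDefinitionId | ForEach-Object {
    $principalId, $roleId = $_.Name -split ', '
    [pscustomobject]@{ Principal = $principalId; Role = $roleNames[$roleId]; Activations = $_.Count }
} | Sort-Object Activations -Descending | Format-Table -AutoSize
```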
Next Steps: Continuous Monitoring and Automation
Implementing PIM is a significant step toward Zero Trust security. But configuration drift happens. Users get added. Roles get modified. Without ongoing monitoring, your carefully configured policies can erode over time.
Consider tools that provide continuous visibility into your identity configuration. Platforms like TrueConfig monitor your Microsoft 365 environment against defined security baselines and alert you when privileged access configurations drift from your desired state.
The goal is not perfection on day one. The goal is establishing controls that reduce risk today and building visibility that maintains those controls over time.
TrueConfig provides automated privileged access monitoring as part of its Desired State Configuration platform for Microsoft 365. By continuously evaluating your tenant against your defined baseline, including PIM role assignments, TrueConfig helps you maintain the security posture you intended.