PA-04 | Critical | Enhanced Security

Require PIM for All Privileged Roles

Privileged Access control for Microsoft 365 and Entra ID

Why This Control Matters

PIM replaces standing ("always admin") role assignments with just-in-time access: role holders are only eligible until they activate, each activation is time-bound, must carry a justification, and for sensitive roles must be approved, and every activation and approval decision is written to the audit log. A compromised or misused admin account therefore holds elevated rights only for the activation window rather than permanently, and every use of privilege is attributable to a person, a stated reason and, where required, an approver.

Expected State

When this control is compliant, your tenant should meet these criteria:

  1. All privileged roles use PIM eligible assignments (not permanent)
  2. Maximum activation duration is 8 hours or less
  3. Justification is required for every activation
  4. Global Admin, Privileged Role Admin, and Security Admin require approval
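The four criteria map directly onto Microsoft Graph resources: a standing assignment appears under roleManagement/directory/roleAssignmentScheduleInstances with assignmentType "Assigned" and no endDateTime, while activation duration, justification and approval are rules on each role's roleManagementPolicy (rule ids Expiration_EndUser_Assignment, Enablement_EndUser_Assignment and Approval_EndUser_Assignment, reached through policies/roleManagementPolicyAssignments). The Python below is an added example written for this page, not TrueConfig's checker or any Microsoft tooling; it evaluates the criteria over constructed sample data shaped like those Graph responses. The principal ids and the deliberately non-compliant Security Administrator policy are made up; the three role template ids are the real Entra ID built-in role ids.

```python
"""Evaluate the PA-04 expected state against PIM data shaped like Microsoft
Graph responses. Added example for this page, not TrueConfig code.

Graph sources (not fetched here; the sample data below is constructed):
  GET /roleManagement/directory/roleAssignmentScheduleInstances
  GET /policies/roleManagementPolicyAssignments?$filter=scopeId eq '/' and scopeType eq 'DirectoryRole'
  GET /policies/roleManagementPolicies/{policyId}/rules
"""
import re
from datetime import timedelta

# Built-in Entra ID role template ids for the roles that must require approval.
GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10"
PRIV_ROLE_ADMIN = "e8611ab8-c189-46e8-94e1-60213ab1f814"
SECURITY_ADMIN = "194ae4cb-b126-40b2-bd5b-6091b380977d"
APPROVAL_REQUIRED_ROLES = {GLOBAL_ADMIN, PRIV_ROLE_ADMIN, SECURITY_ADMIN}
MAX_ACTIVATION = timedelta(hours=8)

_ISO_DURATION = re.compile(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?")


def parse_iso_duration(value):
    """Parse the ISO 8601 duration Graph uses for maximumDuration ('PT8H', 'P1DT12H')."""
    m = _ISO_DURATION.fullmatch(value)
    if not m:
        raise ValueError(f"unsupported duration: {value!r}")
    days, hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)


def permanent_assignments(schedule_instances):
    """Criterion 1. An active instance with assignmentType 'Assigned' and no
    endDateTime is a standing assignment. 'Activated' instances are PIM
    activations of eligible assignments, which is what the control wants."""
    return [
        inst for inst in schedule_instances
        if inst.get("assignmentType") == "Assigned" and inst.get("endDateTime") is None
    ]


def evaluate_policy_rules(role_definition_id, rules):
    """Criteria 2-4 for one role, from its roleManagementPolicy rules."""
    by_id = {rule["id"]: rule for rule in rules}
    findings = []

    # Criterion 2: activation window must be bounded and at most 8 hours.
    max_duration = by_id.get("Expiration_EndUser_Assignment", {}).get("maximumDuration")
    if max_duration is None:
        findings.append("activation duration is not limited")
    elif parse_iso_duration(max_duration) > MAX_ACTIVATION:
        findings.append(f"activation max duration {max_duration} exceeds PT8H")

    # Criterion 3: 'Justification' must be among the enabled activation rules.
    enablement = by_id.get("Enablement_EndUser_Assignment", {})
    if "Justification" not in enablement.get("enabledRules", []):
        findings.append("justification is not required on activation")

    # Criterion 4: approval only mandated for the three roles the control names.
    if role_definition_id in APPROVAL_REQUIRED_ROLES:
        approval = by_id.get("Approval_EndUser_Assignment", {}).get("setting", {})
        if not approval.get("isApprovalRequired", False):
            findings.append("approval is not required on activation")
    return findings


def evaluate_tenant(schedule_instances, rules_by_role):
    """Combine all criteria. rules_by_role maps roleDefinitionId -> rules list;
    from Graph you build it by joining roleManagementPolicyAssignments
    (roleDefinitionId, policyId) to roleManagementPolicies/{policyId}/rules."""
    permanent = [
        {"principalId": i["principalId"], "roleDefinitionId": i["roleDefinitionId"]}
        for i in permanent_assignments(schedule_instances)
    ]
    policy_findings = {}
    for role_id, rules in rules_by_role.items():
        findings = evaluate_policy_rules(role_id, rules)
        if findings:
            policy_findings[role_id] = findings
    return {
        "permanent_assignments": permanent,
        "policy_findings": policy_findings,
        "compliant": not permanent and not policy_findings,
    }


# Constructed sample data (not from a real tenant).
SAMPLE_SCHEDULE_INSTANCES = [
    {   # standing Global Administrator assignment: violates criterion 1
        "principalId": "user-alice", "roleDefinitionId": GLOBAL_ADMIN,
        "assignmentType": "Assigned", "memberType": "Direct",
        "startDateTime": "2024-01-01T00:00:00Z", "endDateTime": None},
    {   # PIM activation of an eligible assignment: the expected state
        "principalId": "user-bob", "roleDefinitionId": SECURITY_ADMIN,
        "assignmentType": "Activated", "memberType": "Direct",
        "startDateTime": "2024-06-01T09:00:00Z", "endDateTime": "2024-06-01T13:00:00Z"},
]

SAMPLE_RULES_BY_ROLE = {
    GLOBAL_ADMIN: [   # compliant policy
        {"id": "Expiration_EndUser_Assignment", "maximumDuration": "PT8H"},
        {"id": "Enablement_EndUser_Assignment",
         "enabledRules": ["MultiFactorAuthentication", "Justification"]},
        {"id": "Approval_EndUser_Assignment", "setting": {"isApprovalRequired": True}},
    ],
    SECURITY_ADMIN: [   # non-compliant: 24h window, no justification, no approval
        {"id": "Expiration_EndUser_Assignment", "maximumDuration": "PT24H"},
        {"id": "Enablement_EndUser_Assignment", "enabledRules": ["MultiFactorAuthentication"]},
        {"id": "Approval_EndUser_Assignment", "setting": {"isApprovalRequired": False}},
    ],
}

if __name__ == "__main__":
    import json
    print(json.dumps(evaluate_tenant(SAMPLE_SCHEDULE_INSTANCES, SAMPLE_RULES_BY_ROLE), indent=2))
```

Note that group-based assignments surface in the same schedule instances with memberType "Group"; they are evaluated like direct ones, because a permanent assignment granted through a group is still standing privilege.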

Enforcement

Default Mode
Auto-Remediate

Automatically fixes deviations when safe to do so

Auto-Remediation
Available

Converts permanent role assignments to PIM eligible. Before relying on this, confirm that the tenant's emergency-access (break-glass) accounts are excluded from the conversion: Microsoft's guidance is that those accounts keep a permanent Global Administrator assignment so the tenant can still be recovered if PIM activation or approval is itself unavailable.

Ready to implement this control?

TrueConfig continuously monitors your Microsoft 365 tenant for compliance with this and 50+ other security controls.