PA-04: Enabling PIM for All Privileged Roles

Overview

This guide walks you through implementing Privileged Identity Management (PIM) for all privileged administrative roles in your tenant, not just Global Administrator. After implementation, all privileged access will be just-in-time, requiring explicit activation with justification, time limits, and optional approval workflows.

Why This Matters: Global Administrator is just one of many powerful roles. Roles like Privileged Role Administrator, Exchange Administrator, and User Administrator also carry significant risk. PIM ensures all privileged access is time-bound and auditable, reducing the attack surface across your entire admin population.

Prerequisites

| Requirement | Details |
|-------------|---------|
| Role required | Global Administrator or Privileged Role Administrator |
| License required | Microsoft Entra ID P2 for all users with eligible role assignments (approvers need one too) |
| Access | Microsoft Entra admin center |
| Completed prerequisites | PA-03: Emergency access accounts must exist before starting |

Time Estimate

60-90 minutes for initial implementation, plus ongoing time for each role configuration

  • Planning and inventory: 15 minutes
  • Converting Global Admin (if not done): 15 minutes
  • Converting other critical roles: 30-45 minutes
  • Configuring role settings: 15-20 minutes
  • Testing and documentation: 15 minutes

Roles to Enable for PIM

Tier 1: Critical Roles (Require approval for activation)

| Role | Risk Level | Why Critical |
|------|------------|--------------|
| Global Administrator | Highest | Full tenant control |
| Privileged Role Administrator | Highest | Can grant any role to anyone, including itself and Global Administrator |
| Privileged Authentication Administrator | Critical | Can reset the password and MFA methods of any user, admins included |
| Security Administrator | High | Broad control over security settings and policies |
| Exchange Administrator | High | Full mailbox access |
| SharePoint Administrator | High | All file/site access |

Tier 2: High-Risk Roles (MFA + justification required)

| Role | Risk Level | Why High Risk |
|------|------------|---------------|
| User Administrator | High | Can create/modify all non-admin users |
| Application Administrator | High | Can modify any app registration and add credentials to it |
| Cloud Application Administrator | High | Enterprise app management |
| Intune Administrator | High | Device management control |
| Authentication Administrator | Medium-High | Password and MFA resets for non-admin users |
| Groups Administrator | Medium | Group membership changes |

Tier 3: Moderate-Risk Roles (Justification required)

| Role | Risk Level | Notes |
|------|------------|-------|
| Helpdesk Administrator | Medium | Limited password reset |
| License Administrator | Medium | License assignment |
| Reports Reader | Low-Medium | Audit and sign-in log access |
| Directory Readers | Low | Read-only directory access |

Step-by-Step Instructions

Step 1: Inventory Current Privileged Role Assignments

  1. Navigate to entra.microsoft.com
  2. Go to Identity > Roles & administrators > Roles
  3. Click Download assignments
  4. Save the export for reference
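The portal export is a point-in-time snapshot of the Roles & administrators view; the following script, added here as an example and not part of the original guide, pulls the same inventory through Microsoft Graph and distinguishes standing (permanent active) assignments from eligible ones and from activations currently in progress, which is exactly the split the working list below needs. It assumes the Microsoft.Graph PowerShell SDK is installed and that the caller can consent to the read scopes used; the output CSV path is a placeholder.

```powershell
# Added example (not from the original guide): inventory active and eligible Microsoft Entra
# role assignments with the Microsoft Graph PowerShell SDK.
# Prerequisite (assumption): Install-Module Microsoft.Graph -Scope CurrentUser
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All' -NoWelcome

# Resolve role definition IDs to display names once instead of once per assignment.
$roleNames = @{}
Get-MgRoleManagementDirectoryRoleDefinition -All | ForEach-Object { $roleNames[$_.Id] = $_.DisplayName }

# Turn a principal object ID into "name [type]" (user, group or servicePrincipal).
function Get-PrincipalLabel {
    param([Parameter(Mandatory)][string]$PrincipalId)
    $obj = Get-MgDirectoryObject -DirectoryObjectId $PrincipalId -ErrorAction SilentlyContinue
    if (-not $obj) { return "$PrincipalId (not found, possibly deleted)" }
    $type = $obj.AdditionalProperties['@odata.type'] -replace '#microsoft.graph.', ''
    $name = $obj.AdditionalProperties['userPrincipalName']
    if (-not $name) { $name = $obj.AdditionalProperties['displayName'] }
    return "$name [$type]"
}

$inventory = @()

# Active assignments. AssignmentType is 'Assigned' for standing access and 'Activated' for a
# PIM activation in progress; a missing EndDateTime means the assignment is permanent.
Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -All | ForEach-Object {
    $inventory += [pscustomobject]@{
        Role       = $roleNames[$_.RoleDefinitionId]
        Principal  = Get-PrincipalLabel -PrincipalId $_.PrincipalId
        Kind       = "Active/$($_.AssignmentType)"
        MemberType = $_.MemberType            # Direct, or Group when inherited via a role-assignable group
        Permanent  = -not $_.EndDateTime
        Expires    = $_.EndDateTime
    }
}

# Eligible assignments are the ones already under PIM.
Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -All | ForEach-Object {
    $inventory += [pscustomobject]@{
        Role       = $roleNames[$_.RoleDefinitionId]
        Principal  = Get-PrincipalLabel -PrincipalId $_.PrincipalId
        Kind       = 'Eligible'
        MemberType = $_.MemberType
        Permanent  = -not $_.EndDateTime
        Expires    = $_.EndDateTime
    }
}

$inventory | Sort-Object Role, Kind, Principal | Format-Table -AutoSize
$inventory | Export-Csv -Path '.\pim-inventory.csv' -NoTypeInformation   # placeholder path

# Per-role summary: how many standing (permanent active) assignments still need converting
# versus how many principals are already eligible.
$inventory | Group-Object Role | ForEach-Object {
    [pscustomobject]@{
        Role            = $_.Name
        PermanentActive = @($_.Group | Where-Object { $_.Kind -eq 'Active/Assigned' -and $_.Permanent }).Count
        Eligible        = @($_.Group | Where-Object { $_.Kind -eq 'Eligible' }).Count
    }
} | Sort-Object PermanentActive -Descending | Format-Table -AutoSize
```

Rows with MemberType Group are inherited through a role-assignable group and have to be dealt with in Step 5 rather than per user; rows whose principal type is servicePrincipal belong to Step 6.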

Create a working list:

| Role Name | Current Active Assignments | Already Using PIM? | Priority |
|-----------|----------------------------|--------------------|----------|
| Global Administrator | [Count] | Yes/No | Tier 1 |
| Privileged Role Administrator | [Count] | Yes/No | Tier 1 |
| ... | ... | ... | ... |

Step 2: Configure PIM Settings for Tier 1 Roles

Start with the highest-risk roles and configure PIM settings before converting assignments.

For Global Administrator:

  1. Go to Identity governance > Privileged Identity Management
  2. Click Microsoft Entra roles
  3. Click Roles and select Global Administrator
  4. Click Role settings (or Settings)
  5. Click Edit

Configure the Activation tab:

| Setting | Recommended Value |
|---------|-------------------|
| Activation maximum duration | 4-8 hours (4 for Global Administrator) |
| On activation, require | Azure MFA (or a Conditional Access authentication context, if you already gate admin access with one) |
| Require justification on activation | Yes |
| Require ticket information on activation | Optional (enable if you use an ITSM system) |
| Require approval to activate | Yes for Global Administrator |

If requiring approval, click Select approvers:

  • Add 2-3 trusted senior admins or security personnel
  • These users will receive activation requests

Configure the Assignment tab:

| Setting | Recommended Value |
|---------|-------------------|
| Allow permanent eligible assignment | Yes for staff; No for contractors, so their eligibility expires |
| Expire eligible assignments after | 1 year (the longest option; applies when permanent eligibility is not allowed) |
| Allow permanent active assignment | Yes. This must stay enabled so the emergency access accounts can remain permanently active; every other active assignment is still converted or time-bound in Step 4, and the verification checklist catches drift |
| Expire active assignments after | 15 days (the shortest option offered). This bounds admin-created active assignments only; activation length is governed by the Activation tab |
| Require Azure MFA on active assignment | Yes |
| Require justification on active assignment | Yes |

Configure the Notification tab:

| Notification Type | Additional Recipients |
|-------------------|-----------------------|
| Send notifications when members are assigned as eligible to this role | Security team |
| Send notifications when members are assigned as active to this role | Security team |
| Send notifications when eligible members activate this role | Security team |

Then click Update.

Repeat for other Tier 1 roles, adjusting settings as appropriate:

| Role | Approval Required? | Max Duration | Notes |
|------|--------------------|--------------|-------|
| Privileged Role Administrator | Yes | 4 hours | Can grant itself or anyone Global Administrator |
| Privileged Authentication Administrator | Yes | 4 hours | Can reset any user's credentials, admins included |
| Security Administrator | Yes | 8 hours | Broad access |
| Exchange Administrator | Optional | 8 hours | Email sensitivity |
| SharePoint Administrator | Optional | 8 hours | File access |

Step 3: Configure PIM Settings for Tier 2 Roles

For Tier 2 roles, approval may be optional but MFA and justification should be required:

  1. Navigate to each role in PIM > Microsoft Entra roles > Roles
  2. Click Role settings > Edit
  3. Configure:

| Setting | Tier 2 Recommendation |
|---------|-----------------------|
| Activation maximum duration | 8 hours |
| Require Azure MFA | Yes |
| Require justification | Yes |
| Require approval | Optional (organization-specific) |

  4. Click Update
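Clicking through Role settings for a dozen roles is slow and easy to get subtly inconsistent. The script below, added here as an example and not part of the original guide, applies the Tier 1 and Tier 2 settings from Steps 2 and 3 through the Microsoft Graph role-management policy API, so every role in a tier ends up with identical rules. It assumes the Microsoft.Graph PowerShell SDK is installed, that the caller holds Privileged Role Administrator, and that the approver object IDs are placeholders to replace with your own. The rule IDs (Expiration_EndUser_Assignment, Enablement_EndUser_Assignment, Approval_EndUser_Assignment, Expiration_Admin_Eligibility, Expiration_Admin_Assignment, Enablement_Admin_Assignment) are the fixed IDs Graph uses for the corresponding portal settings.

```powershell
# Added example (not from the original guide): apply PIM role settings per tier via Microsoft Graph.
Connect-MgGraph -Scopes 'RoleManagementPolicy.ReadWrite.Directory', 'RoleManagement.Read.Directory' -NoWelcome

function Set-PimRoleSettings {
    param(
        [Parameter(Mandatory)][string]$RoleName,
        [Parameter(Mandatory)][string]$MaxActivation,   # ISO 8601 duration: PT4H, PT8H
        [string[]]$ApproverUserIds = @(),               # empty = no approval required
        [string]$MaxActiveAssignment = 'P15D'           # shortest "expire active assignments after" option
    )
    $role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$RoleName'"
    if (-not $role) { throw "Role '$RoleName' not found" }

    # Each role has its own policy; find it via the tenant-wide ('/') policy assignment for the role.
    $policyId = (Get-MgPolicyRoleManagementPolicyAssignment -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$($role.Id)'").PolicyId

    # Approval setting: attach an approval stage only when approvers were supplied.
    $approval = @{ isApprovalRequired = ($ApproverUserIds.Count -gt 0) }
    if ($ApproverUserIds.Count -gt 0) {
        $approval.approvalStages = @(@{
            approvalStageTimeOutInDays      = 1
            isApproverJustificationRequired = $true
            escalationTimeInMinutes         = 0
            primaryApprovers                = @($ApproverUserIds | ForEach-Object {
                @{ '@odata.type' = '#microsoft.graph.singleUser'; userId = $_ } })
        })
    }

    $rules = @(
        # Activation tab: maximum activation duration
        @{ '@odata.type' = '#microsoft.graph.unifiedRoleManagementPolicyExpirationRule'
           id = 'Expiration_EndUser_Assignment'; isExpirationRequired = $true; maximumDuration = $MaxActivation },
        # Activation tab: require MFA and justification on activation
        @{ '@odata.type' = '#microsoft.graph.unifiedRoleManagementPolicyEnablementRule'
           id = 'Enablement_EndUser_Assignment'; enabledRules = @('MultiFactorAuthentication', 'Justification') },
        # Activation tab: approval
        @{ '@odata.type' = '#microsoft.graph.unifiedRoleManagementPolicyApprovalRule'
           id = 'Approval_EndUser_Assignment'; setting = $approval },
        # Assignment tab: permanent eligible allowed, otherwise 1 year
        @{ '@odata.type' = '#microsoft.graph.unifiedRoleManagementPolicyExpirationRule'
           id = 'Expiration_Admin_Eligibility'; isExpirationRequired = $false; maximumDuration = 'P365D' },
        # Assignment tab: permanent active must stay allowed for emergency access accounts;
        # all other active assignments are bounded by $MaxActiveAssignment
        @{ '@odata.type' = '#microsoft.graph.unifiedRoleManagementPolicyExpirationRule'
           id = 'Expiration_Admin_Assignment'; isExpirationRequired = $false; maximumDuration = $MaxActiveAssignment },
        # Assignment tab: MFA and justification when an admin creates an active assignment
        @{ '@odata.type' = '#microsoft.graph.unifiedRoleManagementPolicyEnablementRule'
           id = 'Enablement_Admin_Assignment'; enabledRules = @('MultiFactorAuthentication', 'Justification') }
    )
    foreach ($rule in $rules) {
        Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
            -UnifiedRoleManagementPolicyRuleId $rule.id -BodyParameter $rule
    }
    Write-Host "Updated $RoleName (max activation $MaxActivation, approval required: $($approval.isApprovalRequired))"
}

# Tier 1: approval required; durations follow the Tier 1 table in Step 2.
$approvers = @('<approver-1-object-id>', '<approver-2-object-id>')   # placeholder user object IDs
$tier1 = [ordered]@{
    'Global Administrator'                    = 'PT4H'
    'Privileged Role Administrator'           = 'PT4H'
    'Privileged Authentication Administrator' = 'PT4H'
    'Security Administrator'                  = 'PT8H'
    'Exchange Administrator'                  = 'PT8H'
    'SharePoint Administrator'                = 'PT8H'
}
foreach ($name in $tier1.Keys) { Set-PimRoleSettings -RoleName $name -MaxActivation $tier1[$name] -ApproverUserIds $approvers }

# Tier 2: MFA and justification, no approval, 8-hour maximum.
$tier2 = 'User Administrator', 'Application Administrator', 'Cloud Application Administrator',
         'Intune Administrator', 'Authentication Administrator', 'Groups Administrator'
foreach ($name in $tier2) { Set-PimRoleSettings -RoleName $name -MaxActivation 'PT8H' }
```

Run it once, then open Role settings for one role in each tier in the portal and confirm the tabs show what you expect before converting any assignments; the notification recipients from the Notification tab are left to the portal here.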

Step 4: Convert Active Assignments to Eligible

Now convert existing permanent (active) assignments to eligible. Create the eligible assignment first and remove the active one only once it exists; doing it the other way round leaves a window in which the admin has no path to the role at all, and if the account being converted is your own, a mistake locks you out of PIM administration.

For each role, starting with Tier 1:

  1. Go to Roles & administrators > click the role name
  2. Click the Assignments tab
  3. In the Active assignments section, identify users to convert (skip emergency access accounts and any service principals; see Step 6)

For each user (except emergency access accounts):

  1. Click + Add assignments
  2. Click Select member(s) and select the user
  3. Click Next
  4. Select Eligible as the assignment type
  5. Configure eligibility duration (typically Permanently eligible)
  6. Click Assign and confirm the user now appears under Eligible assignments
  7. Back in Active assignments, click ... next to the same user
  8. Click Remove to remove the active assignment

Convert your own account last, after the activation test in Step 7 has succeeded for at least one other converted account. Active assignments with member type Group are inherited through a role-assignable group and cannot be removed per user here; handle them in Step 5.

Important: Keep emergency access accounts as permanently active - do NOT convert these to eligible.
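The same conversion, scripted so it is done in the safe order for every standing assignment on a role, is shown below. This is an added example and not part of the original guide; it assumes the Microsoft.Graph PowerShell SDK is installed, that the caller holds Privileged Role Administrator, and that the emergency access account UPNs are placeholders for your own. It skips emergency access accounts, group-inherited assignments and service principals, and it only removes an active assignment after confirming the eligible one was created.

```powershell
# Added example (not from the original guide): convert standing active assignments to eligible,
# eligible first, remove second, with emergency access accounts left untouched.
Connect-MgGraph -Scopes 'RoleEligibilitySchedule.ReadWrite.Directory',
                        'RoleAssignmentSchedule.ReadWrite.Directory',
                        'Directory.Read.All' -NoWelcome

# Placeholder emergency access accounts (assumption): these are never converted.
$breakGlass    = @('emergency.access.1@domain.onmicrosoft.com', 'emergency.access.2@domain.onmicrosoft.com')
$breakGlassIds = $breakGlass | ForEach-Object { (Get-MgUser -UserId $_).Id }

function Convert-ActiveToEligible {
    param([Parameter(Mandatory)][string]$RoleName)
    $role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$RoleName'"
    if (-not $role) { throw "Role '$RoleName' not found" }

    # Standing assignments only: direct (not group-inherited), not an in-progress activation, no end date.
    $standing = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -Filter "roleDefinitionId eq '$($role.Id)'" -All |
        Where-Object { $_.AssignmentType -eq 'Assigned' -and $_.MemberType -eq 'Direct' -and -not $_.EndDateTime }

    foreach ($a in $standing) {
        if ($breakGlassIds -contains $a.PrincipalId) {
            Write-Host "Keeping emergency access account $($a.PrincipalId) permanently active on $RoleName"
            continue
        }
        $principal = Get-MgDirectoryObject -DirectoryObjectId $a.PrincipalId
        if ($principal.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') {
            Write-Warning "Skipping $($a.PrincipalId): not a user (service principals cannot be eligible, see Step 6)"
            continue
        }
        $upn = $principal.AdditionalProperties['userPrincipalName']

        # 1. Create the permanently eligible assignment.
        New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter @{
            action           = 'adminAssign'
            justification    = 'PA-04: converting standing assignment to PIM eligible'
            roleDefinitionId = $role.Id
            directoryScopeId = '/'
            principalId      = $a.PrincipalId
            scheduleInfo     = @{
                startDateTime = (Get-Date).ToUniversalTime()
                expiration    = @{ type = 'noExpiration' }
            }
        } | Out-Null

        # 2. Verify it exists before touching the active assignment.
        $eligible = Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter "principalId eq '$($a.PrincipalId)' and roleDefinitionId eq '$($role.Id)'"
        if (-not $eligible) {
            Write-Warning "Eligible assignment for $upn on $RoleName not found; leaving active assignment in place"
            continue
        }

        # 3. Only now remove the standing active assignment.
        New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter @{
            action           = 'adminRemove'
            justification    = 'PA-04: standing assignment removed after eligible assignment was created'
            roleDefinitionId = $role.Id
            directoryScopeId = '/'
            principalId      = $a.PrincipalId
        } | Out-Null
        Write-Host "Converted $upn on $RoleName to eligible"
    }
}

# Tier 1 first; the roles are taken from the tier table in this guide.
'Global Administrator', 'Privileged Role Administrator', 'Privileged Authentication Administrator',
'Security Administrator', 'Exchange Administrator', 'SharePoint Administrator' |
    ForEach-Object { Convert-ActiveToEligible -RoleName $_ }
```

Run this from an account that is not itself on the list being converted, or convert the roles your own account holds last; a Privileged Role Administrator who removes their own standing assignment before their eligible one is confirmed has to fall back on an emergency access account.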

Step 5: Handle Group-Based Role Assignments

If roles are assigned to groups, you have two options:

Option A: Convert to PIM for Groups (Recommended)

Only role-assignable groups can hold Microsoft Entra roles, and that property can only be set when a group is created, so an ordinary group cannot be switched in place; if the current group is not role-assignable, create a new one.

  1. Go to Identity governance > Privileged Identity Management
  2. Click Groups
  3. Find the role-assignable group assigned to the role (or create a new role-assignable group, assign it the role, and move the members across)
  4. Click the group, then Settings
  5. Configure member and owner eligibility requirements, matching the MFA, justification and approval settings of the role's tier (owners can add members, so they need the same protection)
  6. Change the members from active to eligible, in the same order as Step 4; users will now need to activate group membership, which grants the role for the activation period

Option B: Replace with Individual Assignments

  1. Document current group members
  2. Remove the group from the role
  3. Add each member individually as eligible

Step 6: Configure PIM for Service Principals (If Applicable)

If you have service principals with privileged roles:

  1. Evaluate whether the directory role is truly needed
  2. Consider a managed identity, or an app registration granted only narrowly scoped Microsoft Graph application permissions, instead of a directory role
  3. If the role is required, document the business justification
  4. PIM does not offer eligible assignments for service principals, so the assignment has to be active
  5. Make it time-bound: set an expiration date on the assignment and record it in the exceptions table in Step 8 so it is renewed deliberately rather than silently

Step 7: Test Activation Workflow

Have each affected user test the activation process:

  1. User navigates to entra.microsoft.com > Identity governance > Privileged Identity Management
  2. Click My roles
  3. Find their eligible role under Microsoft Entra roles
  4. Click Activate
  5. Select duration (up to the maximum configured)
  6. Enter justification
  7. Complete MFA challenge
  8. If approval required, wait for approval

As an approver, test the approval workflow:

  1. Navigate to Privileged Identity Management > Approve requests
  2. Review pending requests
  3. Approve or deny with reason
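The requester half of this test can also be driven through Microsoft Graph, which is useful when many users need to verify their eligible roles or when you want to confirm that MFA, justification and approval are actually enforced rather than just configured. The script below is an added example and not part of the original guide; it assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in user holds an eligible assignment for the role named in the call, and the role name, duration and justification are placeholders.

```powershell
# Added example (not from the original guide): self-activate an eligible role and wait for approval.
Connect-MgGraph -Scopes 'RoleAssignmentSchedule.ReadWrite.Directory', 'User.Read' -NoWelcome

function Request-PimActivation {
    param(
        [Parameter(Mandatory)][string]$RoleName,
        [string]$Duration      = 'PT2H',      # must not exceed the role's activation maximum
        [string]$Justification = 'PA-04 Step 7: testing PIM activation workflow',
        [string]$TicketNumber                 # only needed where ticket information is required
    )
    $me   = Get-MgUser -UserId (Get-MgContext).Account
    $role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$RoleName'"
    if (-not $role) { throw "Role '$RoleName' not found" }

    $body = @{
        action           = 'selfActivate'
        principalId      = $me.Id
        roleDefinitionId = $role.Id
        directoryScopeId = '/'
        justification    = $Justification
        scheduleInfo     = @{
            startDateTime = (Get-Date).ToUniversalTime()
            expiration    = @{ type = 'afterDuration'; duration = $Duration }
        }
    }
    if ($TicketNumber) { $body.ticketInfo = @{ ticketNumber = $TicketNumber; ticketSystem = 'ITSM' } }

    # This call is rejected if the session lacks the MFA claim the role policy demands
    # (sign in with MFA first), if the duration exceeds the maximum, or if no eligible assignment exists.
    $req = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $body

    # With approval required the request sits in PendingApproval until an approver acts in
    # PIM > Approve requests; without approval it moves to Provisioned on its own.
    $status   = $req.Status
    $deadline = (Get-Date).AddMinutes(10)
    while ($status -eq 'PendingApproval' -and (Get-Date) -lt $deadline) {
        Start-Sleep -Seconds 30
        $status = (Get-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -UnifiedRoleAssignmentScheduleRequestId $req.Id).Status
    }
    [pscustomobject]@{ Role = $RoleName; RequestId = $req.Id; Status = $status; Duration = $Duration }
}

# Placeholder call: a Tier 2 role without approval should come back Provisioned; a Tier 1 role
# should come back PendingApproval until the approver test above is completed.
Request-PimActivation -RoleName 'Exchange Administrator' -Duration 'PT1H'
```

A useful negative test is to request a duration longer than the configured maximum, or to run the script from a session that signed in without MFA: both must fail, and if either succeeds the role settings are not what Step 2 intended.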

Step 8: Document the Implementation

Create documentation for your team:

## PIM Implementation Summary - [Date]

### Roles Enabled for PIM

| Role | Approval Required | Max Duration | Approvers |
|------|------------------|--------------|-----------|
| Global Administrator | Yes | 4 hours | [Names] |
| Privileged Role Administrator | Yes | 4 hours | [Names] |
| Security Administrator | Yes | 8 hours | [Names] |
| Exchange Administrator | No | 8 hours | N/A |
| [Continue for all roles...] | | | |

### Exceptions (Permanent Active Assignments)

| Account | Role | Justification |
|---------|------|---------------|
| emergency.access.1@domain.onmicrosoft.com | Global Admin | Emergency access |
| emergency.access.2@domain.onmicrosoft.com | Global Admin | Emergency access |
| [service principal, if any] | [role] | [justification] |

### User Communication
- All affected users notified on [date]
- Training provided on [date]
- Documentation shared at [location]

Verification Checklist

  • All Tier 1 (critical) roles are configured in PIM with approval required
  • All Tier 2 (high-risk) roles are configured in PIM with MFA and justification
  • All Tier 3 (moderate-risk) roles are configured in PIM
  • No permanent active assignments exist except emergency access accounts
  • Approval workflows are tested and working
  • Notification settings are configured for security team
  • All affected users have tested activation successfully
  • Documentation is complete and stored
  • Monitoring is in place for activation events
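Two of the checklist items, no permanent active assignments outside the emergency access accounts and monitoring of activation events, can be checked from a script and re-run on a schedule so that drift is caught rather than assumed away. The following is an added example, not part of the original guide; it assumes the Microsoft.Graph PowerShell SDK is installed, that the caller can consent to the read scopes used, and that the emergency access account UPNs are placeholders for your own.

```powershell
# Added example (not from the original guide): verify PIM coverage and pull recent PIM audit events.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'AuditLog.Read.All', 'Directory.Read.All' -NoWelcome

# Placeholder allow-list (assumption): the only principals permitted to hold permanent active roles.
$allowedPermanent = @('emergency.access.1@domain.onmicrosoft.com', 'emergency.access.2@domain.onmicrosoft.com')
$allowedIds       = $allowedPermanent | ForEach-Object { (Get-MgUser -UserId $_).Id }

$roleNames = @{}
Get-MgRoleManagementDirectoryRoleDefinition -All | ForEach-Object { $roleNames[$_.Id] = $_.DisplayName }

# Check 1: standing assignments with no end date whose principal is not an emergency access account.
function Get-PermanentActiveDrift {
    Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -All |
        Where-Object { $_.AssignmentType -eq 'Assigned' -and -not $_.EndDateTime -and $allowedIds -notcontains $_.PrincipalId } |
        ForEach-Object {
            [pscustomobject]@{
                Role        = $roleNames[$_.RoleDefinitionId]
                PrincipalId = $_.PrincipalId
                MemberType  = $_.MemberType    # Group = inherited through a role-assignable group
            }
        }
}

$drift = @(Get-PermanentActiveDrift)
if ($drift.Count -gt 0) {
    Write-Warning "Permanent active assignments outside the emergency access exception:"
    $drift | Format-Table -AutoSize
} else {
    Write-Host "OK: no permanent active assignments except the emergency access accounts"
}

# Check 2: PIM activity in the audit log for the last 7 days. Activations show up as
# 'Add member to role completed (PIM activation)'; assignments made outside PIM carry
# 'outside of PIM' in the activity name and are the ones worth alerting on.
$since  = (Get-Date).AddDays(-7).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$events = Get-MgAuditLogDirectoryAudit -Filter "category eq 'RoleManagement' and activityDateTime ge $since" -All |
    Where-Object { $_.ActivityDisplayName -like '*PIM*' } |
    Select-Object ActivityDateTime, ActivityDisplayName, Result,
        @{ n = 'Initiator'; e = { $_.InitiatedBy.User.UserPrincipalName } },
        @{ n = 'Targets';   e = { ($_.TargetResources | ForEach-Object { $_.DisplayName }) -join ', ' } }

$events | Sort-Object ActivityDateTime -Descending | Format-Table -AutoSize

$outsidePim = @($events | Where-Object { $_.ActivityDisplayName -like '*outside of PIM*' })
if ($outsidePim.Count -gt 0) { Write-Warning "$($outsidePim.Count) role assignment(s) were made outside PIM in the last 7 days" }
```

The first check is the one to run after every role conversion and on a weekly schedule; the second is a starting point for an alert rule, with the "outside of PIM" events as the highest-priority signal because they mean someone bypassed the just-in-time process entirely.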

Troubleshooting

"User can't find their eligible roles in PIM"

  1. Verify the user has an Entra ID P2 license assigned
  2. Check that the eligible assignment was created correctly:
    • Go to the role > Assignments > Eligible assignments
    • Verify user is listed
  3. Check eligibility dates haven't expired
  4. Have user clear browser cache and try again

"Activation requests aren't being received by approvers"

  1. Verify approvers are correctly configured in role settings
  2. Check approvers have P2 licenses
  3. Verify notification settings are enabled
  4. Check spam/junk folders for approval emails
  5. Approvers can also check PIM > Approve requests directly

"Approval is taking too long and user needs access now"

Options:

  1. Any configured approver can approve in PIM > Approve requests
  2. A Global Admin can grant a temporary active assignment (with documented justification)
  3. Review if the role truly requires approval, or if MFA + justification is sufficient

"I accidentally removed an emergency account's active assignment"

  1. Immediately go to Roles & administrators > Global Administrator
  2. Click + Add assignments
  3. Select the emergency access account
  4. Assign as Active with Permanently assigned
  5. Document the incident

"Users are activating roles too frequently"

  1. Review if the activation duration is too short
  2. Consider extending from 4 hours to 8 hours
  3. Evaluate if users actually need the role or if a less-privileged role suffices
  4. Consider group-based access for recurring needs

Cost Considerations

| Component | Cost Impact |
|-----------|-------------|
| Entra ID P2 licenses | Required for all users with eligible role assignments. ~$9/user/month standalone, or included in M365 E5/EMS E5 |
| License calculation | Count distinct users across all eligible assignments; a user eligible for several roles needs only one license |

License Optimization Tips:

  • Only assign P2 to users with PIM-eligible roles
  • Use security groups to manage license assignment
  • Consider P2 only for IT/admin staff, not all users

Example calculation:

  • 5 Global Admin eligible users
  • 10 User Admin eligible users (3 of them already counted as Global Admins)
  • 8 Exchange Admin eligible users (5 of them already counted above)
  • Unique users: 5 + 7 + 3 = 15, so 15 x $9 = $135/month

Related Controls

Additional Resources