PA-04: Enabling PIM for All Privileged Roles
Overview
This guide walks you through implementing Privileged Identity Management (PIM) for all privileged administrative roles in your tenant, not just Global Administrator. After implementation, all privileged access will be just-in-time, requiring explicit activation with justification, time limits, and optional approval workflows.
Why This Matters: Global Administrator is just one of many powerful roles. Roles like Privileged Role Administrator, Exchange Administrator, and User Administrator also carry significant risk. PIM ensures all privileged access is time-bound and auditable, reducing the attack surface across your entire admin population.
Prerequisites
| Requirement | Details |
|---|---|
| Role Required | Global Administrator or Privileged Role Administrator |
| License Required | Microsoft Entra ID P2 (or Microsoft Entra ID Governance) for every user who holds an eligible or time-bound assignment, activates a role, or approves activations |
| Access | Microsoft Entra admin center |
| Completed Prerequisites | PA-03: Emergency access accounts must exist before starting |
Time Estimate
60-90 minutes for initial implementation, plus ongoing time for each role configuration
- Planning and inventory: 15 minutes
- Converting Global Admin (if not done): 15 minutes
- Converting other critical roles: 30-45 minutes
- Configuring role settings: 15-20 minutes
- Testing and documentation: 15 minutes
Roles to Enable for PIM
Tier 1: Critical Roles (Require approval for activation)
| Role | Risk Level | Why Critical |
|---|---|---|
| Global Administrator | Highest | Full tenant control |
| Privileged Role Administrator | Highest | Can grant any role to anyone |
| Privileged Authentication Administrator | Critical | Can reset passwords and MFA methods for any user, including Global Administrators |
| Security Administrator | High | Broad security control |
| Exchange Administrator | High | Full mailbox access |
| SharePoint Administrator | High | All file/site access |
Tier 2: High-Risk Roles (MFA + justification required)
| Role | Risk Level | Why High Risk |
|---|---|---|
| User Administrator | High | Can create/modify all users |
| Application Administrator | High | Can modify any app registration |
| Cloud Application Administrator | High | Enterprise app management |
| Intune Administrator | High | Device management control |
| Authentication Administrator | Medium-High | Can reset passwords and re-register MFA methods for non-admin users |
| Groups Administrator | Medium | Group membership changes |
Tier 3: Moderate-Risk Roles (Justification required)
| Role | Risk Level | Notes |
|---|---|---|
| Helpdesk Administrator | Medium | Limited password reset |
| License Administrator | Medium | License assignment |
| Reports Reader | Low-Medium | Audit log access |
| Directory Readers | Low | Read-only access |
Step-by-Step Instructions
Step 1: Inventory Current Privileged Role Assignments
- Navigate to entra.microsoft.com
- Go to Identity > Roles & administrators > Roles
- Click Download assignments (the export covers every role)
- Save the export for reference
Create a working list:
| Role Name | Current Active Assignments | Already Using PIM? | Priority |
|---|---|---|---|
| Global Administrator | [Count] | Yes/No | Tier 1 |
| Privileged Role Administrator | [Count] | Yes/No | Tier 1 |
| ... | ... | ... | ... |
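The inventory in Step 1 is easier to keep accurate from a script than from the portal export. The block below is an added example (not part of this guide or of Microsoft's documentation) that uses the Microsoft Graph PowerShell SDK: it lists every active and eligible directory role assignment as PIM sees it, flags standing assignments that Step 4 must convert, flags group and service principal assignments for Steps 5 and 6, and counts the unique eligible users that drive the license estimate under Cost Considerations. The break-glass UPNs are placeholders for the accounts created in PA-03.

```powershell
# Added example (not part of the original guide): export every directory role
# assignment the way PIM sees it, flagging the ones PA-04 must convert.
# Requires the Microsoft.Graph module (Install-Module Microsoft.Graph).
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All' -NoWelcome

# Assumption: placeholder UPNs; replace with the emergency access accounts from PA-03.
$breakGlass = @(
    'emergency.access.1@domain.onmicrosoft.com',
    'emergency.access.2@domain.onmicrosoft.com'
)

# Role definition id -> display name, so the export shows names rather than GUIDs
$roleNames = @{}
Get-MgRoleManagementDirectoryRoleDefinition -All |
    ForEach-Object { $roleNames[$_.Id] = $_.DisplayName }

# Active instances cover standing assignments and current PIM activations;
# eligibility instances are the assignments that already go through PIM.
$active   = @(Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -All)
$eligible = @(Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -All)

# Resolve principal ids in batches (getByIds accepts up to 1000 ids per call)
$principals = @{}
$ids = @(@($active.PrincipalId) + @($eligible.PrincipalId) | Where-Object { $_ } | Sort-Object -Unique)
for ($i = 0; $i -lt $ids.Count; $i += 1000) {
    $chunk = $ids[$i..([Math]::Min($i + 999, $ids.Count - 1))]
    foreach ($obj in Get-MgDirectoryObjectById -Ids $chunk) {
        $props = $obj.AdditionalProperties
        $principals[$obj.Id] = [pscustomobject]@{
            Type = ($props['@odata.type'] -replace '^#microsoft\.graph\.', '')   # user, group, servicePrincipal
            Name = if ($props['userPrincipalName']) { $props['userPrincipalName'] } else { $props['displayName'] }
        }
    }
}

# What the guide has to do with each assignment
function Get-Flag($principal, $isActive, $assignmentType, $endDate) {
    if ($principal.Type -eq 'group')            { return 'GROUP (Step 5)' }
    if ($principal.Type -eq 'servicePrincipal') { return 'SERVICE PRINCIPAL (Step 6)' }
    if ($principal.Name -in $breakGlass)        { return 'BREAK-GLASS (keep active)' }
    if ($isActive -and $assignmentType -eq 'Assigned' -and -not $endDate) { return 'CONVERT TO ELIGIBLE (Step 4)' }
    return ''
}

$rows = @(
    foreach ($a in $active) {
        $p = $principals[$a.PrincipalId]
        [pscustomobject]@{
            Role       = $roleNames[$a.RoleDefinitionId]
            Principal  = $p.Name
            Type       = $p.Type
            Assignment = 'Active'
            Origin     = $a.AssignmentType     # Assigned = standing, Activated = via PIM
            Via        = $a.MemberType         # Direct or Group
            Scope      = $a.DirectoryScopeId   # '/' is tenant-wide, otherwise an administrative unit
            Expires    = $a.EndDateTime        # empty = permanent
            Flag       = Get-Flag $p $true $a.AssignmentType $a.EndDateTime
        }
    }
    foreach ($e in $eligible) {
        $p = $principals[$e.PrincipalId]
        [pscustomobject]@{
            Role       = $roleNames[$e.RoleDefinitionId]
            Principal  = $p.Name
            Type       = $p.Type
            Assignment = 'Eligible'
            Origin     = 'Eligible'
            Via        = $e.MemberType
            Scope      = $e.DirectoryScopeId
            Expires    = $e.EndDateTime
            Flag       = Get-Flag $p $false '' $null
        }
    }
)
$rows | Export-Csv -Path .\pim-inventory.csv -NoTypeInformation

# Working list for Step 1: per role, standing assignments left and whether PIM is already in use
$rows | Group-Object Role | ForEach-Object {
    [pscustomobject]@{
        Role            = $_.Name
        StandingActive  = @($_.Group | Where-Object { $_.Flag -like 'CONVERT*' }).Count
        EligibleAlready = @($_.Group | Where-Object { $_.Assignment -eq 'Eligible' }).Count
        NeedsAttention  = @($_.Group | Where-Object { $_.Flag -match 'GROUP|SERVICE' }).Count
    }
} | Sort-Object StandingActive -Descending | Format-Table -AutoSize

# Unique users holding at least one eligible assignment: the P2 count under Cost Considerations
$licensed = @($rows | Where-Object { $_.Assignment -eq 'Eligible' -and $_.Type -eq 'user' } |
    Select-Object -ExpandProperty Principal -Unique).Count
"Users needing Entra ID P2 for eligible assignments: $licensed"
```

Run it before and after the conversion in Step 4; the second run should show StandingActive at zero for every role except the break-glass rows on Global Administrator.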
Step 2: Configure PIM Settings for Tier 1 Roles
Start with the highest-risk roles and configure PIM settings before converting assignments.
For Global Administrator:
- Go to Identity governance > Privileged Identity Management
- Click Microsoft Entra roles
- Click Roles and select Global Administrator
- Click Role settings (or Settings)
- Click Edit
Configure the Activation tab:
| Setting | Recommended Value |
|---|---|
| Activation maximum duration | 4-8 hours |
| On activation, require | Microsoft Entra ID Multifactor Authentication at minimum. Any MFA the session already satisfied counts, so to force phishing-resistant sign-in for activation choose Conditional Access authentication context instead and bind that context to an authentication strength (see PA-05) |
| Require justification on activation | Yes |
| Require ticket information on activation | Optional (enable if you use ITSM) |
| Require approval to activate | Yes for Global Admin |
If requiring approval, click Select approvers:
- Add 2-3 trusted senior admins or security personnel; approvers do not need to hold the role themselves
- A user can never approve their own request, so if the Global Administrators are also the approvers, make sure at least one approver is someone else
- These users will receive activation requests
Configure the Assignment tab:
| Setting | Recommended Value |
|---|---|
| Allow permanent eligible assignment | Yes |
| Expire eligible assignments after | 1 year (the longest option; 3-6 months for contractors). This governs time-bound eligibility only; permanent eligibility is controlled by the checkbox above |
| Allow permanent active assignment | Yes on Global Administrator only, because the setting is per role and all-or-nothing and the PA-03 emergency access accounts must stay permanently active; No on every other role |
| Expire active assignments after | 15 days (the shortest option). This bounds time-limited active assignments created by an admin; activations are bounded by the Activation maximum duration above, not by this setting |
| Require Azure MFA on active assignment | Yes |
| Require justification on active assignment | Yes |
Configure the Notification tab:
| Notification Type | Recipients |
|---|---|
| Send notifications when members are assigned as eligible | Security team |
| Send notifications when members are assigned as active | Security team |
| Send notifications when eligible members activate | Security team |
- Click Update
Repeat for other Tier 1 roles, adjusting settings as appropriate:
| Role | Approval Required? | Max Duration | Notes |
|---|---|---|---|
| Privileged Role Administrator | Yes | 4 hours | Very sensitive |
| Privileged Authentication Administrator | Yes | 4 hours | Can reset any creds |
| Security Administrator | Yes | 8 hours | Broad access |
| Exchange Administrator | Optional | 8 hours | Email sensitivity |
| SharePoint Administrator | Optional | 8 hours | File access |
Step 3: Configure PIM Settings for Tier 2 Roles
For Tier 2 roles, approval may be optional but MFA and justification should be required:
- Navigate to each role in PIM > Microsoft Entra roles > Roles
- Click Role settings > Edit
- Configure:
| Setting | Tier 2 Recommendation |
|---|---|
| Activation maximum duration | 8 hours |
| Require Azure MFA | Yes |
| Require justification | Yes |
| Require approval | Optional (organization-specific) |
- Click Update
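Steps 2 and 3 set the same handful of policy rules on every role, and settings entered by hand drift. The block below is an added example (not part of this guide or of Microsoft's documentation) that applies the Tier 1 and Tier 2 settings through the Microsoft Graph PowerShell SDK, so every role gets identical rules and the script can be re-run after an audit. The approver UPNs and the tier table are placeholders for your own values; the rule ids (Expiration_EndUser_Assignment, Enablement_EndUser_Assignment, Approval_EndUser_Assignment, Expiration_Admin_Eligibility, Expiration_Admin_Assignment, Enablement_Admin_Assignment) are the well-known ids PIM uses for the Activation and Assignment tab settings.

```powershell
# Added example (not part of the original guide): apply Tier 1 / Tier 2 activation and
# assignment settings to a directory role's PIM policy. Requires the Microsoft.Graph module.
# Assumption: approver UPNs and the tier table below are placeholders.
Connect-MgGraph -Scopes 'RoleManagementPolicy.ReadWrite.Directory', 'User.Read.All' -NoWelcome

function Set-PimRoleSettings {
    param(
        [Parameter(Mandatory)] [string]   $RoleDisplayName,
        [Parameter(Mandatory)] [string]   $ActivationMaxDuration,   # ISO 8601 duration, e.g. PT4H
        [bool]     $RequireApproval = $false,
        [string[]] $ApproverUpns = @(),
        [bool]     $AllowPermanentActive = $false                   # true only where break-glass accounts live
    )
    $role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$RoleDisplayName'"
    if (-not $role) { throw "Role '$RoleDisplayName' not found" }

    # Every directory role has exactly one PIM policy bound at tenant scope ('/')
    $policyId = (Get-MgPolicyRoleManagementPolicyAssignment -Filter `
        "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$($role.Id)'").PolicyId

    # Each rule is updated in place by its well-known id on that policy
    function Set-Rule([string] $RuleId, [hashtable] $Body) {
        $Body['id'] = $RuleId
        Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
            -UnifiedRoleManagementPolicyRuleId $RuleId -BodyParameter $Body | Out-Null
    }

    # Activation tab: maximum duration
    Set-Rule 'Expiration_EndUser_Assignment' @{
        '@odata.type'        = '#microsoft.graph.unifiedRoleManagementPolicyExpirationRule'
        isExpirationRequired = $true
        maximumDuration      = $ActivationMaxDuration
    }
    # Activation tab: MFA and justification on activation (add 'Ticketing' if you use ITSM)
    Set-Rule 'Enablement_EndUser_Assignment' @{
        '@odata.type' = '#microsoft.graph.unifiedRoleManagementPolicyEnablementRule'
        enabledRules  = @('MultiFactorAuthentication', 'Justification')
    }
    # Activation tab: approval. A requester can never approve their own request, so the
    # approver set must contain people other than the role holders themselves.
    $approvers = @(foreach ($upn in $ApproverUpns) {
        @{ '@odata.type' = '#microsoft.graph.singleUser'; userId = (Get-MgUser -UserId $upn).Id }
    })
    Set-Rule 'Approval_EndUser_Assignment' @{
        '@odata.type' = '#microsoft.graph.unifiedRoleManagementPolicyApprovalRule'
        setting = @{
            isApprovalRequired               = $RequireApproval
            isApprovalRequiredForExtension   = $false
            isRequestorJustificationRequired = $true
            approvalMode                     = 'SingleStage'
            approvalStages = @(@{
                approvalStageTimeOutInDays      = 1
                isApproverJustificationRequired = $true
                escalationTimeInMinutes         = 0
                isEscalationEnabled             = $false
                primaryApprovers                = $approvers
                escalationApprovers             = @()
            })
        }
    }
    # Assignment tab: eligible may be permanent; active assignments expire (P15D is the
    # shortest value accepted) unless permanent active is needed for break-glass accounts
    Set-Rule 'Expiration_Admin_Eligibility' @{
        '@odata.type'        = '#microsoft.graph.unifiedRoleManagementPolicyExpirationRule'
        isExpirationRequired = $false
        maximumDuration      = 'P365D'
    }
    Set-Rule 'Expiration_Admin_Assignment' @{
        '@odata.type'        = '#microsoft.graph.unifiedRoleManagementPolicyExpirationRule'
        isExpirationRequired = -not $AllowPermanentActive
        maximumDuration      = 'P15D'
    }
    # Assignment tab: MFA and justification when an admin creates an active assignment
    Set-Rule 'Enablement_Admin_Assignment' @{
        '@odata.type' = '#microsoft.graph.unifiedRoleManagementPolicyEnablementRule'
        enabledRules  = @('MultiFactorAuthentication', 'Justification')
    }
}

# Assumption: placeholder approvers; pick 2-3 security staff who are not the only role holders
$approvers = @('sec.lead@domain.onmicrosoft.com', 'iam.lead@domain.onmicrosoft.com')
$tiers = @(
    @{ Role = 'Global Administrator';                    Max = 'PT4H'; Approval = $true;  PermActive = $true  }  # break-glass lives here
    @{ Role = 'Privileged Role Administrator';           Max = 'PT4H'; Approval = $true;  PermActive = $false }
    @{ Role = 'Privileged Authentication Administrator'; Max = 'PT4H'; Approval = $true;  PermActive = $false }
    @{ Role = 'Security Administrator';                  Max = 'PT8H'; Approval = $true;  PermActive = $false }
    @{ Role = 'User Administrator';                      Max = 'PT8H'; Approval = $false; PermActive = $false }  # Tier 2
    @{ Role = 'Application Administrator';               Max = 'PT8H'; Approval = $false; PermActive = $false }  # Tier 2
)
foreach ($t in $tiers) {
    Set-PimRoleSettings -RoleDisplayName $t.Role -ActivationMaxDuration $t.Max `
        -RequireApproval $t.Approval -ApproverUpns $approvers -AllowPermanentActive $t.PermActive
    "Configured $($t.Role)"
}
```

Notification settings are left to the portal here; they live in the Notification_* rules of the same policy and are less likely to drift. Run the script under a Privileged Role Administrator, and open the role's Role settings page afterwards to confirm the Activation and Assignment tabs show the values you expect before converting any assignments.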
Step 4: Convert Active Assignments to Eligible
Now convert existing permanent (active) assignments to eligible. Order matters: create the eligible assignment first, confirm it appears, and only then remove the active one, so nobody is ever left without a path back to the role. Leave your own account for last and convert it from a second admin session, after another administrator has confirmed that activation works for them.
For each role, starting with Tier 1:
- Go to Roles & administrators > click the role name
- Click the Assignments tab
- In the Active assignments section, identify the users to convert (group and service principal assignments are handled in Steps 5 and 6)
For each user (except emergency access accounts):
- Click + Add assignments
- Click Select member(s) and select the user
- Click Next
- Select Eligible as the assignment type
- Configure eligibility duration (typically Permanently eligible)
- Click Assign
- Confirm the user now appears under Eligible assignments
- Back in Active assignments, click ... next to the user, then Remove
Important: Keep emergency access accounts as permanently active - do NOT convert these to eligible, and never let the number of permanently active emergency accounts drop below the two created in PA-03.
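For tenants with more than a handful of standing assignments, the conversion in Step 4 is safer scripted than clicked, because the script enforces the ordering (eligible first, then remove active) on every assignment. The block below is an added example (not part of this guide or of Microsoft's documentation) using the Microsoft Graph PowerShell SDK. It only touches direct user assignments with no end date, refuses to touch the break-glass accounts and the account running it, and has a dry-run switch. The break-glass UPNs are placeholders.

```powershell
# Added example (not part of the original guide): convert standing (permanent active)
# direct user assignments on one role to eligible, in the order that never leaves a
# gap: create the eligible assignment, confirm it exists, then remove the active one.
# Requires the Microsoft.Graph module. Assumption: placeholder break-glass UPNs.
Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory', 'Directory.Read.All' -NoWelcome

$breakGlass = @('emergency.access.1@domain.onmicrosoft.com', 'emergency.access.2@domain.onmicrosoft.com')
$operator   = (Get-MgContext).Account   # the account running this; convert it last, by hand

function Convert-StandingAssignmentToEligible {
    param([Parameter(Mandatory)] [string] $RoleDisplayName, [switch] $DryRun)

    $role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$RoleDisplayName'"
    # Standing = assigned by an admin (not a PIM activation), direct (not via a group), no end date
    $standing = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -All `
        -Filter "roleDefinitionId eq '$($role.Id)'" |
        Where-Object { $_.AssignmentType -eq 'Assigned' -and $_.MemberType -eq 'Direct' -and -not $_.EndDateTime }

    foreach ($a in $standing) {
        $obj  = Get-MgDirectoryObjectById -Ids $a.PrincipalId
        $type = $obj.AdditionalProperties['@odata.type']
        $upn  = $obj.AdditionalProperties['userPrincipalName']

        if ($type -ne '#microsoft.graph.user') { Write-Warning "[$RoleDisplayName] skipping $type $($a.PrincipalId) (see Steps 5-6)"; continue }
        if ($upn -in $breakGlass) { Write-Host "[$RoleDisplayName] keeping break-glass $upn permanently active"; continue }
        if ($upn -eq $operator)   { Write-Warning "[$RoleDisplayName] skipping your own account $upn; convert it last"; continue }
        if ($DryRun) { Write-Host "[$RoleDisplayName] would convert $upn (scope $($a.DirectoryScopeId))"; continue }

        # 1. Create the eligible assignment at the same scope, permanently eligible
        $null = New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter @{
            action           = 'adminAssign'
            principalId      = $a.PrincipalId
            roleDefinitionId = $role.Id
            directoryScopeId = $a.DirectoryScopeId
            justification    = "PA-04: convert standing $RoleDisplayName assignment to eligible"
            scheduleInfo     = @{
                startDateTime = (Get-Date).ToUniversalTime().ToString('o')
                expiration    = @{ type = 'noExpiration' }
            }
        }
        # 2. Do not touch the active assignment until the eligibility is visible
        $elig = $null
        foreach ($try in 1..6) {
            $elig = Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -Filter `
                "principalId eq '$($a.PrincipalId)' and roleDefinitionId eq '$($role.Id)'"
            if ($elig) { break }
            Start-Sleep -Seconds 5
        }
        if (-not $elig) { Write-Error "[$RoleDisplayName] eligibility for $upn not visible; active assignment left in place"; continue }

        # 3. Remove the standing active assignment
        $null = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter @{
            action           = 'adminRemove'
            principalId      = $a.PrincipalId
            roleDefinitionId = $role.Id
            directoryScopeId = $a.DirectoryScopeId
            justification    = 'PA-04: replaced by eligible assignment'
        }
        Write-Host "[$RoleDisplayName] $upn converted to eligible"
    }
}

# Dry run first, then the Tier 1 roles in order
Convert-StandingAssignmentToEligible -RoleDisplayName 'Global Administrator' -DryRun
foreach ($r in 'Global Administrator', 'Privileged Role Administrator', 'Security Administrator') {
    Convert-StandingAssignmentToEligible -RoleDisplayName $r
}
```

The eligibility request carries the original assignment's directoryScopeId, so an assignment scoped to an administrative unit stays scoped rather than being widened to the whole tenant by the conversion.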
Step 5: Handle Group-Based Role Assignments
If roles are assigned to groups, you have two options:
Option A: Convert to PIM for Groups (Recommended)
- Go to Identity governance > Privileged Identity Management
- Click Groups
- Find or create the group assigned to the role
- Click the group, then Settings
- Configure member and owner eligibility requirements
- Users will now need to activate group membership
Option B: Replace with Individual Assignments
- Document current group members
- Remove the group from the role
- Add each member individually as eligible
Step 6: Configure PIM for Service Principals (If Applicable)
If you have service principals with privileged roles:
- Evaluate whether the role is truly needed; a directory role gives an application far more than it usually uses
- Prefer a managed identity, or application-level Microsoft Graph permissions scoped to what the workload actually does, over a directory role
- If the role is required, document the business justification
- Service principals cannot activate roles, so they need active (not eligible) assignments; make the assignment time-bound with an end date and restrict it to an administrative unit where the role supports AU scoping
- Record the expiration date so the assignment is renewed deliberately rather than silently extended
Step 7: Test Activation Workflow
Have each affected user test the activation process:
- User navigates to entra.microsoft.com > Identity governance > Privileged Identity Management
- Click My roles
- Find their eligible role under Microsoft Entra roles
- Click Activate
- Select duration (up to the maximum configured)
- Enter justification
- Complete MFA challenge
- If approval required, wait for approval
As an approver, test the approval workflow:
- Navigate to Privileged Identity Management > Approve requests
- Review pending requests
- Approve or deny with reason
Step 8: Document the Implementation
Create documentation for your team:
## PIM Implementation Summary - [Date]
### Roles Enabled for PIM
| Role | Approval Required | Max Duration | Approvers |
|------|------------------|--------------|-----------|
| Global Administrator | Yes | 4 hours | [Names] |
| Privileged Role Administrator | Yes | 4 hours | [Names] |
| Security Administrator | Yes | 8 hours | [Names] |
| Exchange Administrator | No | 8 hours | N/A |
| [Continue for all roles...] | | | |
### Exceptions (Permanent Active Assignments)
| Account | Role | Justification |
|---------|------|---------------|
| emergency.access.1@domain.onmicrosoft.com | Global Admin | Emergency access |
| emergency.access.2@domain.onmicrosoft.com | Global Admin | Emergency access |
| [service principal, if any] | [role] | [justification] |
### User Communication
- All affected users notified on [date]
- Training provided on [date]
- Documentation shared at [location]
Verification Checklist
- All Tier 1 (critical) roles are configured in PIM with approval required
- All Tier 2 (high-risk) roles are configured in PIM with MFA and justification
- All Tier 3 (moderate-risk) roles are configured in PIM
- No permanent active assignments exist except emergency access accounts
- Approval workflows are tested and working
- Notification settings are configured for security team
- All affected users have tested activation successfully
- Documentation is complete and stored
- Monitoring is in place for activation events
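The first three checklist items and the last one can be checked from a script rather than by opening every role. The block below is an added example (not part of this guide or of Microsoft's documentation) using the Microsoft Graph PowerShell SDK: it reads back the PIM policy of each Tier 1 role and flags any that lack approval, MFA or justification on activation, lists activation requests still waiting for an approver, and pulls the last seven days of PIM activations from the directory audit log, which is the feed a monitoring rule for activation events would consume. The Tier 1 role list is taken from this guide; the audit filter assumes the activity names PIM writes, which end in "(PIM activation)".

```powershell
# Added example (not part of the original guide): verify Tier 1 PIM settings, show
# pending approvals, and pull recent PIM activations from the audit log.
# Requires the Microsoft.Graph module.
Connect-MgGraph -Scopes 'RoleManagementPolicy.Read.Directory', 'RoleManagement.Read.Directory', 'AuditLog.Read.All' -NoWelcome

$tier1 = 'Global Administrator', 'Privileged Role Administrator',
         'Privileged Authentication Administrator', 'Security Administrator'

function Test-PimRolePolicy([string] $RoleDisplayName) {
    $role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$RoleDisplayName'"
    $policyId = (Get-MgPolicyRoleManagementPolicyAssignment -Filter `
        "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$($role.Id)'").PolicyId
    # Rule-specific fields (setting, enabledRules, maximumDuration) live in AdditionalProperties
    $rules = @{}
    Get-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId -All |
        ForEach-Object { $rules[$_.Id] = $_.AdditionalProperties }

    $enabled = @($rules['Enablement_EndUser_Assignment']['enabledRules'])
    [pscustomobject]@{
        Role             = $RoleDisplayName
        ApprovalRequired = [bool] $rules['Approval_EndUser_Assignment']['setting']['isApprovalRequired']
        MfaOnActivation  = 'MultiFactorAuthentication' -in $enabled
        Justification    = 'Justification' -in $enabled
        MaxActivation    = $rules['Expiration_EndUser_Assignment']['maximumDuration']
        PermanentActive  = -not $rules['Expiration_Admin_Assignment']['isExpirationRequired']
    }
}

# Checklist items 1-3: every Tier 1 role must require approval, MFA and justification
$report = foreach ($r in $tier1) { Test-PimRolePolicy $r }
$report | Format-Table -AutoSize
$drift = $report | Where-Object { -not ($_.ApprovalRequired -and $_.MfaOnActivation -and $_.Justification) }
if ($drift) { Write-Warning "Tier 1 roles not meeting the checklist: $($drift.Role -join ', ')" }

# Requests waiting for an approver (what PIM > Approve requests shows)
Get-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -All -Filter "status eq 'PendingApproval'" |
    Select-Object CreatedDateTime, PrincipalId, RoleDefinitionId, Justification | Format-Table -AutoSize

# Monitoring: PIM activations in the last 7 days, as the directory audit log records them
$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString('o')
Get-MgAuditLogDirectoryAudit -All -Filter "loggedByService eq 'PIM' and activityDateTime ge $since" |
    Where-Object { $_.ActivityDisplayName -like '*(PIM activation)*' } |
    Select-Object ActivityDateTime, ActivityDisplayName, Result,
        @{ n = 'Actor';  e = { $_.InitiatedBy.User.UserPrincipalName } },
        @{ n = 'Target'; e = { ($_.TargetResources | ForEach-Object DisplayName) -join ' / ' } } |
    Sort-Object ActivityDateTime -Descending | Format-Table -AutoSize
```

The same audit query, narrowed to Global Administrator and Privileged Role Administrator, is the natural source for an alert: an activation of either role outside change windows, or by an account that is not in your documented admin list, is worth a ticket.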
Troubleshooting
"User can't find their eligible roles in PIM"
- Verify the user has an Entra ID P2 license assigned
- Confirm they are signed in with the account that holds the assignment (admin accounts are often separate from daily accounts) and are looking under Microsoft Entra roles, not Groups or Azure resources
- Check that the eligible assignment was created correctly:
- Go to the role > Assignments > Eligible assignments
- Verify user is listed
- Check eligibility dates haven't expired
- Have user clear browser cache and try again
"Activation requests aren't being received by approvers"
- Verify approvers are correctly configured in role settings
- Check approvers have P2 licenses
- Verify notification settings are enabled
- Check spam/junk folders for approval emails
- Approvers can also check PIM > Approve requests directly
"Approval is taking too long and user needs access now"
Options:
- Any configured approver can approve in PIM > Approve requests
- A Global Administrator or Privileged Role Administrator can create a time-bound active assignment with an end date and documented justification; record it as an exception for the next PA-02 review rather than leaving it in place
- Review if the role truly requires approval, or if MFA + justification is sufficient
"I accidentally removed an emergency account's active assignment"
- Immediately go to Roles & administrators > Global Administrator
- Click + Add assignments
- Select the emergency access account
- Assign as Active with Permanently assigned
- Re-run the PA-03 sign-in test for that account to confirm the role is back
- Document the incident
"Users are activating roles too frequently"
- Review if the activation duration is too short
- Consider extending from 4 hours to 8 hours
- Evaluate if users actually need the role or if a less-privileged role suffices
- Consider group-based access for recurring needs
Cost Considerations
| Component | Cost Impact |
|---|---|
| Entra ID P2 Licenses | Required for all users with eligible role assignments. ~$9/user/month standalone, or included in M365 E5/EMS E5 |
| License Calculation | Count users in eligible assignments across all roles (each user only needs one license) |
License Optimization Tips:
- Only assign P2 to users with PIM-eligible roles
- Use security groups to manage license assignment
- Consider P2 only for IT/admin staff, not all users
Example calculation:
- 5 Global Admin eligible users
- 10 User Admin eligible users (3 overlap with GA)
- 8 Exchange Admin eligible users (5 overlap)
- Unique users: 15 = 15 x $9 = $135/month
Related Controls
- PA-01: Standing Global Admin - Specific guide for Global Admin conversion
- PA-02: Privileged Role Review - Ongoing governance of role assignments
- PA-05: Phishing-Resistant MFA - Strengthen MFA for activation
- PA-06: Hardware Security Keys - FIDO2 keys for privileged users