PA-04: Require PIM for All Privileged Roles
Frequently asked questions about implementing and managing the PA-04 security control in Microsoft 365 and Entra ID.
QWhat is PA-04 (Require PIM for All Privileged Roles)?▼
PA-04 is a security control that pim enforces just-in-time access with audit trails. instead of "always admin," users activate roles when needed, provide justification, and get approval for sensitive roles. this reduces risk and creates accountability. It requires that all privileged roles use pim eligible assignments (not permanent) and maximum activation duration is 8 hours or less, justification is required for every activation, global admin, privileged role admin, and security admin require approval.
QWhy is Require PIM for All Privileged Roles important for Microsoft 365 security?▼
PIM enforces just-in-time access with audit trails. Instead of "always admin," users activate roles when needed, provide justification, and get approval for sensitive roles. This reduces risk and creates accountability.
QHow do I implement PA-04 in my tenant?▼
Converts permanent role assignments to PIM eligible
QWhat license do I need for PA-04?▼
This control requires Azure AD Premium P2 (included in Microsoft 365 E5) or standalone P2.
QWhich security baseline includes PA-04?▼
PA-04 is included in the Enhanced Security baseline (Level 2). This level adds stricter controls for security-conscious organizations.
QWhy is PA-04 marked as critical severity?▼
PA-04 is rated critical because failure to implement this control significantly increases the risk of security incidents. PIM enforces just-in-time access with audit trails. Instead of "always admin," users activate roles when needed, provide justification, and get approval for sensitive roles. This reduces risk and creates accountability.
6
Questions
1
Related Controls
—
Categorized
Related Resources
Still have questions?
Our security experts are here to help. Start a free trial and get personalized guidance for your Microsoft 365 environment.
Start Free Trial