PA-04Advanced

How to Fix: Require PIM for All Privileged Roles

Step-by-step guide to implement require pim for all privileged roles in your Microsoft 365 environment.

5-10 minutes

Estimated Time

4

Steps

critical

Severity

Enhanced Security

Baseline Level

Why This Matters

PIM enforces just-in-time access with audit trails. Instead of "always admin," users activate roles when needed, provide justification, and get approval for sensitive roles. This reduces risk and creates accountability.

Prerequisites

  • 1Global Administrator or appropriate admin role in Microsoft Entra ID
  • 2Access to Microsoft Entra admin center (entra.microsoft.com)
  • 3Microsoft Entra ID P2 license
  • 4Privileged Role Administrator role

Expected Configuration

  • All privileged roles use PIM eligible assignments (not permanent)
  • Maximum activation duration is 8 hours or less
  • Justification is required for every activation
  • Global Admin, Privileged Role Admin, and Security Admin require approval

Remediation Steps

1

Review Current State

Assess your current privileged access configuration in Entra ID.

  • Navigate to Microsoft Entra admin center
  • Go to Identity > Roles and administrators
  • Review current role assignments
2

Plan Changes

Determine what changes need to be made to meet the expected configuration.

  • Identify users with excessive privileges
  • Document required role assignments
  • Plan implementation timeline
3

Implement Configuration

Apply the necessary changes to your Entra ID environment.

  • Configure PIM if applicable
  • Update role assignments
  • Set appropriate access reviews
4

Verify and Test

Confirm the changes are working as expected.

  • Run a TrueConfig scan to verify compliance
  • Test user access with affected accounts
  • Document the changes made

Auto-Remediation Available

TrueConfig can automatically fix this control for you. Enable auto-remediation to have this configuration applied and maintained automatically.

Learn about auto-remediation

Related Resources

Control Reference

Full control documentation

FAQ

Common questions answered

Full Guide

Detailed implementation guide

Privileged Access Controls

Related security controls

Automate Your Security Configuration

TrueConfig continuously monitors your Microsoft 365 environment and can automatically fix configuration drift. Start your free trial today.

Start Free Trial
← All ControlsView Control Details →