
Microsoft Entra PIM Best Practices

Audience: Security administrators, platform engineers, IT admins

Purpose: Configure and use PIM to enforce least-privilege access while minimizing elevation fatigue


Resource | Description
--- | ---
Entra Portal - PIM | PIM activation page
My Roles | View and activate eligible roles
PIM Documentation | Microsoft documentation

Overview

Microsoft Entra Privileged Identity Management (PIM) enables just-in-time (JIT) access for privileged roles. Instead of permanent admin assignments, users are made eligible for roles and activate them on demand for a limited time.

Key Benefits

Benefit | Description
--- | ---
Least Privilege | No standing admin rights
Audit Trail | All activations logged with justification
Approval Workflow | Optional approval for sensitive roles
Time-Bound | Access automatically expires
MFA Enforcement | Require MFA at activation

Eligible vs. Active Assignments

Type | Description | Use Case
--- | --- | ---
Eligible | User must activate to gain access | All regular admin roles
Active | User has standing access | Break-glass accounts only

Best Practice

Aim for zero permanent active assignments for sensitive roles, except for break-glass emergency accounts.


Role Assignment Approaches

Approach 1: Group Eligible for Role

The recommended approach for most scenarios:

  1. Create a role-assignable group
  2. Assign the group as Eligible to the role
  3. Add users as permanent members of the group
  4. Users individually activate the role via PIM

Advantages:

  • Immediate role enforcement (critical for M365 services)
  • Simple activation workflow
  • Clear audit trail per user

Use for: Exchange Admin, SharePoint Admin, Purview roles, and any role requiring immediate access

Approach 2: PIM-Controlled Group Membership

For bundling multiple roles under one activation:

  1. Create a role-assignable group
  2. Assign the group as Active to multiple roles
  3. Enable the group in PIM for Groups
  4. Users activate group membership to gain all roles

Advantages:

  • Single activation grants multiple roles
  • Reduces "elevation fatigue" for common role bundles
  • Additional approval layer for the group

Use for: Helpdesk bundle (User Admin + Password Admin + Helpdesk Admin)

Potential Delays

Group membership changes may take time to propagate to external services. Use Approach 1 for roles that require immediate enforcement.


Configuration Guide

Prerequisites

Requirement | Details
--- | ---
License | Entra ID P2 or Entra ID Governance
Role | Privileged Role Administrator or Global Administrator
Users | All eligible users must be licensed

Step 1: Create Role-Assignable Group

  1. Navigate to Entra ID → Groups → New group
  2. Set Group type: Security
  3. Enable: Microsoft Entra roles can be assigned to the group → Yes
  4. Set Membership type: Assigned (not Dynamic)
  5. Name following convention: RAG - [Purpose]

Cannot Be Changed Later

The role-assignable setting is permanent and must be set at creation. You cannot convert existing groups.

Step 2: Assign Group to Role

For Approach 1 (Group eligible for role):

  1. Navigate to Entra ID → Roles and administrators
  2. Select the target role
  3. Click Add assignments
  4. Select your role-assignable group
  5. Set Assignment type: Eligible
  6. Configure duration and expiration

For Approach 2 (PIM for group membership):

  1. Navigate to Privileged Identity Management → Groups
  2. Click Discover groups and select your group
  3. Configure eligible member settings

Step 3: Configure Role Settings

  1. Navigate to PIM → Entra roles → Settings
  2. Select the role to configure
  3. Configure the following settings:

Setting | Recommendation
--- | ---
Activation maximum duration | 4-8 hours for most roles
Require MFA | Yes
Require justification | Yes
Require approval | Yes for highly privileged roles
Approvers | Security team or role owners
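The Step 3 settings can also be applied through the Microsoft Graph PowerShell SDK rather than the portal. This is an added example, not code from the original page or from Microsoft; the role name and the approver group name are placeholders, and it assumes the Microsoft.Graph.Identity.Governance and Microsoft.Graph.Identity.SignIns modules are installed.

```powershell
# Added example: apply the Step 3 recommendations to one Entra role's PIM policy.
# Placeholders: $roleName, $approverName (approval is only needed for highly privileged roles).
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory","RoleManagementPolicy.ReadWrite.Directory","Group.Read.All"

$roleName     = "Exchange Administrator"      # role to configure (placeholder)
$approverName = "RAG - Security Approvers"    # approver group (placeholder)
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"

# Every role has a PIM policy bound at tenant scope ("/"); locate it through the policy assignment.
$assignment = Get-MgPolicyRoleManagementPolicyAssignment `
    -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$($role.Id)'"
$policyId = $assignment.PolicyId

# Activation maximum duration: 8 hours (ISO 8601 duration); an end time is mandatory.
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId "Expiration_EndUser_Assignment" -BodyParameter @{
        "@odata.type"        = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"
        id                   = "Expiration_EndUser_Assignment"
        isExpirationRequired = $true
        maximumDuration      = "PT8H"
    }
# Require MFA and a justification at activation.
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId "Enablement_EndUser_Assignment" -BodyParameter @{
        "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule"
        id            = "Enablement_EndUser_Assignment"
        enabledRules  = @("MultiFactorAuthentication", "Justification")
    }
# Require approval from the security team / role owners group.
$approvers = Get-MgGroup -Filter "displayName eq '$approverName'"
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId "Approval_EndUser_Assignment" -BodyParameter @{
        "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule"
        id            = "Approval_EndUser_Assignment"
        setting       = @{
            isApprovalRequired = $true
            approvalStages     = @(@{
                approvalStageTimeOutInDays      = 1
                isApproverJustificationRequired = $true
                escalationTimeInMinutes         = 0
                primaryApprovers                = @(@{
                    "@odata.type" = "#microsoft.graph.groupMembers"
                    groupId       = $approvers.Id
                })
            })
        }
    }
```

Re-read the policy with Get-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId afterwards to confirm the three rules now show the intended values.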

Step 4: Add Users to Group

  1. Navigate to your role-assignable group
  2. Add users as Members
  3. Users will now see the role as Eligible in PIM
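Steps 1, 2 and 4 for Approach 1, scripted with the Microsoft Graph PowerShell SDK. This is an added example, not code from the original page or from Microsoft; the group name, role name and user are placeholders, and it assumes the Microsoft.Graph.Groups, Microsoft.Graph.Users and Microsoft.Graph.Identity.Governance modules are installed.

```powershell
# Added example: Approach 1 end to end (role-assignable group, Eligible assignment, member).
# Placeholders: $groupName, $roleName, $userUpn.
Connect-MgGraph -Scopes "Group.ReadWrite.All","RoleManagement.ReadWrite.Directory","User.Read.All"

$groupName = "RAG - Exchange Admins"     # naming convention from Step 1 (placeholder)
$roleName  = "Exchange Administrator"    # target role (placeholder)
$userUpn   = "alice@contoso.example"     # eligible user (placeholder)

# Step 1: role-assignable security group. IsAssignableToRole cannot be changed after creation,
# and role-assignable groups must use assigned (not dynamic) membership.
$group = New-MgGroup -DisplayName $groupName -MailEnabled:$false -SecurityEnabled `
    -MailNickname ($groupName -replace '[^A-Za-z0-9]', '') -IsAssignableToRole

# Step 2: make the group Eligible (never Active) for the role at tenant scope. The one-year
# expiry on the eligibility itself forces the assignment back onto the review calendar.
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -Action "adminAssign" `
    -PrincipalId $group.Id -RoleDefinitionId $role.Id -DirectoryScopeId "/" `
    -Justification "Eligible assignment for $groupName (Approach 1)" `
    -ScheduleInfo @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = "afterDuration"; duration = "P365D" }
    }

# Step 4: permanent group membership; the user still has to activate the role in PIM.
$user = Get-MgUser -UserId $userUpn
New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id

# Check: the group should now be listed as an eligible principal for the role.
Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter "principalId eq '$($group.Id)'" |
    Select-Object RoleDefinitionId, DirectoryScopeId, Status
```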

User Activation Process

Activating a Role

  1. Navigate to My Roles
  2. Find the eligible role and click Activate
  3. Specify duration (up to maximum allowed)
  4. Enter justification (e.g., "Troubleshooting Exchange mailbox issue - Ticket #12345")
  5. Complete MFA if prompted
  6. If approval required, wait for approver response

Checking Active Roles

  1. Navigate to My Roles → Active assignments
  2. View currently active roles and expiration times
  3. Deactivate early if no longer needed
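The same activation flow from the command line, for users who script their work. This is an added example, not code from the original page or from Microsoft; the role name, duration and ticket reference are placeholders, and it assumes the Microsoft.Graph.Users and Microsoft.Graph.Identity.Governance modules are installed and that the signed-in user is eligible for the role (directly or through a role-assignable group).

```powershell
# Added example: self-activate an eligible Entra role, list active assignments, deactivate early.
# Placeholders: $roleName, the justification text, the PT4H duration.
Connect-MgGraph -Scopes "User.Read","RoleAssignmentSchedule.ReadWrite.Directory"

$meId     = (Get-MgUser -UserId (Get-MgContext).Account).Id
$roleName = "Exchange Administrator"    # placeholder
$role     = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"

# Steps 2-4: request activation for 4 hours (must be within the policy maximum) with a
# justification. MFA (Step 5) is enforced on the sign-in; if approval is required (Step 6)
# the request stays pending until an approver responds.
$request = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -Action "selfActivate" `
    -PrincipalId $meId -RoleDefinitionId $role.Id -DirectoryScopeId "/" `
    -Justification "Troubleshooting Exchange mailbox issue - Ticket #12345" `
    -ScheduleInfo @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = "afterDuration"; duration = "PT4H" }
    }
"Activation request status: $($request.Status)"   # e.g. Provisioned, or PendingApproval

# Checking Active Roles: current active assignment instances and when they expire.
Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -Filter "principalId eq '$meId'" |
    Select-Object RoleDefinitionId, AssignmentType, EndDateTime

# Deactivate early once the task is done instead of letting the window run out.
New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -Action "selfDeactivate" `
    -PrincipalId $meId -RoleDefinitionId $role.Id -DirectoryScopeId "/" | Out-Null
```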

Best Practices Summary

Do

  • ✅ Use role-assignable groups for all role assignments
  • ✅ Require MFA and justification for all activations
  • ✅ Require approval for Global Admin, Privileged Role Admin
  • ✅ Set appropriate activation durations (4-8 hours typical)
  • ✅ Maintain two break-glass accounts outside PIM
  • ✅ Review eligible assignments quarterly

Don't

  • ❌ Assign roles permanently (except break-glass)
  • ❌ Use non-role-assignable groups for role assignment
  • ❌ Mix Approach 1 and 2 for the same role/group
  • ❌ Nest role-assignable groups
  • ❌ Set activation durations longer than necessary
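A script for the quarterly review and for the "zero permanent active assignments except break-glass" goal stated earlier: it reports every permanent Active assignment to a set of sensitive roles and flags anything that is not a known break-glass account. This is an added example, not code from the original page or from Microsoft; the role list and break-glass UPNs are placeholders, and it assumes the Microsoft.Graph.Identity.Governance module is installed.

```powershell
# Added example: find permanent Active assignments to sensitive roles outside break-glass accounts.
# Placeholders: $breakGlass, $sensitiveRoles.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","Directory.Read.All"

$breakGlass     = @("breakglass1@contoso.example", "breakglass2@contoso.example")   # placeholders
$sensitiveRoles = @("Global Administrator", "Privileged Role Administrator",
                    "Exchange Administrator", "SharePoint Administrator")

$findings = foreach ($roleName in $sensitiveRoles) {
    $role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
    # Assignment schedules cover both standing ("Assigned") and activated ("Activated") access;
    # expanding the principal lets us tell users from groups without extra lookups.
    $schedules = Get-MgRoleManagementDirectoryRoleAssignmentSchedule `
        -Filter "roleDefinitionId eq '$($role.Id)'" -ExpandProperty principal
    foreach ($s in $schedules) {
        $permanent = ($s.AssignmentType -eq "Assigned") -and
                     ($s.ScheduleInfo.Expiration.Type -eq "noExpiration")
        if (-not $permanent) { continue }
        $props = $s.Principal.AdditionalProperties
        $upn   = $props["userPrincipalName"]
        if ($upn -and ($breakGlass -contains $upn)) { continue }   # expected exception
        [pscustomobject]@{
            Role      = $roleName
            Principal = if ($upn) { $upn } else { "$($props['displayName']) (group)" }
            ObjectType = $props["@odata.type"]
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { "No permanent active assignments to sensitive roles outside break-glass accounts." }
```

Any row in the output is either a standing assignment that should become Eligible, or a break-glass account missing from the exception list; a group in the output means Approach 2 is in use (Active group assignment), which is expected only for the bundled roles.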

Example Architecture

Group | Roles | Approach | Notes
--- | --- | --- | ---
RAG - Helpdesk Admins | Helpdesk Admin, Password Admin, User Admin | Approach 2 | Bundle reduces multiple activations
RAG - Exchange Admins | Exchange Administrator | Approach 1 | Immediate access required
RAG - SharePoint Admins | SharePoint Administrator | Approach 1 | M365 service integration
RAG - Global Admins | Global Administrator | Approach 1 | Requires approval

Troubleshooting

Issue | Resolution
--- | ---
Role not appearing in My Roles | Verify group membership; check license assignment
Activation fails | Check MFA status; verify approver availability
Access not working after activation | Wait 5-10 minutes for propagation; sign out and back in
Cannot see Discover Groups option | Verify Privileged Role Administrator role