Explore Privileged Identity Management in Microsoft Entra ID
Privileged Identity Management (PIM) is a service in Microsoft Entra ID that enables organizations to manage, control, and monitor access to important resources. These resources can exist in Microsoft Entra ID, Azure, and other Microsoft online services such as Microsoft 365 and Microsoft Intune.
Important
Azure Active Directory (Azure AD) is now Microsoft Entra ID.
Why use PIM?
Organizations want to minimize the number of people who have access to secure information or resources. Doing so reduces the chance of:
- a malicious actor getting access.
- an authorized user inadvertently impacting a sensitive resource.
Privileged Identity Management provides time-based and approval-based role activation. This feature enables organizations to mitigate the risks of excessive, unnecessary, or misused access permissions on resources they care about.
Some of the key features of PIM include:
- Provide just-in-time privileged access to Microsoft Entra ID and Azure resources.
- Assign time-bound access to resources using start and end dates.
- Require approval to activate privileged roles.
- Enforce multifactor authentication to activate any role.
- Use justification to understand why users activate.
- Get notifications when users activate privileged roles.
- Conduct access reviews to ensure users still need roles.
- Download audit history for internal or external audit.
- Prevent removal of the last active Global Administrator and Privileged Role Administrator role assignments.
Historically, organizations could assign a user to an admin role through the Microsoft Entra admin center, other Microsoft online services portals, or the Microsoft Entra cmdlets in Windows PowerShell. As a result, the user became a permanent administrator, always active in the assigned role. Along with permanent administrators, the Microsoft Entra Privileged Identity Management (PIM) service introduces the concept of an eligible admin.
Eligible admins are users that need privileged access periodically, but not all day, every day. The role is inactive until the user needs access. At that point, the user must complete an activation process and become an active admin for a predetermined amount of time. More organizations are choosing this "just in time" approach to reduce or eliminate "standing admin access" to privileged roles.
PIM implementation
Microsoft designed Privileged Identity Management so that users are eligible for privileged roles. The following steps provide a summarized view of the workflow involved in implementing PIM:
- The organization must decide which roles to protect with PIM.
- The organization must assign eligible users to roles protected by PIM.
- When an eligible user needs to use their privileged role, they activate the role in PIM.
- Depending on the PIM settings configured for the role, the user might need to:
  - Use multifactor authentication.
  - Request approval for activation.
  - Provide a business reason for activation.
- Once the user successfully activates their role, they get the role for a preconfigured time period.
- Administrators can view a history of all PIM activities in the audit log. They can also further secure their Microsoft Entra ID organizations and meet compliance using PIM features like access reviews and alerts.
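The workflow above, as an added example driven from Microsoft Graph PowerShell (this code is not from the page or from Microsoft's documentation). The cmdlets are those of the Microsoft Graph PowerShell SDK; the UPNs, the role name, the durations, the justification text and the ticket reference are assumed placeholders. For brevity the administrator's and the eligible user's steps share one Connect-MgGraph session, whereas in practice the user runs the activation half under their own sign-in.

```powershell
# Added example, not from the page or from Microsoft's documentation.
# Uses the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.Governance,
# Microsoft.Graph.Users and Microsoft.Graph.Reports modules). Assumed values:
# the UPNs, the role name, the durations, the justification and ticket text.
Connect-MgGraph -Scopes "RoleEligibilitySchedule.ReadWrite.Directory",
                        "RoleAssignmentSchedule.ReadWrite.Directory",
                        "RoleManagement.Read.Directory",
                        "User.Read.All",
                        "AuditLog.Read.All"

# Steps 1-2 (Privileged Role Administrator): the role the organization chose to
# protect, and the user who becomes eligible for it rather than permanently active.
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Security Administrator'"
$user = Get-MgUser -UserId "alice@contoso.example"   # assumed UPN

# Time-bound eligible assignment: eligible for 90 days at directory scope ("/").
$now = (Get-Date).ToUniversalTime()
$eligibility = @{
    action           = "adminAssign"
    principalId      = $user.Id
    roleDefinitionId = $role.Id
    directoryScopeId = "/"
    justification    = "Quarterly on-call rotation for the security operations team"
    scheduleInfo     = @{
        startDateTime = $now
        expiration    = @{ type = "afterDateTime"; endDateTime = $now.AddDays(90) }
    }
}
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $eligibility

# Steps 3-5 (the eligible user): activate for four hours with a business reason.
# If the role settings require MFA or approval, the service enforces them; an
# approval-gated request stays at Status = PendingApproval until an approver acts.
$me = Get-MgUser -UserId (Get-MgContext).Account
$activation = @{
    action           = "selfActivate"
    principalId      = $me.Id
    roleDefinitionId = $role.Id
    directoryScopeId = "/"
    justification    = "Investigating alert INC-0000 (assumed ticket reference)"
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = "afterDuration"; duration = "PT4H" }   # ISO 8601 duration
    }
}
$request = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $activation

# The user checks the request state; Provisioned means the role is now active.
Get-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -UnifiedRoleAssignmentScheduleRequestId $request.Id |
    Select-Object Id, Action, Status, CreatedDateTime

# Last step (administrator): PIM writes every request, approval and activation to
# the directory audit log. Filter on the PIM service for recent activity.
Get-MgAuditLogDirectoryAudit -Filter "loggedByService eq 'PIM'" -Top 20 |
    Select-Object ActivityDateTime, ActivityDisplayName, Result,
                  @{ n = "Actor"; e = { $_.InitiatedBy.User.UserPrincipalName } }
```

The activation request is the point where PIM's role settings bite: the same `selfActivate` call returns `PendingApproval` when approval is configured and `Provisioned` when it is not, so a detection rule that alerts on PIM activations should key on the audit entries written for the request and its approval rather than on the request alone.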
To use PIM, you need one of the following paid or trial licenses:
- Microsoft Entra Premium P2
- Enterprise Mobility + Security (EMS) E5
Privileged Identity Management supports the following scenarios:
- Privileged Role Administrator permissions:
  - Enable approval for specific roles.
  - Specify approver users or groups to approve requests.
  - View request and approval history for all privileged roles.
- Approver permissions:
  - View pending approvals (requests).
  - Approve or reject requests for role elevation (single and bulk).
  - Provide justification for your approval or rejection.
- Eligible role user permissions:
  - Request activation of a role that requires approval.
  - View the status of your request to activate.
  - Complete your task in Microsoft Entra ID once the approver approves activation.
Roles that PIM can manage
Today, you can use PIM with:
- Microsoft Entra roles. Microsoft Entra roles are also referred to as directory roles. They include built-in and custom roles to manage Microsoft Entra ID and other Microsoft 365 online services.
- Azure roles. Azure's role-based access control roles that grant access to management groups, subscriptions, resource groups, and resources.
- PIM for Groups. To set up just-in-time access to the member and owner role of a Microsoft Entra security group. PIM for Groups provides an alternative way to set up PIM for Microsoft Entra roles and Azure roles. It also allows you to set up PIM for other permissions across Microsoft online services like Intune, Azure Key Vaults, and Microsoft Entra ID Protection.
You can assign the following objects to these roles or groups:
- Users. To get just-in-time access to Microsoft Entra roles, Azure roles, and PIM for Groups.
- Groups. Anyone in a group to get just-in-time access to Microsoft Entra roles and Azure roles.
  - For Microsoft Entra roles, the group must be a newly created cloud group marked as assignable to a role.
  - For Azure roles, the group can be any Microsoft Entra security group.
Warning
Microsoft doesn't recommend assigning or nesting a group in a group managed by PIM for Groups.
For Microsoft Entra roles in Privileged Identity Management, only a user who is in the Privileged Role Administrator or Global Administrator role can manage assignments for other administrators. Global Administrators, Security Administrators, Global Readers, and Security Readers can also view assignments to Microsoft Entra roles in Privileged Identity Management.
For Azure resource roles in Privileged Identity Management, only a subscription administrator, a resource Owner, or a resource User Access Administrator can manage assignments for other administrators. Users who are Privileged Role Administrators, Security Administrators, or Security Readers don't by default have access to view assignments to Azure resource roles in Privileged Identity Management.
Terminology
You should review the following terms to better understand Privileged Identity Management.
Term or concept | Role assignment category | Description |
---|---|---|
eligible | Type | A role assignment that requires a user to perform one or more actions to use the role. Once an administrator makes a user eligible for a role, the user can activate the role when they need to perform privileged tasks. There's no difference in the access given to someone with a permanent role assignment versus someone with an eligible role assignment. The only difference is that the persons with an eligible role assignment don't need that access all the time. |
active | Type | A role assignment that doesn't require a user to perform any action to use the role. Users assigned as active have the privileges assigned to the role. |
activate | | The process of performing one or more actions to use a role that a user is eligible for. Actions might include performing a multifactor authentication (MFA) check, providing a business justification, or requesting approval from designated approvers. |
assigned | State | A user that has an active role assignment. |
activated | State | A user that has an eligible role assignment, performed the actions to activate the role, and is now active. Once activated, the user can use the role for a preconfigured period of time before they need to activate again. |
permanent eligible | Duration | A role assignment where a user is always eligible to activate the role. |
permanent active | Duration | A role assignment where a user can always use the role without performing any actions. |
time-bound eligible | Duration | A role assignment where a user is eligible to activate the role only within start and end dates. |
time-bound active | Duration | A role assignment where a user can use the role only within start and end dates. |
just-in-time (JIT) access | | A model in which users receive temporary permissions to perform privileged tasks. This design prevents malicious or unauthorized users from gaining access after permissions expire. An organization only grants access when users need it. |
principle of least privilege access | | A recommended security practice in which an organization provides every user with just the minimum privileges needed to accomplish their authorized tasks. This practice minimizes the number of Global Administrators. Instead, it uses specific administrator roles for certain scenarios. |
Type of assignments
There are two types of assignment – eligible and active. Users who are eligible for a role can activate the role when they need to perform privileged tasks.
You can also set a start and end time for each type of assignment. This addition gives you four possible types of assignments:
- Permanent eligible
- Permanent active
- Time-bound eligible, with specified start and end dates for assignment
- Time-bound active, with specified start and end dates for assignment
When an assignment expires, you can extend or renew it.
Tip
Microsoft recommends you keep zero permanently active assignments for roles other than the recommended two break-glass emergency access accounts, which should have the permanent Global Administrator role.
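A check for the recommendation above, as an added example (not code from the page or from Microsoft): it lists every permanent active Microsoft Entra role assignment and flags each one that is not a break-glass account holding Global Administrator. The cmdlets are those of the Microsoft Graph PowerShell SDK; the break-glass UPNs are assumed placeholders.

```powershell
# Added example, not from the page or from Microsoft's documentation. Uses the
# Microsoft Graph PowerShell SDK. Assumed values: the two break-glass UPNs.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "User.Read.All"

$breakGlassUpns = @("breakglass-1@contoso.example", "breakglass-2@contoso.example")  # assumed
$breakGlassIds  = $breakGlassUpns | ForEach-Object { (Get-MgUser -UserId $_).Id }

# Resolve role definition ids to display names once instead of per schedule.
$roleNames = @{}
Get-MgRoleManagementDirectoryRoleDefinition -All | ForEach-Object { $roleNames[$_.Id] = $_.DisplayName }

# roleAssignmentSchedules cover standing assignments (assignmentType "Assigned")
# and activations from eligibility ("Activated"); eligibility itself lives in the
# separate roleEligibilitySchedules resource and is not a finding here.
$schedules = Get-MgRoleManagementDirectoryRoleAssignmentSchedule -All

$findings = foreach ($s in $schedules) {
    if ($s.AssignmentType -ne "Assigned") { continue }                     # activations are expected
    if ($s.ScheduleInfo.Expiration.Type -ne "noExpiration") { continue }   # time-bound active is not permanent
    $roleName     = $roleNames[$s.RoleDefinitionId]
    $isBreakGlass = ($breakGlassIds -contains $s.PrincipalId) -and ($roleName -eq "Global Administrator")
    [pscustomobject]@{
        Role        = $roleName
        PrincipalId = $s.PrincipalId
        MemberType  = $s.MemberType           # Direct, Group or Inherited
        Scope       = $s.DirectoryScopeId
        Allowed     = $isBreakGlass
    }
}

# Allowed = False marks a standing privileged assignment to convert to an eligible one.
$findings | Sort-Object Allowed, Role | Format-Table -AutoSize
```

Run this on a schedule and alert on any new `Allowed = False` row: a permanent active assignment that appears outside the break-glass pair is either drift from the recommendation or a change worth correlating with the PIM entries in the directory audit log.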
Additional reading: For more information, see the following resources:
- License requirements to use Privileged Identity Management.
- Built-in roles for Azure resources.
- Assign Microsoft Entra roles in Privileged Identity Management.
- Activate my Microsoft Entra roles in PIM.