Question on PIM Eligibility and ENTRA P2 License (Azure Lighthouse & ARM Model)

Question

Hello everyone,

I want to add multiple clients to my company’s tenant and enable eligibleAuthorizations for certain groups. The goal is to allow these groups to request role approval, while only specific higher-level groups (within my tenant, not the client one) will have the authority to approve or deny these requests.

I have a couple of questions:

Is PIM mandatory to use eligibleAuthorizations in this scenario?

• If PIM is required, does it necessarily require an ENTRA P2 license?

I appreciate any answer or official documentation you can share.

Thanks in advance for your help!

Best regards,

Morslaoui Rayane

Answer 1

Hello RAYANE MORSLAOUI,

If you want to allow certain groups to request access to roles instead of having them permanently assigned, then you must use Privileged Identity Management (PIM). Without PIM, any role assignments made through Azure Lighthouse will always be active, means users won’t need approval to access them.

Yes, you need either Enterprise Mobility + Security E5 (EMS E5) or Microsoft Entra ID P2 license to work with Privileged identity management (PIM). You can confirm that by referring this MS Article:

In short, if you don’t use PIM, the roles will always be available to the assigned users. But if you want a system where they have to request access and wait for approval, then PIM is necessary, and the relevant users will need an Entra P2 license.

Hope this helps!

---

Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

If you have any other questions or are still running into more issues, let me know in the "comments" and I would be happy to help you.