0
Permanent Global Admins in a mature tenant
8h
Recommended max PIM activation duration
2
Break-glass accounts required
90d
Cadence for PIM access reviews

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

The default in most Entra ID tenants is permanent role assignment. An administrator is granted Global Admin once, and the assignment persists indefinitely. The cost of this default is hidden until something goes wrong: a phished session token, a stolen device, a compromised endpoint with active admin sign-in. At that point the attacker inherits not a temporary privilege but a permanent one, and the blast radius is the entire tenant.

Privileged Identity Management is Microsoft's just-in-time access model for Entra ID and Azure RBAC roles. The premise is simple: assignments are eligible rather than active by default. To use a role, the user must explicitly activate it, optionally with approval, MFA, justification, and a time limit. Standing privilege becomes the exception rather than the rule, and the attack surface shrinks by orders of magnitude.

This guide is a practical configuration walkthrough for senior identity engineers and CISOs implementing PIM properly. The configuration matters; PIM done halfway is often worse than no PIM at all because it creates the illusion of control without the substance.

What PIM Does and What It Does Not Replace

PIM is specifically for Entra ID directory roles and Azure RBAC resource roles. It governs eligibility and activation for roles like Global Admin, Privileged Role Admin, Exchange Admin, Owner on a subscription, and Contributor on a resource group. When a user is eligible for a role, the role does not appear in their effective permissions until they activate it, at which point it is added for a defined time window. After expiration, the role drops off automatically. The model assumes the user can authenticate to the tenant; PIM does not protect against credential compromise on its own, only against the consequences of compromise during the unprotected windows when no role is active. This is why MFA and Conditional Access on activation are non-negotiable. PIM is not a substitute for a privileged access management tool in the on-premises or application-level sense. CyberArk, BeyondTrust, Delinea, and equivalents handle credential vaulting, session recording, and privilege for on-prem AD, databases, network devices, and applications outside Microsoft's identity perimeter. PIM and a PAM tool complement each other: PIM governs cloud directory and RBAC roles, the PAM tool governs everything else. Conflating them produces gaps in both directions.

Configuring PIM for Entra ID Directory Roles

Start by inventorying current permanent assignments to high-impact roles: Global Administrator, Privileged Role Administrator, Conditional Access Administrator, Exchange Administrator, SharePoint Administrator, Security Administrator, Application Administrator, Cloud Application Administrator, Authentication Administrator, Privileged Authentication Administrator. For each user with permanent assignment, convert to eligible assignment via the PIM blade. Configure role settings before converting users; the settings apply at activation time and getting them wrong propagates immediately. Recommended baseline settings for Global Administrator: activation duration of 1 to 4 hours, never 8 hours unless a documented justification exists; MFA on activation, with a separate MFA prompt distinct from sign-in MFA; justification required with a minimum character count to prevent one-word entries; approval required by at least one other privileged role admin; notification on activation to a security distribution list. For other privileged roles, similar settings with role-appropriate activation durations and approval requirements. Avoid eligibility for service accounts; service principals should use managed identities or workload identity federation, not PIM eligibility. Document the configuration as code via Microsoft Graph or Terraform; the PIM portal does not show configuration history, and drift over time is the most common audit finding.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

PIM for Azure RBAC at the Resource Plane

Directory roles govern Entra ID itself; Azure RBAC roles govern Azure resources. PIM extends to Azure RBAC and the configuration model is identical but applied at the management group, subscription, or resource group scope. The high-impact roles to govern with PIM are Owner, User Access Administrator, and Contributor on subscriptions and production resource groups. Reserved Instances Administrator and Billing Reader are lower risk and can remain permanent for operational simplicity. Apply eligibility at the highest reasonable scope to reduce assignment count; managing 200 individual resource group eligibilities is operationally painful and prone to error. Prefer management group or subscription eligibility with role-based scoping rather than per-resource-group assignment. For production subscriptions, require approval on activation and short activation windows. For development subscriptions where engineers need frequent access, longer windows without approval may be appropriate, with the explicit acknowledgment that the data sensitivity is lower. Monitor for permanent assignments at the subscription level; these accumulate through application deployment scripts that assign Owner to service principals, and should be reviewed against the principle of least privilege quarterly.

Access Reviews and Drift Control

Eligibility accumulates. An engineer changes teams, a project ends, a contractor leaves, and the eligible assignment persists because no one revoked it. Within 18 months, a tenant that started with clean PIM hygiene will have eligible assignments for users who no longer need them, and the attack surface grows quietly. PIM access reviews are the structural control. Configure quarterly reviews for every privileged role, scoped to the role's eligible members. The review owner should be the manager of the eligible user, not the security team; security teams cannot evaluate need-to-have for hundreds of users, and managers can. For high-privilege roles like Global Admin, add a secondary review by the CISO or designated security lead. Configure auto-revoke on no-response after 14 days; reviewers who do not respond effectively approve continued access, which is the wrong default. Use the PIM review API to extract review results programmatically and feed them into a quarterly access governance report; relying on the portal UI for reporting hides trends. Track the revocation rate per review; healthy reviews should revoke 5 to 15 percent of assignments quarterly. A 0 percent revocation rate means the reviewers are rubber-stamping, not reviewing.

Monitoring PIM Activity in the SIEM

PIM activity produces Entra ID audit log events that must reach your SIEM. The events to monitor include RoleAssignmentActivated, when a user activates an eligible role; RoleAssignmentDeactivated, when activation expires or is explicitly ended; RoleEligibilityCreated, when a user becomes eligible for a role; RoleAssignmentCreated with a permanent assignment, which should be near zero in a mature tenant outside break-glass accounts; and AdminMFAFailed during activation, which indicates either a misconfigured user or active attack against an admin account. Build detections around these events. Alert on any RoleAssignmentCreated to a high-privilege role with a permanent rather than time-bound assignment; investigate immediately. Alert on activation outside of business hours or from unusual geographies. Alert on multiple failed activation attempts followed by a successful one, which can indicate credential compromise with MFA fatigue. Correlate activation events with the user's downstream activity; an admin who activates Global Admin and performs no actions during the window may have been a session takeover target. Include break-glass account sign-ins as a separate high-priority alert with explicit on-call paging; these accounts should sign in essentially never.

Break-Glass Account Design

Break-glass accounts are the failsafe when PIM, Conditional Access, or the tenant itself misbehaves. Configure two of them. Two, because one is a single point of failure and three is operational overkill. Each account is cloud-only, meaning created directly in Entra ID and not synchronized from on-prem AD; on-prem identity issues must not block break-glass access. Each is assigned Global Administrator permanently, the exception that proves the rule, because activation flows might be the thing that is broken. Each is excluded from every Conditional Access policy explicitly, by named user exclusion rather than group exclusion, because group exclusions are easier to misconfigure. Each authenticates with hardware FIDO2 keys only; no passwords, no SMS, no authenticator app. The keys are stored in separate physical locations, ideally a safe in the security office and a safe in a senior leader's home or a secure off-site location, with documented retrieval procedures. Sign-in to break-glass accounts triggers a high-priority alert paging the security on-call, regardless of time of day; legitimate use is exceedingly rare and any sign-in deserves immediate investigation. Test break-glass account sign-in quarterly to verify the keys work and the alerting fires; an untested break-glass account is no break-glass account at all.

The bottom line

PIM transforms the privileged access model in Microsoft cloud from standing assignment to just-in-time activation, and properly configured it reduces the blast radius of credential compromise by orders of magnitude. The configuration choices determine the actual security outcome: MFA on activation, approval workflows, short activation durations, and disciplined access reviews are what make PIM real rather than theatrical.

Pair PIM with break-glass accounts that are tested quarterly, monitoring that surfaces every activation and especially every permanent assignment, and an honest awareness that PIM governs only the Microsoft identity plane. The rest of your privileged estate needs equivalent treatment through a PAM tool. Done together, the privileged access posture becomes defensible against the credential-theft attacks that currently drive most tenant compromises.

Frequently asked questions

Does PIM require an Entra ID P2 license?

Yes, PIM for both Entra ID roles and Azure RBAC requires Entra ID P2 or Microsoft Entra ID Governance licensing for users who are made eligible or who approve activations. The licensing applies per user, not per role; a user eligible for ten roles needs one P2 license. Factor this into the rollout plan; for organizations with many privileged users, P2 licensing is a real budget item but the alternative is permanent assignment and the resulting risk.

Can I require approval from a specific person rather than anyone in a role?

Yes, PIM supports both role-based and user-based approvers. For the highest-impact roles like Global Admin, configure a small set of named approvers, typically two to three senior security or identity leaders, rather than allowing anyone in a privileged role admin group to approve. This prevents collusion and ensures approval is a meaningful gate. Document the approver list and review it whenever those individuals change roles.

What happens if all approvers are unavailable during an emergency?

This is exactly the scenario break-glass accounts exist for. The approval workflow can also be configured with shorter timeout fallbacks, and emergency activation can be granted by a higher-tier approver such as a Privileged Role Administrator. Document the emergency activation procedure explicitly; teams that hit this scenario and have not planned for it will either delay incident response or grant permanent assignments under pressure, both of which are bad outcomes.

Should service principals use PIM?

Generally no. PIM is designed for human identities; service principals should use managed identities or workload identity federation with narrowly scoped permanent role assignments. The just-in-time model adds little value for non-interactive workloads, and the activation flow is human-oriented. The exception is high-privilege service principals for incident response tooling, where eligibility with automated activation through a controlled workflow can reduce standing privilege; this is advanced configuration and should be implemented carefully.

How do I measure PIM effectiveness?

Track four metrics quarterly. First, count of permanent assignments to privileged roles; target is essentially zero outside break-glass accounts. Second, ratio of eligible to active assignments at any given moment; lower is better because it means less standing privilege. Third, average activation duration; trending down indicates analysts are using just-in-time properly rather than activating for the maximum window by default. Fourth, access review revocation rate; a healthy 5 to 15 percent quarterly indicates real review, not rubber-stamping. Report these to leadership alongside the underlying incidents PIM has prevented or contained.

Sources & references

  1. Microsoft Entra PIM Documentation
  2. Microsoft Securing Privileged Access
  3. CISA Microsoft 365 Secure Configuration Baselines
  4. Mandiant Azure Incident Response

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.