O365 Admin

How to Enable Privileged Identity Management (PIM)

Published 21 October 2025 · 8 min read

Privileged Identity Management (PIM) in Entra ID gives users just-in-time access to admin roles rather than permanently assigning them. Instead of being a Global Admin all the time, a user activates the role for a defined period when needed, with MFA and optional approval. This reduces the attack surface of privileged accounts significantly.

Contents
  1. How PIM works
  2. Prerequisites
  3. Enable PIM
  4. Assign eligible roles
  5. Configure role settings
  6. Activating a role as a user
  7. Monitoring and audit

How PIM works

Without PIM, admin roles are permanently assigned. With PIM, roles are eligible rather than active. To use an admin role, the user must activate it - providing MFA, a justification, and waiting for approval if required. The role is active for a configurable time then expires automatically.

Zero standing privilege
The ideal state is no permanently active admin roles at all - every admin accesses elevated permissions on demand, with a full audit trail.

Prerequisites

Enable PIM

Entra ID portal → Identity Governance → Privileged Identity Management → Consent to PIM

PIM must be enabled once per tenant. You will be prompted to verify your identity and consent.

Assign eligible roles

PIM → Entra roles → Assignments → + Add assignments
  1. Select the role (e.g. Global Administrator)
  2. Select the members to make eligible
  3. Set assignment type to Eligible (not Active)
  4. Set an end date or leave as permanent eligibility

Configure role settings

PIM → Entra roles → select role → Settings → Edit
⚙️
Recommended settings for Global Administrator
Activation maximum durationShort windows reduce exposure
1 hour
Require justification on activationCreates accountability and audit trail
Yes
Require MFA on activation
Yes
Require approval to activateRequire a second admin to approve
Yes (for GA)
Send notifications
Yes

Activating a role as a user

Users visit aka.ms/pim, click My roles, find the eligible role, and click Activate. They provide MFA and a justification. If approval is required, they wait before access is granted.

Monitoring and audit

PIM → Entra roles → Audit resource

PIM logs every activation - who, when, for how long, and the justification. This integrates with Microsoft Sentinel for SIEM ingestion.

Frequently Asked Questions

Q: What licence does PIM require?

PIM requires Entra ID P2. This is included in Microsoft 365 E5 or available as an add-on. It is not included in Business Premium, E1, or E3.

Q: Can I still have permanently active admin accounts with PIM?

Yes. Keep 2 break-glass emergency accounts as permanently active Global Admins and make all other admin assignments eligible.

Q: What are break-glass accounts?

Break-glass accounts are emergency Global Admin accounts not enrolled in MFA and excluded from Conditional Access policies. Used only if PIM or MFA is unavailable.

Related Guides
-> Conditional Access-> Set Up SSPR-> Why MFA Matters
// need intune set up properly?
Fixed-price Intune setup for UK businesses

App deployment, compliance policies, Conditional Access, and full documentation at a fixed price.

View Packages