
PIM Roles

Privileged Identity Management (PIM) enables just-in-time privileged access to Azure AD (now Microsoft Entra ID) and Azure resources. Admins hold no standing privilege; they request temporary, audited elevation when a task requires it, and the role falls away again when the activation window ends.

Warning: PIM is an Azure AD Premium P2 feature. Every user who is eligible for a role needs a P2 license assigned in order to request activation.

PIM Overview

The overview panel summarises the current state of the tenant with four counters:

  • 18 — Roles Configured
  • 45 — Eligible Assignments
  • 7 — Active Now
  • 3 — Pending Approval

Assignment Types

Eligible

The user requests activation when the role is needed; the assignment carries no permissions until it is explicitly activated. This should be the default for every privileged role.

  • Must request activation
  • May require approval
  • Time-limited activation
  • Audit trail of every activation

Active

The role is permanently active for the assigned principal. Use sparingly: for break-glass (emergency access) accounts and for service principals that cannot perform an interactive activation.

  • Always has permissions
  • No activation needed
  • Can still be time-bound (the assignment itself has an end date)
  • Reserve for emergency access and non-interactive automation, and review these assignments most often

Role Settings

Configure PIM settings for each role:

Activation Maximum Duration

The maximum time a role stays active per activation (1-24 hours); the user can request less. Shorter durations shrink the window in which a hijacked session holds the privilege, at the cost of more frequent re-activation.

Require Justification

The user must state why access is needed. The text is stored with the activation record, so reviewers and incident responders can see the purpose of each elevation after the fact.

Require Ticket Information

Require a ticket number from the ITSM system. This links the activation to a documented change request and makes unplanned elevations stand out in the audit log.

Require Approval

Designated approvers must approve the activation request before the role becomes active. Choose approvers so that a requester never approves their own request.

Require MFA

The user must complete an MFA challenge when activating, so a stolen password alone is not enough to elevate. Caveat: a session that already carries a recent MFA claim may not be prompted again; where a fresh step-up at activation time is required, pair this setting with a Conditional Access authentication context.

Notifications

Send email notifications on assignment, activation, and approval. Keeping role owners and approvers informed means an unexpected activation is noticed by a human, not only by the audit log.

Activation Workflow

  1. Request Activation — The user selects the role, the requested duration (up to the role's maximum), and whatever justification or ticket number the role settings demand.
  2. Complete MFA — If required, the user completes multi-factor authentication before the request is submitted.
  3. Approval (if required) — Approvers receive a notification and approve or deny the request; a request nobody acts on times out.
  4. Role Activated — The user holds the role's permissions for the requested duration.
  5. Auto-Deactivation — The role deactivates automatically when the duration expires; continuing requires a new request.

Example Role Settings

Global Administrator (Critical)

  • Max duration: 2 hours
  • Require approval: Yes
  • Require MFA: Yes
  • Require justification: Yes
  • Require ticket: Yes

Exchange Administrator (High)

  • Max duration: 8 hours
  • Require approval: No
  • Require MFA: Yes
  • Require justification: Yes

Helpdesk Administrator (Standard)

  • Max duration: 8 hours
  • Require approval: No
  • Require MFA: Yes
  • Require justification: Optional
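The role settings and the activation workflow above, as an added example that is not part of the original page: the three presets are encoded as data, and a request is run through request, MFA, approval, activation and expiry. Class and function names, the sample users and the rule that a requester may not approve their own request are assumptions for illustration.

```python
"""Added example (not the page's own code): model the role settings above
and run activation requests through the page's workflow. Policy values are
the three presets on the page; names and sample users are assumed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

HOUR = timedelta(hours=1)
T0 = datetime(2024, 5, 6, 9, 0, tzinfo=timezone.utc)   # fixed clock for the demo

@dataclass(frozen=True)
class RolePolicy:
    role: str
    max_duration_hours: float
    require_approval: bool
    require_mfa: bool
    require_justification: bool
    require_ticket: bool = False

# The three presets from the page, as data.
POLICIES = {p.role: p for p in (
    RolePolicy("Global Administrator", 2, True, True, True, True),
    RolePolicy("Exchange Administrator", 8, False, True, True),
    RolePolicy("Helpdesk Administrator", 8, False, True, False),
)}

@dataclass
class ActivationRequest:
    user: str
    role: str
    duration_hours: float
    justification: str = ""
    ticket: str = ""
    mfa_completed: bool = False          # step 2: set once the MFA challenge passed

@dataclass
class Activation:
    request: ActivationRequest
    state: str                           # "denied" | "pending_approval" | "active"
    reason: str = ""
    approver: Optional[str] = None
    expires_at: Optional[datetime] = None

def _activate(act: Activation, approver: Optional[str], start: datetime) -> Activation:
    act.state, act.approver = "active", approver
    act.expires_at = start + act.request.duration_hours * HOUR
    return act

def request_activation(req: ActivationRequest, now: datetime) -> Activation:
    """Steps 1-2: check the request against the role policy. A policy failure
    denies outright; a valid request is active at once or waits for approval."""
    policy = POLICIES.get(req.role)
    if policy is None:
        return Activation(req, "denied", "role is not PIM-enabled")
    if not 0 < req.duration_hours <= policy.max_duration_hours:
        return Activation(req, "denied", f"duration must be within {policy.max_duration_hours}h")
    if policy.require_justification and not req.justification.strip():
        return Activation(req, "denied", "justification required")
    if policy.require_ticket and not req.ticket.strip():
        return Activation(req, "denied", "ticket number required")
    if policy.require_mfa and not req.mfa_completed:
        return Activation(req, "denied", "MFA challenge not completed")
    if policy.require_approval:
        return Activation(req, "pending_approval")
    return _activate(Activation(req, "pending_approval"), None, now)

def decide(act: Activation, approver: str, approve: bool, now: datetime) -> Activation:
    """Step 3: an approver acts on a pending request. Rejecting self-approval
    is an assumed rule, not something the page states."""
    if act.state != "pending_approval":
        raise ValueError("request is not awaiting approval")
    if approver == act.request.user:
        act.state, act.reason = "denied", "requester cannot approve their own request"
        return act
    if not approve:
        act.state, act.reason, act.approver = "denied", "rejected by approver", approver
        return act
    return _activate(act, approver, now)       # the activation clock starts at approval

def is_active(act: Activation, now: datetime) -> bool:
    """Steps 4-5: permissions exist only while active and before expiry."""
    return act.state == "active" and act.expires_at is not None and now < act.expires_at

def demo() -> dict:
    """Walk a Global Administrator request through the whole workflow."""
    out = {}
    bad = request_activation(ActivationRequest("alice", "Global Administrator", 2, "patch DC", "", True), T0)
    out["missing_ticket"] = bad.reason
    ga = request_activation(ActivationRequest("alice", "Global Administrator", 2, "patch DC", "CHG-1042", True), T0)
    out["after_request"] = ga.state
    ga = decide(ga, "dave", True, T0 + timedelta(minutes=10))   # approved ten minutes later
    out["after_approval"] = ga.state
    out["active_at_1h"] = is_active(ga, T0 + HOUR)
    out["active_at_3h"] = is_active(ga, T0 + 3 * HOUR)
    return out

if __name__ == "__main__":
    print(demo())
```

Running the block prints the states of one Global Administrator request: denied without a ticket, pending after a complete request, active after a second person approves, and expired three hours later. A Helpdesk Administrator request with MFA goes active immediately, since that preset needs neither approval nor justification.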

Access Reviews

Regularly review PIM assignments to confirm they are still needed; eligible assignments that are never activated are standing risk with no benefit:

  • Schedule recurring reviews (monthly, quarterly)
  • The reviewer verifies that each assignment is still required
  • Automatically remove assignments the reviewer did not confirm by the deadline
  • Require a justification for continued access

Audit & Reporting

Track all PIM activity:

  • Role activations with timestamps, requested duration and justification
  • Approval actions (approved, denied, timed out) and who took them
  • Assignment changes (added, removed, expired)
  • Setting changes (weakening a role's settings is itself a privileged action)
  • Export to the SIEM so activations can be correlated with what the account did while the role was active
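The audit categories above and the access-review section before them, as an added example that is not part of the original page: a constructed JSON-lines export is correlated the way a SIEM rule set would (policy-exceeding durations, critical activations without a ticket or outside business hours, self-approval, controls being switched off), and eligible assignments with no recent activation are listed as review candidates. The event format, rule names, business-hours window and 90-day threshold are assumptions for illustration.

```python
"""Added example (not the page's own code): correlate exported PIM audit
events as a SIEM would and derive access-review candidates. The event
shape, rule names, hours window and staleness threshold are assumed."""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample export, oldest first. "id" links an activation to its approval.
AUDIT_LOG = """
{"ts":"2024-03-01T09:00:00Z","type":"assignment_added","user":"alice","role":"Global Administrator","kind":"eligible"}
{"ts":"2024-03-01T09:00:00Z","type":"assignment_added","user":"bob","role":"Global Administrator","kind":"eligible"}
{"ts":"2024-03-01T09:00:00Z","type":"assignment_added","user":"carol","role":"Exchange Administrator","kind":"eligible"}
{"ts":"2024-03-02T10:15:00Z","type":"activation","id":"a1","user":"alice","role":"Global Administrator","duration_h":2,"ticket":"CHG-1042"}
{"ts":"2024-03-02T10:20:00Z","type":"approval","id":"a1","approver":"dave","decision":"approved"}
{"ts":"2024-04-10T22:40:00Z","type":"activation","id":"a2","user":"alice","role":"Global Administrator","duration_h":2,"ticket":""}
{"ts":"2024-04-10T22:41:00Z","type":"approval","id":"a2","approver":"alice","decision":"approved"}
{"ts":"2024-04-12T08:00:00Z","type":"setting_changed","actor":"bob","role":"Global Administrator","setting":"require_approval","old":true,"new":false}
{"ts":"2024-05-05T14:00:00Z","type":"activation","id":"a3","user":"carol","role":"Exchange Administrator","duration_h":12,"ticket":""}
"""

# Policy values from the role presets on this page.
MAX_DURATION_H = {"Global Administrator": 2, "Exchange Administrator": 8, "Helpdesk Administrator": 8}
CRITICAL_ROLES = {"Global Administrator"}
BUSINESS_HOURS_UTC = range(7, 19)                  # assumed window; tune to the tenant
NOW = datetime(2024, 5, 6, tzinfo=timezone.utc)    # fixed clock for the demo

def parse_events(text: str) -> list:
    """One JSON object per line; timestamps become aware UTC datetimes."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events

def detect(events: list) -> list:
    """Return (rule, key) findings from the page's audit categories."""
    findings = []
    activations = {e["id"]: e for e in events if e["type"] == "activation"}
    for e in events:
        if e["type"] == "activation":
            if e["duration_h"] > MAX_DURATION_H.get(e["role"], 0):   # unknown role: any duration is suspect
                findings.append(("duration_over_policy", e["id"]))
            if e["role"] in CRITICAL_ROLES:
                if not e["ticket"]:
                    findings.append(("critical_activation_without_ticket", e["id"]))
                if e["ts"].hour not in BUSINESS_HOURS_UTC:
                    findings.append(("critical_activation_off_hours", e["id"]))
        elif e["type"] == "approval":
            req = activations.get(e["id"])
            if req and e["decision"] == "approved" and e["approver"] == req["user"]:
                findings.append(("self_approval", e["id"]))
        elif e["type"] == "setting_changed":
            # Switching a control off on a critical role is itself a privileged action.
            if (e["role"] in CRITICAL_ROLES and e["setting"] in ("require_approval", "require_mfa")
                    and e["new"] is False):
                findings.append(("critical_role_control_weakened", f"{e['role']}:{e['setting']}"))
    return findings

def review_candidates(events: list, now: datetime, stale_after=timedelta(days=90)) -> list:
    """Eligible assignments with no activation inside the window: the entries
    an access review should ask the reviewer to confirm or remove."""
    eligible = {(e["user"], e["role"]) for e in events
                if e["type"] == "assignment_added" and e["kind"] == "eligible"}
    last_used = {}
    for e in events:
        if e["type"] == "activation":
            key = (e["user"], e["role"])
            last_used[key] = max(last_used.get(key, e["ts"]), e["ts"])
    return [k for k in sorted(eligible)
            if k not in last_used or now - last_used[k] > stale_after]

if __name__ == "__main__":
    evs = parse_events(AUDIT_LOG)
    for rule, key in detect(evs):
        print(f"ALERT {rule}: {key}")
    print("review candidates:", review_candidates(evs, NOW))
```

On the sample data the rules fire on activation a2 three times (no ticket, off hours, approved by the requester), on the setting change that removed approval from Global Administrator, and on a3 for exceeding the 8-hour Exchange maximum; bob's never-used Global Administrator eligibility is the one review candidate. In a real pipeline the constructed log is replaced by the SIEM's PIM export, and the activation events are the pivot for correlating everything the account did during the activation window.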

API Reference

  • GET /api/security/pim/roles — List PIM-enabled roles
  • GET /api/security/pim/roles/:roleId/assignments — List role assignments
  • POST /api/security/pim/roles/:roleId/activate — Activate role for user
  • GET /api/security/pim/pending-approvals — List pending approval requests
  • POST /api/security/pim/approvals/:id — Approve or deny request