PIM Requests

Review and manage Privileged Identity Management (PIM) role activation requests. Approve or deny requests for just-in-time privileged access to Azure AD and Azure resource roles.

Warning: PIM requires Azure AD Premium P2 licensing. Approval workflows are configured per-role in PIM role settings.

Request Overview

  • 5 — Pending Approval
  • 23 — Approved (7 days)
  • 2 — Denied (7 days)
  • 1 — Expired

Pending Requests

| Column | Description |
| --- | --- |
| Requestor | User requesting role activation |
| Role | Directory or resource role requested |
| Scope | Directory-wide or specific resource |
| Duration | Requested activation duration |
| Justification | Reason provided by requestor |
| Ticket | ITSM ticket number (if required) |
| Requested | When request was submitted |
| Expires | Request auto-expires if not actioned |

Request Workflow

  1. User Requests Activation — Eligible user submits activation request with justification.
  2. Approvers Notified — Designated approvers receive email notification.
  3. Review Request — Approver reviews justification, ticket, and user context.
  4. Approve or Deny — Approver takes action with optional comments.
  5. Role Activated (if approved) — User gets role permissions for requested duration.

Approving Requests

Before Approving

  • Verify the requestor is who they claim to be
  • Review the justification for legitimacy
  • Check if ticket number matches an actual change request
  • Consider if the requested duration is appropriate
  • Verify the role is needed for the stated task

Approval Options

Approve — Grant the requested role for the specified duration. Add optional approval comments.

Deny — Reject the request. Provide reason so requestor understands why and can resubmit if appropriate.

Request Status

  • Pending — Awaiting approver action
  • Approved — Request approved, role activated
  • Denied — Request rejected by approver
  • Expired — Request not actioned within timeout period
  • Canceled — Request withdrawn by requestor

Request History

View historical requests for audit and compliance:

My Requests

Your own activation requests with status and history. See when roles were activated and deactivated.

Requests I Approved

Requests you took action on. Includes approval date, requestor, and any comments provided.

High-Risk Roles

Exercise extra caution when approving these privileged roles:

Global Administrator (Critical)

Full control over all Microsoft 365 services. Requires strongest justification.

Privileged Role Administrator (Critical)

Can manage PIM itself and assign any role to anyone.

Exchange Administrator (High)

Access to all mailboxes and email data. Data exfiltration risk.

SharePoint Administrator (High)

Access to all SharePoint/OneDrive content. Data exposure risk.

Best Practices

  • Require ticket numbers — Link activations to documented change requests for audit trail.
  • Review justifications carefully — Vague justifications like “need admin access” warrant follow-up questions.
  • Approve minimum duration needed — Don’t approve 8 hours if 2 hours is sufficient for the task.
  • Have multiple approvers — Ensure backup approvers for time-sensitive requests and coverage.
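
The checks listed under Before Approving, High-Risk Roles and Best Practices can be run over the pending queue before an approver opens each request. The following is an added example, not code from the product: the record field names, the ticket format, the vague-phrase list and the per-risk duration limits are assumptions to adapt to local policy.

```python
import re
# Risk ratings taken from the "High-Risk Roles" section of this page.
HIGH_RISK_ROLES = {
    "Global Administrator": "Critical",
    "Privileged Role Administrator": "Critical",
    "Exchange Administrator": "High",
    "SharePoint Administrator": "High",
}
# Assumed local policy values, not product settings. The ticket regex checks
# format only; the approver still has to look the change request up.
MAX_HOURS = {"Critical": 2, "High": 4}
DEFAULT_MAX_HOURS = 8
TICKET_PATTERN = re.compile(r"^(CHG|INC)\d{6,}$")
VAGUE_PHRASES = ("need admin access", "need access", "as requested")
MIN_JUSTIFICATION_WORDS = 6

def triage(request):
    """Return review findings for one pending request (empty list = none)."""
    findings = []
    risk = HIGH_RISK_ROLES.get(request.get("role", ""))
    if risk:
        findings.append(f"{risk}-risk role: confirm requestor identity out of band")
    ticket = (request.get("ticket") or "").strip()
    if not ticket:
        findings.append("no ticket number supplied")
    elif not TICKET_PATTERN.match(ticket):
        findings.append(f"ticket {ticket!r} does not match the change-request format")
    text = (request.get("justification") or "").strip().lower()
    if len(text.split()) < MIN_JUSTIFICATION_WORDS or any(p in text for p in VAGUE_PHRASES):
        findings.append("vague justification: ask what task needs this role")
    limit = MAX_HOURS.get(risk, DEFAULT_MAX_HOURS)
    hours = request.get("duration_hours", 0)
    if hours > limit:
        findings.append(f"duration {hours}h exceeds {limit}h limit for this role")
    return findings

# Constructed sample records; field names mirror the Pending Requests columns.
SAMPLE_PENDING = [
    {"requestor": "alice@example.com", "role": "Global Administrator", "scope": "Directory",
     "duration_hours": 8, "justification": "need admin access", "ticket": ""},
    {"requestor": "bob@example.com", "role": "User Administrator", "scope": "Directory",
     "duration_hours": 2, "ticket": "CHG0012345",
     "justification": "Reset MFA for three users locked out after phone migration"},
]

if __name__ == "__main__":
    for req in SAMPLE_PENDING:
        notes = triage(req) or ["no findings"]
        print(f"{req['requestor']} -> {req['role']}: " + "; ".join(notes))
```

An empty findings list does not mean the request should be approved; it only means none of the automated checks fired.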

API Reference

  • GET /api/security/pim/pending-approvals — List pending approval requests
  • POST /api/security/pim/approvals/:id/approve — Approve request
  • POST /api/security/pim/approvals/:id/deny — Deny request
  • GET /api/security/pim/requests/history — Get request history
  • GET /api/security/pim/my-requests — Get user’s own requests