
How to Configure Microsoft Entra Privileged Identity Management (PIM)

Administrators need access to the organization so they can perform their tasks. However, you want to manage, control, and monitor their privileged access. That’s when Microsoft Entra PIM comes into the picture. In this article, you will learn how to configure Microsoft Entra Privileged Identity Management (PIM).

What is Microsoft Entra Privileged Identity Management?

Privileged Identity Management (PIM) is a service in Microsoft Entra ID that enables you to manage, control, and monitor access to important resources in your organization. These resources include Microsoft Entra ID, Azure, and other Microsoft Online Services such as Microsoft 365 or Microsoft Intune.

It provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources that you care about. Here are some of the key features of Privileged Identity Management:

  • Provide just-in-time privileged access to Microsoft Entra ID and Azure resources
  • Assign time-bound access to resources using start and end dates
  • Require approval to activate privileged roles
  • Enforce multifactor authentication to activate any role
  • Use justification to understand why users activate
  • Get notifications when privileged roles are activated
  • Conduct access reviews to ensure users still need roles
  • Download audit history for internal or external audit
  • Prevent removal of the last active Global Administrator and Privileged Role Administrator role assignments

Note: You need Microsoft Entra ID P2 to use the Privileged Identity Management feature in Microsoft Entra ID.

Set up Microsoft Entra Privileged Identity Management

Let’s look at how to assign a role, edit the role settings, and activate the role using PIM by signing in as a user.

1. Assign role

To assign users or current admins as eligible admins for specific Microsoft Entra roles, follow these steps:

  1. Sign in to Microsoft Entra admin center
  2. Expand Identity governance > Privileged Identity Management
  3. Click on Microsoft Entra roles
  4. Click on Roles
  5. Click Add assignments
  6. Select a role that you want to assign to the member or the group
  7. Select the member
  8. Click Next
  9. Click Assign

The Microsoft Entra role is successfully assigned to the user. In the next step, we will look into the role settings.

2. Edit role settings

To configure the Microsoft Entra role setting in Privileged Identity Management, follow the below steps:

  1. Search for the role that you added the member to
  2. Select the role
  3. Click Role settings
  4. Click on Edit
  5. Go through the activation settings and adjust where needed
  6. Click Next: Assignment
  7. Go through the assignment settings and adjust where needed
  8. Click Next: Notification
  9. Go through the notification settings and adjust where needed
  10. Click Update

Now that you have assigned the role to the member and checked the role settings, let’s look at the next step to activate the role with the user account.

3. Activate role

To activate the eligible admin roles using PIM in Microsoft Entra, follow these steps:

  1. Sign in to Microsoft Entra admin center or access the Privileged Identity Management (PIM) blade directly
  2. Click My roles

Note: We recommend restricting access to the Microsoft Entra admin center. Users will still be able to access the PIM blade to manage their privileged access.

  3. Select Activate
  4. If you have not set up MFA, you cannot proceed further, and you will see a notification bar warning that additional verification is required
  5. Click Continue
  6. Complete the MFA setup and click Done
  7. You will be automatically redirected to the PIM activate screen
  8. Fill in a reason
  9. Click Activate
  10. It will process the request and activate the role
  11. The browser will automatically refresh when the activation is complete
  12. Click on the notification bar to switch to the active assignments list
  13. Verify that the state shows Activated and that the End time appears correctly
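The same assign-then-activate flow from steps 1 and 3, done with Microsoft Graph PowerShell instead of the portal, as an added example that is not part of the original article. It assumes the Microsoft.Graph module is installed, the tenant has Entra ID P2, and the user and role names are placeholders you replace with your own.

```powershell
# Added example (not from the original article). Assumed placeholders:
# $userUpn and $roleName; replace them with a real principal and Entra role.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "RoleEligibilitySchedule.ReadWrite.Directory", "RoleAssignmentSchedule.ReadWrite.Directory"

$userUpn  = "user@contoso.com"         # placeholder principal
$roleName = "Exchange Administrator"   # placeholder Entra role

$user = Get-MgUser -UserId $userUpn
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"

# Step 1 equivalent: make the user ELIGIBLE (not active) for the role,
# tenant-wide ("/"), and time-bound (90 days) rather than permanent.
$eligible = New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest `
    -Action "adminAssign" `
    -PrincipalId $user.Id `
    -RoleDefinitionId $role.Id `
    -DirectoryScopeId "/" `
    -Justification "Eligible assignment via PIM, change ticket PLACEHOLDER" `
    -ScheduleInfo @{
        StartDateTime = (Get-Date).ToUniversalTime()
        Expiration    = @{ Type = "afterDuration"; Duration = "P90D" }   # ISO 8601 duration
    }
"Eligibility request status: $($eligible.Status)"

# Step 3 equivalent, run in the user's own session: activate the eligible role
# with a reason. PIM still enforces the role's activation settings (MFA,
# approval, maximum duration), so the request may end up pending approval.
$activation = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest `
    -Action "selfActivate" `
    -PrincipalId $user.Id `
    -RoleDefinitionId $role.Id `
    -DirectoryScopeId "/" `
    -Justification "Mailbox migration change window" `
    -ScheduleInfo @{
        StartDateTime = (Get-Date).ToUniversalTime()
        Expiration    = @{ Type = "afterDuration"; Duration = "PT4H" }   # must not exceed the role's max
    }
"Activation request status: $($activation.Status)"

# Verify the active assignment and its end time (the portal's Active assignments list).
Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance `
    -Filter "principalId eq '$($user.Id)' and roleDefinitionId eq '$($role.Id)'" |
    Select-Object AssignmentType, StartDateTime, EndDateTime
```

The eligibility request needs a privileged role administrator context; the activation must be submitted by the eligible user themselves, so in practice the two halves run under different sign-ins.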

That’s it!


Conclusion

You learned how to configure Microsoft Entra Privileged Identity Management (PIM). Don’t assign roles to users permanently in the old-fashioned way; give them just-in-time privileged access to Microsoft Entra ID and Azure resources using PIM instead. It’s an excellent feature to manage, control, and monitor access to important resources in the organization. Remember that you need a Microsoft Entra ID P2 license to use this feature.


ALI TAJRAN

ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others.
