
Configuring and Activating Roles via Entra Privileged Identity Management (PIM)

Privileged Identity Management (PIM) flips the assumption about admin access. Instead of “users with admin roles always have admin powers”, it’s “users are eligible for admin roles, and must activate them when they need them, with MFA + justification, for a bounded time window.” The credential to compromise is no longer “admin password” — it’s “admin password + MFA + reason + within an 8-hour window.” That’s the entire point of just-in-time admin access.

This guide walks Security Reader as a worked example, but the same configure-then-assign-then-activate flow applies to every Entra role you protect with PIM — Global Admin, User Admin, Helpdesk Admin, etc.

Phase 1 — verify the test user has no roles

Sign in to entra.microsoft.com as the test user (pimuser@…onmicrosoft.com).

Top search bar > Privileged Identity Management > click the matching service.

My roles > Microsoft Entra roles. Confirm the user has zero roles (no admin powers right now). This is our baseline.

Phase 2 — admin: configure role settings BEFORE anyone gets assigned

Critical sequencing: configure the role’s activation rules before assigning the role to anyone. If you assign first then change settings, existing assignments inherit the new rules — better to set the floor first.

Open a separate browser window as Global Admin. Open PIM > Microsoft Entra roles.

Dashboard view from the admin perspective: this is where you configure role settings before assigning anyone.

Manage > Settings > click Security Reader.

(Security Reader = read-only on security policies, alerts, reports, audit logs. Useful as a low-blast-radius role to learn PIM. Production: assign the actual role your user needs.)

Click Edit > Activation tab. Once the maximum duration is set here, no end-user can request a longer activation.

  • Maximum activation duration: 8 hours — the longest a single activation can run before auto-expiry. Set it to the shortest window your operations actually need; users can re-activate.
  • Tick Require Azure MFA on activation — even if the user already MFA’d at login, they re-prove identity at the moment of elevation.
  • Tick Require justification on activation — user must type a reason. Becomes searchable in the audit log.

Assignment tab:

  • Tick Allow permanent eligible assignment — users can be permanently eligible (the role is always available to them, but powers are off until they activate).
  • Untick Allow permanent active assignment — this is the load-bearing change. With this off, you can never accidentally grant someone “always-on admin.” Every active assignment must have an end date.

Notification tab > keep defaults > Update.

Defaults email Global Admins + Privileged Role Admins on assignment + activation. Don’t turn this off — it’s your real-time alert for “someone just elevated privileges.” Helpdesk operations sometimes filter these to a Teams channel for visibility.
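The same Phase 2 settings can be applied with Microsoft Graph PowerShell, which is handy for scripting the floor across many roles. This is an added example, not part of the original post; it assumes the Microsoft.Graph module, Privileged Role Administrator rights in a P2 tenant, and the portal's 15-day default for active-assignment expiry.

```powershell
# Added example (not from the post): apply the Phase 2 settings for Security Reader via Graph.
# Assumes the Microsoft.Graph module and a Privileged Role Administrator session in a P2 tenant.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","RoleManagementPolicy.ReadWrite.Directory"

# Resolve the role and the PIM policy bound to it at tenant scope ("/")
$role   = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Security Reader'"
$policy = Get-MgPolicyRoleManagementPolicyAssignment `
            -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$($role.Id)'"
$policyId = $policy.PolicyId

# Target blocks tell PIM which tab each rule belongs to (end-user activation vs admin assignment)
$endUser = @{ caller = "EndUser"; operations = @("All"); level = "Assignment";  inheritableSettings = @(); enforcedSettings = @() }
$admin   = @{ caller = "Admin";   operations = @("All"); level = "Assignment";  inheritableSettings = @(); enforcedSettings = @() }
$adminEl = @{ caller = "Admin";   operations = @("All"); level = "Eligibility"; inheritableSettings = @(); enforcedSettings = @() }

$rules = @(
  # Activation tab: maximum activation duration 8 hours
  @{ "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"
     id = "Expiration_EndUser_Assignment"; isExpirationRequired = $true; maximumDuration = "PT8H"; target = $endUser },
  # Activation tab: require MFA and a justification at the moment of elevation
  @{ "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule"
     id = "Enablement_EndUser_Assignment"; enabledRules = @("MultiFactorAuthentication","Justification"); target = $endUser },
  # Assignment tab: allow permanent eligible assignment (no expiry required on eligibility)
  @{ "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"
     id = "Expiration_Admin_Eligibility"; isExpirationRequired = $false; target = $adminEl },
  # Assignment tab: do NOT allow permanent active assignment; P15D is assumed to be the portal default ceiling
  @{ "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"
     id = "Expiration_Admin_Assignment"; isExpirationRequired = $true; maximumDuration = "P15D"; target = $admin }
)

foreach ($rule in $rules) {
  Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId $rule.id -BodyParameter $rule
}

# Read back the four rules so the change can be verified (and diffed against other roles)
Get-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId |
  Where-Object Id -in $rules.id |
  Select-Object Id, AdditionalProperties
```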

Phase 3 — admin: assign the eligible role

PIM > Manage > Roles > Security Reader.

+ Add assignments.

Click the link to select members > search pimuser > pick > Next.

Assignment type: Eligible. Tick Permanently eligible. Assign.

“Eligible” = the user has the right to use the role but must activate it (just-in-time). “Active” would mean the role is always on — we explicitly avoid that pattern.

Assignments tab now shows pimuser as Eligible for Security Reader.

The first auto-email arrives in the Global Admin inbox the moment the assignment is created. This is your audit trail starting: you didn’t have to enable anything for this email to send. PIM did it automatically.

Phase 4 — user: activate the role

Switch back to the test-user browser. Refresh My roles > Microsoft Entra roles. Security Reader is now listed with an Activate link.

Click Activate. Pane slides in:

  • Duration slider: capped at 8 hours (the admin set this in Phase 2)
  • Reason: type something specific — “Reviewing sign-in logs for compliance audit, ticket #INC1234”. This goes in the audit log.
  • If MFA is required (it is, per Phase 2): MFA prompt fires now

Click Activate in the pane to submit the request.

Three-stage progress: Validating → Activating → Refreshing. The browser auto-refreshes once permissions land.

Second auto-email arrives in the Global Admin inbox: user has actively elevated. So far in this session: 2 emails. One on assignment, one on activation. If the user activates 4 times in a week, that’s 4 more emails.

Phase 5 — remove or update the role when done

PIM > Manage > Assignments > find pimuser. Right-side options:

  • Update — change assignment type (Eligible ↔ Active), change expiry date
  • Remove — strip the role entirely

Project finishes → remove the assignment. Don’t leave dormant Eligible assignments around — they’re still attack surface.
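Phases 3 to 5 (assign, activate, remove) as Graph PowerShell calls, with an audit-log read at the end, as an added example that is not part of the original post. The UPN and justification strings are placeholders; the selfActivate call has to run from the test user's own session, which is what makes the Phase 2 MFA rule bite.

```powershell
# Added example (not from the post). Admin steps need Privileged Role Administrator; the
# selfActivate step is run by the test user in a separate Connect-MgGraph session.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","RoleEligibilitySchedule.ReadWrite.Directory",
                        "RoleAssignmentSchedule.ReadWrite.Directory","AuditLog.Read.All"

$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Security Reader'"
$user = Get-MgUser -UserId "pimuser@<tenant>.onmicrosoft.com"   # placeholder UPN

# Phase 3 (admin): permanently Eligible assignment at tenant scope, mirroring the portal steps
$eligible = New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter @{
  action           = "adminAssign"
  principalId      = $user.Id
  roleDefinitionId = $role.Id
  directoryScopeId = "/"
  justification    = "Security Reader for log review project"          # placeholder
  scheduleInfo     = @{ startDateTime = (Get-Date).ToUniversalTime(); expiration = @{ type = "noExpiration" } }
}
$eligible.Status

# Phase 4 (test user): activate for the 8-hour ceiling with a justification.
# A session that has not satisfied MFA is rejected with RoleAssignmentRequestPolicyValidationFailed,
# which is the Phase 2 "Require Azure MFA on activation" rule doing its job.
$activation = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter @{
  action           = "selfActivate"
  principalId      = $user.Id
  roleDefinitionId = $role.Id
  directoryScopeId = "/"
  justification    = "Reviewing sign-in logs for compliance audit, ticket #INC1234"   # placeholder
  scheduleInfo     = @{ startDateTime = (Get-Date).ToUniversalTime(); expiration = @{ type = "afterDuration"; duration = "PT8H" } }
}
$activation.Status   # Provisioned once Validating / Activating / Refreshing complete

# Phase 5 (admin): strip the eligible assignment when the project ends
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter @{
  action           = "adminRemove"
  principalId      = $user.Id
  roleDefinitionId = $role.Id
  directoryScopeId = "/"
  justification    = "Project closed"                                   # placeholder
}

# Defender check: every activation lands in the directory audit log under the PIM service
Get-MgAuditLogDirectoryAudit -Top 10 `
  -Filter "loggedByService eq 'PIM' and activityDisplayName eq 'Add member to role completed (PIM activation)'" |
  Select-Object ActivityDateTime,
    @{ n = "User";    e = { $_.InitiatedBy.User.UserPrincipalName } },
    @{ n = "Details"; e = { ($_.AdditionalDetails | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join "; " } }
```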

Things that bite people

Why the test user got an MFA prompt at login (not just at activation)

You disabled Security Defaults. You have no Conditional Access policy enforcing MFA. You only configured PIM to require MFA at activation. So why did the user MFA at the front door of entra.microsoft.com?

Because Microsoft introduced mandatory MFA for sensitive admin portals — entra.microsoft.com, portal.azure.com, intune.microsoft.com. This is enforced by Microsoft tenant-wide and cannot be turned off. The MFA at activation is then a second challenge — defending against the “user walked away from an unlocked computer” scenario where an attacker would otherwise just click Activate.

The 3 automatic expiry emails

For Eligible assignments with an end date, PIM sends three emails automatically:

  1. 14 days before — gives the user time to ask for renewal
  2. 1 day before — final last-call
  3. On expiry — confirms removal to admins (audit completion)

You don’t configure any of this — PIM just does it. Don’t turn off the notification settings or you blind yourself to the lifecycle.

Forgot to untick “permanent active assignment”

If you leave that checkbox on (default behavior) and someone assigns Active + Permanent, the user has admin powers 24/7 with no expiry, no MFA-on-activation, no justification. Defeats the entire point of PIM. Always untick this in Phase 2 settings.

P2 license required

PIM requires Entra ID P2 (or EMS E5 / Microsoft 365 E5). It is not in P1 or Free. Without P2, you only have permanent role assignments. Worth budgeting for if you have any admin accounts.

Activation duration too short

If you set the max duration too low (e.g. 1 hour), users will activate, lose access mid-task, re-activate, lose access again. That strikes a bad UX-vs-security balance and the helpdesk gets pushback. 8 hours is the practical default for daily admin work; 4 hours for sensitive roles like Global Admin.

What’s next

Configure-then-activate is the foundation. The next post in the Entra ID Security pathway covers the lifecycle operations on top: assigning, activating, approving, rejecting, and renewing PIM requests from the admin side, including the approval-required flow for the highest-privilege roles.
