Exploring Microsoft Entra ID Privileged Identity Management (PIM) Part-1/3 (Microsoft Entra Roles)


Microsoft Entra ID PIM
Managing access to critical resources matters more than ever. Privileged Identity Management (PIM) is a Microsoft Entra ID service that lets organizations manage, control, and monitor privileged access to important resources. Those resources include Microsoft Entra ID itself, Azure, and other Microsoft services such as Microsoft 365 and Microsoft Intune.

Why Privileged Access Needs Management

Organizations strive to minimize the number of people with access to sensitive information and resources. By reducing access, you lower the risk of:
  • Malicious actors gaining unauthorized access to critical resources.
  • Users inadvertently impacting sensitive resources, either through accidental misconfiguration or other unforeseen issues.

Despite the desire to limit access, privileged operations still need to be carried out regularly in Microsoft Entra ID, Azure, Microsoft 365, and other SaaS applications. With Microsoft Entra ID PIM, organizations can provide users with just-in-time (JIT) privileged access to Azure and Microsoft Entra resources. This approach ensures that users only have elevated access when needed, and organizations can closely monitor their activity.

Licensing Requirements for PIM

PIM is available as part of the following license tiers:
  • Microsoft Entra ID P2
  • Microsoft Entra ID Governance
  • Microsoft Entra Suite
To use PIM, one of the licenses above must be assigned to every user in the following categories:
  • Users with eligible and/or time-bound assignments to Microsoft Entra ID or Azure roles managed via PIM.
  • Users with eligible/time-bound assignments as members or owners of PIM for Groups.
  • Users who are approvers for activation requests in PIM.
  • Users assigned to or who perform access reviews.

These licenses enable organizations to leverage the full suite of capabilities that PIM offers to control access to sensitive resources.

Impact When a License Expires

If a Microsoft Entra ID P2, Microsoft Entra ID Governance, Microsoft Entra Suite, or trial license expires, key PIM functionality is lost:
  • Permanent role assignments remain unaffected.
  • The PIM service in the Microsoft Entra admin center, together with the Microsoft Graph API and the PowerShell cmdlets, is no longer available for activating privileged roles or managing access.
  • Eligible role assignments for Microsoft Entra roles are removed, and users can no longer activate privileged roles.
  • Ongoing access reviews of Microsoft Entra roles end, and the PIM configuration settings are cleared.
  • Email notifications about role assignment changes stop.

Key Features of Microsoft Entra PIM

Privileged Identity Management offers several key features that help mitigate risks associated with excessive, unnecessary, or misused access permissions. Some of the most notable capabilities include:

Just-in-time privileged access: Users only receive access to critical resources when they actually need it, helping to reduce overexposure to sensitive data.

Time-bound access assignments: Admins can set specific start and end dates for access to resources, ensuring that elevated permissions aren't left open indefinitely.

Approval-based role activation: Role activations can be subject to approval processes to ensure access is granted with the proper oversight.

Multifactor authentication (MFA) enforcement: To activate any privileged role, MFA can be enforced, adding an extra layer of security.

Justification for role activation: Users are required to provide a reason for activating their roles, adding context and accountability to the process.

Notifications for role activation: Admins are notified when roles are activated, allowing for real-time monitoring.

Access reviews: Regular reviews of privileged access roles ensure that users still require the roles they have.

Audit history downloads: Audit logs are available for internal and external reviews, providing transparency and traceability.

Prevention of role removal: PIM ensures that the last active Global Administrator or Privileged Role Administrator can't be removed accidentally, preventing organizations from locking themselves out of critical functions.

Managing PIM in Microsoft Entra ID

To manage PIM, open the Microsoft Entra admin center, navigate to the Identity Governance blade, and select Privileged Identity Management. Alternatively, open the Azure portal and search for Microsoft Entra Privileged Identity Management.
Entra ID Privileged Identity Management
Once PIM is set up in Microsoft Entra ID, administrators can navigate the Tasks, Manage, and Activity sections on the left-hand side of the interface. These sections provide clear options for managing privileged access roles and overseeing activity.

Microsoft Entra Roles: In PIM, only users holding the Privileged Role Administrator or Global Administrator role can manage assignments for other administrators. Global Administrators, Security Administrators, Global Readers, and Security Readers can view assignments to Microsoft Entra roles.
  
Azure Resource Roles: Managing Azure resource roles through PIM requires Azure RBAC permissions on the resource, such as Subscription Owner, Resource Owner, or User Access Administrator. Microsoft Entra roles such as Privileged Role Administrator and Security Administrator do not by themselves grant the right to manage or view these assignments.

Microsoft Entra ID PIM for Groups:

Microsoft Entra ID allows you to grant users just-in-time membership and ownership of groups through Privileged Identity Management (PIM) for Groups. These groups can control access to various scenarios, such as:

  • Microsoft Entra roles
  • Azure roles
  • Azure SQL
  • Azure Key Vault
  • Intune
  • Other application roles
  • Third-party applications

PIM for Groups is part of Microsoft Entra PIM, alongside PIM for Microsoft Entra roles and PIM for Azure resources.

Key Features of PIM for Groups

With PIM for Groups, you can apply policies similar to those used for Entra roles and Azure resources. Some key policies include:

  • Approval requirement for membership or ownership activation
  • Multifactor authentication (MFA) enforcement
  • Justification requirement for activation
  • Maximum activation time limit

Each group has two policies: one for membership activation and another for ownership activation.

Role-Assignable vs. Non-Role-Assignable Groups

  • Role-Assignable Groups: Only Global Administrators, Privileged Role Administrators, or the group's owners can manage the group. Because lesser administrators cannot change membership, a group that grants an Entra role cannot be used by, for example, a Groups Administrator to elevate themselves.
  • Non-Role-Assignable Groups: A wider set of administrators, including Exchange Administrators, Groups Administrators, and User Administrators, can manage the group, so these groups have fewer protections than role-assignable groups.

Important Considerations

  • Any Microsoft Entra security group or Microsoft 365 group (excluding dynamic groups and on-premises synced groups) can be enabled for PIM for Groups.
  • Groups do not need to be role-assignable for PIM activation, but role-assignable groups provide enhanced security.

Group Assignments and Role Activation

To make a group of users eligible for a Microsoft Entra role, you can:

  1. Assign users to the group as active members, then assign the group as eligible for role activation.
  2. Assign the role to a group and make users eligible for group membership.

For roles such as Exchange Administrator, whose backend services pick up group membership changes only after a delay, keep users as active members of the group and make the group eligible for the role. Activation then changes the role assignment, which takes effect within seconds, rather than the group membership.

Best Practices for PIM for Groups

  • Require approval for eligible member assignments, especially for groups used to elevate into Microsoft Entra roles. In a non-role-assignable group, for instance, a Helpdesk Administrator can reset the passwords of eligible members and then activate the group's role as one of them.
  • Keep the privileges reachable through non-role-assignable groups limited, because more administrators can change their membership.

Group Provisioning Timelines

  • Without PIM Activation: Group membership is synced to the application in the next SCIM provisioning cycle, which runs every 40 minutes.
  • With PIM Activation: Group membership is provisioned in 2 to 10 minutes. Under high load, only five requests are processed every 10 seconds; additional requests wait for the standard 40-minute cycle.

If users face issues accessing the necessary group in the target application, review the PIM logs and provisioning logs to verify group membership updates.


Setting Up PIM for Microsoft Entra ID Role

In the following steps, I walk through setting up PIM for Entra ID roles. In this example I make one of my user accounts eligible for the Global Reader role; the same steps apply to any other Entra ID role.

Open the Microsoft Entra admin center, navigate to the Identity Governance blade, and select Privileged Identity Management. Alternatively, go to Roles & administrators and choose the role to which you want to add members.
PIM Dashboard

After selecting Microsoft Entra Roles, the Privileged Identity Management page for Microsoft Entra Roles will open for the respective tenant. You will then see the Quick Start menu, as shown in the screenshot below.
Entra ID Roles PIM

In the Overview tab, you can view details such as role activations in the past 7 days, role assignment distribution, PIM activities from the last 30 days, roles by assignment, alerts, and more, as shown in the screenshot below.
PIM Overview dashboard

In the My Roles section under Tasks, you can view the eligible, active, and expired assignments for any roles available to your account.

Entra ID PIM My Roles

Pending Requests lists the activation requests you have submitted that are still awaiting an approver's decision. You can review these requests here and cancel them if they are no longer needed.
Entra PIM Pending Requests

Approve Requests is where you find the requests awaiting your approval, including requests to renew or extend role assignments. If approval is required for a role but no specific approvers are designated, Privileged Role Administrators and Global Administrators are the default approvers.
Privileged Role Administrators and Global Administrators do not see approval requests that are routed to other designated approvers.

Entra PIM Approve Requests

In the Review Access tab, any Entra ID roles that require review will be displayed here. We will cover these settings in detail when configuring the access reviews.
Entra ID Roles Access Review

The Roles section lists all Entra ID roles along with the number of assignments each has. From here you can select a role and assign it to users, groups, or service principals, either by opening the role or by using "Add Assignments" in the top menu. The same actions are available from Roles & administrators in the Entra admin center.

Entra ID Roles

Let's assign the Global Reader role to a regular user account and explore how to enable role activation for this user through Privileged Identity Management (PIM).

Locate the Global Reader role and select it.
Global Reader Entra ID role
Opening Global Reader takes you to its Assignments page. Select Add assignments to add users to the role.

Entra ID Role Assignments

On the Add Assignments page, the Resource shows the tenant name with Directory as the resource type and Global Reader as the selected role. Set the Scope type to Directory, choose the user to assign, and click Next.
Entra ID Role User Assignments

The Settings tab offers the following options:

Eligible (Type)

An eligible assignment requires the user to take an action (activation) before they can use the role. The user does not hold the privileges continuously but can activate the role whenever a privileged task requires it. While active, the access is identical to that of a permanent holder of the role.

Active (Type)

An active assignment requires no action from the user. Once assigned, the privileges are held continuously and the role can be used without activation.

Role Assignment Durations
  • Permanent Eligible: The user can activate the role whenever needed, with no end date on the eligibility.
  • Permanent Active: The user holds the role continuously, with no end date.
  • Time-Bound Eligible: The user can activate the role only between the specified start and end dates.
  • Time-Bound Active: The user holds the role continuously, but only between the specified start and end dates.
Entra ID PIM Role Assignment settings

When you choose an active assignment, you must provide a justification. This requirement can be changed in the Role Settings tab, which we review in the upcoming steps.

The screenshot below shows an active assignment with the justification prompt.
PIM Active Assignment with Justification

Once the settings are configured, select Assign to finalize the assignment. In this example we proceed with the Eligible option. After the assignment completes, the user appears under the Eligible tab of the Role Assignments section.
When the user activates the role, they appear under Active assignments for the duration of the activation.
PIM Eligible Assignments
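The same eligible assignment can be created from PowerShell, which is how you would script it for many users or put it under change control. The block below is an added example written for this article, not code from Microsoft's documentation: it uses the Microsoft Graph PowerShell SDK (Microsoft.Graph module) to make a user eligible for Global Reader for three months at tenant scope and then reads the eligibility schedule back. The UPN, justification, and ticket number are placeholders.

```powershell
# Added example: create a time-bound ELIGIBLE Global Reader assignment with the
# Microsoft Graph PowerShell SDK and confirm it via the eligibility schedule.
# Prerequisites: Install-Module Microsoft.Graph; sign in as a Privileged Role Administrator.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "User.Read.All" -NoWelcome

# Placeholder account to make eligible (assumption, replace with a real UPN).
$upn  = "alice@contoso.example"
$user = Get-MgUser -UserId $upn -Property Id, UserPrincipalName

# Resolve the role by display name instead of hard-coding its template ID.
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Reader'"
if (-not $role) { throw "Role definition 'Global Reader' not found" }

# adminAssign on the *eligibility* endpoint creates an eligible (not active) assignment.
# Expiration type afterDateTime is the time-bound eligible assignment from the portal;
# @{ Type = "noExpiration" } is only accepted where the role setting allows permanent eligibility.
$params = @{
    Action           = "adminAssign"
    Justification    = "Eligible Global Reader for audit read access, ticket INC0001 (constructed)"
    RoleDefinitionId = $role.Id
    DirectoryScopeId = "/"        # tenant-wide; "/administrativeUnits/<id>" would scope it down
    PrincipalId      = $user.Id
    ScheduleInfo     = @{
        StartDateTime = (Get-Date).ToUniversalTime()
        Expiration    = @{
            Type        = "afterDateTime"
            EndDateTime = (Get-Date).ToUniversalTime().AddMonths(3)
        }
    }
}
$request = New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $params
"Request {0} status: {1}" -f $request.Id, $request.Status   # Provisioned when it succeeded

# Verify: the eligibility schedule is what the portal lists under the Eligible tab.
Get-MgRoleManagementDirectoryRoleEligibilitySchedule `
    -Filter "principalId eq '$($user.Id)' and roleDefinitionId eq '$($role.Id)'" |
    Select-Object Id, Status, @{ n = 'EndsUtc'; e = { $_.ScheduleInfo.Expiration.EndDateTime } }
```

If the role settings forbid the duration you request (for example, a permanent eligible assignment where "Allow permanent eligible assignment" is off), the request is rejected at policy validation rather than silently shortened, so check `$request.Status` rather than assuming success.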

To configure the role settings, navigate to the Role Settings tab. From there, you can edit various options such as Role Activation Settings, Assignment Settings, and Notification Settings.

Entra Role Settings

Activation Maximum Duration:
Use the Activation maximum duration slider to set how long, in hours, an activation of the role stays active before it expires and the user must activate again. The duration can range from 30 minutes to 24 hours.

Require Multifactor Authentication Upon Activation:
You can mandate that users eligible for a role verify their identity using multifactor authentication (MFA) in Microsoft Entra ID before activating their role. MFA provides an added security layer by requiring a second form of verification, enhancing protection for data and applications.

Note: Users may not be prompted for MFA if they have already authenticated with strong credentials or completed MFA earlier in their session.

On Activation, Require Microsoft Entra Conditional Access Authentication Context:

You can enforce that eligible role users meet Conditional Access policy criteria. For example, users might be required to authenticate with specific methods enforced by Authentication Strengths, activate their role from an Intune-compliant device, or adhere to terms of use.

To enforce MFA at activation time specifically, use the On activation, require Microsoft Entra Conditional Access authentication context setting together with an Authentication Strength. This forces an authentication during activation that can differ from the method used to sign in to the device.

For instance, if a user logs in using Windows Hello for Business, you can configure this setting to require passwordless sign-in via Microsoft Authenticator for role activation. After completing this passwordless sign-in once, the user won't need to authenticate again for subsequent activations within the same session, as the sign-in is already part of their authentication token.

Require Justification Upon Activation:

You can configure the system to ask users for a business justification when activating an eligible assignment.

Require Ticket Information Upon Activation
You can ask users to provide a support ticket number when they activate an eligible assignment. This field is informational, and there is no enforced integration with any ticketing systems.

Require Approval to Activate
You can require approval for activating an eligible assignment. Approvers do not need to hold specific roles. However, you must select at least one approver, and it's recommended to select at least two. If no approvers are specified, the Privileged Role Administrator or Global Administrators will act as the default approvers.

Below image shows the config: You can customize these settings based on your need.

PIM Activation Settings


Assignment Duration:

Role settings offer two assignment duration options for each assignment type, eligible and active. They set the maximum duration an administrator can choose when assigning the role in Privileged Identity Management.

Allow Permanent Eligible Assignment:
Resource administrators can assign eligible roles permanently, without an expiration.

Expire Eligible Assignment After:
Resource administrators can require eligible assignments to have specific start and end dates.

Allow Permanent Active Assignment:
Resource administrators can assign active roles permanently, without an expiration.

Expire Active Assignment After:
Resource administrators can require active assignments to have a defined start and end date.
All assignments with a specified end date can be renewed by Global Administrators and Privileged Role Administrators. Additionally, users can submit self-service requests to extend or renew their role assignments.

Require Multifactor Authentication on Active Assignment:
You can enforce that administrators use multifactor authentication (MFA) when creating an active assignment (as opposed to an eligible assignment). However, Privileged Identity Management cannot enforce MFA when the user operates within their active role since the role is already assigned.

Administrators may not be prompted for MFA if they have already authenticated using strong credentials or completed MFA earlier in the session.

Require Justification on Active Assignment:
You can require users to provide a business justification when creating an active assignment.(Same we saw earlier when we tried to add user to Active assignment)

Below image shows the config: You can customize these settings based on your need.

PIM Role Assignment settings

The maximum duration for eligible and active assignments can be set to 15 days, 1 month, 3 months, 6 months, or 1 year.
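The activation and assignment settings described above are stored as rules of the role's management policy, and they can be read and changed through Microsoft Graph. The block below is an added example for this article (not Microsoft's own code): with the Microsoft Graph PowerShell SDK it locates the Global Reader policy, lists its current rules, and then enforces a 4-hour activation maximum, MFA plus justification plus ticket on activation, single-stage approval by two named approvers, and a one-year cap on eligible assignments. The approver UPNs are placeholders; the rule IDs (Expiration_EndUser_Assignment, Enablement_EndUser_Assignment, Approval_EndUser_Assignment, Expiration_Admin_Eligibility) are the ones Microsoft Graph defines for Entra role policies.

```powershell
# Added example: harden the PIM role settings (role management policy) for Global Reader.
# Prerequisites: Install-Module Microsoft.Graph; sign in as a Privileged Role Administrator.
Connect-MgGraph -Scopes "RoleManagementPolicy.ReadWrite.Directory", "RoleManagement.Read.Directory", "User.Read.All" -NoWelcome

$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Reader'"

# Each Entra role has one policy assignment at tenant scope "/"; it points at the policy holding the rules.
$policyAssignment = Get-MgPolicyRoleManagementPolicyAssignment `
    -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$($role.Id)'"
$policyId = $policyAssignment.PolicyId

# Dump the current rules first so the change is reviewable before it is applied.
Get-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId |
    Select-Object Id, @{ n = 'Rule'; e = { $_.AdditionalProperties | ConvertTo-Json -Compress -Depth 5 } }

# "EndUser / Assignment" rules govern what happens when an eligible user activates.
$activationTarget = @{ caller = "EndUser"; operations = @("All"); level = "Assignment"; inheritableSettings = @(); enforcedSettings = @() }

# 1) Activation maximum duration: 30 minutes to 24 hours, expressed as an ISO 8601 duration.
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId "Expiration_EndUser_Assignment" -BodyParameter @{
        "@odata.type"        = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"
        id                   = "Expiration_EndUser_Assignment"
        isExpirationRequired = $true
        maximumDuration      = "PT4H"
        target               = $activationTarget
    }

# 2) On activation require MFA, a justification, and a ticket number.
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId "Enablement_EndUser_Assignment" -BodyParameter @{
        "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule"
        id            = "Enablement_EndUser_Assignment"
        enabledRules  = @("MultiFactorAuthentication", "Justification", "Ticketing")
        target        = $activationTarget
    }

# 3) Require approval by two named approvers (placeholder UPNs); approvers must justify too.
$approvers = "approver1@contoso.example", "approver2@contoso.example" |
    ForEach-Object { @{ "@odata.type" = "#microsoft.graph.singleUser"; userId = (Get-MgUser -UserId $_).Id } }
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId "Approval_EndUser_Assignment" -BodyParameter @{
        "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule"
        id            = "Approval_EndUser_Assignment"
        target        = $activationTarget
        setting       = @{
            isApprovalRequired               = $true
            isApprovalRequiredForExtension   = $false
            isRequestorJustificationRequired = $true
            approvalMode                     = "SingleStage"
            approvalStages                   = @(@{
                approvalStageTimeOutInDays      = 1      # the fixed 24-hour approval window
                isApproverJustificationRequired = $true
                escalationTimeInMinutes         = 0
                isEscalationEnabled             = $false
                primaryApprovers                = @($approvers)
                escalationApprovers             = @()
            })
        }
    }

# 4) Eligible assignments must expire; one year is the longest the portal allows.
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId "Expiration_Admin_Eligibility" -BodyParameter @{
        "@odata.type"        = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"
        id                   = "Expiration_Admin_Eligibility"
        isExpirationRequired = $true
        maximumDuration      = "P365D"
        target               = @{ caller = "Admin"; operations = @("All"); level = "Eligibility"; inheritableSettings = @(); enforcedSettings = @() }
    }
```

Because every Entra role has its own policy, the same loop over `Get-MgRoleManagementDirectoryRoleDefinition` lets you apply one baseline to all privileged roles and then diff the dumped rules against it periodically to catch drift.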

Notifications: On the Notifications tab of the Role Settings page, you control who receives notifications and which notifications are sent. The options include:

Turning Off an Email: You can disable specific emails by unchecking the default recipient box and removing any other listed recipients.

Limit Emails to Specified Addresses: If you prefer not to send emails to default recipients, you can clear the checkbox and add your own recipients. To include multiple email addresses, separate them with a semicolon (;).

Send Emails to Both Default and Additional Recipients: You can send notifications to both default recipients and additional ones. To do this, select the default recipient checkbox and enter any extra email addresses.

Critical Emails Only: For each type of email, you can choose to receive only critical notifications by selecting the appropriate checkbox. With this setting, PIM sends emails only when immediate action is required. For instance, emails about extending role assignments are skipped, but emails requiring an administrator to approve an extension request are still sent.

Note:
Each event in Privileged Identity Management can trigger email notifications to multiple recipients, including assignees, approvers, and administrators, but at most 1,000 notifications are sent per event. If the recipient list exceeds 1,000, only the first 1,000 recipients receive an email; the remaining assignees, administrators, or approvers can still use their permissions in Microsoft Entra ID and PIM as normal.

Below image shows the default config: You can customize these settings based on your need.

PIM Entra ID Roles Notification settings


The Assignments tab in the PIM console displays the number of roles along with their Eligible, Active, and Expired statuses. As a Global Administrator or Privileged Role Administrator, you can manage these assignments directly from this tab.

Entra ID PIM Assignments

Alerts: Privileged Identity Management (PIM) generates alerts whenever suspicious or unsafe activities are detected within your organization in Microsoft Entra ID. These alerts are displayed on the PIM dashboard, and you can select an alert to view a detailed report that identifies the users or roles responsible for triggering it.

Security Alerts

This section lists all security alerts for Microsoft Entra roles, along with steps to resolve and prevent them. The severity of alerts is categorized as follows:

  • High: Indicates a critical policy violation that requires immediate attention.
  • Medium: Signals a potential policy violation but does not require immediate action.
  • Low: Suggests a preferable policy change but does not require urgent action.

Only users with the following roles can view PIM security alerts for Microsoft Entra roles:

  • Global Administrator
  • Privileged Role Administrator
  • Global Reader
  • Security Administrator
  • Security Reader

Available Alerts:

  • Roles don't require multi-factor authentication for activation: Some roles are not enforcing multi-factor authentication (MFA) when activated.
  • Eligible administrators aren't activating their privileged role: Administrators eligible for roles are not activating them when required.
  • Roles are being assigned outside of Privileged Identity Management: Roles are being assigned through means other than PIM.
  • Potential stale accounts in a privileged role: There may be inactive or unnecessary accounts holding privileged roles.
  • The organization doesn't have Microsoft Entra ID P2 (the alert still refers to its former name, Azure AD Premium P2): the tenant lacks the license that provides PIM's security features.
  • Roles are being activated too frequently: Some roles are being activated more often than expected, which may indicate misuse.
  • There are too many global administrators: The organization has an excessive number of global administrators, which can increase security risks.

Entra ID PIM Alert

In the Alerts tab, open the Settings menu to customize the alert policies or enable/disable specific alerts.

Entra ID PIM Alert Settings

Some of the Alert Settings Example Below.

Potential stale accounts in a privileged role

Roles are being activated too frequently

Access Reviews: As your organization's need for access to privileged Azure resources and Microsoft Entra roles evolves over time, it’s important to regularly review and manage these assignments to mitigate risks associated with stale role assignments. Microsoft Entra Privileged Identity Management (PIM) allows you to set up access reviews for privileged access to both Azure resources and Microsoft Entra roles. Additionally, you can automate the process by configuring recurring access reviews.

To create access reviews for Azure resources, you must have the Owner or User Access Administrator role for those resources. For Microsoft Entra roles, you need at least the Privileged Role Administrator role.

If you're using access reviews for service principals, it requires a Microsoft Entra Workload ID Premium plan in addition to a Microsoft Entra ID P2 or Microsoft Entra ID Governance license.

Note:
Access reviews capture a snapshot of access at the start of each review cycle. Any changes made during the review process will be reflected in the next review cycle. With each recurrence, Microsoft Entra PIM retrieves updated data on the users, resources, and reviewers involved in the review.

PIM Access Review

Discovery and Insights (preview)

If you're just beginning to use Privileged Identity Management (PIM) in Microsoft Entra ID to manage role assignments, the Discovery and Insights (preview) page is a great starting point. This feature provides an overview of who holds privileged roles in your organization and offers guidance on converting permanent role assignments into just-in-time assignments using PIM. You can also view and adjust permanent privileged role assignments directly from the Discovery and Insights (preview) page, which functions as both an analysis and action tool.

Microsoft recommends that organizations maintain two cloud-only emergency access accounts with permanent Global Administrator roles. These highly privileged accounts are not assigned to individuals but are reserved for emergency or "break glass" situations, such as when all other administrators are locked out. These accounts should be set up with Microsoft's emergency access account best practices.

Additionally, keep role assignments permanent if the user has a Microsoft account (e.g., an account used to sign in to services like Skype or Outlook.com). If multi-factor authentication is required for a user with a Microsoft account to activate a role, they may be locked out.

Discovery and Insights (preview)

Global Administrator role assignments. Discovery & Insights


Settings: This tab lists the Microsoft Entra ID roles together with their current role settings and any modifications made to them.

Entra ID Role Settings

Resource Audit: The Privileged Identity Management audit history shows all role assignments and activations for privileged roles over the past 30 days. To retain audit data beyond that default retention period, configure Azure Monitor diagnostic settings to route the directory audit logs to an Azure storage account or a Log Analytics workspace.

Entra ID PIM Resource Audit
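The same 30 days of history are available programmatically in the directory audit log, which is where you would build a detection rather than reading the portal. The block below is an added example for this article, not Microsoft's own code: with the Microsoft Graph PowerShell SDK it summarises everything the PIM service logged and then lists "Add member to role" events that were written directly to the directory instead of through PIM, which is the condition behind the "Roles are being assigned outside of Privileged Identity Management" alert. It assumes that PIM-brokered changes carry the initiating application name "MS-PIM" in the audit record.

```powershell
# Added example: review PIM audit activity and flag role assignments made outside PIM.
# Prerequisites: Install-Module Microsoft.Graph; sign in with a reader of the audit log.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All" -NoWelcome

$since = (Get-Date).ToUniversalTime().AddDays(-30).ToString("yyyy-MM-dd'T'HH:mm:ss'Z'")

# Everything logged by the PIM service: activations, assignments, approvals, settings changes.
$pimEvents = Get-MgAuditLogDirectoryAudit -All -Filter "loggedByService eq 'PIM' and activityDateTime ge $since"
$pimEvents | Group-Object ActivityDisplayName | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Role membership additions recorded by Core Directory, however they were initiated.
$roleAdds = Get-MgAuditLogDirectoryAudit -All `
    -Filter "loggedByService eq 'Core Directory' and activityDisplayName eq 'Add member to role' and activityDateTime ge $since"

# Assumption: changes brokered by PIM show the app "MS-PIM" as initiator; anything else bypassed PIM.
$outOfBand = $roleAdds | Where-Object { $_.InitiatedBy.App.DisplayName -ne "MS-PIM" }

$outOfBand | ForEach-Object {
    $actor = if ($_.InitiatedBy.User.UserPrincipalName) { $_.InitiatedBy.User.UserPrincipalName }
             else { $_.InitiatedBy.App.DisplayName }
    # The role name is carried as a JSON-quoted string in the modified properties of the target.
    $roleName = ($_.TargetResources | ForEach-Object { $_.ModifiedProperties } |
                 Where-Object DisplayName -eq "Role.DisplayName" | Select-Object -First 1).NewValue
    [pscustomobject]@{
        WhenUtc = $_.ActivityDateTime
        By      = $actor
        Target  = $_.TargetResources[0].UserPrincipalName
        Role    = if ($roleName) { $roleName.Trim('"') } else { "(unknown)" }
        Result  = $_.Result
    }
} | Sort-Object WhenUtc -Descending | Format-Table -AutoSize

"{0} role additions in the window, {1} not brokered by PIM" -f $roleAdds.Count, @($outOfBand).Count
```

Run on a schedule, the out-of-band list is the working set for the "Roles are being assigned outside of PIM" alert: each entry is either a permanent assignment to convert to an eligible one or a change to investigate.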

My audit: enables you to view your personal role activity.

Entra ID PIM my Audit


Validating Entra ID PIM Activation

Microsoft Entra Privileged Identity Management (PIM) streamlines the management of privileged access to resources in Microsoft Entra ID and other Microsoft online services such as Microsoft 365 and Microsoft Intune.

If you are designated as eligible for an administrative role, you must activate the role assignment when you need to perform privileged actions. When a role is activated, Microsoft Entra PIM temporarily assigns you the active role within seconds. Upon deactivation, either manually or when the activation period expires, Microsoft Entra PIM removes the active assignment just as quickly.

To activate a Microsoft Entra role, you can request activation by navigating to My roles in Privileged Identity Management. PIM is also accessible via the Azure mobile app (iOS | Android) for Microsoft Entra ID and Azure resource roles. Through the app, you can easily activate eligible assignments, request renewals for expiring roles, or track the status of pending requests.

To view and manage your roles, sign in to the Microsoft Entra admin center and search for Privileged Identity Management.

In the following example, the administrator has enabled the setting that restricts non-administrators' access to the Microsoft Entra admin center. In that case a regular user sees only the options shown below.


Microsoft Entra ID Admin Portal


Search for Microsoft Entra Privileged Identity management 
Microsoft Entra Privileged Identity management

Choose "My Roles" to activate the roles that are available.

PIM My Roles
Select "Microsoft Entra Roles," then activate a role from the eligible list. In this case, we will activate the Global Reader role.
Microsoft Entra Eligible Roles

Current Status of Active Assignments: There are no active assignments at the moment.

Entra PIM Active Assignments
When you select Activate, a banner appears stating that additional verification is required, because MFA is enforced for Global Reader activation. Click the banner to continue.
PIM Entra Role activation


MFA verification will be prompted unless you are signed in with strong authentication.
MFA Verification Prompt
The role can be activated at a later time by selecting the Custom activation start time checkbox and specifying the date and time. For the Global Reader role the maximum activation duration is set to 30 minutes, so you can select at most 30 minutes; administrators can configure up to 24 hours in the role settings. Enter a reason for the activation and choose Activate.

PIM Entra Role Activation


Because approval is required for Global Reader activation, the request is submitted to the approvers.

PIM Approval Submitted
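The activation you just performed in the portal is a roleAssignmentScheduleRequest with action selfActivate, and it can be driven from PowerShell, which is useful in runbooks and for testing your role settings end to end. The block below is an added example for this article, not Microsoft's own code: using the Microsoft Graph PowerShell SDK it checks that the signed-in user is eligible for Global Reader, submits an activation with the justification and ticket the policy requires, polls the request until the approver decides, shows the resulting active assignment instance, and finally deactivates. The justification and ticket values are constructed.

```powershell
# Added example: self-activate an eligible Global Reader assignment, wait for approval,
# inspect the active assignment, and deactivate it again.
# Prerequisites: Install-Module Microsoft.Graph; interactive sign-in must satisfy the role's MFA /
# authentication-context requirement, otherwise the request fails policy validation.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "RoleEligibilitySchedule.Read.Directory", "User.Read" -NoWelcome

$meId = (Get-MgUser -UserId (Get-MgContext).Account).Id
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Reader'"

# selfActivate is only valid when an eligibility schedule exists for this principal and role.
$eligible = Get-MgRoleManagementDirectoryRoleEligibilitySchedule `
    -Filter "principalId eq '$meId' and roleDefinitionId eq '$($role.Id)'"
if (-not $eligible) { throw "No eligible assignment for $($role.DisplayName)" }

$request = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter @{
    Action           = "selfActivate"
    PrincipalId      = $meId
    RoleDefinitionId = $role.Id
    DirectoryScopeId = "/"
    Justification    = "Read-only review of sign-in logs (constructed justification)"
    TicketInfo       = @{ TicketNumber = "INC0001"; TicketSystem = "ServiceNow" }   # informational only
    ScheduleInfo     = @{
        StartDateTime = (Get-Date).ToUniversalTime()
        Expiration    = @{ Type = "afterDuration"; Duration = "PT30M" }   # must not exceed the role's maximum
    }
}

# Provisioned means active now; PendingApproval means an approver still has to decide (24-hour window).
$deadline = (Get-Date).AddMinutes(10)
do {
    "{0:HH:mm:ss} request {1}: {2}" -f (Get-Date), $request.Id, $request.Status
    if ($request.Status -notin "PendingApproval", "PendingProvisioning", "PendingAdminDecision") { break }
    Start-Sleep -Seconds 15
    $request = Get-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -UnifiedRoleAssignmentScheduleRequestId $request.Id
} while ((Get-Date) -lt $deadline)

if ($request.Status -ne "Provisioned") {
    # Still pending or denied: cancel a pending request rather than leaving it dangling.
    if ($request.Status -like "Pending*") {
        Stop-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -UnifiedRoleAssignmentScheduleRequestId $request.Id
    }
    throw "Activation did not complete: $($request.Status)"
}

# The active assignment instance is what the portal lists under Active assignments.
Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance `
    -Filter "principalId eq '$meId' and roleDefinitionId eq '$($role.Id)'" |
    Select-Object AssignmentType, StartDateTime, EndDateTime

# ... do the privileged work here, then give the role back instead of waiting for expiry.
New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter @{
    Action = "selfDeactivate"; PrincipalId = $meId; RoleDefinitionId = $role.Id; DirectoryScopeId = "/"
} | Select-Object Id, Status
```

The explicit deactivation at the end matters: the activation window is an upper bound, and a role that is handed back as soon as the task finishes shrinks the time an attacker with that session could use it.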

In Microsoft Entra Privileged Identity Management, you can view your submitted pending requests under "My Requests." If you wish to cancel a request, you can do so from this section.

PIM My requests
Now, let's log in as the approver. Navigate to Microsoft Entra Privileged Identity Management, then go to "Approve Requests."
PIM Approve Requests

In Approve Requests, choose Microsoft Entra Roles, since the request is for an Entra role.

Note: With Privileged Identity Management (PIM) in Microsoft Entra ID, you can configure roles to require approval for activation and assign one or more users or groups as delegated approvers. Delegated approvers have 24 hours to approve requests. If a request isn't approved within that 24-hour window, the eligible user will need to submit a new request. The 24-hour approval window is not configurable.

PIM Request for Role Activations

Review the request and decide whether to approve or deny it. The request shows the requesting user, the time of the request, the activation start and end time, the reason given for access, and the requested role.

The approver needs to provide a justification for the approval and then select "Confirm."
PIM Approver justification


Now, let's switch back to the user and validate the activation status. Once the approval is complete, the user will be able to see their role as active in the "Active Assignments" tab in PIM.

If you wish to deactivate an activated role, you can do so by selecting the "Deactivate" button on the active role.

PIM Active Assignments
Note: When a role is assigned, the assignment:
  • Cannot be set for a duration of less than five minutes.
  • Cannot be removed within five minutes of being assigned.

The following email notification will be sent to the end-user when they are added to Entra Roles using PIM.
PIM Entra Role Assigned End user Notification

The following email notification will be sent to the Admin user when users are added to Entra Roles using PIM.
PIM Entra Role Assigned Admin Notification

The screenshot below shows the approval email notification sent to the approver assigned for the activation of that specific Entra role.

PIM Request for Approval ,Notification

The following screenshot displays the approval completion notification sent to the Requester & Approver

PIM Entra Role Approval Completed

The following email notification will be sent to the requester once their role is activated using PIM.

Entra PIM Role Activated Notification

The following email notification is sent to the administrators once a user's role is activated through PIM.
Entra PIM Role Activated Admin Notification

Extend or Renew Microsoft Entra Role Assignments in PIM

Microsoft Entra Privileged Identity Management (PIM) provides tools to manage the access and assignment lifecycle for roles in Microsoft Entra ID. Administrators can assign roles with defined start and end dates. 

The following screenshot shows roles configured with an expiration limit. Assignments can have a maximum duration of one year, which forces periodic review and renewal of elevated permissions.
PIM with Expiring Assignments

As the assignment end date approaches, PIM sends email notifications to the affected users or groups, as well as to Microsoft Entra administrators, ensuring access is appropriately maintained. Assignments may be renewed and remain visible in an expired state for up to 30 days, even if the access is not extended.

Sample expiry Notification email shown below,
PIM Entra Role Expiry Warning email Notification
Only Global Administrators or Privileged Role Administrators have the ability to extend or renew Microsoft Entra role assignments. 
PIM Entra Role Admin Extend-Update
Below Screenshot shows Admin Initiated Extension option:
PIM Entra Role Admin Extend Option
Users or groups whose roles are nearing expiration can request an extension, and for already expired roles they can request a renewal. PIM notifies administrators and the affected users or groups 14 days and one day before the assignment expires, and again when it has expired.
PIM Entra Role Expiry Notification


User Initiating Role Extension: The screenshot below demonstrates how a user initiates a role extension request. 
PIM Entra Role User Extend Option

User Requesting Extension with Justification: The screenshot below shows a user requesting an extension of their role assignment. The user must supply a justification, which gives the approving administrator the context to decide whether continued access is appropriate.

User Requesting Extension with Justification
When a user or group requests an extension or renewal for an expiring or expired role, administrators are notified. Once an administrator approves or denies the request, all other administrators are informed of the decision, and the requesting user or group is notified of the outcome.

Extension Request Received from User: The following screenshot displays the extension request submitted by a user. It highlights the details of the request, including the provided justification, allowing administrators to review and approve or deny the request based on organizational requirements and security policies.
PIM Extension Request Received from User

Admin Approving the request with justification
PIM Admin Approving the request with justification


Entra Role Extension Completed: The screenshot below shows the user's role after the extension has been applied, with the updated expiration date. The Extend option is now greyed out because the assignment is no longer close to expiring, so no further extension can be requested until nearer the new end date.

Entra Role Extension Completed
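The self-service extension above maps to an eligibility schedule request with action selfExtend (selfRenew for an assignment that has already expired). The block below is an added example for this article, not Microsoft's own code: with the Microsoft Graph PowerShell SDK it finds the signed-in user's eligible Entra role assignments that end within the next 14 days, the window in which PIM starts sending expiry warnings, and submits an extension request for each with a justification. The justification text and the 90-day extension length are placeholders; the request still has to be approved by a Global Administrator or Privileged Role Administrator.

```powershell
# Added example: request self-service extension of eligible Entra role assignments
# that expire within 14 days.
# Prerequisites: Install-Module Microsoft.Graph; run as the user who holds the eligible assignments.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "RoleEligibilitySchedule.Read.Directory", "User.Read" -NoWelcome

$meId   = (Get-MgUser -UserId (Get-MgContext).Account).Id
$cutoff = (Get-Date).ToUniversalTime().AddDays(14)

# Permanent eligibility has no EndDateTime, so it is skipped; only time-bound ones can expire.
$expiring = Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter "principalId eq '$meId'" |
    Where-Object { $_.ScheduleInfo.Expiration.EndDateTime -and $_.ScheduleInfo.Expiration.EndDateTime -lt $cutoff }

if (-not $expiring) { "No eligible assignments expire before $($cutoff.ToString('u'))"; return }

foreach ($schedule in $expiring) {
    $role = Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $schedule.RoleDefinitionId
    "Requesting extension of {0} (currently ends {1:u})" -f $role.DisplayName, $schedule.ScheduleInfo.Expiration.EndDateTime

    # TargetScheduleId ties the request to the existing eligibility being extended.
    $req = New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter @{
        Action           = "selfExtend"
        PrincipalId      = $meId
        RoleDefinitionId = $schedule.RoleDefinitionId
        DirectoryScopeId = $schedule.DirectoryScopeId
        TargetScheduleId = $schedule.Id
        Justification    = "Ongoing audit support through next quarter (constructed)"
        ScheduleInfo     = @{
            StartDateTime = (Get-Date).ToUniversalTime()
            Expiration    = @{ Type = "afterDuration"; Duration = "P90D" }   # capped by the role's assignment setting
        }
    }
    # Expect a pending status until a Global Administrator or Privileged Role Administrator decides.
    "  request {0}: {1}" -f $req.Id, $req.Status
}
```

Administrators approve or deny these requests from Approve Requests as shown earlier; an administrator extending on the user's behalf uses the same cmdlet with action adminExtend instead.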

Conclusion

Managing privileged access effectively is essential for securing critical resources in any organization, and Microsoft Entra ID PIM offers a comprehensive solution to achieve this. In this first part, we explored the Entra role-based features of PIM, emphasizing how just-in-time access, approval workflows, and auditing can enhance security while maintaining flexibility.

As we continue this series, Part 2 will delve into how PIM can be used to manage Azure resources, extending privileged access management beyond identities. Part 3 will focus on PIM for Groups and Access Reviews, demonstrating how these features help streamline governance and ensure that access rights remain appropriate over time.

Stay tuned as we explore these additional capabilities and how they further strengthen your organization’s security posture.
