
🧩 Part 7: Privileged Identity Management

  • Writer: Bjørnar Aassveen
  • 4 days ago
  • 2 min read

Secure rights when you need them


Why PIM?


In many organizations, users have permanent privileges that they rarely need—such as global administrator, SharePoint admin, or Intune admin. This increases the risk of errors, abuse, and attacks.


Privileged Identity Management (PIM) in Microsoft Entra ID lets you grant temporary access to sensitive roles, with authorization, notification, and logging. You get just-in-time access, better security, and full visibility.


šŸ” What is PIM?


PIM is a feature in Entra ID that allows you to:

  • Make roles eligible instead of permanent

  • Require activation before use

  • Add approval, MFA and justifications

  • Get notifications and log all activations


šŸ§‘ā€šŸ’¼ PIM for roles


This is the classic use of PIM: You make a user eligible for a role (e.g. Exchange Administrator), and the user must activate the role when it is needed.

Example:


  • Ola is made eligible for the role "SharePoint Administrator"

  • When he needs access, he activates the role in the Entra portal

  • He may have to provide justification, approval and/or MFA

  • The access lasts for e.g. 4 hours, and is logged


👥 PIM for groups


PIM can also be used for groups, which is especially useful when many roles need to be assigned together.


What's the difference?

| Feature | PIM for Roles | PIM for Groups |
| --- | --- | --- |
| User gets | One role | All rights the group has |
| Area of use | Single roles | Whole rights packages |
| Typical use | Admin roles | Project roles, DevOps, security groups |
| Benefit | Precise control | Scalability and easy administration |

When should you use PIM for groups?


Use PIM for groups when:

  • Multiple users need the same set of rights

  • You want to delegate access management

  • You want to combine roles and resource access in one package


Example:

You have a group "Project X Admins" that has:

  • Teams ownership

  • SharePoint editing

  • Entra role: Teams Administrator

Users activate membership in the group via PIM

They gain all access in one operation – and automatically lose it afterwards
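The two flows described above (a user made eligible for a directory role and then self-activating it, and a user made eligible for membership in a PIM-enabled group) map to three Microsoft Graph requests. The block below is an added example, not code from the original post or from Microsoft: it builds the request bodies for the `roleEligibilityScheduleRequests`, `roleAssignmentScheduleRequests` and group `eligibilityScheduleRequests` endpoints and sends them through a pluggable `post` function, so the bodies can be inspected or tested without a tenant. The principal, role-definition and group ids are placeholders; the 90-day eligibility window and 4-hour activation are constructed values, and the activation helper refuses to build a request without a justification.

```python
"""Build and submit Microsoft Entra PIM requests via Microsoft Graph (added example)."""
import json
import urllib.request
from datetime import datetime, timedelta, timezone
from typing import Any, Callable, Dict

GRAPH = "https://graph.microsoft.com/v1.0"

# Graph endpoints for the three operations discussed in the post.
ENDPOINTS = {
    "role_eligibility": f"{GRAPH}/roleManagement/directory/roleEligibilityScheduleRequests",
    "role_activation": f"{GRAPH}/roleManagement/directory/roleAssignmentScheduleRequests",
    "group_eligibility": f"{GRAPH}/identityGovernance/privilegedAccess/group/eligibilityScheduleRequests",
}


def _iso_utc(dt: datetime) -> str:
    """Graph expects ISO 8601 timestamps in UTC with a trailing Z."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def _schedule(days: int) -> Dict[str, Any]:
    """Eligibility that starts now and ends after `days` (constructed default: 90)."""
    now = datetime.now(timezone.utc)
    return {
        "startDateTime": _iso_utc(now),
        "expiration": {"type": "afterDateTime", "endDateTime": _iso_utc(now + timedelta(days=days))},
    }


def role_eligibility_request(principal_id: str, role_definition_id: str,
                             justification: str, days: int = 90) -> Dict[str, Any]:
    """Admin makes `principal_id` eligible (not permanently assigned) for a role, tenant-wide."""
    return {
        "action": "adminAssign",
        "justification": justification,
        "roleDefinitionId": role_definition_id,
        "directoryScopeId": "/",          # "/" = whole tenant; narrow this for scoped roles
        "principalId": principal_id,
        "scheduleInfo": _schedule(days),
    }


def group_eligibility_request(principal_id: str, group_id: str,
                              justification: str, days: int = 90) -> Dict[str, Any]:
    """Admin makes `principal_id` eligible for membership in a PIM-enabled group."""
    return {
        "accessId": "member",
        "action": "adminAssign",
        "justification": justification,
        "groupId": group_id,
        "principalId": principal_id,
        "scheduleInfo": _schedule(days),
    }


def activation_request(principal_id: str, role_definition_id: str,
                       justification: str, hours: int = 4) -> Dict[str, Any]:
    """User self-activates an eligible role for `hours` (constructed default: 4)."""
    if not justification.strip():
        raise ValueError("PIM activation requires a justification")
    if hours <= 0:
        raise ValueError("activation duration must be positive")
    return {
        "action": "selfActivate",
        "principalId": principal_id,
        "roleDefinitionId": role_definition_id,
        "directoryScopeId": "/",
        "justification": justification,
        "scheduleInfo": {
            "startDateTime": _iso_utc(datetime.now(timezone.utc)),
            # ISO 8601 duration; access is removed automatically when it elapses.
            "expiration": {"type": "afterDuration", "duration": f"PT{hours}H"},
        },
    }


def graph_post(url: str, body: Dict[str, Any], token: str) -> Dict[str, Any]:
    """Send a JSON POST to Graph with a bearer token obtained elsewhere (e.g. MSAL)."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def submit(kind: str, body: Dict[str, Any], token: str,
           post: Callable[[str, Dict[str, Any], str], Dict[str, Any]] = graph_post) -> Dict[str, Any]:
    """Route a request body to its endpoint; `post` is injectable for offline testing."""
    return post(ENDPOINTS[kind], body, token)


if __name__ == "__main__":
    # Placeholder ids; replace with real object ids from your tenant.
    body = activation_request("<user-object-id>", "<role-definition-id>", "Ticket INC-1042")
    print(json.dumps(body, indent=2))
```

The eligibility requests need a privileged-role administrator's token, while the activation request is sent with the eligible user's own token; whether the activation then waits for approval or MFA is decided by the role's PIM policy, not by anything in the request body.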


Best practices

  • Use PIM for roles when there are few users and specific roles

  • Use PIM for groups when you have many users with similar needs

  • Require approval and justification for sensitive roles

  • Monitor activations and use alerts

  • Combine with Access Reviews for regular assessment
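"Monitor activations and use alerts" is the point most often left to the portal's built-in mails. The block below is an added example, not code from the original post, of the kind of review an operations team can run over exported PIM audit events. The events are constructed samples; the assumption is that they mirror the Microsoft Graph `auditLogs/directoryAudits` shape, with the PIM completion event named "Add member to role completed (PIM activation)" and the justification carried under `additionalDetails`. It flags activations of a constructed set of sensitive roles, activations without a justification, and activations outside a constructed 07:00-19:00 UTC window, and counts activations per user so unusual volumes stand out.

```python
"""Review PIM activation audit events for risky patterns (added example)."""
from collections import Counter
from datetime import datetime
from typing import Any, Dict, List, Tuple

# Assumption: this is the activityDisplayName Entra writes when an activation completes.
ACTIVATION_COMPLETED = "Add member to role completed (PIM activation)"

# Constructed policy: roles whose activation should always be reviewed.
SENSITIVE_ROLES = {"Global Administrator", "Privileged Role Administrator", "Security Administrator"}

# Constructed sample events shaped like Graph directoryAudit records.
SAMPLE_AUDIT: List[Dict[str, Any]] = [
    {
        "activityDisplayName": ACTIVATION_COMPLETED,
        "activityDateTime": "2025-05-12T09:15:00Z",
        "category": "RoleManagement",
        "initiatedBy": {"user": {"userPrincipalName": "ola@contoso.example"}},
        "targetResources": [{"type": "Role", "displayName": "SharePoint Administrator"}],
        "additionalDetails": [{"key": "Justification", "value": "Ticket INC-1042"}],
    },
    {
        "activityDisplayName": ACTIVATION_COMPLETED,
        "activityDateTime": "2025-05-12T10:02:00Z",
        "category": "RoleManagement",
        "initiatedBy": {"user": {"userPrincipalName": "kari@contoso.example"}},
        "targetResources": [{"type": "Role", "displayName": "Global Administrator"}],
        "additionalDetails": [{"key": "Justification", "value": "Tenant configuration change"}],
    },
    {
        "activityDisplayName": ACTIVATION_COMPLETED,
        "activityDateTime": "2025-05-12T02:40:00Z",
        "category": "RoleManagement",
        "initiatedBy": {"user": {"userPrincipalName": "ola@contoso.example"}},
        "targetResources": [{"type": "Role", "displayName": "Exchange Administrator"}],
        "additionalDetails": [{"key": "Justification", "value": ""}],
    },
    {   # Unrelated event: must be ignored by the review.
        "activityDisplayName": "Add user",
        "activityDateTime": "2025-05-12T11:00:00Z",
        "category": "UserManagement",
        "initiatedBy": {"user": {"userPrincipalName": "kari@contoso.example"}},
        "targetResources": [{"type": "User", "displayName": "new.user@contoso.example"}],
        "additionalDetails": [],
    },
]


def _justification(event: Dict[str, Any]) -> str:
    for detail in event.get("additionalDetails", []):
        if detail.get("key") == "Justification":
            return (detail.get("value") or "").strip()
    return ""


def _role_name(event: Dict[str, Any]) -> str:
    for target in event.get("targetResources", []):
        if target.get("type") == "Role":
            return target.get("displayName", "")
    return ""


def review_activations(events: List[Dict[str, Any]],
                       business_hours: Tuple[int, int] = (7, 19)
                       ) -> Tuple[List[Dict[str, Any]], Counter]:
    """Return (findings, activations per user) for completed PIM activations."""
    findings: List[Dict[str, Any]] = []
    per_user: Counter = Counter()
    for event in events:
        if event.get("activityDisplayName") != ACTIVATION_COMPLETED:
            continue
        upn = event["initiatedBy"]["user"]["userPrincipalName"]
        role = _role_name(event)
        per_user[upn] += 1
        reasons = []
        if role in SENSITIVE_ROLES:
            reasons.append("sensitive role")
        if not _justification(event):
            reasons.append("missing justification")
        # Timestamps are UTC; the "Z" replacement keeps fromisoformat happy on older Pythons.
        hour = datetime.fromisoformat(event["activityDateTime"].replace("Z", "+00:00")).hour
        if not business_hours[0] <= hour < business_hours[1]:
            reasons.append("outside business hours")
        if reasons:
            findings.append({"user": upn, "role": role,
                             "time": event["activityDateTime"], "reasons": reasons})
    return findings, per_user


if __name__ == "__main__":
    found, counts = review_activations(SAMPLE_AUDIT)
    for f in found:
        print(f"{f['time']} {f['user']} activated {f['role']!r}: {', '.join(f['reasons'])}")
    print("activations per user:", dict(counts))
```

In production the events come from `GET /auditLogs/directoryAudits?$filter=category eq 'RoleManagement'` or from the Entra audit export in your SIEM; the same rules then feed an alert rather than a printout, and the per-user counts are the natural input for the Access Review step mentioned above.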


Limitations

  • Requires Microsoft Entra ID P2

  • Not all roles support PIM (but most do)

  • PIM for groups requires that the group is enabled for PIM and that it is used for access management


🚀 Next Steps

In the next and final post, we’ll look at holistic access management in practice – how you can combine all the tools we’ve looked at in the series to build a secure, efficient, and automated identity platform.


Bjørnar&AI
