Microsoft Entra Privileged Identity Management (PIM) manages and monitors access to Azure roles. Access to Azure resources and Microsoft online services is on-demand and time-restricted.
Users can request privileged roles online. An administrator can approve or deny the request afterwards. The role removes automatically after the specified duration expires.

Microsoft Entra Privileged Identity Management (PIM) can minimize the following risks:

  • Number of users and their authorization duration on privileged roles are reduced to a minimum
  • Users are better protected against accidental compromise of sensitive data. (no unnecessary privileged roles when they are not needed).
  • Attackers do not get privileged access

This guide configures Microsoft Entra Privileged Identity Management (PIM) for Azure AD and Azure Roles.

Prerequisites and Licensing

For Microsoft Entra Privileged Identity Management (PIM), one of the following licenses is required:

  • Microsoft Entra ID P2
  • Enterprise Mobility + Security E5

An overview of Microsoft 365 license packages with their features can be found at https://m365maps.com.

Microsoft Entra Privileged Identity Dashboard

The Microsoft Entra Privileged Identity Management (PIM) dashboard is located in the Azure Portal (https://portal.azure.com). All options for Microsoft Entra Privileged Identity Management (PIM) are configured from this dashboard.

In the All services menu, under the category Identity, select the Microsoft Entra Privileged Identity Management resource.

Sponsored Links

Microsoft Entra Privileged Identity Management: Onboarding for Microsoft Entra roless

Configuring Microsoft Entra roles Settings

View the default values of a role and customize them according to company policies.

To do this, open the settings under Microsoft Entra roles > Settings and select the role.

All displayed values can be adjusted via “Edit”.

The example below shows a customized configuration for the Intune Administrator role:

  1. Maximum activation time of active assignment of the role to a user.
  2. Multi-factor authentication is required for role activation.
  3. When applying for the permit, a justification must be given.
  4. A support ticket number for activation is required.
  5. The release is confirmed by another user (4-eyes principle).
    If multiple users or user groups are approved for role activation, confirmation of one user is sufficient to complete the request.
    If no users or user groups are selected, the approval request is sent to all global administrators and privileged role administrator.
  1. Time period in which a user can request an Microsoft Entra role.
  2. Time period during which a user can have an Microsoft Entra role enabled.
  3. Multi-factor authentication is required for role activation.
  4. Justification is required for active assignments.

Under “Notification” additional recipients of notifications are added. If no additional recipients are added, the following people will receive the notification

  • Requester (user)
  • global administrators
  • privileged role administrator

Assign permission for Microsoft Entra roles

Users must be authorized to obtain an Microsoft Entra roles via Microsoft Entra Privileged Identity Management (PIM). Built-in as well as custom Microsoft Entra roles can be assigned.

To assign Microsoft Entra roles, go to Microsoft Entra roles > roles > Add assignments.

Select Azure AD Rolle (1) and assign it (2).
The assignment can be made to users and user groups.
The Scope type can be restricted for some roles, e.g. for the “User Administrator” role (3).

Select the assignment type (1).

  • Eligible: User must actively request the role
  • Active: Role is assigned to the user permantly

The second part specifies the duration of the authorization (2).
For the indication of the duration it is important to understand the following:

Eligible
The duration specifies how long the user can request the Microsoft Entra role. The period specified here does not affect the maximum time the role is actively assigned. This period is specified in the properties of the role, which is described in the chapter Configuring Entra role settings.

Active
The Microsoft Entra role is automatically assigned to the user in the specified time period.

Microsoft Entra Privileged Identity Management: Onboarding for Azure Roles

Preparing Azure Roles for PIM

In order to manage Azure roles with Microsoft Entra Privileged Identity Management (PIM), the subscription for PIM must first be prepared.

Azure resources > Discover resources

Next, select the Azure Subscription, click Manage resource and confirm onboarding.

Assign permission for Azure roles

Just like assigning Microsoft Entra roles, users must be authorized for Azure roles. To assign an Azure role, select the subscription under “Privileged Identity Management” > “Azure resources” and then “Add assignment”.

The rest of the configuration is identical to the Microsoft Entra roles permission assignments and can be read here.


Follow me on LinkedIn and get informed about my latest posts.

Sponsored Links