Microsoft Entra Privileged Identity Management (PIM) optimizes the management of privileged roles for Microsoft Azure and Microsoft 365 resources, which improves the security standards of cloud services. An additional feature is Just-in-Time authorization, where a user is granted elevated privileges only for the period in which they are actually needed. This minimizes the risk of misuse and unauthorized access.

This guide explains how a user can apply for a Microsoft Entra role or Microsoft Azure role for a specific period of time and how an administrator can efficiently manage these requests.

Prerequisites and Licensing

For the Microsoft Entra Privileged Identity Management (PIM) feature, one of the following licenses is required:

  • Microsoft Entra ID P2
  • Enterprise Mobility + Security E5

An overview of Microsoft 365 license packages with their features can be found at https://m365maps.com.

In order to have the authority to approve or deny requests for Microsoft Entra roles or Microsoft Azure roles, it is necessary to be a member of one of the following Microsoft Entra roles:

  • Global Administrator
  • Privileged Role Administrator

The basic configuration of Microsoft Entra Privileged Identity Management (PIM) must already be complete. The instructions for the configuration can be found here.

User Activation of Microsoft Entra roles or Microsoft Azure roles

Every user has the ability to independently activate their assigned Microsoft Entra roles or Microsoft Azure roles. This can be done by the user in the Microsoft Entra admin center or via the Microsoft Authenticator App.

Activation in the Microsoft Entra Admin Center

The user interface of Microsoft Entra Privileged Identity Management (PIM) is seamlessly integrated into the Microsoft Entra admin center (https://entra.microsoft.com). Through this intuitively designed interface, users can request privileged Microsoft Entra roles or Microsoft Azure roles.

Open the user interface in the Microsoft Entra admin center (https://entra.microsoft.com) > Identity governance > Privileged Identity Management > My Roles.

The available roles are shown under Microsoft Entra roles (1) > Eligible assignments or Azure resources (2) > Eligible assignments.

Select the desired role by clicking Activate.

The additional details for the role are shown for editing and can be filled out.

  1. The start time for the role is specified at Custom activation start time. If the role is to be active immediately after approval, this option must be deactivated.
  2. Specify the duration. The maximum duration was set in the basic configuration of the role.
  3. Ticket information
  4. Reason for requesting the role. This is communicated to the approver.

After clicking Activate, the activations are checked. If the permissions were activated without a custom start time, the website is automatically reloaded. This allows the permissions to be applied immediately.

After the request has been approved or denied, a corresponding notification is sent via email.

The end time of a Microsoft Entra role (1) or Microsoft Azure role (2) is shown under Active assignments.
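
The same activation request can be submitted from a script. The following is an added example, not part of the original guide: it uses the Microsoft Graph PowerShell SDK to look up one eligible Microsoft Entra role and self-activate it with the four fields from the form above (start time, duration, ticket information, reason). The role name, ticket values, duration and justification are placeholders, and the example covers Microsoft Entra roles only, not Azure resource roles.

```powershell
# Added example: self-activate an eligible Microsoft Entra role through Microsoft Graph.
# Assumptions: the Microsoft.Graph module is installed; all values marked
# "placeholder" must be replaced with values from your own tenant and ticket system.
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Identity.Governance

Connect-MgGraph -Scopes 'User.Read', 'RoleManagement.ReadWrite.Directory'

$roleName = 'Exchange Administrator'                 # placeholder role name
$me       = Get-MgUser -UserId (Get-MgContext).Account

# Equivalent of "My Roles > Microsoft Entra roles > Eligible assignments"
$eligible = Get-MgRoleManagementDirectoryRoleEligibilitySchedule `
        -Filter "principalId eq '$($me.Id)'" -ExpandProperty RoleDefinition |
    Where-Object { $_.RoleDefinition.DisplayName -eq $roleName } |
    Select-Object -First 1

if (-not $eligible) {
    throw "No eligible assignment for role '$roleName' found for $($me.UserPrincipalName)."
}

$params = @{
    action           = 'selfActivate'
    principalId      = $me.Id
    roleDefinitionId = $eligible.RoleDefinitionId
    directoryScopeId = $eligible.DirectoryScopeId
    # 4. Reason for requesting the role (shown to the approver)
    justification    = 'Placeholder: mailbox migration for change CHG-0000'
    scheduleInfo     = @{
        # 1. Start time: "now" corresponds to leaving the custom start time deactivated
        startDateTime = (Get-Date).ToUniversalTime()
        # 2. Duration in ISO 8601 format; must not exceed the maximum set for the role
        expiration    = @{ type = 'AfterDuration'; duration = 'PT2H' }
    }
    # 3. Ticket information
    ticketInfo       = @{
        ticketNumber = 'CHG-0000'                    # placeholder
        ticketSystem = 'Placeholder ticket system'
    }
}

$request = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $params

# Status shows whether the role is already active or still waiting for an approver
$request | Select-Object Id, Status, CreatedDateTime
```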

Activation with the Microsoft Authenticator App

The Microsoft Authenticator App, available for iOS and Android, allows for a convenient activation of Microsoft Entra roles or Microsoft Azure roles directly via the mobile device.

The available roles are shown in the Microsoft Authenticator App under Privileged Identity Management > Manage my roles > Microsoft Entra roles (1) or Microsoft Azure roles (2).

Click on the desired role.

Click on Activate under action.

The additional details for the role are shown for editing and can be filled out.

  1. The start time for the role is specified at Activation start time. If the role is to be active immediately after approval, this option must be deactivated.
  2. Specify the duration. The maximum duration was set in the basic configuration of the role.
  3. Ticket information
  4. Reason for requesting the role. This is communicated to the approver.

After the Activate button has been clicked, the activations are checked.

After the request has been approved or denied, a corresponding notification is sent via email.

The end time of a Microsoft Entra role or Microsoft Azure role is shown under Privileged Identity Management > Manage my roles > Microsoft Entra roles or Microsoft Azure roles > Active.

Approve or deny requests for activation of Microsoft Entra roles or Microsoft Azure roles

The request can be further processed in the Microsoft Entra admin center or in the Microsoft Authenticator App.

Microsoft Entra admin center

As soon as a Microsoft Entra role or Microsoft Azure role is requested, all approval-eligible administrators are notified. If no specific administrators were set during the basic configuration of the role, all users with the following Microsoft Entra roles receive a notification:

  • Global Administrator
  • Privileged Role Administrator

By simply clicking on Approve or deny, the request can be processed immediately.

Microsoft Entra Privileged Identity Management now shows all pending requests for approval for Microsoft Entra roles and Microsoft Azure roles. These pending requests can either be approved or denied.

The decision on whether the request is approved or denied will be communicated to the requester via email.

Microsoft Authenticator App

The Microsoft Authenticator App, available for iOS and Android, allows for a convenient approval or denial of Microsoft Entra roles or Microsoft Azure roles directly from the mobile device.

The pending requests are shown in the Microsoft Authenticator App under Privileged Identity Management > Approve Requests > Microsoft Entra roles or Microsoft Azure roles.

Select request

Select role

Select Approve

Fill out the reason for approval and click Approve.

The request has been successfully approved.

The decision on whether the request is approved or denied will be communicated to the requester via email.

