Microsoft Entra Privileged Identity Management (PIM) simplifies administration of privileged access to resources in Azure and Microsoft 365. This enhances the security of cloud services. A user get priviliged access only for the period in which they are really necessary (Just-in-Time).

This guide shows how the user can request an Azure role for a specific period of time and how an administrator manages this request.

Prerequisites and Licensing

For the Microsoft Entra Privileged Identity Management (PIM) feature, one of the following licenses is required:

  • Microsoft Entra ID P2
  • Enterprise Mobility + Security E5

An overview of Microsoft 365 license packages with their features can be found at https://m365maps.com.

The basic configuration of Microsoft Entra Privileged Identity Management (PIM) is complete. The instructions for the configuration can be found here.

Microsoft Entra Privileged Identity Dashboard

The Microsoft Entra Privileged Identity Management (PIM) dashboard is located in the Azure Portal (https://portal.azure.com). From this dashboard, the user requests the privileged Microsoft Entra roles and Azure roles.

In the All services menu, under the category Identity, select the Microsoft Entra Privileged Identity Management resource.

Request an Microsoft Entra Role or Azure role by the user

Each user can independently request the Microsoft Entra roles or Azure roles assigned to them. Eligible roles are listed under My roles > Microsoft Entra roles or My roles > Azure resources.

Select the required role an click “Activate”.

The additional details for the role are displayed and can be filled in.

  1. The start time for the Azure role is specified at “Custom activation start time”. If the Azure role is to be active immediately after approval, this option must be deactivated.
  2. Specify the duration, the maximum duration has been adjunsted in the basic configuration of the role.
  3. Ticket information
  4. Reason for requesting the Azure role, this is communicated to the approver.

Simultaneously with the confirmation for the authorization request, the request is sent to all approvers by email.

After approval or rejection of the request by an approver, the applicant will be notified by email.

The roles with time of expiration are shown in Active assignments under Microsoft Entra roles or Azure resources.

Sponsored Links

Confirming a requested Microsoft Entra role or Azure role by an administrator

All approval-authorized accounts receive a notification as soon as an Azure role has been requested. If no explicit accounts were defined in the basic configuration of the role, all users with one of the following Azure AD permissions receive the notification:

  • global administrators
  • privileged role administrator

Click on Approve or deny request to process the request directly.

Microsoft Entra Privileged Identity Management (PIM) now displays Approve requests and all request for Microsoft Entra roles and Azure roles.
The request can be approved or denied.

The decision on approval or denial of the request is sent by email.

Show all active roles

All active roles are listed under Privileged Identity Management > Microsoft Entra roles or Privileged Identity Management > Azure resources.


Follow me on LinkedIn and get informed about my latest posts.

Sponsored Links