PIM for Microsoft Entra Roles
Privileged Identity Management (PIM) for Microsoft Entra Roles is a critical feature within Microsoft Entra ID (formerly Azure AD) that enables organizations to manage, control, and monitor access to privileged roles. It follows the principle of least privilege by providing just-in-time (JIT) privileged access rather than persistent standing assignments. Key aspects of PIM for Microsoft Entra Roles include:
- **Just-in-Time Access:** Instead of granting permanent administrative roles, PIM allows users to activate roles only when needed for a specified duration. This significantly reduces the attack surface by minimizing the time users hold elevated privileges.
- **Eligible vs. Active Assignments:** PIM distinguishes between eligible assignments (where users can activate the role when needed) and active assignments (where users have persistent access). Eligible assignments are preferred as they require explicit activation.
- **Approval Workflows:** Organizations can configure approval requirements for role activation. Designated approvers must review and approve activation requests before access is granted, adding an additional layer of security.
- **Time-Bound Access:** Role activations are time-limited, meaning privileges automatically expire after a configured period, eliminating the risk of forgotten elevated access.
- **Audit and Review:** PIM provides comprehensive audit logs tracking who activated which roles, when, and for what reason. Access reviews can be configured to periodically validate whether role assignments are still necessary.
- **Notifications and Alerts:** Administrators receive notifications when roles are activated, and alerts are triggered for suspicious activities such as redundant role assignments or roles that haven't been used.
- **Multi-Factor Authentication:** PIM can enforce MFA during role activation, ensuring that even if credentials are compromised, an additional verification step is required.
- **Integration with Identity Governance:** PIM integrates seamlessly with access reviews, entitlement management, and lifecycle workflows, enabling automated governance policies that ensure compliance and reduce administrative overhead.
PIM supports roles such as Global Administrator, Security Administrator, and other Microsoft Entra directory roles, making it essential for organizations implementing zero-trust security strategies and maintaining regulatory compliance.
Privileged Identity Management (PIM) for Microsoft Entra Roles
Why PIM for Microsoft Entra Roles Is Important
In any organization, privileged roles such as Global Administrator, Exchange Administrator, or Security Administrator grant extensive access to sensitive resources and configurations. If these roles are permanently assigned, the attack surface increases significantly. A compromised account with a standing privileged role assignment can cause catastrophic damage. Privileged Identity Management (PIM) for Microsoft Entra Roles addresses this risk by enforcing the principle of least privilege and just-in-time (JIT) access. It ensures that users only have elevated permissions when they genuinely need them, and only for a limited duration.
From a compliance perspective, PIM provides a full audit trail of who activated which role, when, and why. This is essential for meeting regulatory requirements and passing security audits. For the SC-300 exam, understanding PIM is critical because it sits at the intersection of identity governance, zero trust, and privileged access management — all core themes of the exam.
What Is PIM for Microsoft Entra Roles?
Privileged Identity Management (PIM) is a feature within Microsoft Entra ID (formerly Azure AD) that allows organizations to manage, control, and monitor access to privileged roles. Specifically, PIM for Microsoft Entra Roles focuses on directory-level roles such as:
- Global Administrator
- User Administrator
- Security Administrator
- Exchange Administrator
- Privileged Role Administrator
- And many more built-in and custom Entra roles
PIM introduces two key assignment types:
1. Eligible Assignment: The user does not have the role actively. They must go through an activation process to use it. This is the core of just-in-time access.
2. Active Assignment: The user has the role assigned and active without needing to activate it. This can still be time-bound.
PIM requires a Microsoft Entra ID P2 (or Microsoft Entra ID Governance) license.
How PIM for Microsoft Entra Roles Works
The lifecycle of PIM for Entra Roles involves several stages:
Step 1: Assignment
A Privileged Role Administrator or Global Administrator assigns a user (or group) as eligible for a role. The assignment can be permanent-eligible (no end date) or time-bound eligible (with a start and end date). At this point, the user does NOT have the role permissions.
Step 2: Activation
When the user needs the privileged role, they navigate to PIM in the Microsoft Entra admin center (or My Access portal) and request activation. During activation, the following can be enforced:
- Maximum activation duration: Typically between 30 minutes and 24 hours (default is 8 hours). The administrator configures the maximum allowed duration, and the user can choose a duration up to that maximum.
- Justification: The user may be required to provide a reason for activation.
- Ticket information: The user may need to supply a ticket number linked to a change request or incident.
- Multi-Factor Authentication (MFA): MFA can be required on activation, ensuring an additional layer of verification.
- Approval: One or more designated approvers may need to approve the activation request before the role becomes active.
- Conditional Access authentication context: You can require a specific authentication context (Conditional Access policy) at activation time.
Step 3: Active Role Usage
Once activated (and approved, if required), the user has the role for the configured duration. They can perform administrative tasks associated with that role. When the duration expires, the role is automatically deactivated.
Step 4: Deactivation
The role is removed automatically after the activation period expires. The user can also manually deactivate the role early if they no longer need it.
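The four lifecycle stages above, driven from Microsoft Graph PowerShell, as an added example that is not part of the original page. The user principal name, the role chosen (Security Administrator), the ticket number and the durations are assumed placeholders; the cmdlets and request shapes are those of the Microsoft Graph PowerShell SDK. Steps 2 and 4 are self-service actions, so they must be run while signed in as the eligible user, not as the administrator who made the assignment.

```powershell
# Added example (not from the original page): the PIM lifecycle for a Microsoft Entra
# role via Microsoft Graph PowerShell. UPN, role, ticket and durations are assumed.
Import-Module Microsoft.Graph.Identity.Governance, Microsoft.Graph.Users

Connect-MgGraph -Scopes "RoleEligibilitySchedule.ReadWrite.Directory",
                        "RoleAssignmentSchedule.ReadWrite.Directory",
                        "RoleManagement.Read.Directory", "User.Read.All"

# Resolve the role by display name instead of hard-coding its template ID.
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Security Administrator'"
$user = Get-MgUser -UserId "alice@contoso.example"   # assumed eligible user

# Step 1: Assignment (run as Privileged Role Administrator). The user becomes
# ELIGIBLE for 90 days; no role permissions are granted at this point.
$eligible = @{
    action           = "adminAssign"
    principalId      = $user.Id
    roleDefinitionId = $role.Id
    directoryScopeId = "/"          # tenant-wide scope
    justification    = "Security Administrator eligibility for on-call rotation"
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = "afterDuration"; duration = "P90D" }   # time-bound eligible
    }
}
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $eligible

# Step 2: Activation (run as the eligible user). Requests the role for 2 hours
# with a justification and ticket; MFA, approval and authentication context
# requirements from the role settings are enforced by the service here.
$activate = @{
    action           = "selfActivate"
    principalId      = $user.Id
    roleDefinitionId = $role.Id
    directoryScopeId = "/"
    justification    = "Investigate INC-12345: suspicious sign-ins"
    ticketInfo       = @{ ticketNumber = "INC-12345"; ticketSystem = "ServiceNow" }   # assumed
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = "afterDuration"; duration = "PT2H" }
    }
}
$request = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $activate
$request.Status   # e.g. "Provisioned", or "PendingApproval" when approval is required

# Step 3: Active role usage. Confirm the activated instance and when it expires.
Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance `
    -Filter "principalId eq '$($user.Id)' and roleDefinitionId eq '$($role.Id)'" |
    Select-Object AssignmentType, StartDateTime, EndDateTime

# Step 4: Deactivation. The role drops off automatically after PT2H; an eligible
# user who finishes early can hand it back immediately.
$deactivate = @{
    action           = "selfDeactivate"
    principalId      = $user.Id
    roleDefinitionId = $role.Id
    directoryScopeId = "/"
}
New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $deactivate
```

The `expiration.type` value controls the assignment kind: `afterDuration` or `afterDateTime` gives a time-bound assignment, while `noExpiration` on an eligibility request produces a permanent-eligible assignment that still requires activation every time.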
Key PIM Role Settings
For each Entra role, administrators can configure the following settings:
- Activation maximum duration: How long the role can remain active per activation (0.5 to 24 hours).
- Require MFA on activation: Forces the user to complete MFA before the role is granted.
- Require justification on activation: User must explain why they need the role.
- Require ticket information on activation: User must provide a ticket or incident number.
- Require approval to activate: Designate one or more approvers who must approve the activation request.
- Assignment settings: Whether permanent eligible assignments are allowed, whether permanent active assignments are allowed, and the maximum duration for each.
- Notification settings: Configure email notifications for role assignments, activations, and approvals. Notifications can be sent to the admin, the end user, and additional recipients.
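The settings in this list map to rules on the role's PIM policy, which can be set through Microsoft Graph. The following is an added example, not from the original page, that hardens Global Administrator the way the settings above describe: a 2-hour activation maximum, MFA plus justification plus ticket information on activation, a single designated approver, and email notifications to a security mailbox on every activation. The approver's UPN and the mailbox address are assumed placeholders; the rule IDs (`Expiration_EndUser_Assignment`, `Enablement_EndUser_Assignment`, `Approval_EndUser_Assignment`, `Notification_Admin_EndUser_Assignment`) are the Graph policy rule identifiers.

```powershell
# Added example (not from the original page): configure PIM role settings for a
# Microsoft Entra role via Microsoft Graph PowerShell. Approver and mailbox are assumed.
Connect-MgGraph -Scopes "RoleManagementPolicy.ReadWrite.Directory",
                        "RoleManagement.Read.Directory", "User.Read.All"

$role     = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Administrator'"
$approver = Get-MgUser -UserId "secmgr@contoso.example"    # assumed approver

# Each role has exactly one PIM policy bound to it at the tenant scope "/".
$policyAssignment = Get-MgPolicyRoleManagementPolicyAssignment `
    -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$($role.Id)'"
$policyId = $policyAssignment.PolicyId

# All end-user activation rules share the same target block.
$endUserTarget = @{
    "@odata.type"       = "microsoft.graph.unifiedRoleManagementPolicyRuleTarget"
    caller              = "EndUser"
    operations          = @("All")
    level               = "Assignment"
    inheritableSettings = @()
    enforcedSettings    = @()
}

# Activation maximum duration: 2 hours instead of the 8-hour default.
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId "Expiration_EndUser_Assignment" -BodyParameter @{
        "@odata.type"        = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"
        id                   = "Expiration_EndUser_Assignment"
        isExpirationRequired = $true
        maximumDuration      = "PT2H"
        target               = $endUserTarget
    }

# Require MFA, justification and ticket information on activation.
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId "Enablement_EndUser_Assignment" -BodyParameter @{
        "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule"
        id            = "Enablement_EndUser_Assignment"
        enabledRules  = @("MultiFactorAuthentication", "Justification", "Ticketing")
        target        = $endUserTarget
    }

# Require approval to activate, with one designated approver and a 1-day timeout.
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId "Approval_EndUser_Assignment" -BodyParameter @{
        "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule"
        id            = "Approval_EndUser_Assignment"
        setting       = @{
            "@odata.type"                    = "microsoft.graph.approvalSettings"
            isApprovalRequired               = $true
            isApprovalRequiredForExtension   = $false
            isRequestorJustificationRequired = $true
            approvalMode                     = "SingleStage"
            approvalStages                   = @(@{
                "@odata.type"                   = "microsoft.graph.unifiedApprovalStage"
                approvalStageTimeOutInDays      = 1
                isApproverJustificationRequired = $true
                escalationTimeInMinutes         = 0
                isEscalationEnabled             = $false
                escalationApprovers             = @()
                primaryApprovers                = @(@{
                    "@odata.type" = "#microsoft.graph.singleUser"
                    userId        = $approver.Id
                    description   = "Security manager"
                    isBackup      = $false
                })
            })
        }
        target        = $endUserTarget
    }

# Notification: email the security team on every activation, in addition to the
# default admin recipients.
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId "Notification_Admin_EndUser_Assignment" -BodyParameter @{
        "@odata.type"              = "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule"
        id                         = "Notification_Admin_EndUser_Assignment"
        notificationType           = "Email"
        recipientType              = "Admin"
        notificationLevel          = "All"
        isDefaultRecipientsEnabled = $true
        notificationRecipients     = @("secops@contoso.example")   # assumed mailbox
        target                     = $endUserTarget
    }

# Read the policy back to verify what is now enforced for this role.
Get-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId |
    Format-List Id, AdditionalProperties
```

Each role has its own policy, so these updates affect only Global Administrator; repeat the loop per role (or iterate over `Get-MgPolicyRoleManagementPolicyAssignment -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole'"`) to apply a baseline across all privileged roles.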
Access Reviews in PIM
PIM integrates with Access Reviews to periodically review whether users still need their eligible or active role assignments. This is a governance mechanism that ensures role assignments do not become stale over time. Access reviews can be configured to:
- Run on a recurring schedule (weekly, monthly, quarterly, annually)
- Be reviewed by the users themselves (self-review), managers, or specific reviewers
- Automatically remove access if the reviewer does not respond or denies continued access
Alerts and Audit
PIM provides built-in alerts for risky configurations, such as:
- Too many Global Administrators
- Roles being assigned outside of PIM
- Eligible assignments that are never activated (stale assignments)
- Potential stale role assignments
All PIM activities are logged in the Microsoft Entra audit logs, providing a full trail for compliance and forensic purposes. Audit logs capture who made the assignment, who activated, who approved, and when roles expired.
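Two checks a security team can script against the data behind these alerts and logs, as an added example that is not from the original page: first, enumerate standing (permanent active, non-PIM-activated) Global Administrator assignments and warn when they exceed a local threshold, which is the condition behind the "too many Global Administrators" alert; second, pull the last week of PIM activation and outside-of-PIM assignment events from the directory audit log. The threshold value is an assumed local policy, and the `ActivityDisplayName` patterns matched are as they appear in PIM audit entries; verify them against your own tenant's log before relying on them.

```powershell
# Added example (not from the original page): standing-admin inventory and PIM
# audit review via Microsoft Graph PowerShell. Threshold and name patterns are assumed.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "AuditLog.Read.All", "Directory.Read.All"

$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Administrator'"

# Every currently active assignment for the role, including activated eligible ones.
$instances = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -All `
    -Filter "roleDefinitionId eq '$($role.Id)'"

# AssignmentType 'Activated' = JIT through PIM. 'Assigned' with no EndDateTime =
# permanent active, i.e. standing access that PIM is meant to eliminate.
$standing = @($instances | Where-Object { $_.AssignmentType -eq 'Assigned' -and -not $_.EndDateTime })

$report = foreach ($i in $standing) {
    $principal = Get-MgDirectoryObject -DirectoryObjectId $i.PrincipalId
    [pscustomobject]@{
        Principal     = $principal.AdditionalProperties['displayName']
        ObjectType    = $principal.AdditionalProperties['@odata.type'] -replace '#microsoft.graph.', ''
        MemberType    = $i.MemberType        # Direct, or Group when inherited via a role-assignable group
        StartDateTime = $i.StartDateTime
    }
}
$report | Format-Table -AutoSize

# Assumed local policy: break-glass accounts are expected here, anything beyond
# them deserves a ticket. PIM's built-in alert watches the same condition.
$maxStanding = 2
if ($standing.Count -gt $maxStanding) {
    Write-Warning "$($standing.Count) standing Global Administrator assignments (limit $maxStanding)"
}

# PIM events from the last 7 days: activations, and roles assigned outside PIM.
$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
Get-MgAuditLogDirectoryAudit -All `
    -Filter "loggedByService eq 'PIM' and activityDateTime ge $since" |
    Where-Object { $_.ActivityDisplayName -like '*PIM activation*' -or
                   $_.ActivityDisplayName -like '*outside of PIM*' } |
    Select-Object ActivityDateTime, ActivityDisplayName, Result,
        @{n = 'Actor'; e = { $_.InitiatedBy.User.UserPrincipalName }},
        @{n = 'Role';  e = { ($_.TargetResources | Where-Object Type -eq 'Role').DisplayName }} |
    Sort-Object ActivityDateTime -Descending
```

The audit query filters on `loggedByService eq 'PIM'` server-side and matches activity names client-side, so a renamed activity shows up as a missing row rather than a failed query; listing the distinct `ActivityDisplayName` values once per tenant is a quick way to confirm the patterns.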
PIM for Groups
An important related concept is PIM for Groups (also called Privileged Access Groups). Instead of making individual users eligible for a role, you can create a role-assignable group, assign the Entra role to the group, and then use PIM to manage eligible membership or ownership of that group. When a user activates their group membership, they inherit the roles assigned to the group. This simplifies management at scale.
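The three steps described above (create a role-assignable group, assign the Entra role to it, manage membership eligibility through PIM), as an added example that is not from the original page. Group name, mail nickname, the role used (Exchange Administrator), the user principal name and the eligibility duration are assumed placeholders.

```powershell
# Added example (not from the original page): PIM for Groups via Microsoft Graph
# PowerShell. Group name, role, UPN and duration are assumed placeholders.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "RoleManagement.ReadWrite.Directory",
                        "PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup", "User.Read.All"

# isAssignableToRole can only be set when the group is created, never afterwards.
$group = New-MgGroup -DisplayName "PIM-ExchangeAdmins" -MailNickname "pim-exchangeadmins" `
    -SecurityEnabled -MailEnabled:$false -IsAssignableToRole `
    -Description "Role-assignable group; membership is granted just-in-time through PIM"

$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Exchange Administrator'"

# Assign the Entra role to the group. This is a standing assignment on the group
# object; the least-privilege control is that the group has no standing members.
New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $group.Id `
    -RoleDefinitionId $role.Id -DirectoryScopeId "/"

# Make a user ELIGIBLE for membership for 180 days. They inherit the role only
# while their membership is activated; accessId "owner" works the same way for ownership.
$user = Get-MgUser -UserId "bob@contoso.example"   # assumed UPN
$eligibility = @{
    accessId      = "member"
    principalId   = $user.Id
    groupId       = $group.Id
    action        = "adminAssign"
    justification = "Eligible Exchange Administrator via PIM for Groups"
    scheduleInfo  = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = "afterDuration"; duration = "P180D" }
    }
}
New-MgIdentityGovernancePrivilegedAccessGroupEligibilityScheduleRequest -BodyParameter $eligibility

# Verify: the eligibility exists, but the group still has no members.
Get-MgIdentityGovernancePrivilegedAccessGroupEligibilitySchedule -Filter "groupId eq '$($group.Id)'" |
    Select-Object PrincipalId, AccessId, StartDateTime, EndDateTime
Get-MgGroupMember -GroupId $group.Id   # empty until a user activates
```

Activation, MFA, justification, approval and notification settings for the group are configured on the group's own PIM policy (scopeType `Group`), separately from the role's policy, so the same hardening applied to a role must also be applied to the group for the control to hold.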
Key Concepts to Remember for SC-300
- PIM provides just-in-time privileged access, not just-in-time regular access.
- Eligible means the user CAN activate the role; Active means the role is already granted.
- PIM requires Microsoft Entra ID P2 licensing.
- The Privileged Role Administrator role is required to manage PIM settings and assignments (along with Global Administrator).
- MFA, justification, approval, and ticket information are all configurable per role.
- Access Reviews can be used alongside PIM to periodically validate role assignments.
- PIM audit logs capture the full lifecycle of role assignments and activations.
- Activation duration is configurable and temporary — roles automatically expire.
- PIM can be used for both Microsoft Entra roles and Azure resource roles (these are separate scopes in PIM).
Exam Tips: Answering Questions on PIM for Microsoft Entra Roles
1. Distinguish Eligible vs. Active: Many exam questions test whether you understand the difference. If a question asks how to ensure a user does NOT have standing administrative access, the answer involves making them eligible (not active) for the role.
2. Know the licensing requirement: PIM requires Microsoft Entra ID P2. If a scenario mentions an organization with only P1 or free licenses, PIM is not available.
3. Understand approval workflows: If a question describes a scenario where a manager must approve before an admin can use a role, you need to configure Require approval to activate in the PIM role settings and designate the manager as an approver.
4. MFA on activation: Questions may ask how to add an extra layer of security when a user activates a privileged role. The answer is to require MFA on activation in the PIM role settings. Note that with Conditional Access integration, you may also see questions about authentication context.
5. Maximum activation duration: If the question states that an admin should only have Global Administrator access for a maximum of 2 hours, you configure the activation maximum duration to 2 hours in the role settings.
6. Access Reviews + PIM: Exam questions may combine PIM with access reviews. If a question asks how to ensure that eligible role assignments are periodically validated, the answer is to configure an access review targeting the PIM role assignments.
7. Notifications: If a question asks how to alert a security team when someone activates a sensitive role, the answer involves configuring PIM notification settings to send emails to the security team on role activation.
8. Alerts: If a question describes an organization that wants to detect when too many users are permanently assigned to Global Administrator, PIM's built-in alerts address this scenario.
9. PIM for Groups vs. Direct Role Assignment: If a scenario involves managing PIM for a large number of users who need the same role, PIM for Groups (Privileged Access Groups) is the most efficient approach. Make the group role-assignable, assign the Entra role to the group, and then manage group membership eligibility through PIM.
10. Scope of PIM: Remember that PIM covers both Microsoft Entra roles and Azure resource roles. Exam questions will specify which scope is being discussed. Entra roles govern directory-level operations; Azure resource roles govern Azure subscriptions, resource groups, and resources.
11. Who can manage PIM? The Privileged Role Administrator can manage PIM for Entra roles. The Global Administrator can also manage PIM. Regular users cannot configure PIM settings — they can only activate roles they are eligible for.
12. Read the scenario carefully: Many PIM questions present a scenario and ask which setting to configure. Pay close attention to keywords like approval, justification, time-limited, periodic review, and notification — each maps to a specific PIM configuration option.
13. Permanent vs. Time-bound: Questions may test whether you know that eligible assignments can be permanent (no expiry on the eligibility) while still requiring activation each time. A permanently eligible user still needs to activate the role — they just don't lose their eligibility. This is different from a permanently active assignment, where the role is always on.
14. Emergency access accounts: Best practice is to have at least one emergency (break-glass) account with a permanent active Global Administrator assignment that is excluded from PIM activation requirements and Conditional Access policies. Exam questions may test this scenario.