Microsoft Entra ID · Privileged Identity Management
PIM Administrator
Manages all aspects of Privileged Identity Management: role settings, eligible and active assignments, approval workflows, alerts and PIM for Groups. In Microsoft Entra ID the built-in role that carries this capability is Privileged Role Administrator; this page uses "PIM Administrator" as the label for that role's PIM scope. Because the holder can create or change assignments for any Entra role, including Global Administrator, it is a Tier 0 role.
Scope: Full Privileged Identity Management configuration and governance
Permissions
- PIM - Full PIM management
- PIM Settings - Configure PIM settings for all Entra roles
- Approvals - Approve or deny role activation requests
- Workflows - Configure approval workflows and approvers
- Activation - Set activation requirements (MFA, justification, ticket)
- Duration - Configure activation duration limits
- Audit - Review PIM audit logs and history
- Role Assignments - Manage eligible and active role assignments
- Notifications - Configure notifications for role activations
- Alerts - Set up PIM alerts and thresholds
- PIM for Groups - Manage PIM for Groups settings
Common use cases
- Just-in-time access implementation
- Role activation workflow management
- Privileged access governance
- Approval process configuration
- PIM policy standardization
- Activation alerting configuration
- Emergency access procedure setup
- Compliance audit support
Best practices
- Limit holders to two or three named people
- Make this role itself eligible-only through PIM, with no standing active assignment
- Review activation patterns regularly: who activates, how often, at what hours, and whether each activation has a matching ticket or justification
- Configure alerts on activations of sensitive roles (Global Administrator, Privileged Role Administrator, Privileged Authentication Administrator) and route them to the SOC
- Require MFA and justification on activation for every role; require ticket information where a change process exists
- Keep maximum activation duration short (hours, not days) and require eligible assignments to expire rather than allowing them to be permanent
- Configure at least two approvers for critical roles so approval never depends on one person; a requester cannot approve their own request
- Document PIM policies and procedures, including who may change role settings and how such a change is reviewed
- Export PIM activation history to a SIEM or Log Analytics workspace; the portal retains it only for a limited time
- Test emergency (break-glass) access regularly and confirm those accounts do not depend on PIM approval or on Conditional Access policies that could lock them out
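The settings the practices above ask for (MFA and justification on activation, short activation windows, expiring eligibility, two or more approvers on critical roles) are all readable from the PIM role management policies. The following script is an added example, not code from the original page or from Microsoft: it walks every tenant-scope directory role policy with the Microsoft Graph PowerShell SDK and reports roles that miss one of those checks. The critical-role list, the 8-hour threshold and the use of `AdditionalProperties` to reach the rule-specific fields are this example's assumptions.

```powershell
# Added example: review PIM role settings for every Entra directory role.
# Requires Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Identity.DirectoryManagement.
# Assumption: the caller holds a role permitted to read role management policies.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "RoleManagementPolicy.Read.Directory" -NoWelcome

# Roles expected to carry an approval stage with at least two approvers (example choice).
$criticalRoles = @("Global Administrator", "Privileged Role Administrator",
                   "Privileged Authentication Administrator", "Security Administrator",
                   "Exchange Administrator", "User Administrator")
$maxActivationHours = 8   # example threshold for "short" activation

# Map role template IDs (the roleDefinitionId used by PIM policies) to display names.
$roleNames = @{}
Get-MgDirectoryRoleTemplate -All | ForEach-Object { $roleNames[$_.Id] = $_.DisplayName }

# One policy assignment per role at tenant scope ("/").
$assignments = Get-MgPolicyRoleManagementPolicyAssignment -All `
    -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole'"

$findings = foreach ($a in $assignments) {
    $name = $roleNames[$a.RoleDefinitionId]
    if (-not $name) { $name = $a.RoleDefinitionId }

    # Rule IDs are fixed strings such as Expiration_EndUser_Assignment; the
    # rule-type specific fields arrive in AdditionalProperties (assumption).
    $rules = @{}
    Get-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $a.PolicyId -All |
        ForEach-Object { $rules[$_.Id] = $_.AdditionalProperties }

    $enabled = @($rules["Enablement_EndUser_Assignment"].enabledRules)   # MFA / Justification / Ticketing
    $maxAct  = $rules["Expiration_EndUser_Assignment"].maximumDuration  # ISO 8601, e.g. PT8H
    $eligExp = $rules["Expiration_Admin_Eligibility"].isExpirationRequired
    $appr    = $rules["Approval_EndUser_Assignment"].setting
    $apprReq = [bool]$appr.isApprovalRequired
    $nApprovers = 0
    foreach ($stage in @($appr.approvalStages)) { $nApprovers += @($stage.primaryApprovers).Count }

    $issues = @()
    if ($enabled -notcontains "MultiFactorAuthentication") { $issues += "no MFA on activation" }
    if ($enabled -notcontains "Justification")             { $issues += "no justification on activation" }
    if ($maxAct) {
        $hours = [System.Xml.XmlConvert]::ToTimeSpan($maxAct).TotalHours
        if ($hours -gt $maxActivationHours) { $issues += "activation window $maxAct exceeds ${maxActivationHours}h" }
    }
    if (-not $eligExp) { $issues += "permanent eligible assignments allowed" }
    if ($criticalRoles -contains $name) {
        if (-not $apprReq)         { $issues += "critical role without approval" }
        elseif ($nApprovers -lt 2) { $issues += "critical role with fewer than two approvers" }
    }
    if ($issues) { [pscustomobject]@{ Role = $name; Issues = ($issues -join "; ") } }
}

$findings | Sort-Object Role | Format-Table -AutoSize
```

Run it from a PIM-activated session before and after any role-setting change; an empty result is the expected state, and every row is a deviation to either fix or document as an accepted exception.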
Security considerations
- Can create permanent active assignments to any Entra role, including Global Administrator, which bypasses just-in-time controls entirely; a compromised holder is a tenant compromise
- Can remove approval, MFA, justification and ticket requirements from any role's activation settings
- Can change activation and assignment duration settings for all roles, including lengthening the activation window and allowing permanent eligibility
- Tier 0 role: hold it only through PIM with approval, MFA and a short activation window, and protect its holders with dedicated admin accounts and phishing-resistant MFA
- Monitor the audit logs for changes to PIM role settings and treat every change without a matching ticket as an incident
- Alert on new or removed eligible assignments and on any active or permanent assignment made outside of PIM
- Audit all PIM configuration modifications, reverting and investigating any that are unexplained
- Require approval by a second person for activation of this role; PIM does not let a requester approve their own request
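The monitoring items above map to PIM activities in the Entra audit log. The script below is an added example, not from the original page or from Microsoft: it pulls the last 24 hours of audit events, keeps the PIM-logged ones, and tags those that indicate a role-setting change, a permanent or out-of-band assignment, or an eligible-assignment change. The `activityDisplayName` strings are assumptions taken from how PIM names its audit activities; confirm them against the tenant's own logs before wiring the output into an alert.

```powershell
# Added example: surface PIM configuration and assignment changes from the Entra audit log.
# Requires Microsoft.Graph.Reports and the AuditLog.Read.All scope (assumption: caller may read audit logs).
Connect-MgGraph -Scopes "AuditLog.Read.All" -NoWelcome

function Get-PimChangeEvents {
    param([int]$LookbackHours = 24)

    # Activity names grouped by the security consideration they cover (assumed strings; verify in your tenant).
    $watch = @{
        "role setting changed"         = @("Update role setting in PIM")
        "active/permanent assignment"  = @("Add member to role in PIM completed (permanent)",
                                           "Add member to role in PIM completed (timebound)",
                                           "Add member to role outside of PIM (permanent)")
        "eligible assignment changed"  = @("Add eligible member to role in PIM completed (permanent)",
                                           "Add eligible member to role in PIM completed (timebound)",
                                           "Remove eligible member from role in PIM completed")
    }

    $since = (Get-Date).ToUniversalTime().AddHours(-$LookbackHours).ToString("yyyy-MM-ddTHH:mm:ssZ")
    # Filter by time server-side; narrow to the PIM service client-side so the query
    # does not depend on server-side filter support for loggedByService.
    $events = Get-MgAuditLogDirectoryAudit -All -Filter "activityDateTime ge $since" |
        Where-Object { $_.LoggedByService -eq "PIM" }

    foreach ($e in $events) {
        $category = ($watch.GetEnumerator() |
            Where-Object { $_.Value -contains $e.ActivityDisplayName } |
            Select-Object -First 1).Key
        if (-not $category) { continue }

        # Target resources carry the role and the principal the change applied to.
        $targets = ($e.TargetResources | ForEach-Object { "$($_.Type):$($_.DisplayName)" }) -join " / "
        $actor = $e.InitiatedBy.User.UserPrincipalName
        if (-not $actor) { $actor = $e.InitiatedBy.App.DisplayName }   # service principal or app

        [pscustomobject]@{
            Time     = $e.ActivityDateTime
            Category = $category
            Activity = $e.ActivityDisplayName
            Actor    = $actor
            Targets  = $targets
            Result   = $e.Result
        }
    }
}

Get-PimChangeEvents -LookbackHours 24 | Sort-Object Time | Format-Table -AutoSize
```

Each row should correlate with a change ticket or an approved activation; a "role setting changed" or "active/permanent assignment" row with no ticket, or one whose actor is not a known PIM Administrator, is the case the considerations above tell you to investigate.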