Microsoft Entra ID · Privileged Identity Management
PIM Approver
Designated as approver for PIM role activation requests. Can approve or deny activation requests but cannot modify PIM settings.
Scope: Role activation approval authority for designated roles
Permissions
- Approvals - Approve or deny role activation requests
- Requests - View pending activation requests
- Justification - Provide approval justification
- Request Details - View activation request details and context
- Notifications - Receive notification of pending approvals
- Limitation - Cannot modify PIM settings or configurations
- Limitation - Cannot grant or revoke role eligibility
Common use cases
- Manager approval for subordinate access elevation
- Security team approval for sensitive roles
- Compliance-required approval workflows
- Separation of duties enforcement
- Change management approval integration
- Emergency access approval authority
Best practices
- Assign multiple approvers for redundancy
- Set reasonable approval SLAs
- Configure backup approvers for availability
- Review approval history periodically
- Document approval decision criteria
- Ensure approvers understand role scope
- Coordinate with role owners on approval policies
- Set up mobile notifications for urgent approvals
Security considerations
- Approvers control access to privileged roles
- Ensure approvers are appropriate for role scope
- Monitor for rubber-stamp approval patterns
- Review approver assignments regularly
- Consider multiple approvers for critical roles
- Alert on approval without justification review
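
The rubber-stamp and missing-justification checks from the list above, as an added example that is not part of the original page or of Microsoft's tooling. The record layout, the sample decisions and all thresholds are constructed assumptions, not the Entra audit-log schema.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample decisions (hypothetical layout, not the Entra audit schema).
# Fields: (approver, requested_at, decided_at, result, justification)
SAMPLE = [
    ("alice", "2024-05-01T09:00:00", "2024-05-01T09:00:08", "Approved", "ok"),
    ("alice", "2024-05-01T11:30:00", "2024-05-01T11:30:05", "Approved", ""),
    ("alice", "2024-05-02T14:10:00", "2024-05-02T14:10:12", "Approved", "approved"),
    ("bob",   "2024-05-01T09:05:00", "2024-05-01T09:19:00", "Approved", "Matches open change request"),
    ("bob",   "2024-05-02T10:00:00", "2024-05-02T10:07:30", "Denied",   "No change request on file"),
    ("bob",   "2024-05-03T16:00:00", "2024-05-03T16:11:00", "Approved", "Confirmed with role owner"),
    ("carol", "2024-05-03T08:00:00", "2024-05-03T08:00:20", "Approved", "Verified change window with requester"),
]

MIN_REVIEW_SECONDS = 30  # assumption: a faster decision means details were not reviewed
MIN_DECISIONS = 3        # assumption: skip approvers with too little history to judge
FAST_RATIO = 0.8         # assumption: share of fast approvals that counts as a pattern
BOILERPLATE = {"", ".", "ok", "approved", "lgtm"}  # assumption: non-informative text


def find_findings(records):
    """Return (per-decision alerts, approvers showing a rubber-stamp pattern)."""
    alerts = []
    stats = defaultdict(lambda: {"total": 0, "approved": 0, "fast": 0})
    for approver, requested, decided, result, justification in records:
        s = stats[approver]
        s["total"] += 1
        if result != "Approved":
            continue
        s["approved"] += 1
        elapsed = (datetime.fromisoformat(decided)
                   - datetime.fromisoformat(requested)).total_seconds()
        if elapsed < MIN_REVIEW_SECONDS:
            s["fast"] += 1
        # Per-decision alert: approval carries no meaningful justification.
        if justification.strip().lower() in BOILERPLATE:
            alerts.append((approver, requested, "no meaningful justification"))
    # Pattern: enough history, never denies, and nearly all approvals are near-instant.
    rubber_stamp = sorted(
        a for a, s in stats.items()
        if s["total"] >= MIN_DECISIONS
        and s["approved"] == s["total"]
        and s["fast"] / s["approved"] >= FAST_RATIO
    )
    return alerts, rubber_stamp


if __name__ == "__main__":
    print(find_findings(SAMPLE))
```

Tune the thresholds per role: an approver flagged here is a prompt to review their assignment, not proof of negligence.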