Microsoft Entra ID · Privileged Identity Management
PIM Approval
Workflow designation, not a Microsoft Entra role. PIM role settings name one or more users or groups as delegated approvers for activation requests.
Scope: Role activation approval authority for designated roles
Permissions
- Approvals - Approve or deny role activation requests
- Requests - View pending activation requests
- Justification - Provide approval justification
- Request Details - View activation request details and context
- Notifications - Receive notification of pending approvals
- Limitation - Cannot modify PIM settings or configurations
- Limitation - Cannot grant or revoke role eligibility
Common use cases
- Manager approval for subordinate access elevation
- Security team approval for sensitive roles
- Compliance-required approval workflows
- Separation of duties enforcement
- Change management approval integration
- Emergency access approval authority
Best practices
- Assign multiple approvers for redundancy
- Set reasonable approval SLAs
- Configure backup approvers for availability
- Review approval history periodically
- Document approval decision criteria
- Ensure approvers understand role scope
- Coordinate with role owners on approval policies
- Set up mobile notifications for urgent approvals
Security considerations
- Approvers control access to privileged roles
- Ensure approvers are appropriate for role scope
- Monitor for rubber-stamp approval patterns
- Review approver assignments regularly
- Consider multiple approvers for critical roles
- Alert on approval without justification review
Common questions
When should I assign the PIM Approval role?
Assign PIM Approval when you need to: Manager approval for subordinate access elevation; Security team approval for sensitive roles; Compliance-required approval workflows; Separation of duties enforcement; and Change management approval integration. It is part of Microsoft Entra ID and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the PIM Approval role do?
The PIM Approval role grants permissions including: Approvals - Approve or deny role activation requests; Requests - View pending activation requests; Justification - Provide approval justification; Request Details - View activation request details and context; Notifications - Receive notification of pending approvals; and Limitation - Cannot modify PIM settings or configurations. See the Permissions section above for the full list.
What are the security risks of the PIM Approval role?
Key considerations when assigning PIM Approval: Approvers control access to privileged roles; Ensure approvers are appropriate for role scope; Monitor for rubber-stamp approval patterns; and Review approver assignments regularly. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.