Identity & Access | ISO 27001 A.8.2

Eliminating Standing Privilege: A Governance Imperative for Microsoft 365

Permanent administrative access is the single largest blast radius in most Microsoft 365 tenants and a near-certain audit finding under ISO 27001, DORA, and Cyber Essentials. This guide provides the deployment sequence for Privileged Identity Management, from role analysis through approval workflows, giving management the evidence of least-privilege enforcement that assessors require.

INSIGHTS OF 2026

The Standing Privilege Problem

Here is a standard test for every tenant assessment: open the Entra ID portal, navigate to Roles and administrators, and count the number of users permanently assigned to Global Administrator. The average across typical assessments is seven. Seven users with 24/7/365 unrestricted access to every mailbox, every file, every identity in the organisation.

Now consider that 60% of breaches involve credential compromise. A single phished Global Admin credential - even with MFA, if using push-based methods vulnerable to fatigue attacks - gives an adversary complete tenant control. They can create backdoor accounts, disable security logging, exfiltrate mailboxes, and wipe audit trails.

Privileged Identity Management (PIM) eliminates this by converting permanent role assignments to eligible assignments that require explicit activation with MFA, justification, and optionally approval. The user has zero standing privileges until they activate, and the activation expires after a defined window.

Pre-Deployment Assessment

Before touching PIM configuration, audit your current state:

# Requires the Microsoft Graph PowerShell SDK, connected with read access to role assignments
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All"

# Get all active Global Admin members (permanent plus currently activated).
# Member attributes are returned in AdditionalProperties, not as top-level properties.
$gaRole = Get-MgDirectoryRole | Where-Object { $_.DisplayName -eq 'Global Administrator' }
Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id |
    Select-Object Id,
        @{ Name = 'DisplayName';       Expression = { $_.AdditionalProperties.displayName } },
        @{ Name = 'UserPrincipalName'; Expression = { $_.AdditionalProperties.userPrincipalName } }

# Get all permanent role assignments across all roles.
# Assignment schedules expose the assignment type and expiry; a permanent assignment is an
# active ("Assigned") schedule whose expiration type is noExpiration.
Get-MgRoleManagementDirectoryRoleAssignmentSchedule -All |
    Where-Object { $_.AssignmentType -eq 'Assigned' -and $_.ScheduleInfo.Expiration.Type -eq 'noExpiration' } |
    ForEach-Object {
        $role      = Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $_.RoleDefinitionId
        $principal = Get-MgDirectoryObject -DirectoryObjectId $_.PrincipalId
        [PSCustomObject]@{
            Role          = $role.DisplayName
            Principal     = $principal.AdditionalProperties.displayName
            PrincipalId   = $_.PrincipalId
            PrincipalType = $principal.AdditionalProperties.'@odata.type'   # user, group or servicePrincipal
        }
    }

Document every permanent assignment. For each, determine: Does this user need this role permanently, or can they activate on demand? In practice, over 90% of permanent assignments can be converted to eligible.

Role Configuration Strategy

Not all roles are equal. Configure PIM settings per role based on blast radius:

Tier 0 - Critical Roles (Global Admin, Exchange Admin, SharePoint Admin, Security Admin)

  • Maximum activation duration: 2 hours
  • Require justification on activation: Yes
  • Require approval: Yes - approval by a Security Operations team member
  • Require MFA on activation: Yes (enforce phishing-resistant via CA Authentication Strength)
  • Require ticket information: Yes - link to change request or incident ticket
  • Send notification on activation: Yes - email to SOC distribution list and push to Sentinel via diagnostic settings

Tier 1 - Sensitive Roles (User Admin, Groups Admin, Intune Admin, Compliance Admin)

  • Maximum activation duration: 4 hours
  • Require justification on activation: Yes
  • Require approval: No (self-service with audit trail)
  • Require MFA on activation: Yes
  • Require ticket information: Optional
  • Send notification on activation: Yes - email to IT management

Tier 2 - Operational Roles (Helpdesk Admin, Reports Reader, Message Centre Reader)

  • Maximum activation duration: 8 hours
  • Require justification on activation: Yes
  • Require approval: No
  • Require MFA on activation: Yes
  • Send notification on activation: No
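The tier settings above can be applied through the portal, but for repeatability across several roles it helps to set them with the Microsoft Graph PowerShell SDK. The following is an added example, not code from the article: it applies the Tier 0 activation settings (2-hour maximum, MFA plus justification plus ticket, approval by a Security Operations group) to each Tier 0 role, and also caps eligible assignments at 12 months so that none can be permanent. The approver group id is a placeholder; the role management policy rule ids used (Expiration_EndUser_Assignment, Enablement_EndUser_Assignment, Approval_EndUser_Assignment, Expiration_Admin_Eligibility) are the standard PIM rule ids.

```powershell
# Added example: apply Tier 0 PIM settings to a role via Microsoft Graph (not the article's code).
Connect-MgGraph -Scopes "RoleManagementPolicy.ReadWrite.Directory", "RoleManagement.Read.Directory"

$approverGroupId = "<object id of the Security Operations approver group>"   # placeholder

function Set-PimTier0RoleSettings {
    param([Parameter(Mandatory)][string]$RoleDisplayName)

    # Resolve the role definition, then the PIM policy bound to that role at tenant scope
    $role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$RoleDisplayName'"
    $policyAssignment = Get-MgPolicyRoleManagementPolicyAssignment `
        -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$($role.Id)'"
    $policyId = $policyAssignment.PolicyId

    # Rules targeting the eligible user at activation time ("EndUser" caller, "Assignment" level)
    $endUserTarget = @{
        caller = "EndUser"; operations = @("All"); level = "Assignment"
        inheritableSettings = @(); enforcedSettings = @()
    }

    # Maximum activation duration: 2 hours
    Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
        -UnifiedRoleManagementPolicyRuleId "Expiration_EndUser_Assignment" -BodyParameter @{
            "@odata.type"        = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"
            id                   = "Expiration_EndUser_Assignment"
            isExpirationRequired = $true
            maximumDuration      = "PT2H"
            target               = $endUserTarget
        }

    # Require MFA, justification and ticket information on activation
    Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
        -UnifiedRoleManagementPolicyRuleId "Enablement_EndUser_Assignment" -BodyParameter @{
            "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule"
            id            = "Enablement_EndUser_Assignment"
            enabledRules  = @("MultiFactorAuthentication", "Justification", "Ticketing")
            target        = $endUserTarget
        }

    # Require approval by members of the Security Operations group (one stage, one-day timeout)
    Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
        -UnifiedRoleManagementPolicyRuleId "Approval_EndUser_Assignment" -BodyParameter @{
            "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule"
            id            = "Approval_EndUser_Assignment"
            target        = $endUserTarget
            setting       = @{
                isApprovalRequired               = $true
                isApprovalRequiredForExtension   = $false
                isRequestorJustificationRequired = $true
                approvalMode                     = "SingleStage"
                approvalStages = @(@{
                    approvalStageTimeOutInDays      = 1
                    isApproverJustificationRequired = $true
                    escalationTimeInMinutes         = 0
                    isEscalationEnabled             = $false
                    primaryApprovers = @(@{
                        "@odata.type" = "#microsoft.graph.groupMembers"
                        groupId       = $approverGroupId
                    })
                    escalationApprovers = @()
                })
            }
        }

    # Eligible assignments must expire: no permanent eligibility, maximum 12 months
    Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
        -UnifiedRoleManagementPolicyRuleId "Expiration_Admin_Eligibility" -BodyParameter @{
            "@odata.type"        = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"
            id                   = "Expiration_Admin_Eligibility"
            isExpirationRequired = $true
            maximumDuration      = "P365D"
            target               = @{ caller = "Admin"; operations = @("All"); level = "Eligibility"
                                      inheritableSettings = @(); enforcedSettings = @() }
        }
}

# Apply to every Tier 0 role
"Global Administrator", "Exchange Administrator", "SharePoint Administrator", "Security Administrator" |
    ForEach-Object { Set-PimTier0RoleSettings -RoleDisplayName $_ }
```

Tier 1 and Tier 2 differ only in the values (PT4H or PT8H, approval off, ticketing optional), so the same function can be parameterised rather than duplicated. Run it against a test role first and confirm the result in the portal's role Settings page before touching Global Administrator.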

Step-by-Step Configuration

1. Enable PIM and Configure Role Settings

Navigate to Entra ID > Identity Governance > Privileged Identity Management > Microsoft Entra roles > Settings.

For each role, click the role name and configure:

  • Activation tab: Set maximum duration, require MFA, require justification, require ticket info, require approval (select approvers)
  • Assignment tab: Set "Allow permanent eligible assignment: No" and "Expire eligible assignments after: 12 months" (forces annual re-certification)
  • Notification tab: Configure email recipients for role activation, assignment, and approval events

2. Convert Permanent Assignments to Eligible

For each permanent assignment identified in the audit:

  1. Navigate to PIM > Microsoft Entra roles > Assignments
  2. Click the role, find the permanent member
  3. Click Update and change from "Permanently assigned" to "Eligible"
  4. Set an end date 12 months out

Critical: Do not convert all assignments simultaneously. Convert one role at a time, starting with the least critical. Validate that affected users can successfully activate before proceeding to the next role.

3. Configure Break-Glass Account Exceptions

Your break-glass accounts (see separate article) must retain permanent Global Admin assignment. PIM activation requires MFA, and break-glass accounts are designed for scenarios where MFA infrastructure is unavailable.

Document this exception in your risk register. Monitor break-glass account sign-ins via Sentinel (covered below).
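The conversion in step 2 and the break-glass exception in step 3 can be scripted so that the same rule is applied consistently for every role. The following is an added example, not code from the article: it handles one role at a time, in two phases that match the guidance above. Without -RemovePermanent it only grants a 12-month eligible assignment, leaving the permanent one in place until the admin has confirmed a test activation; with -RemovePermanent it removes the permanent assignment only where an eligible assignment already exists. The break-glass UPNs are placeholders, and non-user principals are reported rather than converted because service principals cannot activate through PIM.

```powershell
# Added example: two-phase conversion of permanent active assignments to eligible (not the article's code).
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "Directory.Read.All"

# Placeholders: replace with your documented break-glass account UPNs
$breakGlassUpns = @("breakglass1@contoso.example", "breakglass2@contoso.example")

function Convert-PermanentToEligible {
    param(
        [Parameter(Mandatory)][string]$RoleDisplayName,
        [switch]$RemovePermanent,
        [string]$Justification = "Standing privilege removal: converted to PIM eligible assignment"
    )
    $role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$RoleDisplayName'"

    # Permanent = active ("Assigned") schedule with no expiry, for this role
    $permanent = Get-MgRoleManagementDirectoryRoleAssignmentSchedule -All |
        Where-Object {
            $_.RoleDefinitionId -eq $role.Id -and
            $_.AssignmentType -eq 'Assigned' -and
            $_.ScheduleInfo.Expiration.Type -eq 'noExpiration'
        }

    foreach ($assignment in $permanent) {
        $principal = Get-MgDirectoryObject -DirectoryObjectId $assignment.PrincipalId
        $upn = $principal.AdditionalProperties.userPrincipalName

        # Break-glass accounts keep their permanent assignment (documented risk-register exception)
        if ($upn -in $breakGlassUpns) { Write-Host "Skipping break-glass account $upn"; continue }

        # Service principals and groups need their own review; PIM activation is for users
        if ($principal.AdditionalProperties.'@odata.type' -ne '#microsoft.graph.user') {
            Write-Warning "Non-user principal $($assignment.PrincipalId) holds $RoleDisplayName permanently; review separately"
            continue
        }

        if (-not $RemovePermanent) {
            # Phase 1: grant a 12-month eligible assignment; the permanent one stays until activation is tested
            Write-Host "Granting eligible $RoleDisplayName to $upn"
            $now = (Get-Date).ToUniversalTime()
            New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter @{
                action           = "adminAssign"
                justification    = $Justification
                roleDefinitionId = $role.Id
                directoryScopeId = "/"
                principalId      = $assignment.PrincipalId
                scheduleInfo     = @{
                    startDateTime = $now
                    expiration    = @{ type = "afterDateTime"; endDateTime = $now.AddMonths(12) }
                }
            } | Out-Null
        }
        else {
            # Phase 2: remove the permanent assignment only if eligibility is already in place
            $eligible = Get-MgRoleManagementDirectoryRoleEligibilitySchedule `
                -Filter "principalId eq '$($assignment.PrincipalId)' and roleDefinitionId eq '$($role.Id)'"
            if (-not $eligible) {
                Write-Warning "$upn has no eligible $RoleDisplayName assignment; not removing permanent access"
                continue
            }
            Write-Host "Removing permanent $RoleDisplayName from $upn"
            New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter @{
                action           = "adminRemove"
                justification    = $Justification
                roleDefinitionId = $role.Id
                directoryScopeId = "/"
                principalId      = $assignment.PrincipalId
            } | Out-Null
        }
    }
}

# Least critical role first: grant eligibility, have the admins test an activation, then remove
Convert-PermanentToEligible -RoleDisplayName "Reports Reader"
# ... after each affected admin has activated successfully ...
Convert-PermanentToEligible -RoleDisplayName "Reports Reader" -RemovePermanent
```

Every request carries a justification, so the conversion itself shows up in the audit log with a traceable reason, which is the evidence an assessor will ask for when reviewing how standing privilege was removed.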

4. Configure Access Reviews

Under PIM > Microsoft Entra roles > Access reviews, create recurring reviews:

  • Frequency: Quarterly for Tier 0, semi-annually for Tier 1, annually for Tier 2
  • Reviewers: Role assignees review their own access, with a fallback reviewer of the Security team
  • Auto-apply results: Yes - if a user does not respond, remove their eligible assignment
  • Scope: All eligible and active assignments

5. Enable Diagnostic Logging to Sentinel

Navigate to Entra ID > Diagnostic settings > Add diagnostic setting. Enable:

  • AuditLogs
  • SignInLogs
  • RiskyUsers
  • UserRiskEvents

Send to your Log Analytics workspace. Then create Sentinel analytics rules:

AuditLogs
| where OperationName == "Add member to role in PIM completed (permanent)"
| extend TargetUser = tostring(TargetResources[0].displayName)
// The role name is recorded as a modified property named Role.DisplayName; look it up by name
// rather than by array position, which is not guaranteed to be stable
| mv-apply Prop = TargetResources[0].modifiedProperties on (
    where tostring(Prop.displayName) == "Role.DisplayName"
    | project Role = trim('"', tostring(Prop.newValue))
  )
| extend Initiator = tostring(InitiatedBy.user.userPrincipalName)
| project TimeGenerated, TargetUser, Role, Initiator

This alerts on any permanent role assignment, which should never occur outside break-glass accounts after PIM deployment.

Common Mistakes

1. Not testing activation before converting production admins. Always have the affected admin perform a test activation in a browser side-by-side before removing their permanent assignment.

2. Setting activation duration too short. A 30-minute window sounds secure but causes operational chaos. Engineers performing Exchange migrations or SharePoint restructuring need realistic windows. Start at 4 hours and tighten based on usage data after 90 days.

3. Forgetting service accounts. Service principals with permanent admin role assignments bypass PIM entirely. Audit these separately and consider Workload Identity Conditional Access.

4. Not configuring fallback approvers. If your sole approval group member is on holiday and a Tier 0 activation is blocked, you have a denial-of-service on your own administration. Always configure at least two approvers.

5. Ignoring Azure resource PIM. PIM covers both Entra ID roles and Azure RBAC roles. Many organisations deploy PIM for Entra but leave standing Owner/Contributor access on Azure subscriptions. Configure both.

Measuring Success

After 90 days, pull activation metrics:

# PIM activation audit events over 90 days.
# The Graph filter expects an ISO 8601 UTC timestamp, and -All follows paging beyond the first batch.
$startDate = (Get-Date).ToUniversalTime().AddDays(-90).ToString("yyyy-MM-ddTHH:mm:ssZ")
Get-MgAuditLogDirectoryAudit -All -Filter "activityDateTime ge $startDate and category eq 'RoleManagement'" |
    Where-Object { $_.ActivityDisplayName -like "*PIM*" } |
    Group-Object ActivityDisplayName |
    Select-Object Name, Count

Target metrics: zero permanent assignments outside break-glass accounts, 100% activation with justification, and mean activation duration trending downward as teams optimise their workflows.
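The event counts above show volume; the justification rate and mean activation duration per role need the activation requests themselves. The following is an added example, not code from the article: it reads self-service activation requests through the Graph PowerShell SDK, parses the requested ISO 8601 duration, and reports per-role activation count, justification rate and mean requested duration. It assumes the activation requests for the chosen window are still returned by the schedule-request API; for longer retention, derive the same figures from the audit log export in Sentinel.

```powershell
# Added example: per-role PIM activation metrics (not the article's code).
Connect-MgGraph -Scopes "RoleManagement.Read.Directory"

function Get-PimActivationMetrics {
    param([int]$Days = 90)
    $since = (Get-Date).ToUniversalTime().AddDays(-$Days)

    # selfActivate = user-initiated activation; keep only completed (Provisioned) requests,
    # so denied or cancelled requests do not distort the figures
    $activations = Get-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -All |
        Where-Object {
            $_.Action -eq 'selfActivate' -and
            $_.Status -eq 'Provisioned' -and
            $_.CreatedDateTime -ge $since
        }

    $roleNames = @{}   # cache role id -> display name to avoid a lookup per request
    $activations | Group-Object RoleDefinitionId | ForEach-Object {
        $roleId = $_.Name
        if (-not $roleNames.ContainsKey($roleId)) {
            $roleNames[$roleId] = (Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $roleId).DisplayName
        }

        # Requested duration is ISO 8601 (e.g. PT2H); XmlConvert turns it into a TimeSpan
        $durations = $_.Group | ForEach-Object {
            $d = $_.ScheduleInfo.Expiration.Duration
            if ($d) { [System.Xml.XmlConvert]::ToTimeSpan($d).TotalMinutes }
        }
        $withJustification = @($_.Group | Where-Object { -not [string]::IsNullOrWhiteSpace($_.Justification) }).Count

        [PSCustomObject]@{
            Role                 = $roleNames[$roleId]
            Activations          = $_.Count
            JustificationRatePct = [math]::Round(100 * $withJustification / $_.Count, 1)
            MeanDurationMinutes  = if ($durations) { [math]::Round(($durations | Measure-Object -Average).Average, 0) } else { $null }
        }
    } | Sort-Object Activations -Descending
}

Get-PimActivationMetrics -Days 90 | Format-Table -AutoSize
```

A justification rate below 100% for any role means the Justification enablement rule is not enforced on that role's policy; a mean duration sitting at the policy maximum suggests users always request the full window, which is the usage data to consult before tightening the maximum.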