[Figure: Microsoft Entra Privileged Identity Management configuration flow showing role eligibility, MFA activation, approval, and automatic expiry]

πŸ› οΈ Step-by-Step: Configure Microsoft Entra Privileged Identity Management (PIM)

Posted 30 Dec 2025

✅ Step 0 — Prerequisites (Don’t Skip)

Before you configure PIM, confirm:

  • You have the correct licensing for Entra PIM.
  • You have at least one “break-glass” account excluded from Conditional Access (stored securely).
  • You know which scope(s) you’re protecting:
    • Entra roles (e.g., Global Administrator, Privileged Role Administrator)
    • Azure RBAC roles (e.g., Owner, Contributor, User Access Administrator)

FABS Tip: Start with the highest-impact roles first: Global Admin, Privileged Role Admin, Owner, User Access Administrator.


πŸ” Part A: Configure PIM for Microsoft Entra Roles

Step 1 — Open PIM

  1. Go to Microsoft Entra admin center
  2. Navigate to: Identity Governance → Privileged Identity Management
  3. Select: Microsoft Entra roles

Step 2 — Configure Role Settings (Activation Requirements)

  1. Choose a privileged role (e.g., Global Administrator)
  2. Open Role settings
  3. Configure Activation requirements, for example:
    • ✅ Require MFA on activation
    • ✅ Require justification
    • ✅ (Optional) Require ticket information (ServiceNow / Jira reference)
    • ⏱️ Set Maximum activation duration (e.g., 1–4 hours)
    • ✅ (Optional) Require approval for activation

Best practice: Short durations + MFA + justification should be your baseline.


Step 3 — Configure Notifications

In the same role settings:

  • Enable notifications to:
    • Admins when a role is activated
    • Users when they activate a role
    • Security teams for high-privilege elevation

This is one of the quickest wins for governance and auditing.


Step 4 — Assign Users as Eligible (Not Active)

  1. Go to Assignments
  2. Select Add assignments
  3. Choose the role
  4. Add users/groups as Eligible
  5. Set an assignment duration (where applicable)

✅ Result: Users can elevate only when needed.
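One way to script Steps 2 and 4 for a single Entra role, as an added example that is not from the original post or a Microsoft sample. It assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.Governance and Microsoft.Graph.Users modules), an account that can consent to the listed scopes, and a placeholder user UPN.

```powershell
# Added example (not from the original post): apply activation requirements to
# Global Administrator and create one eligible (not active) assignment via Microsoft Graph.
# Assumes Microsoft.Graph.Identity.Governance + Microsoft.Graph.Users and the scopes below.
Connect-MgGraph -Scopes "RoleManagementPolicy.ReadWrite.Directory",
                        "RoleEligibilitySchedule.ReadWrite.Directory", "User.Read.All"

$roleName = "Global Administrator"
$userUpn  = "alice@contoso.example"   # placeholder principal; replace with a real UPN

$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"

# Locate the role-management policy bound to this role at tenant scope ("/")
$policyAssignment = Get-MgPolicyRoleManagementPolicyAssignment `
    -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$($role.Id)'"
$policyId = $policyAssignment.PolicyId

# Common target for end-user activation rules
$endUserTarget = @{ caller = "EndUser"; operations = @("All"); level = "Assignment";
                    inheritableSettings = @(); enforcedSettings = @() }

# Step 2: cap activation at 2 hours ("Maximum activation duration")
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId "Expiration_EndUser_Assignment" -BodyParameter @{
        "@odata.type"        = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"
        id                   = "Expiration_EndUser_Assignment"
        isExpirationRequired = $true
        maximumDuration      = "PT2H"
        target               = $endUserTarget
    }

# Step 2: require MFA and a justification on activation (add "Ticketing" to require a ticket)
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId "Enablement_EndUser_Assignment" -BodyParameter @{
        "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule"
        id            = "Enablement_EndUser_Assignment"
        enabledRules  = @("MultiFactorAuthentication", "Justification")
        target        = $endUserTarget
    }

# Step 4: eligible assignment at tenant scope, time-bound to 180 days
$user = Get-MgUser -UserId $userUpn
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter @{
    action           = "adminAssign"
    justification    = "Eligible Global Administrator per PIM baseline"
    roleDefinitionId = $role.Id
    directoryScopeId = "/"
    principalId      = $user.Id
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = "afterDuration"; duration = "P180D" }
    }
}
```

Re-run Get-MgPolicyRoleManagementPolicyRule against the same policy ID afterwards to confirm the two rules read back as set.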


🔑 Part B: Configure PIM for Azure RBAC Roles (Subscriptions/Resources)

Step 5 — Onboard Azure Resources into PIM

In PIM, go to:

  • Azure resources → Discover resources
  • Select the subscription(s) or management group(s)
  • Click Manage resource

This enables PIM controls for Azure RBAC roles.


Step 6 — Configure Azure RBAC Role Settings (Owner/Contributor)

  1. In Azure resources, select your subscription
  2. Go to Roles
  3. Choose roles like:
    • Owner
    • Contributor
    • User Access Administrator
  4. Configure activation:
    • ✅ Require MFA
    • ✅ Require justification
    • ✅ Optional approval
    • ⏱️ Duration (recommend 1–2 hours for high privilege)

FABS Tip: Treat “User Access Administrator” as highly sensitive (it controls permissions).


Step 7 — Assign Eligible Roles at the Correct Scope

Assign eligible roles carefully:

  • Prefer Management Group scope for platform teams
  • Use Subscription scope for workload teams
  • Avoid broad assignments at tenant root unless truly required

Then:

  • Add assignments as Eligible
  • Limit assignment duration if possible
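Steps 5 to 7 scripted for one subscription with Az PowerShell, as an added example that is not from the original post. It assumes the Az.Resources module, a subscription that has already been onboarded to PIM through Discover resources, and placeholder subscription and principal IDs.

```powershell
# Added example (not from the original post): eligible Contributor assignment at subscription
# scope, time-bound to 90 days, using Az.Resources. IDs below are placeholders.
Connect-AzAccount

$subscriptionId = "00000000-0000-0000-0000-000000000000"   # placeholder subscription
$principalId    = "11111111-1111-1111-1111-111111111111"   # placeholder object ID of a workload-team group

# Workload team => subscription scope. For a platform team use a management group instead:
#   $scope = "/providers/Microsoft.Management/managementGroups/<mg-name>"
$scope = "/subscriptions/$subscriptionId"

# Resolve the built-in role and express it as a fully qualified role definition ID at this scope
$roleDef          = Get-AzRoleDefinition -Name "Contributor"
$roleDefinitionId = "$scope/providers/Microsoft.Authorization/roleDefinitions/$($roleDef.Id)"

# Eligible (not active) assignment; each request needs a fresh GUID as its name
New-AzRoleEligibilityScheduleRequest -Name (New-Guid).Guid -Scope $scope `
    -PrincipalId $principalId -RoleDefinitionId $roleDefinitionId `
    -RequestType AdminAssign -Justification "Workload team eligibility, reviewed quarterly" `
    -ScheduleInfoStartDateTime (Get-Date).ToUniversalTime() `
    -ExpirationType AfterDuration -ExpirationDuration "P90D"

# Verify what is now eligible at this scope and when each eligibility ends
Get-AzRoleEligibilitySchedule -Scope $scope |
    Select-Object Scope, PrincipalId, RoleDefinitionId, EndDateTime
```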

✅ Part C: Operational Controls (Make PIM “Stick”)

Step 8 — Configure Approval Workflow for Production Roles

For production subscriptions or identity admin roles:

  • Require approval for:
    • Owner
    • Global Administrator
    • Privileged Role Administrator
    • User Access Administrator

Approvers should be:

  • Security team
  • Platform leads
  • On-call duty managers

Step 9 — Enable Alerts & Auditing

In PIM:

  • Review Alerts regularly (e.g., too many admins, suspicious activations)
  • Use Audit history to track:
    • activations
    • role changes
    • approvals and denials

Best practice: Forward PIM logs to Sentinel / SIEM if you operate at enterprise scale.
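A check for Step 9 that pulls the last week of PIM activations from the Entra audit log and flags out-of-hours ones, as an added example that is not from the original post. It assumes the Microsoft.Graph.Reports module, the AuditLog.Read.All scope, and that the activated role appears among each event's target resources with type Role.

```powershell
# Added example (not from the original post): list recent PIM activations from the Entra
# audit log and flag activations outside 07:00-19:00 UTC for follow-up.
# Assumes Microsoft.Graph.Reports and the AuditLog.Read.All + Directory.Read.All scopes.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

# Server-side filter: only PIM role-management events from the last 7 days
$events = Get-MgAuditLogDirectoryAudit -All `
    -Filter "loggedByService eq 'PIM' and category eq 'RoleManagement' and activityDateTime ge $since"

# Client-side filter: keep activation events (requested and completed)
$activations = $events | Where-Object { $_.ActivityDisplayName -like "*PIM activation*" }

$report = $activations | ForEach-Object {
    # Assumption: the role shows up as a target resource of type "Role"
    $roleTarget = $_.TargetResources | Where-Object { $_.Type -eq "Role" } | Select-Object -First 1
    $hour = $_.ActivityDateTime.ToUniversalTime().Hour
    [pscustomobject]@{
        When     = $_.ActivityDateTime
        Who      = $_.InitiatedBy.User.UserPrincipalName
        Role     = $roleTarget.DisplayName
        Activity = $_.ActivityDisplayName
        Result   = $_.Result
        OffHours = ($hour -lt 7 -or $hour -ge 19)
    }
}

$report | Sort-Object When -Descending | Format-Table -AutoSize

# Surface the ones worth a second look: off-hours or failed activations
$report | Where-Object { $_.OffHours -or $_.Result -ne "success" } |
    Format-Table When, Who, Role, Result -AutoSize
```

The same filter on loggedByService and category is what to replicate in the SIEM once the logs are forwarded.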


Step 10 — Schedule Access Reviews

Use Access reviews to ensure eligible assignments remain valid:

  • Quarterly for standard privileged roles
  • Monthly for high-risk roles
  • Tie to joiner/mover/leaver processes

🧪 Example Configuration (Recommended Baseline)

Here’s a strong baseline for most Azure production environments:

Role: Owner (Production subscription)

  • Eligible assignment only
  • Require MFA ✅
  • Require justification ✅
  • Require approval ✅
  • Activation duration: 1–2 hours ⏱️
  • Ticket required: Optional (recommended for ITIL environments) ✅
  • Notifications: Admin + approver + user ✅

🧠 FABS Solutions Best Practices Checklist

✔ Remove all permanent Owner/Global Admin assignments (except break-glass)
✔ Use PIM eligible roles as the default model
✔ Require MFA + justification for all privileged activations
✔ Require approval for production and identity admin roles
✔ Keep activation windows short
✔ Audit role activations and review access regularly

