PIM – Privileged Identity Management
In an Entra ID tenant there are several roles for different levels of administrator access, and the top-level administrator role is “Global Administrator”, which holds the keys to the kingdom and can do practically whatever it wants in the tenant. Because of this, these accounts are of course the primary target for any intruder in your environment, and you should absolutely put some extra effort into securing them. This is where Privileged Identity Management (PIM) comes into play.
PIM allows you to make a user an eligible or an active member of a role, either temporarily or permanently, enabling “JIT” (“Just in Time”) access, which is a core part of the Zero Trust framework. You can also set additional requirements that must be met when elevating privileges. I will explain this in detail in a later post.
RBAC – Role-Based Access Control
While not directly a part of PIM, RBAC is closely related to it and is (and should be) often used together with it. RBAC is as simple as delegating a limited administrator role instead of providing Global Admin access; Global Admin is almost always more access than is really needed for most tasks. This is referred to as “JEA”, which stands for “Just Enough Access”, and is also a core part of the Zero Trust framework. Examples are “Exchange administrator” for Exchange-related tasks, or “User administrator” for user management and password resets, which is likely suitable for end-user support. A list of the built-in roles in Entra ID can be found in Microsoft’s documentation.
Combining PIM and RBAC in your tenant gives your delegated users only the access they need, and only when they need it. This greatly reduces the risk of intruders exploiting your delegation of access to their benefit!
Implementation overview
Details of the implementation will come in a later post, but the short version is that you assign the different roles to a user, or preferably a group, and set the requirements the user must meet to elevate into the role in question, such as MFA or an authentication context.
A user who is assigned eligibility for a role must first activate the role, which lasts only for a limited time, before they can use the new privileges (for example, to gain access to the Teams admin portal and be able to make changes there).
It is however crucial to remember that this approach can seem demanding on the admins in your organization, and in order to succeed with this setup they all have to stay loyal to the design and the new routines, which involve having to elevate their access each time. I know from my own experience that some people find this very cumbersome, so plan this together as far as you can and try to get everyone to agree that this is the new routine for gaining administrator access in your tenant. Remember that end-users are unaffected by this; it applies only to admin accounts.
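As an added example (not code from this post), here are the two halves of that flow in Microsoft Graph PowerShell: an admin makes a group eligible for a limited role (JEA), and a member later activates it for a limited time (JIT). The group name, ticket reference and durations are assumptions chosen for the example.

```powershell
# Added example, not the post's own code. Requires the Microsoft.Graph PowerShell SDK
# and an Entra ID P2 licence. 'PIM-Exchange-Admins' and the ticket id are placeholders.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "Group.Read.All", "User.Read"

# Look up the built-in role by display name instead of hard-coding its template id.
$role  = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Exchange Administrator'"
# Placeholder group that holds the delegated Exchange admins.
$group = Get-MgGroup -Filter "displayName eq 'PIM-Exchange-Admins'"

# 1) Admin side: make the group ELIGIBLE (not active) for the role for one year.
#    Group membership alone grants nothing until a member activates.
$eligibility = @{
    Action           = "adminAssign"
    PrincipalId      = $group.Id
    RoleDefinitionId = $role.Id
    DirectoryScopeId = "/"                      # tenant-wide scope
    Justification    = "Delegated Exchange administration via PIM"
    ScheduleInfo     = @{
        StartDateTime = (Get-Date).ToUniversalTime()
        Expiration    = @{ Type = "AfterDuration"; Duration = "P365D" }
    }
}
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $eligibility

# 2) User side: a group member activates the role for four hours with a justification.
#    Any MFA or authentication-context requirement set in the role's PIM policy is
#    enforced by Entra ID when this request is submitted, not by this script.
$me = Get-MgUser -UserId (Get-MgContext).Account
$activation = @{
    Action           = "selfActivate"
    PrincipalId      = $me.Id
    RoleDefinitionId = $role.Id
    DirectoryScopeId = "/"
    Justification    = "Ticket INC-0000: mailbox permission change"   # placeholder ticket id
    ScheduleInfo     = @{
        StartDateTime = (Get-Date).ToUniversalTime()
        Expiration    = @{ Type = "AfterDuration"; Duration = "PT4H" }
    }
}
New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $activation

# 3) Verify: who is eligible for the role (should be the group only, no standing admins).
Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter "roleDefinitionId eq '$($role.Id)'" |
    Select-Object PrincipalId, DirectoryScopeId, Status
```

Once the four hours expire, the assignment is removed automatically and the member must submit a new activation request.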
Licensing requirements
RBAC has no license requirement and you are free to assign users to any delegated role as you please, but in order to use PIM you need Microsoft Entra ID P2 licences in your tenant.
In the next part I’ll go through how you set up and configure PIM in your tenant, so stay tuned.