Just-in-Time Admin Access with Entra ID PIM

Standing administrator access is one of those risks that looks fine on a quiet day and catastrophic on a bad one. If an account is a permanent Global Administrator, then every phishing email, every reused password, and every stolen token aimed at it is aimed at the keys to the tenant. Entra ID PIM just-in-time access flips that model: roles sit dormant as eligible assignments and are activated only when needed, for a bounded window, with an audit trail. This post covers setting it up and the decisions that actually matter.

Key Takeaways

  • Entra ID PIM just-in-time access makes privileged roles eligible rather than permanently active, so an admin holds elevated rights only during a time-boxed activation.
  • Privileged Identity Management requires Entra ID P2, which is included in EMS E5 and Microsoft 365 E5.
  • Role activation can require multifactor authentication, a justification, and optional approval, which turns standing privilege into an auditable, on-demand event.
  • Break-glass emergency access accounts should stay as permanent active assignments and be deliberately excluded from PIM, so a misconfiguration cannot lock you out.
  • PIM pairs with access reviews to recertify who is even eligible, which stops eligible-role sprawl from quietly rebuilding the problem you set out to solve.

Environment

  • Entra ID P2 licensing (standalone, or via EMS E5 / Microsoft 365 E5) for the administrators you enroll.
  • The Privileged Role Administrator or Global Administrator role to configure PIM settings.
  • Entra multifactor authentication configured, since activation should require it.
  • A small set of defined break-glass accounts that are excluded from Conditional Access and PIM.

The Problem

In a lot of tenants, the list of permanent administrators grew organically. Someone needed Exchange Administrator for a project two years ago and still has it. A consultant was made Global Administrator "temporarily". The result is a pile of accounts holding privileges they use a few times a year but carry every single day. From an attacker's point of view, that is a large, always-on target surface — and it is exactly the kind of account that password spray and token theft go after, which I covered from the detection side in Entra ID password spray detection with sign-in logs.

The principle here is least privilege over time, not just least privilege in scope. It is not enough to give someone the narrowest role that does the job; they should also only hold it while they are doing the job. PIM is Microsoft's implementation of that idea, and it is one of the more genuinely useful things gated behind the P2 tier.

The Solution

Step 1 — Inventory current role assignments before changing anything

Open Identity Governance → Privileged Identity Management in the Microsoft Entra admin center, then look at Microsoft Entra roles → Assignments. This is your "before" picture: every account holding every directory role, permanent or otherwise. Pay particular attention to Global Administrator. Microsoft's own guidance is to keep that role to a small number of accounts, and most tenants discover they have more than they thought.

Do not start converting assignments until you understand who genuinely needs what. Write the inventory down. You are about to change how these people get their access, and a surprise lockout for a real administrator is a bad way to learn that an assignment mattered.
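To make the "before" picture concrete, here is an added Python example (not code from this post or from Microsoft) that classifies role assignments and lists the permanent active assignments on high-impact roles, with break-glass accounts set aside. It assumes records shaped like the Microsoft Graph PIM schedule-instance objects (roleAssignmentScheduleInstances and roleEligibilityScheduleInstances); the tenant data, account names and role/principal ids are constructed placeholders, and fetching the real records from a tenant is outside the block.

```python
"""Inventory Entra directory role assignments and flag standing (permanent active)
assignments on high-impact roles, which are the candidates for conversion to eligible.

Record shapes mirror Microsoft Graph's roleAssignmentScheduleInstances and
roleEligibilityScheduleInstances (an assumption about the API); all data below
is constructed and the ids are placeholders, not real role template ids."""
from dataclasses import dataclass

HIGH_IMPACT_ROLES = {
    "Global Administrator",
    "Privileged Role Administrator",
    "Security Administrator",
    "Exchange Administrator",
    "SharePoint Administrator",
}

# Constructed lookup tables.
ROLE_DEFINITIONS = {
    "role-ga": "Global Administrator",
    "role-exo": "Exchange Administrator",
    "role-mcr": "Message Center Reader",
}
PRINCIPALS = {
    "u-alice": "alice@contoso.example",
    "u-bob": "bob@contoso.example",
    "u-consultant": "consultant@contoso.example",
    "u-breakglass1": "breakglass1@contoso.example",
}

# Constructed active assignments. assignmentType "Assigned" is a direct active
# assignment; "Activated" is a PIM activation of an eligible role.
# endDateTime None means the assignment never expires.
ACTIVE_INSTANCES = [
    {"principalId": "u-alice", "roleDefinitionId": "role-ga", "assignmentType": "Assigned", "endDateTime": None},
    {"principalId": "u-consultant", "roleDefinitionId": "role-ga", "assignmentType": "Assigned", "endDateTime": None},
    {"principalId": "u-breakglass1", "roleDefinitionId": "role-ga", "assignmentType": "Assigned", "endDateTime": None},
    {"principalId": "u-bob", "roleDefinitionId": "role-exo", "assignmentType": "Activated", "endDateTime": "2024-06-01T14:00:00Z"},
    {"principalId": "u-bob", "roleDefinitionId": "role-mcr", "assignmentType": "Assigned", "endDateTime": None},
]

# Constructed eligible assignments: bob can activate Exchange Administrator until 2025.
ELIGIBLE_INSTANCES = [
    {"principalId": "u-bob", "roleDefinitionId": "role-exo", "endDateTime": "2025-01-01T00:00:00Z"},
]

# Break-glass accounts are meant to stay permanent active, so they are not findings.
BREAK_GLASS = {"u-breakglass1"}


@dataclass(frozen=True)
class Assignment:
    principal: str
    role: str
    kind: str  # permanent-active | time-bound-active | activated | eligible


def classify(active, eligible):
    """Flatten raw schedule instances into records with a human-readable kind."""
    result = []
    for inst in active:
        if inst["assignmentType"] == "Activated":
            kind = "activated"
        elif inst["endDateTime"] is None:
            kind = "permanent-active"
        else:
            kind = "time-bound-active"
        result.append(Assignment(PRINCIPALS[inst["principalId"]],
                                 ROLE_DEFINITIONS[inst["roleDefinitionId"]], kind))
    for inst in eligible:
        result.append(Assignment(PRINCIPALS[inst["principalId"]],
                                 ROLE_DEFINITIONS[inst["roleDefinitionId"]], "eligible"))
    return result


def standing_high_impact(active, break_glass=BREAK_GLASS):
    """Permanent active assignments on high-impact roles, minus break-glass
    accounts: the list to convert to eligible, starting with the widest blast radius."""
    hits = []
    for inst in active:
        role = ROLE_DEFINITIONS[inst["roleDefinitionId"]]
        if (inst["assignmentType"] == "Assigned" and inst["endDateTime"] is None
                and role in HIGH_IMPACT_ROLES and inst["principalId"] not in break_glass):
            hits.append((PRINCIPALS[inst["principalId"]], role))
    return sorted(hits)


def permanent_global_admins(active):
    """Every account holding Global Administrator permanently, break-glass included,
    so the total can be compared with the small number Microsoft recommends."""
    return sorted(PRINCIPALS[i["principalId"]] for i in active
                  if ROLE_DEFINITIONS[i["roleDefinitionId"]] == "Global Administrator"
                  and i["assignmentType"] == "Assigned" and i["endDateTime"] is None)


if __name__ == "__main__":
    for a in classify(ACTIVE_INSTANCES, ELIGIBLE_INSTANCES):
        print(f"{a.principal:30} {a.role:24} {a.kind}")
    print("\nPermanent Global Administrators:", ", ".join(permanent_global_admins(ACTIVE_INSTANCES)))
    print("Convert to eligible:", standing_high_impact(ACTIVE_INSTANCES))
```

The break-glass set is passed in explicitly rather than inferred, because the inventory must treat those accounts as a deliberate exception and not as the first thing to "fix".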

Step 2 — Convert permanent assignments to eligible

The core move in PIM is changing an assignment from active (the role is always on) to eligible (the role can be activated when needed). Under Microsoft Entra roles → Assignments → Add assignments, assign the role and choose Eligible rather than Active. You can also set the assignment itself to be time-bound, so eligibility expires on a date instead of lasting forever.

Work through the roles in order of blast radius. Global Administrator, Privileged Role Administrator, Security Administrator, Exchange and SharePoint Administrator — the high-impact roles are where just-in-time pays off most. Lower-impact roles can follow once the process is proven. Remove the old permanent active assignment only after the eligible one is in place and tested.

Step 3 — Configure the activation settings per role

Each role has its own activation policy under Microsoft Entra roles → Settings. This is where just-in-time stops being a toggle and becomes a real control:

  • Maximum activation duration — how long the role stays active once activated. Keep it short; a few hours is usually plenty, and the role deactivates automatically afterward.
  • Require multifactor authentication on activation — non-negotiable for privileged roles. The whole point is undermined if the role can be activated from a stolen session with no fresh proof.
  • Require justification and, for the highest roles, require approval — a named approver has to sign off before activation. For Global Administrator this is worth the friction.
  • Notifications — send an alert when a privileged role is activated, so activations are visible to the security team in real time, not just in a log nobody reads.

The full set of role settings is documented in Microsoft's PIM role settings reference. Tune them per role rather than applying one policy everywhere; the bar for Global Administrator should be higher than for, say, Message Center Reader.
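The settings above can be checked in code rather than by clicking through every role. The following is an added Python example (not code from this post or from Microsoft) that audits a role's activation rules against the bar Step 3 sets, showing a weak Global Administrator policy beside a tuned one. It assumes the rule records have the shape and ids of Microsoft Graph's unifiedRoleManagementPolicyRule subtypes (Expiration_EndUser_Assignment, Enablement_EndUser_Assignment, Approval_EndUser_Assignment, Notification_Admin_EndUser_Assignment); both policies and the recipient address are constructed, not exported from a tenant.

```python
"""Audit a PIM role's activation policy against the bar this post sets: a short
maximum activation, MFA and a justification on activation, approval for the
highest roles, and an admin notification whenever the role is activated.

Rule records follow the shape and rule ids of Microsoft Graph's
unifiedRoleManagementPolicyRule subtypes (an assumption about the API);
the two policies below are constructed."""
import re

# Constructed: a Global Administrator policy left close to the defaults.
WEAK_GA_RULES = [
    {"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule",
     "id": "Expiration_EndUser_Assignment", "isExpirationRequired": True, "maximumDuration": "P1D"},
    {"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule",
     "id": "Enablement_EndUser_Assignment", "enabledRules": ["Justification"]},
    {"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule",
     "id": "Approval_EndUser_Assignment", "setting": {"isApprovalRequired": False}},
    {"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
     "id": "Notification_Admin_EndUser_Assignment", "notificationType": "Email",
     "recipientType": "Admin", "isDefaultRecipientsEnabled": False, "notificationRecipients": []},
]

# Constructed: the same policy tuned the way Step 3 describes.
HARDENED_GA_RULES = [
    {"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule",
     "id": "Expiration_EndUser_Assignment", "isExpirationRequired": True, "maximumDuration": "PT4H"},
    {"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule",
     "id": "Enablement_EndUser_Assignment", "enabledRules": ["MultiFactorAuthentication", "Justification"]},
    {"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule",
     "id": "Approval_EndUser_Assignment", "setting": {"isApprovalRequired": True}},
    {"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule",
     "id": "Notification_Admin_EndUser_Assignment", "notificationType": "Email",
     "recipientType": "Admin", "isDefaultRecipientsEnabled": False,
     "notificationRecipients": ["secops@contoso.example"]},
]

# Roles for which this audit insists on an approver (the post singles out Global Administrator).
APPROVAL_ROLES = frozenset({"Global Administrator"})


def parse_iso_duration_hours(value):
    """Convert the restricted ISO 8601 durations PIM uses (PT8H, PT30M, P1D) to hours."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?)?", value)
    if not m:
        raise ValueError(f"unsupported duration: {value}")
    days, hours, minutes = (int(g) if g else 0 for g in m.groups())
    return days * 24 + hours + minutes / 60


def audit_activation_rules(rules, role_name, max_hours=8, approval_roles=APPROVAL_ROLES):
    """Return a list of findings; an empty list means the policy meets the bar."""
    by_id = {r["id"]: r for r in rules}
    findings = []

    exp = by_id.get("Expiration_EndUser_Assignment")
    if exp is None or not exp.get("isExpirationRequired", False):
        findings.append("activation has no maximum duration")
    elif parse_iso_duration_hours(exp["maximumDuration"]) > max_hours:
        findings.append(f"maximum activation {exp['maximumDuration']} exceeds {max_hours}h")

    enabled = by_id.get("Enablement_EndUser_Assignment", {}).get("enabledRules", [])
    if "MultiFactorAuthentication" not in enabled:
        findings.append("activation does not require MFA")
    if "Justification" not in enabled:
        findings.append("activation does not require justification")

    approval = by_id.get("Approval_EndUser_Assignment", {}).get("setting", {})
    if role_name in approval_roles and not approval.get("isApprovalRequired", False):
        findings.append("activation does not require approval")

    note = by_id.get("Notification_Admin_EndUser_Assignment")
    if note is None or not (note.get("isDefaultRecipientsEnabled") or note.get("notificationRecipients")):
        findings.append("no admin notification on activation")
    return findings


if __name__ == "__main__":
    for label, rules in (("weak", WEAK_GA_RULES), ("hardened", HARDENED_GA_RULES)):
        print(f"{label}: {audit_activation_rules(rules, 'Global Administrator') or 'meets the bar'}")
```

The approval check is keyed on role name on purpose: running the same audit against Message Center Reader should not demand an approver, which matches the post's advice to tune settings per role rather than applying one policy everywhere.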

Step 4 — Activate a role as an administrator

From the user's side, activation is straightforward: in Privileged Identity Management → My roles → Microsoft Entra roles, pick the eligible role, select Activate, complete MFA, enter a justification, and set the duration within the maximum. If approval is required, the request waits for an approver. When the window expires, the role drops automatically — there is nothing to remember to turn off.

This is the day-to-day experience your administrators will actually live with, so walk through it with them before enforcing it widely. The friction is real but small, and it is the friction that makes the standing-privilege problem go away.

Step 5 — Keep break-glass accounts out of PIM

PIM depends on services being reachable and policies being correct. If both of those fail at the same time — an outage, a misconfiguration, a bad Conditional Access change — you still need a way in. That is what break-glass emergency access accounts are for, and they must stay as permanent active Global Administrators, excluded from PIM and from the Conditional Access policies that could block everyone else. Monitor their sign-ins closely, because for these accounts any sign-in at all is an event worth investigating. This is the same exclusion discipline I called out in essential Conditional Access policies for Microsoft 365.
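Because any sign-in by a break-glass account is worth a look, the monitoring can be a simple rule: every entry for those accounts becomes an alert, failed attempts included. Here is an added Python example (not code from this post or from Microsoft) that does that over constructed sign-in log lines; it assumes entries shaped like Entra sign-in log records as Microsoft Graph returns them (userPrincipalName, createdDateTime, ipAddress, appDisplayName, status.errorCode), and the account names, addresses and the malformed line are all made up for the demonstration.

```python
"""Raise an alert for every sign-in, successful or failed, by a break-glass account.

Each input line is one JSON object shaped like an Entra sign-in log record as
exposed through Microsoft Graph (an assumption about the shape). The log below
is constructed; the addresses are documentation ranges."""
import json

# Constructed list of the tenant's emergency access accounts.
BREAK_GLASS_UPNS = {"breakglass1@contoso.example", "breakglass2@contoso.example"}

# Constructed sign-in log: one success and one failed attempt by break-glass
# accounts (note the mixed-case UPN), two ordinary sign-ins, one malformed line.
SAMPLE_SIGNIN_LOG = """\
{"createdDateTime": "2024-06-01T08:02:11Z", "userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.10", "appDisplayName": "Azure Portal", "status": {"errorCode": 0}}
{"createdDateTime": "2024-06-01T08:05:40Z", "userPrincipalName": "breakglass1@contoso.example", "ipAddress": "198.51.100.7", "appDisplayName": "Azure Portal", "status": {"errorCode": 0}}
{"createdDateTime": "2024-06-01T08:06:02Z", "userPrincipalName": "BreakGlass2@contoso.example", "ipAddress": "198.51.100.7", "appDisplayName": "Microsoft Graph Command Line Tools", "status": {"errorCode": 50126}}
{"createdDateTime": "2024-06-01T08:07:15Z", "userPrincipalName": "bob@contoso.example", "ipAddress": "203.0.113.11", "appDisplayName": "Office 365 Exchange Online", "status": {"errorCode": 0}}
not json at all
"""


def break_glass_alerts(log_text, break_glass_upns=BREAK_GLASS_UPNS):
    """Return (alerts, skipped_lines). UPNs are compared case-insensitively, and
    failed attempts are reported too: an attempt against a break-glass account is
    as interesting as a success."""
    watch = {upn.lower() for upn in break_glass_upns}
    alerts, skipped = [], 0
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1  # never let one bad line silently end the scan
            continue
        upn = entry.get("userPrincipalName", "").lower()
        if upn not in watch:
            continue
        code = entry.get("status", {}).get("errorCode", 0)
        alerts.append({
            "time": entry.get("createdDateTime"),
            "account": upn,
            "ip": entry.get("ipAddress"),
            "app": entry.get("appDisplayName"),
            "outcome": "success" if code == 0 else f"failure ({code})",
        })
    return alerts, skipped


if __name__ == "__main__":
    found, bad = break_glass_alerts(SAMPLE_SIGNIN_LOG)
    for alert in found:
        print(f"ALERT {alert['time']} {alert['account']} from {alert['ip']} via {alert['app']}: {alert['outcome']}")
    print(f"{len(found)} alert(s), {bad} unparseable line(s)")
```

In production the same rule belongs wherever the sign-in logs land (a SIEM query or a scheduled job over a log export), and the alert should page someone, since a quiet entry in a report defeats the purpose of monitoring these accounts.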

Frequently Asked Questions

Does Entra ID PIM require a P2 license?

Yes. Privileged Identity Management is an Entra ID P2 feature, available standalone or through EMS E5 and Microsoft 365 E5. The administrators you make eligible need to be covered by that licensing. There is no P1 or free-tier equivalent of just-in-time activation.

What is the difference between an eligible and an active assignment?

An active assignment means the role is always on — the account holds those permissions continuously. An eligible assignment means the account can activate the role when needed, for a bounded time, after meeting the activation requirements. Just-in-time access is the eligible model.

Can role activation require approval from someone else?

Yes. Per-role settings can require a designated approver to authorize each activation before the role becomes active. This is most valuable for the highest-impact roles such as Global Administrator, where a second pair of eyes on every elevation is worth the delay.

What happens to break-glass accounts under PIM?

They should be excluded. Break-glass accounts stay as permanent active Global Administrators so they work even when PIM, MFA, or Conditional Access is unavailable. Their sign-ins should be tightly monitored, since a legitimate use is rare and a malicious one is an emergency.

Does PIM cover Azure resource roles and groups too?

Yes. Beyond directory roles, PIM can manage just-in-time activation for Azure resource roles and for membership of privileged access groups. The same eligible-versus-active model and activation controls apply, which lets you extend just-in-time access beyond Entra roles alone.

Conclusion

PIM does not make your administrators less powerful; it makes their power intermittent and accountable. Most of the time, the high-impact roles in your tenant sit dormant as eligible assignments, presenting nothing for an attacker to steal. When an admin needs the role, they activate it, prove who they are, and the clock starts ticking toward automatic deactivation.

The setup is more involved than flipping a switch — you have to inventory assignments, convert them carefully, and tune activation policies per role — and it does add a small amount of daily friction. But standing administrator access is one of the largest avoidable risks in a Microsoft 365 tenant, and just-in-time activation is the most direct way to shrink it. Pair it with periodic access reviews so eligibility itself stays honest, and the result holds up over time.

Editorial note: posts on this blog are drafted with AI assistance and then reviewed, edited, and tested against a real environment before publishing. Commands, output, and screenshots come from systems I actually ran the work on.

About the author

SecurityScriptographer is written and maintained by one person — a defender who builds and tests the detections, scripts, and Microsoft 365 workflows here before publishing them. More about me · @twi_nox
