PIM Access in Microsoft Entra

PIM Access

To set a Global Admin PIM access (This will allow users to have global admin permissions, but they will have to go through an approval process to get the permissions on their account)

Create Security Group to add users to

• Example “Global Admins”

Go to Entra Admin center -> Identity Governance -> Privileged Identity Management -> Roles

Search for the role you want to assign

• In this example its Global Admin

Select the admin role

• On this screen you have 3 tabs, Eligible, Active, and Expired

• Eligible will make them go through an approval process

• Active will always be active on that account.

For this one we are using Eligible click on + Add Assignments

Use the “Select Member(s)” Section and search for the group created in above steps, check the box next to it and press the Select Button.

Select Next

Review settings

Confirm assignment type is Eligible

Check Permanently Eligible or set an expiration date for a temporary purpose.

Select Assign

How to Activate

The User will navigate to the Entra Admin Center Home - Microsoft Entra admin center

Go to Identity Governance -> Privileged Identity Management -> My Roles

Find the role you want to activate and press Activate under the Action Column

You will then begin the activation Process

Select how much time you want it to be active, max is 8 hours.

Input the Reason for activation – Include Ticket Number -> Select Activate

Once it goes through the activation process you will have that admin role on your account for the duration of the time set. After time expires the role will expire and you will need to re-activate to use it again.