
Privileged Identity Management (PIM): Just-In-Time Access & Role Activation

Updated: Nov 29

This lab continues my Azure Identity & Access Management series.


After setting up Conditional Access in the previous lab, we now move into Privileged Identity Management (PIM) — one of the most powerful features unlocked with the Entra ID P2 license.


PIM allows organisations to:

  • Avoid standing admin access

  • Enforce Just-In-Time (JIT) role activation

  • Require MFA and justification before elevation

  • Monitor and audit all privileged activity


1️⃣ Prerequisites


Before starting:

  • You must be using the tenant with the active Entra ID P2 license

  • A Global Admin user (Alice)

  • Test users such as Bob

  • Conditional Access policies already covered in the previous blog

2️⃣ Enable PIM for Microsoft Entra Roles


Log in as Alice (Global Admin).

Entra ID → Identity Governance → Privileged Identity Management → Microsoft Entra roles (labelled "Azure AD roles" in older portal builds)

Select Enable PIM when prompted.

Azure's PIM dashboard.

3️⃣ Assign a Role Through PIM

Step 1 — Select the Role

Go to:

PIM → Manage → Roles → Search “User Administrator”

Finding roles in PIM.

Step 2 — Add Assignment

Click Add Assignment and configure:

  • Scope type: Directory

  • Assignment type: Eligible (not active — requires activation)

  • User: Bob

  • Start/End time: Optional. This bounds how long Bob stays eligible; it is separate from the activation duration configured in the next step, which is where the JIT window is enforced


Now Bob is listed as Eligible for the User Administrator role.


Adding roles to users.
Setting Bob's assignment configuration.

4️⃣ Configure JIT Settings (Require MFA + Justification)


Inside PIM:

Roles → User Administrator → Settings → Edit


Configure:

  • Activation maximum duration: 1 hour

  • Require Azure MFA: ☑️

  • Require justification: ☑️

  • Leave notification settings default


This ensures the admin role is never standing — Bob must request access when needed.


Bob's JIT configuration.
Bob's role assignment.

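The same two steps (Bob's eligible assignment and the User Administrator activation settings) as an added Microsoft Graph PowerShell example. This is not part of the original lab: it assumes the Microsoft.Graph module is installed, that it runs as Alice, and that Bob's UPN is bob@contoso.onmicrosoft.com (a placeholder); the justification strings and the 30-day eligibility window are my choices.

```powershell
# Added example, not the lab's own steps: make Bob eligible for User Administrator
# and set the role's activation rules (1 h maximum, MFA + justification) via Graph.
# Assumes the Microsoft.Graph module, a session as Alice (Global Admin), and the
# placeholder UPN bob@contoso.onmicrosoft.com.
$scopes = @("RoleManagement.ReadWrite.Directory", "RoleManagementPolicy.ReadWrite.Directory", "User.Read.All")
Connect-MgGraph -Scopes $scopes

$bob  = Get-MgUser -UserId "bob@contoso.onmicrosoft.com"
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'User Administrator'"

# Step 1: eligible (not active) assignment at directory scope ("/"),
# bounded to 30 days so the eligibility itself does not become permanent.
$eligibility = @{
    action           = "adminAssign"
    justification    = "Lab: JIT access for Bob"
    roleDefinitionId = $role.Id
    directoryScopeId = "/"
    principalId      = $bob.Id
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString("o")
        expiration    = @{ type = "afterDuration"; duration = "P30D" }
    }
}
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $eligibility | Out-Null

# Step 2: the role's PIM policy is what the portal shows under Settings.
$policyAssignment = Get-MgPolicyRoleManagementPolicyAssignment `
    -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$($role.Id)'"
$policyId = $policyAssignment.PolicyId

# Activation maximum duration: 1 hour (ISO 8601 duration).
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId "Expiration_EndUser_Assignment" -BodyParameter @{
        "@odata.type"        = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"
        isExpirationRequired = $true
        maximumDuration      = "PT1H"
    }

# On activation, require MFA and a justification.
# Caveat: "MultiFactorAuthentication" is satisfied by the MFA claim already present in
# Bob's sign-in session, so he may not see a new prompt. To force a fresh challenge, enable
# the AuthenticationContext_EndUser_Assignment rule instead (type
# #microsoft.graph.unifiedRoleManagementPolicyAuthenticationContextRule, isEnabled = $true,
# claimValue = the ID of a Conditional Access authentication context), drop
# MultiFactorAuthentication from the list below, and back the context with a CA policy
# that requires MFA with sign-in frequency set to every time.
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId "Enablement_EndUser_Assignment" -BodyParameter @{
        "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule"
        enabledRules  = @("MultiFactorAuthentication", "Justification")
    }

# Check: Bob should now hold exactly one eligibility schedule for this role.
Get-MgRoleManagementDirectoryRoleEligibilitySchedule `
    -Filter "principalId eq '$($bob.Id)' and roleDefinitionId eq '$($role.Id)'" |
    Select-Object PrincipalId, DirectoryScopeId, Status, MemberType
```

The rule IDs (Expiration_EndUser_Assignment, Enablement_EndUser_Assignment) are the fixed names PIM uses for the activation section of every directory role policy; the approval and notification rules live under the same policy if you want to script those as well.
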
5️⃣ Test Role Activation as Bob


Sign in as Bob → Portal → Entra ID → PIM → My roles


Bob will see:

“Eligible for: User Administrator”


Bob's PIM activation dashboard.

When clicking Activate, the prompt will request:

  • A justification

  • Duration

  • (Normally) MFA


Why Bob may not get an MFA prompt:


In my lab, Azure did not prompt for MFA during activation, despite the setting being enabled. This is expected due to:

  1. Bob already performed MFA during login

  2. A Conditional Access policy already enforced MFA

  3. Token/session lifetime still valid


In a real environment, a fresh MFA challenge at activation can be forced by:

  • Revoking Bob's sessions, so the cached MFA claim is gone before he activates

  • Resetting Bob's authentication methods (heavy-handed, since it forces re-registration)

  • Setting the role's activation requirement to a Conditional Access authentication context instead of plain Azure MFA, backed by a policy that requires MFA with sign-in frequency set to every time, so the activation has to satisfy that policy on its own


For this lab, the important part is that the role activation experience works.

Activating Bob's User Admin role.

📩 Admin notification

Alice receives an email alert that Bob activated the role.

Security notification on my phone.
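Bob's activation, and the audit record Alice can pull to go with the email, as an added Microsoft Graph PowerShell example that is not part of the original lab. It assumes Bob signs in interactively for the first half (his sign-in has to carry an MFA claim when the role setting requires MFA, otherwise the request is rejected), that Alice signs in for the second half, and the justification text is a placeholder.

```powershell
# Added example, not the lab's own steps: Bob activates his eligible User Administrator
# role from PowerShell (what the Activate button in My roles submits), then Alice reads
# the PIM audit trail. Assumes an interactive sign-in as Bob, then one as Alice.

# ---- Bob's session ----
Connect-MgGraph -Scopes "RoleAssignmentSchedule.ReadWrite.Directory", "RoleManagement.Read.Directory", "User.Read"
$me   = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/me"
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'User Administrator'"

$activation = @{
    action           = "selfActivate"
    principalId      = $me.id
    roleDefinitionId = $role.Id
    directoryScopeId = "/"
    justification    = "Lab: reset a test user's password"   # mandatory under the role setting
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString("o")
        expiration    = @{ type = "afterDuration"; duration = "PT1H" }   # cannot exceed the 1 h maximum
    }
}
$req = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $activation

# Activation is asynchronous: poll the request until PIM has provisioned it (bounded wait).
for ($i = 0; $i -lt 12 -and $req.Status -in @("PendingProvisioning", "ScheduleCreated"); $i++) {
    Start-Sleep -Seconds 5
    $req = Get-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -UnifiedRoleAssignmentScheduleRequestId $req.Id
}
"Request $($req.Id): $($req.Status)"   # Provisioned when no approver is configured; PendingApproval otherwise

# The resulting active assignment instance shows the JIT window PIM actually granted.
Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance `
    -Filter "principalId eq '$($me.id)' and roleDefinitionId eq '$($role.Id)'" |
    Select-Object AssignmentType, StartDateTime, EndDateTime

# ---- Alice's session: the same event in the directory audit log ----
Disconnect-MgGraph | Out-Null
Connect-MgGraph -Scopes "AuditLog.Read.All"
Get-MgAuditLogDirectoryAudit -Filter "loggedByService eq 'PIM' and category eq 'RoleManagement'" -Top 10 |
    Select-Object ActivityDateTime, ActivityDisplayName, Result,
                  @{ n = "Actor"; e = { $_.InitiatedBy.User.UserPrincipalName } }
```

The audit query is the piece worth wiring into a SIEM: the email notification goes to one inbox, whereas the PIM-sourced audit events carry the actor, the role and the justification for every activation in the tenant.
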

6️⃣ Remove the Role Assignment (Testing Revocation)


Back on Alice’s account:

PIM → Entra Roles → Assignments

Locate Bob’s User Administrator assignment → Remove

Alice's role assignment dashboard.

Now check Bob’s portal again:

PIM → My Roles → No eligible roles available

No more eligible assignments in Bob's dashboard.

Revocation successful.
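The revocation from Alice's side as an added Microsoft Graph PowerShell example, not part of the original lab. It assumes a session as Alice and the same placeholder UPN for Bob; the session-revocation step at the end is an extra I added to tie in the earlier point about cached sessions.

```powershell
# Added example, not the lab's own steps: Alice revokes Bob's eligibility and verifies
# nothing remains. Assumes a session as Alice and the placeholder UPN bob@contoso.onmicrosoft.com.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "User.ReadWrite.All"
$bob  = Get-MgUser -UserId "bob@contoso.onmicrosoft.com"
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'User Administrator'"

# 1. If Bob is currently activated, end that active assignment too rather than
#    waiting for his 1 h activation window to lapse.
$active = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance `
    -Filter "principalId eq '$($bob.Id)' and roleDefinitionId eq '$($role.Id)'"
if ($active) {
    New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter @{
        action = "adminRemove"; principalId = $bob.Id; roleDefinitionId = $role.Id
        directoryScopeId = "/"; justification = "Lab: ending active assignment"
    } | Out-Null
}

# 2. Remove the eligible assignment (what the portal's Remove button submits).
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter @{
    action = "adminRemove"; principalId = $bob.Id; roleDefinitionId = $role.Id
    directoryScopeId = "/"; justification = "Lab: revoking JIT eligibility"
} | Out-Null

# 3. Extra: invalidate Bob's refresh tokens so no cached privileged session survives the revocation.
Revoke-MgUserSignInSession -UserId $bob.Id | Out-Null

# 4. Verify from Alice's side; Bob's My roles page will show the same result.
$remaining = Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter "principalId eq '$($bob.Id)'"
if (-not $remaining) { "Revocation successful: Bob has no eligible roles" }
else { $remaining | Select-Object RoleDefinitionId, DirectoryScopeId, Status }
```
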

7️⃣ Cleaning Up the Tenant & Test Users


Before deleting your trial tenant, you must properly clean up your environment.


A. Delete Conditional Access Policies

Remove these first so that no policy still targets the test users you are about to delete.

Entra ID → Protection → Conditional Access

Delete the MFA policy created earlier.

Deleting Conditional Access Policies.

B. Delete Test Users

Entra ID → Users → Select → Delete

Remove:

  • Alice

  • Bob

  • Charlie (From my other blog, not related to this one)

Deleting users in our tenant.
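Cleanup steps A and B as an added Microsoft Graph PowerShell example, not part of the original lab. It assumes the policy from the previous lab is named "Require MFA for all users" (a placeholder), that the three UPNs below are placeholders, and that it runs as the account that created the tenant rather than as Alice, since Alice is one of the users being removed.

```powershell
# Added example, not the lab's own steps: delete the lab's Conditional Access policy
# and the test users through Graph. Policy name and UPNs are placeholders; run this
# as the tenant's original admin account, not as Alice.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "User.ReadWrite.All", "Directory.ReadWrite.All"

# A. Conditional Access: list what exists, then delete only the lab policy by name.
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State, Id
$caPolicy = Get-MgIdentityConditionalAccessPolicy | Where-Object DisplayName -eq "Require MFA for all users"
if ($caPolicy) { Remove-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $caPolicy.Id }

# B. Test users. Remove-MgUser only soft-deletes (30-day recycle bin), so purge each
#    object from the deleted-items container as well so nothing lingers in the tenant.
$testUsers = @("alice@contoso.onmicrosoft.com", "bob@contoso.onmicrosoft.com", "charlie@contoso.onmicrosoft.com")
foreach ($upn in $testUsers) {
    $u = Get-MgUser -UserId $upn -ErrorAction SilentlyContinue
    if ($null -eq $u) { "$upn not found, skipping"; continue }
    Remove-MgUser -UserId $u.Id
    Remove-MgDirectoryDeletedItem -DirectoryObjectId $u.Id
    "$upn deleted and purged"
}

# Confirm the recycle bin holds no leftover users.
Get-MgDirectoryDeletedItemAsUser | Select-Object DisplayName, UserPrincipalName, DeletedDateTime
```
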

C. Delete the Trial Tenant (Avoid P2 Billing)

Go to:

Azure Portal → Entra ID Overview → Manage Tenants → Delete Tenant

Azure presents a pre-deletion checklist:

Tenant deletion checklist.

Requirements:

  1. Gain permissions to delete Azure resources

    Click “Grant” and approve.

Gaining permissions to delete Azure resources.

  2. Delete all license-based subscriptions

    Go to Microsoft 365 Admin Center → Billing → Your Products:

    Find Entra ID P2

    Select Cancel subscription

Cancelling Entra P2 subscription.

⚠ Important Note

After cancellation, the subscription remains in a Disabled state for 72 hours. Only after Microsoft auto-purges it will the “Delete Tenant” button become active.


You will not be charged — the billing cycle is closed.


Final step

After waiting the 3-day purge:

Cost Management + Billing → Billing Scopes → Your Entra ID Subscription → Delete

Confirmation of Entra P2 subscription cancellation.

🎉 Final Thoughts


This lab covered real-world identity security controls:

  • Removing standing admin access

  • Enforcing JIT elevation using PIM

  • MFA + justification for privileged tasks

  • Monitoring/notifications for admin actions

  • Correct cleanup and tenant deletion


These IAM topics are crucial for AZ-500, SOC analyst roles, and Identity Governance in enterprise environments.

