Entra ID: privileged roles and Privileged Identity Management (PIM)
A permanent Entra ID global administrator is one of the most valuable targets for an attacker: compromising that account opens the door to the entire tenant. Privileged Identity Management (PIM) exists to eliminate exactly that risk, turning privileged roles from permanent into temporary and activated on demand — but only if configured correctly.
Why permanent privileged roles are a critical risk
When a user is assigned a privileged role — global administrator, Exchange administrator, security administrator — permanently ("active" rather than "eligible"), that privilege is available 24 hours a day, whether used or not. If that account is compromised via phishing, token theft or credential reuse, the attacker automatically inherits the full privilege, with no additional step to delay or flag the abuse. A tenant's attack surface is, to a large extent, the number of permanent role assignments it has.
How just-in-time access works with PIM
PIM turns role assignments into "eligible" rather than "active": the user doesn't have the privilege by default, but the ability to activate it temporarily when needed, for a limited time window (e.g. one or two hours) and, optionally, after justifying the reason, requiring approval from a second administrator or an additional MFA step. Once that time elapses, the privilege is automatically revoked with no manual intervention. The result is that an attacker who compromises the account finds, most of the time, a user with no active elevated privileges.
Common mistakes when implementing PIM
The most common failures are: enabling PIM but leaving permanent "active" assignments in parallel to "not complicate" certain administrators' daily work, defeating the protection; not requiring approval or additional MFA on activation of critical roles like global administrator; not periodically reviewing who has "eligible" assignments (which, even if not active, remain a potential escalation path if that identity is compromised); and not configuring alerts when a privileged role is activated outside normal hours.
Access reviews and privileged role auditing
PIM includes periodic access reviews that force a responsible party to explicitly confirm each role assignment is still needed, instead of assuming it is indefinitely. An Entra ID audit should verify: the total number of global administrators (a reasonable target is 2-4, never dozens), what proportion of privileged roles use PIM versus permanent assignment, whether activations are logged and alerted, and whether properly isolated and monitored "break glass" emergency accounts exist outside the normal PIM flow.
FAQ
Is PIM included in all Microsoft 365 licenses?
No. PIM requires Entra ID P2 licenses (included in Microsoft 365 E5 or as an add-on). It's an investment that's easily justified against the cost of a global administrator compromise, but license coverage should be verified before planning the rollout.
How many global administrators should my organization have?
Microsoft recommends between 2 and 4, never fewer than 2 (to avoid lockout if one loses access) or many more than 4. Any double-digit figure is a sign that roles were assigned for convenience rather than actual need, and should be reviewed.