Submitted URL: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-privileged-identity-management-configure
Effective URL: https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure
Submission: On January 16 via manual from US — Scanned from US
WHAT IS MICROSOFT ENTRA PRIVILEGED IDENTITY MANAGEMENT?

Article, 01/06/2025, 23 contributors

Privileged Identity Management (PIM) is a service in Microsoft Entra ID that
enables you to manage, control, and monitor access to important resources in
your organization. These resources include resources in Microsoft Entra ID,
Azure, and other Microsoft Online Services such as Microsoft 365 or Microsoft
Intune. The following video explains important PIM concepts and features.






REASONS TO USE

Organizations want to minimize the number of people who have access to secure
information or resources, because that reduces the chance of

 * a malicious actor getting access
 * an authorized user inadvertently impacting a sensitive resource

However, users still need to carry out privileged operations in Microsoft Entra
ID, Azure, Microsoft 365, or SaaS apps. Organizations can give users
just-in-time privileged access to Azure and Microsoft Entra resources and can
oversee what those users are doing with their privileged access.


LICENSE REQUIREMENTS

Using Privileged Identity Management requires licenses. For more information on
licensing, see Microsoft Entra ID Governance licensing fundamentals.


WHAT DOES IT DO?

Privileged Identity Management provides time-based and approval-based role
activation to mitigate the risks of excessive, unnecessary, or misused access
permissions on resources that you care about. Here are some of the key features
of Privileged Identity Management:

 * Provide just-in-time privileged access to Microsoft Entra ID and Azure
   resources
 * Assign time-bound access to resources using start and end dates
 * Require approval to activate privileged roles
 * Enforce multifactor authentication to activate any role
 * Require a justification so you can understand why users activate
 * Get notifications when privileged roles are activated
 * Conduct access reviews to ensure users still need roles
 * Download audit history for internal or external audit
 * Prevent removal of the last active Global Administrator and Privileged Role
   Administrator role assignments


WHAT CAN I DO WITH IT?

Once you set up Privileged Identity Management, you see Tasks, Manage, and
Activity options in the left navigation menu. As an administrator, you choose
what to manage: Microsoft Entra roles, Azure resource roles, or PIM for Groups.
Each choice shows the set of options that applies to that kind of resource.




WHO CAN DO WHAT?

For Microsoft Entra roles in Privileged Identity Management, only a user who is
in the Privileged Role Administrator or Global Administrator role can manage
assignments for other administrators. Global Administrators, Security
Administrators, Global Readers, and Security Readers can also view assignments
to Microsoft Entra roles in Privileged Identity Management.

For Azure resource roles in Privileged Identity Management, only a subscription
administrator, a resource Owner, or a resource User Access Administrator can
manage assignments for other administrators. Users who are Privileged Role
Administrators, Security Administrators, or Security Readers don't by default
have access to view assignments to Azure resource roles in Privileged Identity
Management.


TERMINOLOGY

To better understand Privileged Identity Management and its documentation, you
should review the following terms.

 * eligible (assignment type): A role assignment that requires a user to
   perform one or more actions to use the role. If a user is eligible for a
   role, they can activate the role when they need to perform privileged tasks.
   Once activated, the access is the same as that of a permanent active
   assignment; the only difference is that some people don't need that access
   all the time.
 * active (assignment type): A role assignment that doesn't require a user to
   perform any action to use the role. Users assigned as active have the
   privileges assigned to the role.
 * activate: The process of performing one or more actions to use a role that a
   user is eligible for. Actions might include passing a multifactor
   authentication (MFA) check, providing a business justification, or
   requesting approval from designated approvers.
 * assigned (state): A user that has an active role assignment.
 * activated (state): A user that has an eligible role assignment, performed
   the actions to activate the role, and is now active. Once activated, the
   user can use the role for a preconfigured period of time before they need
   to activate again.
 * permanent eligible (duration): A role assignment where a user is always
   eligible to activate the role.
 * permanent active (duration): A role assignment where a user can always use
   the role without performing any actions.
 * time-bound eligible (duration): A role assignment where a user is eligible
   to activate the role only within start and end dates.
 * time-bound active (duration): A role assignment where a user can use the
   role only within start and end dates.
 * just-in-time (JIT) access: A model in which users receive temporary
   permissions to perform privileged tasks, which prevents malicious or
   unauthorized users from gaining access after the permissions expire. Access
   is granted only when users need it.
 * principle of least privilege access: A recommended security practice in
   which every user is provided with only the minimum privileges needed to
   accomplish the tasks they're authorized to perform. This practice minimizes
   the number of Global Administrators and instead uses specific administrator
   roles for certain scenarios.
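To make the categories above concrete, here is an added example (not Microsoft's code and not part of the original article) that classifies PIM schedule instances, shaped like the objects Microsoft Graph returns from GET /roleManagement/directory/roleEligibilityScheduleInstances and GET /roleManagement/directory/roleAssignmentScheduleInstances, into the terms in the table, and then reports standing (permanent active) assignments to highly privileged roles, the least-privilege finding an access review should surface. The instances, principal names, timestamps and the choice of which roles count as highly privileged are constructed assumptions; the role template IDs are the built-in ones. In a real tenant the two lists would be fetched with the RoleManagement.Read.Directory permission and the functions applied to the `value` arrays.

```python
"""Classify PIM schedule instances with the terms above and flag standing
privileged access.  Added example, not Microsoft's code; the instances below
are constructed samples shaped like the objects returned by
GET /roleManagement/directory/roleEligibilityScheduleInstances and
GET /roleManagement/directory/roleAssignmentScheduleInstances."""
from datetime import datetime

# Built-in role template IDs (identical in every tenant); names are for reporting.
GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10"
PRIV_ROLE_ADMIN = "e8611ab8-c189-46e8-94e1-60213ab1f814"
SECURITY_ADMIN = "194ae4cb-b126-40b2-bd5b-6091b380977d"
USER_ADMIN = "fe930be7-5e62-47db-91af-98c3a49a38b1"
ROLE_NAMES = {GLOBAL_ADMIN: "Global Administrator",
              PRIV_ROLE_ADMIN: "Privileged Role Administrator",
              SECURITY_ADMIN: "Security Administrator",
              USER_ADMIN: "User Administrator"}
# Which roles count as highly privileged is this example's choice, not a PIM setting.
HIGHLY_PRIVILEGED = {GLOBAL_ADMIN, PRIV_ROLE_ADMIN}

# Constructed samples.  Eligibility instances carry no assignmentType; assignment
# instances are "Assigned" (granted active by an admin) or "Activated" (an
# eligible user activated, so endDateTime is the end of the activation window).
SAMPLE_ELIGIBILITY_INSTANCES = [
    {"principalId": "alex", "roleDefinitionId": GLOBAL_ADMIN, "directoryScopeId": "/",
     "memberType": "Direct", "startDateTime": "2025-01-06T09:00:00Z", "endDateTime": None},
    {"principalId": "emily", "roleDefinitionId": SECURITY_ADMIN, "directoryScopeId": "/",
     "memberType": "Direct", "startDateTime": "2025-01-06T09:00:00Z",
     "endDateTime": "2025-07-06T09:00:00Z"},
]
SAMPLE_ASSIGNMENT_INSTANCES = [
    {"principalId": "breakglass", "roleDefinitionId": GLOBAL_ADMIN, "directoryScopeId": "/",
     "assignmentType": "Assigned", "memberType": "Direct",
     "startDateTime": "2024-01-01T00:00:00Z", "endDateTime": None},
    {"principalId": "patti", "roleDefinitionId": GLOBAL_ADMIN, "directoryScopeId": "/",
     "assignmentType": "Assigned", "memberType": "Direct",
     "startDateTime": "2024-03-15T00:00:00Z", "endDateTime": None},
    {"principalId": "alex", "roleDefinitionId": GLOBAL_ADMIN, "directoryScopeId": "/",
     "assignmentType": "Activated", "memberType": "Direct",
     "startDateTime": "2025-01-16T10:00:00Z", "endDateTime": "2025-01-16T18:00:00Z"},
    {"principalId": "contractors-group", "roleDefinitionId": USER_ADMIN, "directoryScopeId": "/",
     "assignmentType": "Assigned", "memberType": "Group",
     "startDateTime": "2024-06-01T00:00:00Z", "endDateTime": "2025-03-01T00:00:00Z"},
]


def _ts(text):
    """Graph timestamps are ISO 8601 with a trailing Z; None means no end."""
    return datetime.fromisoformat(text.replace("Z", "+00:00")) if text else None


def classify(instance, eligibility):
    """Map one instance onto the terms in the table above."""
    open_ended = instance.get("endDateTime") is None
    if eligibility:
        return "permanent eligible" if open_ended else "time-bound eligible"
    if instance["assignmentType"] == "Activated":
        return "activated"
    return "permanent active" if open_ended else "time-bound active"


def active_now(instances, at_iso):
    """Instances whose window covers the given moment (open-ended ones never close)."""
    at = _ts(at_iso)
    return [i for i in instances
            if _ts(i["startDateTime"]) <= at
            and (_ts(i.get("endDateTime")) is None or at < _ts(i["endDateTime"]))]


def standing_privileged_access(assignment_instances, roles=HIGHLY_PRIVILEGED):
    """Permanent active assignments to the given roles: the standing access that
    least privilege says should become eligible, apart from a documented
    break-glass account.  Returns sorted (principalId, role name) pairs."""
    return sorted((i["principalId"], ROLE_NAMES.get(i["roleDefinitionId"], i["roleDefinitionId"]))
                  for i in assignment_instances
                  if i["roleDefinitionId"] in roles and classify(i, False) == "permanent active")


def remaining_active_admins(assignment_instances, role_id, removing_principal, at_iso):
    """Approximates the check behind PIM's refusal to remove the last active
    Global Administrator or Privileged Role Administrator: how many distinct
    principals would still hold role_id at at_iso once removing_principal's
    assignment is gone."""
    return len({i["principalId"] for i in active_now(assignment_instances, at_iso)
                if i["roleDefinitionId"] == role_id and i["principalId"] != removing_principal})
```

Run against real data, `standing_privileged_access` is the list to take into an access review: every entry except the break-glass account is a candidate for conversion to an eligible assignment. Note that an activated instance counts toward `remaining_active_admins` only while its window is open, which is why the moment of the check is passed in explicitly.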


ROLE ASSIGNMENT OVERVIEW

PIM role assignments give you a secure way to grant access to resources in
your organization. This section describes the assignment process: assigning
roles to members, activating assignments, approving or denying requests, and
extending and renewing assignments.

PIM keeps you informed by sending you and other participants email
notifications. These emails might also include links to relevant tasks, such
as activating a role or approving or denying a request.

The following screenshot shows an email message sent by PIM. The email informs
Patti that Alex updated a role assignment for Emily.




ASSIGN

The assignment process starts by assigning roles to members. To grant access to
a resource, the administrator assigns roles to users, groups, service
principals, or managed identities. The assignment includes the following data:

 * The members or owners to assign the role.
 * The scope of the assignment. The scope limits the assigned role to a
   particular set of resources.
 * The type of the assignment
   * Eligible assignments require the member of the role to perform an action to
     use the role. Actions might include activation, or requesting approval from
     designated approvers.
   * Active assignments don't require the member to perform any action to use
     the role. Members assigned as active have the privileges assigned to the
     role.
 * The duration of the assignment, using start and end dates or permanent. For
   eligible assignments, the members can activate or request approval between
   the start and end dates. For active assignments, the members can use the
   assigned role during this period of time.

The following screenshot shows how an administrator assigns a role to members.



For more information, check out the following articles: Assign Microsoft Entra
roles, Assign Azure resource roles, and Assign eligibility for a PIM for Groups.


ACTIVATE

If users are eligible for a role, they must activate the role assignment
before using the role. To activate the role, a user selects an activation
duration within the maximum configured by administrators, and gives the reason
for the activation request.

The following screenshot shows how members activate their role for a limited
time.



If the role requires approval to activate, a notification appears in the upper
right corner of the user's browser informing them the request is pending
approval. If an approval isn't required, the member can start using the role.

For more information, check out the following articles: Activate Microsoft Entra
roles, Activate my Azure resource roles, and Activate my PIM for Groups roles.


APPROVE OR DENY

Delegated approvers receive email notifications when a role request is pending
their approval. Approvers can view, approve, or deny these pending requests in
PIM. After the request is approved, the member can start using the role. For
example, if a user or a group was assigned the Contributor role on a resource
group, they can manage that particular resource group once the request is
approved.

For more information, check out the following articles: Approve or deny requests
for Microsoft Entra roles, Approve or deny requests for Azure resource roles,
and Approve activation requests for PIM for Groups.


EXTEND AND RENEW ASSIGNMENTS

After administrators set up time-bound owner or member assignments, the first
question you might ask is what happens when an assignment expires. PIM provides
two options for this scenario:

 * Extend: When a role assignment nears expiration, the user can use Privileged
   Identity Management to request an extension for the role assignment.
 * Renew: When a role assignment has expired, the user can use Privileged
   Identity Management to request a renewal for the role assignment.

Both user-initiated actions require an approval from a Global Administrator or
Privileged Role Administrator. Admins don't need to track assignment
expirations themselves: they can wait for the extension or renewal requests to
arrive and simply approve or deny them.

For more information, check out the following articles: Extend or renew
Microsoft Entra role assignments, Extend or renew Azure resource role
assignments, and Extend or renew PIM for Groups assignments.
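The assign, activate, approve and extend/renew steps above map onto two Microsoft Graph collections under /roleManagement/directory: roleEligibilityScheduleRequests (eligible assignments) and roleAssignmentScheduleRequests (active assignments and activations), each driven by an `action` value. The following is an added example, not Microsoft's code and not part of the original article, that builds those request bodies offline and checks an activation against the role's PIM policy (maximum duration, justification, approval) before it would be submitted. The policy, the principal and role IDs, the schedule ID and the justification strings are constructed samples; nothing here talks to the network.

```python
"""PIM lifecycle request bodies for Microsoft Entra roles via Microsoft Graph
(/roleManagement/directory).  Added example, not Microsoft's code: it builds
and validates bodies offline and never sends them.  IDs, justifications and
the policy below are constructed samples."""
import re
from datetime import datetime, timezone, timedelta

GRAPH = "https://graph.microsoft.com/v1.0/roleManagement/directory"
# The action enum is shared by both request types; this is the subset that
# makes sense for an eligibility schedule (activation only exists for assignments).
ELIGIBILITY_ACTIONS = {"adminAssign", "adminUpdate", "adminRemove",
                       "adminExtend", "adminRenew", "selfExtend", "selfRenew"}
ASSIGNMENT_ACTIONS = ELIGIBILITY_ACTIONS | {"selfActivate", "selfDeactivate"}

# Constructed sample of the end-user rules in one role's PIM policy, shaped like
# the rules GET .../roleManagementPolicies/{id}?$expand=rules returns.
SAMPLE_POLICY = {
    "id": "DirectoryRole_sample-tenant_sample-policy",
    "rules": [
        {"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule",
         "id": "Expiration_EndUser_Assignment",
         "isExpirationRequired": True, "maximumDuration": "PT8H"},
        {"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule",
         "id": "Enablement_EndUser_Assignment",
         "enabledRules": ["MultiFactorAuthentication", "Justification"]},
        {"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule",
         "id": "Approval_EndUser_Assignment",
         "setting": {"isApprovalRequired": True}},
    ],
}
_ISO_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?)?$")


def parse_iso_duration(text):
    """Parse the ISO 8601 durations PIM uses ('PT8H', 'P1D', 'PT1H30M')."""
    m = _ISO_DURATION.match(text)
    if not m or text in ("P", "PT"):
        raise ValueError(f"unsupported ISO 8601 duration: {text!r}")
    days, hours, minutes = (int(g) if g else 0 for g in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes)


def format_iso_duration(delta):
    """Inverse of parse_iso_duration for whole minutes ('PT2H', 'PT1H30M')."""
    hours, minutes = divmod(int(delta.total_seconds()) // 60, 60)
    return "PT" + (f"{hours}H" if hours else "") + (f"{minutes}M" if minutes else "")


def rule(policy, rule_id):
    return next(r for r in policy["rules"] if r["id"] == rule_id)


def _schedule(expiration):
    return {"startDateTime": datetime.now(timezone.utc).isoformat(), "expiration": expiration}


def eligibility_request(principal_id, role_definition_id, end=None, scope="/",
                        justification="Added to on-call rotation"):
    """Assign step: adminAssign body for POST {GRAPH}/roleEligibilityScheduleRequests.
    end=None gives a permanent eligible assignment; an ISO 8601 timestamp makes
    it time-bound.  scope '/' is the whole tenant."""
    expiration = ({"type": "afterDateTime", "endDateTime": end} if end
                  else {"type": "noExpiration"})
    return {"action": "adminAssign", "principalId": principal_id,
            "roleDefinitionId": role_definition_id, "directoryScopeId": scope,
            "justification": justification, "scheduleInfo": _schedule(expiration)}


def activation_request(policy, principal_id, role_definition_id, duration,
                       justification=None, scope="/"):
    """Activate step: selfActivate body for POST {GRAPH}/roleAssignmentScheduleRequests,
    pre-checked against the role's policy the same way the portal limits the user."""
    maximum = parse_iso_duration(rule(policy, "Expiration_EndUser_Assignment")["maximumDuration"])
    if not timedelta(0) < duration <= maximum:
        raise ValueError(f"requested {duration} is outside the policy maximum of {maximum}")
    enabled = rule(policy, "Enablement_EndUser_Assignment")["enabledRules"]
    if "Justification" in enabled and not justification:
        raise ValueError("this role's policy requires a justification to activate")
    body = {"action": "selfActivate", "principalId": principal_id,
            "roleDefinitionId": role_definition_id, "directoryScopeId": scope,
            "scheduleInfo": _schedule({"type": "afterDuration",
                                       "duration": format_iso_duration(duration)})}
    if justification:
        body["justification"] = justification
    return body


def approval_required(policy):
    """Approve step: True when the request will wait in status PendingApproval for
    a designated approver instead of provisioning the active assignment at once."""
    return bool(rule(policy, "Approval_EndUser_Assignment")["setting"]["isApprovalRequired"])


def lifecycle_request(action, target_schedule_id, principal_id, role_definition_id,
                      new_end, justification, eligibility=True, scope="/"):
    """Extend/renew step: (url, body) for selfExtend, selfRenew, adminExtend or
    adminRenew against an existing schedule (targetScheduleId).  eligibility
    selects which of the two request collections the body is posted to."""
    allowed = ELIGIBILITY_ACTIONS if eligibility else ASSIGNMENT_ACTIONS
    if action not in allowed:
        raise ValueError(f"{action!r} is not a valid action for this schedule kind")
    collection = "roleEligibilityScheduleRequests" if eligibility else "roleAssignmentScheduleRequests"
    body = {"action": action, "targetScheduleId": target_schedule_id,
            "principalId": principal_id, "roleDefinitionId": role_definition_id,
            "directoryScopeId": scope, "justification": justification,
            "scheduleInfo": _schedule({"type": "afterDateTime", "endDateTime": new_end})}
    return f"{GRAPH}/{collection}", body
```

Submitting these bodies needs RoleEligibilitySchedule.ReadWrite.Directory or RoleAssignmentSchedule.ReadWrite.Directory on the token. Two things the body cannot express are worth remembering: the MultiFactorAuthentication enablement rule is satisfied by the caller's token (the user must have completed MFA in the session that obtained it), and when `approval_required` is true the user's role is usable only after an approver acts on the request PIM creates, which is the step the "Approve or deny" section describes.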


SCENARIOS

Privileged Identity Management supports the following scenarios:


PRIVILEGED ROLE ADMINISTRATOR PERMISSIONS

 * Enable approval for specific roles
 * Specify approver users or groups to approve requests
 * View request and approval history for all privileged roles


APPROVER PERMISSIONS

 * View pending approvals (requests)
 * Approve or reject requests for role elevation (single and bulk)
 * Provide justification for my approval or rejection


ELIGIBLE ROLE USER PERMISSIONS

 * Request activation of a role that requires approval
 * View the status of your request to activate
 * Complete your task in Microsoft Entra ID if activation was approved


MICROSOFT GRAPH APIS

You can use Privileged Identity Management programmatically through the
following Microsoft Graph APIs:

 * PIM for Microsoft Entra roles APIs
 * PIM for groups APIs


NEXT STEPS

 * License requirements to use Privileged Identity Management
 * Securing privileged access for hybrid and cloud deployments in Microsoft
   Entra ID
 * Deploy Privileged Identity Management




