Entra ID Privileged Identity Management is the highest-leverage control for moving Essential Eight Strategy 5 (restrict administrative privileges) from ML1 to ML2 or ML3. Just-in-time role activation. Approval workflows. Time-bound access. Complete audit of every privileged action.
It's also the control most often deployed in week one of a cyber uplift, rolled back in week two after the IT ops team can't do their jobs anymore. PIM is a change-management problem with a policy engine attached. Here's a rollout that sticks.
Prerequisite — service account hygiene first
Before PIM, every organisation needs a service-account audit. You'll find accounts that do automation work (legitimately) in admin roles that shouldn't have human-tier MFA policies applied. You'll find ex-employees' accounts in Global Admin 'as a backup'. You'll find shared credentials in roles that PIM will break.
Refactor first. Move automation to managed identities or workload identity federation. Remove shared credentials. Off-board accounts that belong to humans who left. Then PIM.
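One way to run that service-account audit against a single privileged role, as an added example that is not part of the original post. It assumes the Microsoft.Graph PowerShell SDK with a session holding RoleManagement.Read.Directory, User.Read.All and AuditLog.Read.All; the naming-convention heuristic and the 90-day staleness cut-off are assumptions to tune for your tenant.

```powershell
# Added example (not from the original post): list the members of one
# privileged role and flag the account types the article says to refactor
# before PIM goes on: non-user principals, disabled accounts, dormant
# accounts and names that look like service or shared accounts.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'User.Read.All', 'AuditLog.Read.All' -NoWelcome

function Get-PrivilegedRoleHygieneReport {
    param(
        [string]$RoleDisplayName = 'Global Administrator',
        [int]$StaleAfterDays = 90          # assumption: tune to your review cadence
    )
    # directoryRoles only lists roles that have been activated in the tenant.
    $role = Get-MgDirectoryRole -All | Where-Object DisplayName -eq $RoleDisplayName
    if (-not $role) { throw "Role '$RoleDisplayName' is not activated in this tenant" }

    $cutoff = (Get-Date).AddDays(-$StaleAfterDays)
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        $type = $member.AdditionalProperties['@odata.type']
        $findings = @()
        $label = $member.Id
        if ($type -ne '#microsoft.graph.user') {
            # Service principals or groups holding the role directly: candidates for
            # a managed identity / workload identity federation with a tighter role.
            $findings += "non-user principal ($type)"
        } else {
            $user = Get-MgUser -UserId $member.Id -Property 'userPrincipalName', 'accountEnabled', 'signInActivity'
            $label = $user.UserPrincipalName
            if (-not $user.AccountEnabled) { $findings += 'account disabled: off-board or remove the role' }
            $last = $user.SignInActivity.LastSignInDateTime
            if (-not $last -or $last -lt $cutoff) { $findings += "no interactive sign-in in $StaleAfterDays days" }
            # Naming heuristic only (assumption): confirm ownership with the team.
            if ($user.UserPrincipalName -match '^(svc|admin|shared|backup)[-_.]') {
                $findings += 'name suggests a service or shared account'
            }
        }
        [pscustomobject]@{
            Role      = $RoleDisplayName
            Principal = $label
            Type      = $type
            Findings  = ($findings -join '; ')
        }
    }
}

# Only rows with at least one finding need a decision before PIM.
Get-PrivilegedRoleHygieneReport | Where-Object Findings | Format-Table -AutoSize
```

Run it once per role you intend to put into PIM; a row with findings is a refactor or off-board decision, not something PIM will resolve on its own.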
Start with Global Admin, then expand
Putting every role into PIM at once is unmanageable. Start with Global Administrator — make it eligible-only, 8-hour maximum activation, approval required, justification required. That single change moves the highest-risk role to JIT and gives your ops team a controlled environment to learn PIM ergonomics.
Expand in waves: Privileged Role Admin → Security Admin → Conditional Access Admin → Exchange, SharePoint, Teams admin → the long tail. Each wave one to two weeks apart. Each wave preceded by a 30-minute brief to the affected admin group.
Activation duration matches the task
The default 8-hour activation is too long for most changes. Most privileged actions complete in under an hour. Set the maximum activation duration per role — 1 hour for Exchange Admin, 4 hours for Global Admin, 1 hour for Security Admin.
Shorter durations train admins to activate for a specific task, not for the day. That's the behavioural shift PIM is trying to drive. A permanent 8-hour activation every morning is just a slower version of standing rights.
Approval for the high-blast-radius roles
Require approval on Global Admin, User Access Admin, Privileged Role Admin. Don't require approval on the day-to-day admin roles — that creates a bottleneck and trains people to pre-approve in bulk.
Approver pool: at least three people, ideally including one who is not in the IT ops team (the CISO, the CFO, a senior engineer). An approver pool of one is a single point of failure and a PIM anti-pattern.
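The role settings from the last three sections (capped activation duration, MFA plus justification on activation, and an approver pool only on the high-blast-radius roles) applied through Microsoft Graph, as an added example that is not part of the original post. It assumes the Microsoft.Graph PowerShell SDK and a session holding RoleManagementPolicy.ReadWrite.Directory; the approver object IDs are placeholders, and the function name Set-PimActivationPolicy is this example's own.

```powershell
# Added example (not from the original post): write the article's activation
# settings into the PIM policy bound to an Entra directory role. The three
# rule IDs and property names are the Graph unifiedRoleManagementPolicy rule
# shapes for the end-user activation step of an eligible assignment.
Connect-MgGraph -Scopes 'RoleManagementPolicy.ReadWrite.Directory', 'RoleManagement.Read.Directory' -NoWelcome

function Set-PimActivationPolicy {
    param(
        [Parameter(Mandatory)][string]$RoleDisplayName,
        [Parameter(Mandatory)][string]$MaxActivation,   # ISO 8601 duration, e.g. 'PT1H'
        [string[]]$ApproverUserIds = @()                # empty pool = no approval step
    )
    # Resolve the role definition, then the PIM policy assigned to it at tenant scope.
    $role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$RoleDisplayName'"
    if (-not $role) { throw "No role definition named '$RoleDisplayName'" }
    $assignment = Get-MgPolicyRoleManagementPolicyAssignment `
        -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$($role.Id)'"
    $policyId = $assignment.PolicyId
    # All three rules target the end-user activation of an eligible assignment.
    $target = @{ caller = 'EndUser'; operations = @('All'); level = 'Assignment'
                 inheritableSettings = @(); enforcedSettings = @() }

    # 1. Activation length: sized to the task, not the day.
    Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
        -UnifiedRoleManagementPolicyRuleId 'Expiration_EndUser_Assignment' -BodyParameter @{
            '@odata.type'        = '#microsoft.graph.unifiedRoleManagementPolicyExpirationRule'
            id                   = 'Expiration_EndUser_Assignment'
            isExpirationRequired = $true
            maximumDuration      = $MaxActivation
            target               = $target
        }

    # 2. MFA and a written justification on every activation.
    Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
        -UnifiedRoleManagementPolicyRuleId 'Enablement_EndUser_Assignment' -BodyParameter @{
            '@odata.type' = '#microsoft.graph.unifiedRoleManagementPolicyEnablementRule'
            id            = 'Enablement_EndUser_Assignment'
            enabledRules  = @('MultiFactorAuthentication', 'Justification')
            target        = $target
        }

    # 3. Approval, switched on only when the caller supplied an approver pool.
    $approvers = @(foreach ($id in $ApproverUserIds) {
        @{ '@odata.type' = '#microsoft.graph.singleUser'; userId = $id }
    })
    Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
        -UnifiedRoleManagementPolicyRuleId 'Approval_EndUser_Assignment' -BodyParameter @{
            '@odata.type' = '#microsoft.graph.unifiedRoleManagementPolicyApprovalRule'
            id            = 'Approval_EndUser_Assignment'
            target        = $target
            setting       = @{
                isApprovalRequired               = ($approvers.Count -gt 0)
                isApprovalRequiredForExtension   = $false
                isRequestorJustificationRequired = $true
                approvalMode                     = 'SingleStage'
                approvalStages                   = @(@{
                    approvalStageTimeOutInDays      = 1
                    isApproverJustificationRequired = $true
                    escalationTimeInMinutes         = 0
                    isEscalationEnabled             = $false
                    primaryApprovers                = $approvers
                    escalationApprovers             = @()
                })
            }
        }
}

# Per-role values from the article: three approvers on Global Admin, none on
# the day-to-day roles. Replace the placeholder object IDs with real approvers.
$gaApprovers = @('<approver-1-object-id>', '<approver-2-object-id>', '<approver-3-object-id>')
Set-PimActivationPolicy -RoleDisplayName 'Global Administrator'  -MaxActivation 'PT4H' -ApproverUserIds $gaApprovers
Set-PimActivationPolicy -RoleDisplayName 'Exchange Administrator' -MaxActivation 'PT1H'
Set-PimActivationPolicy -RoleDisplayName 'Security Administrator' -MaxActivation 'PT1H'
```

Each wave of the rollout is then one more call with that role's duration. The enablement rule also accepts a 'Ticketing' value, which makes PIM prompt for a ticket number separately rather than relying on the free-text justification; either way the value lands in the audit log.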
Access reviews every quarter
PIM has built-in access reviews. Schedule quarterly reviews on every eligible role assignment. The reviewer — usually the line manager or the CISO — must actively re-confirm that the person still needs the eligibility.
Quarterly reviews surface the accounts that accumulated eligibility five years ago and still have it. 20% of eligibilities typically fail the first review. That's not a failure — that's the review working as intended.
Integrate with your change process
The PIM justification field is the handoff point between PIM and your change management. Require the change ticket number in the justification string. The audit log now has both the PIM activation event and the change record it's authorising — a security team can cross-reference in one query.
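The cross-reference described above, as an added example that is not part of the original post: join PIM activation audit events to change records and flag activations whose justification carries no usable ticket. The activation records are constructed sample data in the shape of Get-MgAuditLogDirectoryAudit output (the activity name and the 'Justification' additional-detail key as they appear in Entra audit logs); the CHG1234567 ticket format, the change table and the 'Implement' state are assumptions about your change system.

```powershell
# Added example (not from the original post). Sample data is constructed.

# Constructed CMDB extract: ticket -> state plus the approved change window.
$changeRecords = @{
    'CHG1000123' = @{ State = 'Implement'; Start = [datetime]'2024-05-02T09:00:00Z'; End = [datetime]'2024-05-02T11:00:00Z' }
    'CHG1000124' = @{ State = 'Closed';    Start = [datetime]'2024-04-20T09:00:00Z'; End = [datetime]'2024-04-20T11:00:00Z' }
}

# Constructed PIM activation events in the shape of Get-MgAuditLogDirectoryAudit output.
$activations = @(
    @{ ActivityDateTime    = [datetime]'2024-05-02T09:14:00Z'
       ActivityDisplayName = 'Add member to role completed (PIM activation)'
       InitiatedBy         = @{ User = @{ UserPrincipalName = 'alice@contoso.example' } }
       TargetResources     = @(@{ DisplayName = 'Global Administrator' })
       AdditionalDetails   = @(@{ Key = 'Justification'; Value = 'CHG1000123 rotate SAML signing cert' }) },
    @{ ActivityDateTime    = [datetime]'2024-05-02T13:40:00Z'
       ActivityDisplayName = 'Add member to role completed (PIM activation)'
       InitiatedBy         = @{ User = @{ UserPrincipalName = 'bob@contoso.example' } }
       TargetResources     = @(@{ DisplayName = 'Exchange Administrator' })
       AdditionalDetails   = @(@{ Key = 'Justification'; Value = 'mailbox fix' }) },
    @{ ActivityDateTime    = [datetime]'2024-05-03T08:05:00Z'
       ActivityDisplayName = 'Add member to role completed (PIM activation)'
       InitiatedBy         = @{ User = @{ UserPrincipalName = 'carol@contoso.example' } }
       TargetResources     = @(@{ DisplayName = 'Global Administrator' })
       AdditionalDetails   = @(@{ Key = 'Justification'; Value = 'CHG1000124 reopen old change' }) }
)
# Live pull instead of the sample (needs AuditLog.Read.All on the Graph session):
# $activations = Get-MgAuditLogDirectoryAudit -All -Filter "activityDisplayName eq 'Add member to role completed (PIM activation)'"

function Get-PimActivationChangeGaps {
    param(
        [Parameter(Mandatory)]$Activations,
        [Parameter(Mandatory)][hashtable]$ChangeRecords,
        [string]$TicketPattern = 'CHG\d{7}'   # assumption: ServiceNow-style numbering
    )
    foreach ($act in $Activations) {
        $justification = ($act.AdditionalDetails | Where-Object Key -eq 'Justification').Value
        $ticket = [regex]::Match([string]$justification, $TicketPattern).Value
        $change = if ($ticket) { $ChangeRecords[$ticket] }
        # Ordered checks: presence, existence, state, then the approved window.
        $status = if (-not $ticket) { 'NO_TICKET' }
                  elseif (-not $change) { 'UNKNOWN_TICKET' }
                  elseif ($change.State -ne 'Implement') { "TICKET_$($change.State.ToUpper())" }
                  elseif ($act.ActivityDateTime -lt $change.Start -or $act.ActivityDateTime -gt $change.End) { 'OUTSIDE_CHANGE_WINDOW' }
                  else { 'OK' }
        [pscustomobject]@{
            When          = $act.ActivityDateTime
            Who           = $act.InitiatedBy.User.UserPrincipalName
            Role          = $act.TargetResources[0].DisplayName
            Ticket        = if ($ticket) { $ticket } else { '-' }
            Status        = $status
            Justification = $justification
        }
    }
}

# Anything other than OK is a conversation with the admin, not an automatic block.
Get-PimActivationChangeGaps -Activations $activations -ChangeRecords $changeRecords |
    Where-Object Status -ne 'OK' | Format-Table -AutoSize
```

With the sample data, alice's activation passes (ticket in Implement, inside its window), bob's is reported as NO_TICKET and carol's as TICKET_CLOSED. Scheduled daily, the non-OK rows are the list the security team reviews.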
The eight strategies, for reference
- 01 Application control: only approved applications can execute on workstations and servers.
- 02 Patch applications: internet-facing apps, browsers, Office, PDF readers patched promptly.
- 03 Microsoft Office macros: macros disabled unless from trusted locations and signed by a trusted publisher.
- 04 User application hardening: web browsers and productivity apps hardened against the most common attacks.
- 05 Restrict administrative privileges: admin accounts limited, separated and reviewed — the crown jewels of the tenant.
- 06 Patch operating systems: operating system patches applied on a schedule that matches the risk.
- 07 Multi-factor authentication: MFA everywhere that matters — privileged accounts, remote access, important data.
- 08 Regular backups: backups of important data, configuration and software — and restores you have actually tested.
The common objections, and how to answer them
- "It'll slow us down." Activation takes 30 seconds. If the ops team's day is made or broken by 30 seconds three times a day, the problem isn't PIM.
- "We'll miss the approval in a real incident." That's what break-glass is for. Every tenant needs a break-glass Global Admin, outside PIM. One account. Documented. Monitored.
- "We can't afford the Entra ID P2 licence." The licence cost of P2 against the incident cost of a compromised Global Admin is not a fair comparison. ML2 of the Essential Eight effectively requires P2 or equivalent.
- "We already have MFA on admins, isn't that enough?" MFA stops credential theft. PIM stops standing-rights sprawl, which is a different failure mode. Different tools, different controls, both needed.
If you're about to roll out PIM, or your rollout stalled and you want to restart it cleanly, book a cyber review. We'll walk the role design, the activation durations, the approvers and the access-review cadence — and give you a sequence that survives the first six weeks.