What PIM does
Privileged Identity Management (PIM) is the Entra ID P2 feature that lets you assign an admin role as 'eligible' rather than 'active'. An eligible admin is a normal user until they go to the Entra portal, click Activate, provide a business justification and complete an MFA challenge where the role settings require them, and elevate for a bounded window (1–8 hours, sometimes longer with approval). After the window expires, they drop back to a standard user. PIM also covers Azure RBAC roles, and via PIM for Groups can wrap any privileged group membership in the same just-in-time pattern.
Why PIM matters for Essential Eight and APRA
Essential Eight Strategy 6 — Restrict administrative privileges — is one of the strategies most AU mid-market tenants score lowest on, because standing admin accounts are everywhere (Global Admins, Exchange Admins, Intune Admins, Application Admins, Privileged Role Admins). PIM is how Microsoft 365 actually delivers least-privilege admin: standing assignments are eligible-only, break-glass accounts are the only active standing admins, and every elevation is logged with justification. The same pattern satisfies APRA CPS 234 Section 26 (limit administrative access) and aligns to ASD ISM controls on privileged account separation.
Eligible vs active vs permanent
PIM distinguishes three assignment types. Permanent active is the legacy default — the user is always in the role, no activation needed. Permanent eligible means the user can self-activate the role at any time without an expiry. Time-bound eligible is the strongest pattern — the user can activate up to a hard end date (typically reviewed every 90 days under access reviews). Frontrow's default PIM design for AU mid-market is: two break-glass Global Admins as permanent active, every other role as time-bound eligible with 8-hour activation, approval-required on Global Admin and Privileged Role Admin, MFA + justification on every activation.
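The three assignment types and the activation window described above can be checked mechanically against an export of a tenant's PIM schedules. The script below is an added example, not code from the original article or from Frontrow: it models the fields Microsoft Graph returns for role assignment and eligibility schedule instances (principalId, roleDefinitionId, startDateTime, endDateTime, assignmentType), classifies each record as permanent active, permanent eligible, time-bound eligible or a live activation, and flags whatever departs from the eligible-only design (permanent active only for the two break-glass Global Admins, activations no longer than 8 hours). The role IDs, account names and all records are constructed placeholders, not real tenant data.

```python
"""Audit PIM role schedules against an eligible-only admin design.

Added example. Record fields mirror Graph's roleAssignmentScheduleInstance /
roleEligibilityScheduleInstance objects, but every value here is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed placeholder role definition IDs -> display names.
ROLE_NAMES = {
    "role-ga": "Global Administrator",
    "role-pra": "Privileged Role Administrator",
    "role-exo": "Exchange Administrator",
    "role-intune": "Intune Administrator",
}

# Constructed: the only principals allowed a permanent active Global Admin assignment.
BREAK_GLASS = {"bg-01", "bg-02"}
GLOBAL_ADMIN = "role-ga"
MAX_ACTIVATION = timedelta(hours=8)   # the 8-hour activation ceiling in the design


@dataclass(frozen=True)
class Assignment:
    principal_id: str
    role_id: str
    kind: str                      # "active" (assignment schedule) or "eligible"
    start: str                     # ISO-8601 with explicit offset
    end: Optional[str]             # None when the schedule has no expiry
    assignment_type: str = "Assigned"   # Graph: "Assigned" or "Activated"


def classify(a: Assignment) -> str:
    """Map one schedule instance onto PIM's assignment types."""
    if a.kind == "active":
        if a.assignment_type == "Activated":
            return "activated"     # a just-in-time elevation inside its window
        return "permanent active" if a.end is None else "time-bound active"
    return "permanent eligible" if a.end is None else "time-bound eligible"


def audit(assignments: List[Assignment]) -> List[Tuple[str, str, str]]:
    """Return (principal, role name, finding) for each departure from the design."""
    findings = []
    for a in assignments:
        kind = classify(a)
        role = ROLE_NAMES.get(a.role_id, a.role_id)
        if kind == "activated":
            # Live elevations are expected; only check the window length.
            window = datetime.fromisoformat(a.end) - datetime.fromisoformat(a.start)
            if window > MAX_ACTIVATION:
                findings.append((a.principal_id, role, "activation exceeds 8h maximum"))
        elif kind == "permanent active":
            if a.principal_id in BREAK_GLASS and a.role_id == GLOBAL_ADMIN:
                continue           # the sanctioned break-glass exception
            findings.append((a.principal_id, role, "standing active assignment"))
        elif kind == "permanent eligible":
            findings.append((a.principal_id, role, "eligible without end date"))
        elif kind == "time-bound active":
            findings.append((a.principal_id, role, "time-bound active, should be eligible"))
    return findings


# Constructed sample export: two break-glass GAs, one legacy standing GA,
# one permanent-eligible Exchange admin, one compliant Intune admin with a
# live 8h activation, and a time-bound active Privileged Role Admin.
SAMPLE = [
    Assignment("bg-01", "role-ga", "active", "2024-01-01T00:00:00+00:00", None),
    Assignment("bg-02", "role-ga", "active", "2024-01-01T00:00:00+00:00", None),
    Assignment("user-alice", "role-ga", "active", "2024-01-01T00:00:00+00:00", None),
    Assignment("user-bob", "role-exo", "eligible", "2024-01-01T00:00:00+00:00", None),
    Assignment("user-carol", "role-intune", "eligible",
               "2025-04-01T00:00:00+00:00", "2025-09-30T00:00:00+00:00"),
    Assignment("user-carol", "role-intune", "active",
               "2025-07-01T09:00:00+00:00", "2025-07-01T17:00:00+00:00", "Activated"),
    Assignment("user-dave", "role-pra", "active",
               "2025-01-01T00:00:00+00:00", "2025-12-31T00:00:00+00:00"),
]


def main() -> None:
    for principal, role, finding in audit(SAMPLE):
        print(f"{principal:12} {role:32} {finding}")


if __name__ == "__main__":
    main()
```

Against a real tenant the records would come from the Graph schedule-instance endpoints rather than the constructed list; the classification and the break-glass exception are the part worth keeping, since a permanent active assignment outside that exception is exactly the standing privilege Strategy 6 asks you to remove.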
Licensing — the P2 catch
PIM requires Entra ID P2, which sits inside Microsoft 365 E5 or as the standalone Entra ID P2 add-on (typically AUD $10–15 per user per month). PIM only needs to be licensed for the users who elevate — not every user in the tenant. For a 200-seat AU tenant with 15 IT admins, that's 15 P2 licences, not 200. The activation log and approval workflows themselves are free; the gate is just whether the elevating user holds a P2 licence.