What PIM does
Privileged Identity Management (PIM) lets you make admin roles eligible rather than permanently assigned. A user who holds an eligible Global Administrator assignment activates the role through a workflow (providing a justification, optionally getting approval, completing MFA), and the assignment lasts a defined time window (typically 1–8 hours). When the window expires, the role is removed automatically. This satisfies the Essential Eight expectation that admin privileges are restricted and reviewed.
Why every AU tenant should run it
Permanent Global Administrator assignments are the most exploited control failure in Microsoft 365 tenants. PIM eliminates the standing privilege without removing the ability to act. For Essential Eight ML2 it's expected; for APRA CPS 234 it's the documented control for paragraph 17; for the Privacy Act's reasonable-steps obligation it's part of the modern baseline.
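As an added example (not code from the original page or from Microsoft), the following Python audits exported role-assignment records for the standing privilege described above: Global Administrator assignments that are active without a PIM activation, or activations that run past the time window. It assumes the records follow the shape of Microsoft Graph `roleAssignmentScheduleInstances` objects; the `audit` function, the 8-hour limit and the sample records are constructed for illustration.

```python
from datetime import datetime, timedelta

# Well-known template ID of the built-in Global Administrator role.
GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10"
MAX_WINDOW = timedelta(hours=8)  # assumption: upper end of the 1-8 hour range


def _ts(value):
    """Parse a Graph ISO 8601 timestamp such as 2024-05-01T09:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit(instances, role_id=GLOBAL_ADMIN, max_window=MAX_WINDOW):
    """Return (principalId, finding) for active assignments that break the PIM model."""
    findings = []
    for inst in instances:
        if inst["roleDefinitionId"] != role_id:
            continue
        end = inst.get("endDateTime")
        if inst["assignmentType"] == "Assigned":
            # Active without an activation: this is standing privilege.
            kind = "permanent" if end is None else "time-bound direct assignment"
            findings.append((inst["principalId"], kind))
        elif end is None or _ts(end) - _ts(inst["startDateTime"]) > max_window:
            # Activated through PIM, but the window is open-ended or too long.
            findings.append((inst["principalId"], "activation window too long"))
    return findings


# Constructed sample records (principal IDs are placeholders, not real objects).
SAMPLE = [
    {"principalId": "user-a", "roleDefinitionId": GLOBAL_ADMIN,
     "assignmentType": "Assigned", "startDateTime": "2023-01-10T00:00:00Z",
     "endDateTime": None},
    {"principalId": "user-b", "roleDefinitionId": GLOBAL_ADMIN,
     "assignmentType": "Activated", "startDateTime": "2024-05-01T09:00:00Z",
     "endDateTime": "2024-05-01T13:00:00Z"},
    {"principalId": "user-c", "roleDefinitionId": GLOBAL_ADMIN,
     "assignmentType": "Activated", "startDateTime": "2024-05-01T09:00:00Z",
     "endDateTime": "2024-05-02T09:00:00Z"},
    {"principalId": "user-d", "roleDefinitionId": "00000000-0000-0000-0000-000000000000",
     "assignmentType": "Assigned", "startDateTime": "2023-01-10T00:00:00Z",
     "endDateTime": None},
]

if __name__ == "__main__":
    for principal, finding in audit(SAMPLE):
        print(f"{principal}: {finding}")
```

Emergency-access (break-glass) accounts are commonly left permanently assigned, so expect them in the output and review them as known exceptions.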