Grant Just-in-Time Admin Access with Microsoft Entra PIM
In my lab, I worked with Microsoft Entra Privileged Identity Management (PIM) to grant Just-in-Time admin access. Instead of permanent assignments, users become eligible for roles and must activate them only when needed.
Steps I tested:
- Configured roles as eligible rather than permanent
- Required MFA and approval for role activation
- Verified access automatically expired after the time window
This approach reduces standing privileges and aligns with Zero Trust by securing privileged access.
Curious — does your org still keep permanent Global Admins, or have you moved to JIT with PIM?
1 Reply
- Sajolbh (Copper Contributor)
Yes, we have moved to PIM, and there are separate security groups for approver and requestor for PIM requests. For Global Admin we do have a BG account that is a permanent/active assignment.
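An audit of the setup discussed in this thread, as an added example that is not code from either poster: it flags permanent active Global Administrator assignments outside an allowlist of deliberately permanent accounts, and PIM activations that run longer than the intended window. It assumes the records were exported from the Microsoft Graph `roleAssignmentScheduleInstances` endpoint; the field names follow that resource, while the principal IDs, the second role ID and the 8-hour limit are constructed placeholders.

```python
import json
from datetime import datetime, timedelta

# Role template ID of the built-in Global Administrator role.
GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10"

# Constructed sample records; principal IDs and "other-role-id" are placeholders.
SAMPLE = json.loads("""[
 {"principalId": "user-jit", "roleDefinitionId": "62e90394-69f5-4237-9190-012177145e10",
  "assignmentType": "Activated",
  "startDateTime": "2024-05-01T08:00:00Z", "endDateTime": "2024-05-01T12:00:00Z"},
 {"principalId": "user-standing", "roleDefinitionId": "62e90394-69f5-4237-9190-012177145e10",
  "assignmentType": "Assigned",
  "startDateTime": "2023-01-10T09:00:00Z", "endDateTime": null},
 {"principalId": "acct-permanent", "roleDefinitionId": "62e90394-69f5-4237-9190-012177145e10",
  "assignmentType": "Assigned",
  "startDateTime": "2022-06-01T09:00:00Z", "endDateTime": null},
 {"principalId": "user-long", "roleDefinitionId": "62e90394-69f5-4237-9190-012177145e10",
  "assignmentType": "Activated",
  "startDateTime": "2024-05-01T08:00:00Z", "endDateTime": "2024-05-02T08:00:00Z"},
 {"principalId": "user-other", "roleDefinitionId": "other-role-id",
  "assignmentType": "Assigned",
  "startDateTime": "2023-03-01T09:00:00Z", "endDateTime": null}
]""")

def _ts(value):
    # Graph timestamps end in "Z"; normalise for datetime.fromisoformat.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def standing_assignments(instances, role_id, allowlist=()):
    """Principals holding role_id permanently, excluding allowlisted accounts."""
    return [i["principalId"] for i in instances
            if i["roleDefinitionId"] == role_id
            and i["assignmentType"] == "Assigned"   # direct assignment, not a PIM activation
            and i["endDateTime"] is None            # no expiry: standing privilege
            and i["principalId"] not in allowlist]

def overlong_activations(instances, role_id, max_hours):
    """Principals whose PIM activation window for role_id exceeds max_hours."""
    limit = timedelta(hours=max_hours)
    return [i["principalId"] for i in instances
            if i["roleDefinitionId"] == role_id
            and i["assignmentType"] == "Activated"
            and _ts(i["endDateTime"]) - _ts(i["startDateTime"]) > limit]

if __name__ == "__main__":
    print("standing:", standing_assignments(SAMPLE, GLOBAL_ADMIN, {"acct-permanent"}))
    print("overlong:", overlong_activations(SAMPLE, GLOBAL_ADMIN, 8))
```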