Forum Discussion
PIM
Great question. What you are describing goes beyond what PIM alone can enforce.
Privileged Identity Management in Microsoft Entra ID is designed for just-in-time role activation. It can require approval before activation, enforce MFA, require justification, and limit activation time. However, once the role is activated, the user receives the full set of permissions associated with that role during the activation window.
PIM does not provide action-level approval. It cannot require a separate approval for specific administrative actions such as exporting mailboxes, running eDiscovery searches, accessing sensitive data, or performing critical configuration changes after the role is already active.
If you need more granular control, you have to combine PIM with other Microsoft 365 security and compliance capabilities.
One option is Conditional Access with Authentication Context in Microsoft Entra ID. You can define specific authentication contexts for sensitive resources (for example, SharePoint sites with confidential data or specific applications) and require step-up authentication such as strong MFA, compliant devices, or reauthentication. This does not introduce human approval per action, but it does allow you to enforce stronger controls for high-impact operations.
Another important component is Microsoft Purview. With Purview, you can separate roles such as eDiscovery Manager and eDiscovery Administrator, apply Data Loss Prevention policies, use sensitivity labels, and restrict who can export or access sensitive content. This gives you functional separation of duties and tighter control over sensitive operations.
Microsoft Defender for Cloud Apps can also help at the session level. It allows you to monitor and control user sessions in real time, block downloads, prevent exports, or apply policies when an admin accesses sensitive data. This is particularly useful for enforcing restrictions even when a role is active via PIM.
For Exchange Online specifically, Privileged Access Management (PAM) can provide approval-based workflows for certain administrative tasks. However, this is workload-specific and not a universal solution across all Microsoft 365 services.
In summary, there is currently no native, universal “approval per administrative action” mechanism across all Microsoft 365 workloads. To achieve a more granular and controlled model, you need a layered approach: PIM for just-in-time access, Conditional Access with authentication context for step-up enforcement, Purview for data-level governance and separation of duties, and optionally Defender for Cloud Apps for session-based control.
This combined approach aligns better with a Zero Trust model for privileged operations than relying on PIM alone.
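As an added illustration (not part of the answer above, and not Microsoft's own sample), here is what the Exchange Online PAM approval workflow mentioned in the answer looks like in Exchange Online PowerShell: a policy that demands manual approval for one administrative task, the request an admin raises, and the approver's side. The tenant, group and account names and the protected task are placeholders assumed for the example.

```powershell
# Added example (not from the post above). Exchange Online Privileged Access Management (PAM):
# approval required per administrative task, on top of whatever role PIM has activated.
# Requires the ExchangeOnlineManagement module; all names below are assumed placeholders.
Connect-ExchangeOnline -UserPrincipalName 'globaladmin@contoso.example'

# 1. Enable PAM once per tenant. -AdminGroup is the mail-enabled security group whose
#    members approve elevation requests (placeholder address).
Enable-ElevatedAccessControl -AdminGroup 'pamapprovers@contoso.example'

# 2. Require manual approval for a specific task. Tasks are named '<workload>\<cmdlet>';
#    New-JournalRule stands in here for any configuration change you treat as high impact.
New-ElevatedAccessApprovalPolicy -Task 'Exchange\New-JournalRule' `
    -ApprovalType Manual `
    -ApproverGroup 'pamapprovers@contoso.example'

# 3. Check that the policy is registered before relying on it.
Get-ElevatedAccessApprovalPolicy | Format-List

# --- Requesting admin (already holds the Exchange role, e.g. activated through PIM) ---
# Even with the role active, the protected task is blocked until a request is approved.
# The reason is stored with the request, so reference a change ticket (placeholder id).
New-ElevatedAccessRequest -Task 'Exchange\New-JournalRule' `
    -Reason 'CHG-0000 (placeholder): add journal rule for legal hold' `
    -DurationHours 2

# --- Approver (member of the approver group) ---
# List pending requests and inspect requestor, task, duration and reason before deciding.
Get-ElevatedAccessRequest | Format-List

# Approve or deny by request id; the comment becomes part of the audit record.
# Replace <request-guid> with the RequestId shown in the listing above.
# Approve-ElevatedAccessRequest -RequestId '<request-guid>' -Comment 'Reviewed against CHG-0000'
# Deny-ElevatedAccessRequest  -RequestId '<request-guid>' -Comment 'Outside approved change window'

# Cleanup when the control is no longer wanted (also useful in a test tenant).
# Remove-ElevatedAccessApprovalPolicy -Task 'Exchange\New-JournalRule'
# Disable-ElevatedAccessControl -AdminGroup 'pamapprovers@contoso.example'
```

The approved elevation is time-boxed by -DurationHours and is scoped to the named task only, which is the per-action approval that PIM role activation by itself does not give you; it covers Exchange Online tasks only, as the answer notes.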