Forum Discussion
PAL with PIM
- Apr 15, 2026
I FINALLY heard back from the team on this one. I am not familiar with this content, but I hope it makes sense to you?
-------------------------------------------
If PIM isn’t active and the account is JIT-only, what’s the operational guidance for enabling PAL?
- PAL relies on active permissions, because it must identify partner-associated permissions on the customer tenant.
- JIT removes standing permissions, which creates a conflict unless PIM or another mechanism reactivates temporary privileged roles long enough for PAL to validate associations.
This is why customers on strict JIT/PIM-disabled models often cannot maintain PAL associations — and Microsoft does not currently offer an alternate mechanism.
Thanks Jill, unfortunately this is the same information I had, that PAL is not compatible and/or does not follow Microsoft security best practices, requiring a permanent permission that currently companies are removing.
- JillArmour, Microsoft, Apr 16, 2026
Community Manager
Oh, well that's helpful then. 🙃 That is what the team shared back to me in response. I'm afraid I don't have any other strings to pull.