Use PIM custom extensions to validate tickets, enforce HR policies, and automate approval decisions during role activation.
Privileged access often depends on business context that lives outside Privileged Identity Management (PIM)—ticket validity, HR status, compliance checks, or on-call schedules. With custom extensions for Microsoft Entra Privileged Identity Management, organizations can bring that context directly into activation workflows.
We’re excited to announce the preview of custom extensions for Microsoft Entra Privileged Identity Management (PIM), a powerful new capability that lets you integrate your organization’s business logic directly into PIM role activation workflows.
The challenge
Many organizations need governance controls that go beyond what PIM offers natively. While PIM already supports MFA, justification, and approval workflows, organizations also often want to:
- Validate ticket numbers against an ITSM system
- Enforce HR-based access rules, such as employment status
- Integrate compliance or audit workflows before granting activation
- Apply dynamic approval logic based on the specific context of a request
Until now, these validations required manual processes outside of PIM, which can create gaps in enforcement and auditability.
Introducing PIM custom extensions
With custom extensions, PIM can now call your REST API during role activation. Your API evaluates the request against your business rules and returns a decision that PIM enforces automatically.
How it works:
- A user requests role activation in PIM.
- PIM sends a structured request payload to your custom extension API, including details like principalId, roleDefinitionId, justification, ticketInfo, and scheduleInfo.
- Your API applies your business logic, for example validating the ticket, checking HR status, or running compliance checks.
- Your API returns a decision—Approved, AutoApproved, or Denied—along with a reason.
- PIM enforces the decision and logs the interaction for audit.
Supported scope
In this preview, custom extensions support:
- PIM for Groups
- PIM for Microsoft Entra roles
- PIM for Azure resources
The extension is invoked synchronously during the activation workflow (pre-approval stage), enabling real-time decisioning.
Audit and traceability
Every extension interaction is fully auditable. Each response includes an evaluationId, evaluationOutcome, and reason, giving you end-to-end traceability for compliance reviews and security investigations.
Get started
Setting up PIM custom extensions involves five steps:
- Create a new custom extension API — a REST API (HTTP POST) that implements your business logic.
- Secure the API with Microsoft Entra ID — register an app and implement token validation.
- Onboard the extension in PIM — use Microsoft Graph API to create the custom extension object.
- Link the extension to role settings — enable Require pre-approval custom extension in PIM role settings.
- Activate and validate — test the end-to-end flow by activating a role.
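Step 2 above says to secure the API with Microsoft Entra ID and implement token validation. The following is an added example (not Microsoft's code and not part of the announcement) showing the claim checks an extension API should apply to the inbound access token once a JWT library has verified its signature against the tenant's published signing keys; the signature step itself is left to that library. The tenant id, audience and caller app id are placeholders, and the issuer formats shown are the standard v1 and v2 Entra issuer URLs.

```python
"""Claim policy for the access token PIM presents to a custom extension API.

Added example, not Microsoft's code. Assumes the JWT signature has already
been verified with a JWT library against the tenant's signing keys; these
checks run on the decoded claims afterwards. All ids below are placeholders.
"""
from __future__ import annotations

TENANT_ID = "00000000-0000-0000-0000-000000000000"        # placeholder: your tenant id
EXPECTED_AUDIENCES = {"api://pim-extension-placeholder"}    # placeholder: your API's app ID URI
ALLOWED_CALLER_APP_IDS = {"placeholder-caller-app-id"}      # placeholder: app id the caller presents
CLOCK_SKEW_SECONDS = 300                                    # tolerance for exp/nbf

# Entra issues v1 tokens with the sts.windows.net issuer and v2 tokens with
# the login.microsoftonline.com issuer; accept only this tenant's two forms.
ACCEPTED_ISSUERS = {
    f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    f"https://sts.windows.net/{TENANT_ID}/",
}


def bearer_token(authorization_header: str | None) -> str | None:
    """Return the raw token from an 'Authorization: Bearer <token>' header, else None."""
    if not authorization_header:
        return None
    scheme, _, token = authorization_header.strip().partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    return token.strip()


def check_claims(claims: dict, now_ts: int) -> tuple[bool, str]:
    """Accept a signature-verified claim set only if it is for this API,
    from this tenant, currently valid, and presented by an allowed caller."""
    if claims.get("iss") not in ACCEPTED_ISSUERS:
        return False, f"issuer not trusted: {claims.get('iss')!r}"
    if claims.get("tid") != TENANT_ID:
        return False, "token was issued for a different tenant"

    # 'aud' may be a string or a list; the API's own identifier must be present.
    aud = claims.get("aud")
    audiences = set(aud) if isinstance(aud, list) else {aud}
    if not audiences & EXPECTED_AUDIENCES:
        return False, "audience mismatch: token was not issued for this API"

    exp, nbf = claims.get("exp"), claims.get("nbf")
    if not isinstance(exp, int) or now_ts > exp + CLOCK_SKEW_SECONDS:
        return False, "token is expired"
    if isinstance(nbf, int) and now_ts < nbf - CLOCK_SKEW_SECONDS:
        return False, "token is not yet valid"

    # v2 tokens carry the calling app in 'azp', v1 tokens in 'appid'.
    caller = claims.get("azp") or claims.get("appid")
    if caller not in ALLOWED_CALLER_APP_IDS:
        return False, f"caller app {caller!r} is not allowed to invoke this extension"
    return True, "ok"
```

A failed check should produce an HTTP 401 and a log line with the rejection reason, never a Denied decision: an unauthenticated caller must not be able to influence the activation outcome in either direction.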
Example scenarios
| Scenario | Extension logic |
| --- | --- |
| Ticket validation | Verify that the ticket ID is valid and assigned to the requester |
| HR compliance gate | Confirm that the requester meets the required criteria |
| Auto-approval for on-call | Auto-approve activation for users who are currently on call |
| Deny after hours | Deny activation outside approved maintenance windows |
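The "How it works" flow above and the four scenarios in the table can be implemented as one decision function. The following is an added example, not Microsoft's code: it takes a request carrying the fields the announcement names (principalId, roleDefinitionId, justification, ticketInfo, scheduleInfo) and returns evaluationId, evaluationOutcome and reason. The nesting of ticketInfo and scheduleInfo, the meaning of Approved (checks passed, continue with the normal approval flow) versus AutoApproved (skip approvers), and the in-memory ITSM, HR and on-call data are all assumptions constructed for the example; a real extension would query those systems.

```python
"""Decision logic for a PIM custom extension covering the four example scenarios.

Added example, not Microsoft's code. Field names follow the announcement; the
payload nesting and the backing data are assumptions. The policy is deny by
default: any check that cannot be satisfied returns Denied.
"""
from __future__ import annotations
import uuid
from datetime import datetime, time, timezone

# Constructed sample principals (object ids) standing in for real users.
PRINCIPAL_A = "11111111-1111-1111-1111-111111111111"   # active, on call
PRINCIPAL_B = "22222222-2222-2222-2222-222222222222"   # terminated in HR
PRINCIPAL_C = "33333333-3333-3333-3333-333333333333"   # active, not on call

# Constructed stand-ins for the ITSM, HR and on-call systems.
TICKETS = {
    "INC-1001": {"status": "open", "assignee": PRINCIPAL_A},
    "INC-1002": {"status": "closed", "assignee": PRINCIPAL_A},
    "INC-1003": {"status": "open", "assignee": PRINCIPAL_C},
}
HR_STATUS = {PRINCIPAL_A: "active", PRINCIPAL_B: "terminated", PRINCIPAL_C: "active"}
ON_CALL = {PRINCIPAL_A}
# Approved maintenance window, UTC; activations outside it are denied.
WINDOW_START, WINDOW_END = time(8, 0), time(18, 0)


def _decision(outcome: str, reason: str) -> dict:
    # evaluationId lets the API's own log be joined to PIM's audit record.
    return {"evaluationId": str(uuid.uuid4()), "evaluationOutcome": outcome, "reason": reason}


def _requested_start(schedule_info: dict | None, now: datetime) -> datetime:
    """Assumed shape: scheduleInfo.startDateTime as ISO 8601; default to now."""
    raw = (schedule_info or {}).get("startDateTime")
    if not raw:
        return now
    parsed = datetime.fromisoformat(raw.replace("Z", "+00:00"))
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)


def evaluate(request: dict, now: datetime | None = None) -> dict:
    now = now or datetime.now(timezone.utc)
    principal = request.get("principalId")
    if not principal or not request.get("roleDefinitionId"):
        return _decision("Denied", "malformed request: principalId and roleDefinitionId are required")

    # Deny after hours: the requested start must fall inside the window.
    start = _requested_start(request.get("scheduleInfo"), now)
    if not (WINDOW_START <= start.time() < WINDOW_END):
        return _decision("Denied", f"activation at {start.isoformat()} is outside the maintenance window")

    # HR compliance gate: only active employees may activate.
    if HR_STATUS.get(principal) != "active":
        return _decision("Denied", "requester does not have active employment status")

    # Ticket validation: the ticket must exist, be open, and belong to the requester.
    ticket_id = (request.get("ticketInfo") or {}).get("ticketNumber")
    ticket = TICKETS.get(ticket_id)
    if ticket is None:
        return _decision("Denied", f"ticket {ticket_id!r} was not found")
    if ticket["status"] != "open":
        return _decision("Denied", f"ticket {ticket_id} is {ticket['status']}")
    if ticket["assignee"] != principal:
        return _decision("Denied", f"ticket {ticket_id} is not assigned to the requester")

    # Auto-approval for on-call: skip the approver step; everyone else continues
    # through the configured approval flow.
    if principal in ON_CALL:
        return _decision("AutoApproved", "requester is currently on call")
    return _decision("Approved", "all checks passed; continue with the configured approval flow")


def sample_request(principal: str, ticket: str, start_iso: str) -> dict:
    """Build a request in the assumed payload shape (constructed test input)."""
    return {
        "principalId": principal,
        "roleDefinitionId": "role-definition-placeholder",
        "justification": "scheduled maintenance",
        "ticketInfo": {"ticketNumber": ticket},
        "scheduleInfo": {"startDateTime": start_iso},
    }


if __name__ == "__main__":
    for req in (sample_request(PRINCIPAL_A, "INC-1001", "2025-01-15T10:00:00Z"),
                sample_request(PRINCIPAL_B, "INC-1001", "2025-01-15T10:00:00Z"),
                sample_request(PRINCIPAL_A, "INC-1001", "2025-01-15T22:00:00Z")):
        print(evaluate(req))
```

The checks are ordered so that the cheapest and most decisive rules run first, and every Denied response carries a specific reason so that the audit trail explains why an activation did not proceed.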
What's next
Microsoft Entra ID Governance helps you protect, monitor, and audit access to critical assets while ensuring employee productivity. It gives you the ability to ensure the right people have the right access to the right resources with the right controls—preventing identity attacks, enforcing least privilege access, and unifying access control across your environment.
We’re continuing to enhance custom extensions, and your feedback during this preview will shape the future of extensible governance in Microsoft Entra. We recommend enabling PIM custom extensions end-to-end and sharing your feedback here.
-Kaitlin Murphy
Senior Director, Product Marketing
Additional resources
- Configure custom extensions for PIM role activation (preview) - Microsoft Entra ID Governance | Microsoft Learn
- Microsoft Graph API reference for PIM
- PIM deployment plan
- Microsoft Entra blog
- Microsoft Entra documentation
- Microsoft Entra community discussions