Microsoft Entra Blog

Bring business logic into PIM role activation workflows

Kaitlin Murphy
Jul 01, 2026

Use PIM custom extensions to validate tickets, enforce HR policies, and automate approval decisions during role activation.

Privileged access often depends on business context that lives outside Privileged Identity Management (PIM)—ticket validity, HR status, compliance checks, or on-call schedules. With custom extensions for Microsoft Entra Privileged Identity Management, organizations can bring that context directly into activation workflows.

We’re excited to announce the preview of custom extensions for Microsoft Entra Privileged Identity Management (PIM), a powerful new capability that lets you integrate your organization’s business logic directly into PIM role activation workflows.

The challenge

Many organizations need governance controls that go beyond what PIM offers natively. While PIM already supports MFA, justification, and approval workflows, organizations also often want to:

  • Validate ticket numbers against an ITSM system
  • Enforce HR-based access rules, such as employment status
  • Integrate compliance or audit workflows before granting activation
  • Apply dynamic approval logic based on the specific context of a request

Until now, these validations required manual processes outside of PIM, which can create gaps in enforcement and auditability.

Introducing PIM custom extensions

With custom extensions, PIM can now call your REST API during role activation. Your API evaluates the request against your business rules and returns a decision that PIM enforces automatically.

How it works:

  1. A user requests role activation in PIM.
  2. PIM sends a structured request payload to your custom extension API, including details like principalId, roleDefinitionId, justification, ticketInfo, and scheduleInfo.
  3. Your API applies your business logic and validates the ticket, checks HR status, or runs compliance checks.
  4. Your API returns a decision—Approved, AutoApproved, or Denied—along with a reason.
  5. PIM enforces the decision and logs the interaction for audit.

Supported scope

In this preview, custom extensions support:

  • PIM for Groups
  • PIM for Microsoft Entra roles
  • PIM for Azure resources

The extension is invoked synchronously during the activation workflow (pre-approval stage), enabling real-time decisioning.

Audit and traceability

Every extension interaction is fully auditable. Each response includes an evaluationId, evaluationOutcome, and reason, giving you end-to-end traceability for compliance reviews and security investigations.

Get started

Setting up PIM custom extensions involves five steps:

  1. Create a new custom extension API — a REST API (HTTP POST) that implements your business logic.
  2. Secure the API with Microsoft Entra ID — register an app and implement token validation.
  3. Onboard the extension in PIM — use Microsoft Graph API to create the custom extension object.
  4. Link the extension to role settings — enable Require pre-approval custom extension in PIM role settings.
  5. Activate and validate — test the end-to-end flow by activating a role.

Example scenarios

Scenario: extension logic

  • Ticket validation: verify that the ticket ID is valid and assigned to the requester
  • HR compliance gate: confirm that the requester meets the required criteria
  • Auto-approval for on-call: auto-approve activation for users who are currently on call
  • Deny after hours: deny activation outside approved maintenance windows
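The decision logic for the four scenarios above, as an added Python example that is not code from Microsoft or the PIM service. The request field names (principalId, roleDefinitionId, ticketInfo) and the response fields (evaluationId, evaluationOutcome, reason) come from this post, but the payload nesting, the sample ITSM/HR/on-call records and the maintenance window are assumptions constructed for the example; validating the caller's Microsoft Entra token happens before this function runs and is not shown.

```python
import uuid
from datetime import datetime, time, timezone

# Constructed stand-ins for the ITSM, HR and on-call systems the post refers to;
# a real extension would query those systems. All values here are made up.
ITSM_TICKETS = {
    "INC-1001": {"assignee": "user-alice", "open": True},
    "INC-1002": {"assignee": "user-bob", "open": False},
    "INC-1003": {"assignee": "user-bob", "open": True},
}
HR_ACTIVE = {"user-alice", "user-bob", "user-carol"}
ON_CALL = {"user-carol"}
MAINTENANCE_WINDOW = (time(8, 0), time(18, 0))  # UTC; assumed policy


def evaluate_activation(payload: dict, now: datetime) -> dict:
    """Decide on one PIM activation request; `now` must be timezone-aware.
    Payload field names come from the post, the nesting is assumed."""
    eval_id = str(uuid.uuid4())  # correlates this decision with PIM's audit record

    def decision(outcome: str, reason: str) -> dict:
        return {"evaluationId": eval_id, "evaluationOutcome": outcome, "reason": reason}

    # Fail closed: a malformed request must never turn into an approval.
    principal = payload.get("principalId")
    if not principal or not payload.get("roleDefinitionId"):
        return decision("Denied", "Missing principalId or roleDefinitionId")
    # HR compliance gate: only principals HR lists as active may activate.
    if principal not in HR_ACTIVE:
        return decision("Denied", "Requester is not an active employee per HR")
    # Auto-approval for on-call: skip the remaining checks for on-call staff.
    if principal in ON_CALL:
        return decision("AutoApproved", "Requester is currently on call")
    # Deny after hours: activation is allowed only inside the maintenance window.
    start, end = MAINTENANCE_WINDOW
    if not start <= now.astimezone(timezone.utc).time() < end:
        return decision("Denied", "Activation requested outside the maintenance window")
    # Ticket validation: the ticket must exist, be open and be assigned to the requester.
    ticket_id = (payload.get("ticketInfo") or {}).get("ticketNumber")
    ticket = ITSM_TICKETS.get(ticket_id)
    if ticket is None or not ticket["open"]:
        return decision("Denied", f"Ticket {ticket_id!r} is unknown or closed")
    if ticket["assignee"] != principal:
        return decision("Denied", f"Ticket {ticket_id} is not assigned to the requester")
    return decision("Approved", f"Ticket {ticket_id} validated for {principal}")
```

Every branch that cannot positively establish the business context returns Denied, so an outage or schema change in the extension degrades to a blocked activation rather than an unreviewed one.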

 

What's next

Microsoft Entra ID Governance helps you protect, monitor, and audit access to critical assets while ensuring employee productivity. It gives you the ability to ensure the right people have the right access to the right resources with the right controls—preventing identity attacks, enforcing least privilege access, and unifying access control across your environment.

We’re continuing to enhance custom extensions, and your feedback during this preview will shape the future of extensible governance in Microsoft Entra. We recommend enabling PIM custom extensions end-to-end and sharing your feedback here.

-Kaitlin Murphy

Senior Director, Product Marketing

Kaitlin Murphy | LinkedIn

Updated Jun 30, 2026
Version 1.0