azure portal
106 Topics

How to Re-Register MFA
Working closely with nonprofits every day, I often come across a common challenge faced by MFA users. Recently, I worked with a nonprofit leader who faced an issue after getting a new phone. She was unable to authenticate into her Microsoft 365 environment because her MFA setup was tied to her old device. This experience highlighted how important it is to have a process in place for MFA re-registration. Without it, even routine changes like upgrading a phone can disrupt access to your everyday tools and technologies, delaying important work such as submitting a grant proposal.

Why MFA is Essential for Nonprofits

Before we discuss how to reset MFA, let’s take a step back and discuss why MFA is a necessity for nonprofits, just as it is for any organization. In the nonprofit world, protecting sensitive or confidential data—like donor information, financial records, and program details—is a top priority. One of the best ways to step up your security game is by using Multi-Factor Authentication (MFA). MFA adds an extra layer of protection on top of passwords by requiring something you have (like a mobile app or text message) or something you are (like a fingerprint). This makes it a lot harder for cybercriminals to get unauthorized access.

If your nonprofit uses Azure Active Directory (AAD), or Microsoft Entra (as it is now called), with Microsoft 365, MFA can make a big difference in keeping your work safe. Since Microsoft Entra is built to work together with other Microsoft tools, it’s easy to set up and enforce secure sign-in methods across your whole organization. To make sure this added protection stays effective, it’s a good idea to occasionally ask users to update how they verify their identity.

What Does MFA Re-Registration Mean for Nonprofits?

MFA re-registration is just a fancy way of saying users need to update or reset how they authenticate, or verify, themselves.
This might mean setting up MFA on a new phone (like the woman in the scenario above), adding an extra security option (like a hardware token), or simply confirming their existing setup. It’s all about making sure the methods and devices your users rely on for MFA are secure and under their control.

When and Why Should Nonprofits Require MFA Re-Registration?

Outside of getting a new phone, there are other situations that give you reason to re-register your MFA. A few scenarios include:

Lost or Stolen Devices: Similar to the scenario above, if someone loses their phone or it gets stolen, you will have to re-register the new device.
Role Changes: If someone’s responsibilities change, their MFA setup can be adjusted to match their new access needs.
Security Enhancements: Organizations may require users to re-register for MFA to adopt more secure authentication methods, such as moving from SMS-based MFA to an app-based MFA like Microsoft Authenticator.
Policy Updates: When an organization updates its security policies, it might require all users to re-register for MFA to comply with new standards.
Account Compromise: If there is a suspicion that an account has been compromised, re-registering for MFA can help secure the account by ensuring that only the legitimate user has access.

With Microsoft Entra, managing MFA re-registration is straightforward and can be done by an administrator of the organization’s tenant.

How to require re-registration of MFA

To reset or require re-registration of MFA in Microsoft Entra, please follow the steps below.

Navigate to portal.azure.com with your nonprofit admin account.
Select Microsoft Entra ID.
Select the drop-down for Manage.
In the left-hand menu bar select Users > Select the user's name that you want to re-register for MFA (not shown).
Once in their profile, select Manage MFA authentication methods.
Select Require re-register multifactor authentication.

Congratulations!
The user will now be required to re-register the account in the Microsoft Authenticator app.

Know Your Risk: Using Microsoft Purview to Protect Sensitive Data
In today’s digital-first world, data is everywhere—and so are the risks. From donor records to financial reports, sensitive information flows across emails, documents, and cloud platforms. In keeping with the Cybersecurity Awareness Month theme, this is the perfect time to ask: Do you know where your sensitive data lives—and how well it’s protected? Enter Microsoft Purview, a unified data governance and compliance solution designed to help organizations discover, classify, and safeguard sensitive information across Microsoft 365 and beyond.

Why Knowing Your Risk Matters

Data breaches don’t just cost money—they erode trust. Whether you're a nonprofit, healthcare provider, or public sector agency, protecting sensitive data is essential to maintaining credibility and fulfilling your mission. But you can’t protect what you can’t see. That’s where Microsoft Purview comes in.

What Microsoft Purview Can Do for You

Discover Sensitive Data Automatically: Purview uses built-in AI and machine learning to scan your environment—emails, SharePoint, OneDrive, Teams, and more—to identify sensitive content like PII, financial data, and health records.
Classify and Label Content Intelligently: With sensitivity labels and data classification policies, Purview helps you tag and track sensitive data based on its risk level and regulatory requirements.
Prevent Data Loss Before It Happens: Data Loss Prevention (DLP) policies allow you to block or warn users before sensitive data is shared externally or stored in risky locations.
Monitor Insider Risk and Compliance: Purview’s Insider Risk Management and Compliance Manager tools help you detect risky behavior, enforce policies, and stay audit-ready.
Extend Protection Beyond Microsoft 365: Purview integrates with third-party apps and on-premises data sources, giving you a holistic view of your data landscape.

Real-World Impact

A global nonprofit recently used Microsoft Purview to scan thousands of documents and emails for donor information.
Within days, they identified exposure risks, applied sensitivity labels, and implemented DLP policies—reducing their compliance risk by over 40%.

Getting Started with Microsoft Purview

1. Set Up Your Purview Account
Sign in at portal.azure.com, search for “Microsoft Purview accounts,” and click Create to begin setting up a new Purview account.
Click Create to start a new Purview account.
Choose your subscription, resource group, region and account name.
Click Review + Create, then Create.
Click on Go to resource once your deployment is complete to go to the Purview account’s overview page.
From there, click “Open Microsoft Purview Governance Portal” and choose either the New or Classic experience, depending on your preferred interface, to launch Purview Studio.

2. Connect and Scan Data Sources
Once inside Purview Studio, navigate to the left-hand menu and select “Data Map” to open the Data Sources page.
Click “Register” to add a new data source.
Choose from supported sources such as Azure Data Lake, SQL databases, SharePoint, Amazon S3 and more.

3. Define Governance Policies
Once your data sources are connected and scanned, it's time to establish governance policies to protect and manage your sensitive information.
You can:

Use sensitivity labels to classify and protect data across Microsoft 365 - Create and publish sensitivity labels | Microsoft Learn
Manage access using role-based permissions in Purview’s governance portal - Access control in the classic Microsoft Purview governance portal | Microsoft Learn
Create DLP policies to monitor and prevent the sharing of sensitive data - Learn about data loss prevention | Microsoft Learn
Detect and respond to risky user behavior with built-in analytics and privacy controls - Learn about Insider Risk Management | Microsoft Learn
Manage metadata, lineage, and governance domains across your data estate - Learn about Microsoft Purview Unified Catalog | Microsoft Learn
Track regulatory requirements, assess risk, and manage improvement actions - Get started with Microsoft Purview Compliance Manager | Microsoft Learn

Conclusion

Cybersecurity Awareness Month is more than a reminder—it's a call to action. In a world where data moves faster than ever, visibility and control are no longer luxuries—they're necessities. Microsoft Purview empowers organizations to take charge of their data, uncover hidden risks, and build a culture of trust and resilience. Whether you're just starting your governance journey or looking to strengthen existing policies, Purview offers the tools to discover, classify, and protect sensitive information across your entire digital estate. From automated scans to intelligent labeling and real-time risk management, it's your partner in proactive data defense. This month, make cybersecurity more than a priority—make it a practice. Start with Purview. Stay secure. Lead with confidence.

Video Tutorial: How to Migrate Your WordPress Site to Azure for Nonprofits
Before you migrate your WordPress site, ensure you have deployed a WordPress site on Azure. If you're unfamiliar with this process, scroll down to the reference section at the bottom of this blog. There is an article that will guide you through creating a WordPress site in Azure, complete with a helpful video.

Why Azure for Nonprofits?

Azure offers various benefits for nonprofits, including cost savings, scalability, and robust security features. Migrating your WordPress site to Azure can help you leverage these advantages to better serve your community.

Step-by-Step Guide

Access the WordPress Admin Portal: Go to your personal WordPress site and navigate to the admin portal by adding /wp-admin to your site's URL.
Install the WP Migration Plugin: Select Plugins > Add New. Search for "WP Migration" and press enter. Install and activate the "All-in-One WP Migration and Backup" plugin.
Export Your Website: Click on the plugin itself where it says "All-in-One WP Migration". Select Export > Export Site to File. Download the exported file.
Access the WordPress Site on Azure: Navigate to the admin portal of your WordPress site on Azure by adding /wp-admin to your site's URL.
Install the WP Migration Plugin on Azure: Select Plugins > Add New. Search for "WP Migration". Install and activate the plugin.
Import Your Website: Click on the plugin and select Import. Choose Import from File and select the file you downloaded earlier.

Handling File Size Limits

If you encounter a file size limit error (WordPress has a 50 MB limit), you can either purchase the unlimited extension or manually increase the limit:

Access Azure Portal: Go to your Azure portal and type in "App Services". Select your app service.
Use SSH to Modify File Size Limits: Scroll down to Deployment Tools and click on SSH. Click on Go to access the backend of the app service. Create a file in the home site wwwroot directory named .user.ini.
Edit the File: Use the command:

    nano /home/site/wwwroot/.user.ini

Add the following lines to increase the upload and post max size:

    upload_max_filesize = 1G
    post_max_size = 1G

Save the file by pressing Ctrl + X, then Y, and Enter.
Verify and Import: Refresh your WordPress site on Azure. Import the file again, and it should bypass the previous limit.

Final Steps

Once the migration is complete, you may want to delete the .user.ini file you created earlier. Use the command:

    rm /home/site/wwwroot/.user.ini

References

techcommunity.microsoft.com/blog/nonprofittechies/deploying-a-wordpress-site-on-microsoft-azure-a-guide-for-non-profits-with-video/4415254?previewMessage=true
Resolving Host Restrictions on File Sizes Exceeding 50 MB in WordPress on Azure for Nonprofits | Microsoft Community Hub

Deploying a Web App on Azure App Service
At the heart of this post is Kairos IMS, an innovative Impact Management System designed to empower human-serving nonprofits and social impact organizations. Co-developed by the Urban League of Broward County and our trusted technology partner, Impactful, Kairos IMS reduces administrative burdens, enhances holistic care, and enables organizations to leverage data for increased agility and seamless service delivery. In this blog series, we’ll take a closer look at the powerful technologies that fuel Kairos IMS, from Azure services to security frameworks, offering insight into how modern infrastructure supports mission-driven impact. Click here to learn more.

Azure App Service is a powerful platform for building, deploying, and scaling web apps. It supports multiple languages and frameworks, making it a versatile choice for developers. In this guide, we'll walk you through the process of deploying a web app on Azure App Service.

Step 1: Prerequisites

Before you start, ensure you have the following:

An Azure account with an active subscription. If you don't have one, you can create a free account.
Your web app code ready for deployment.
Visual Studio or any other development environment you prefer.

Step 2: Create an App Service

1. Log in to the Azure Portal: Go to portal.azure.com and sign in with your Azure account.
2. Create a Resource: Click on "Create a resource" and select "Web App."
3. Creating Your Web App:
   Subscription: Choose your subscription.
   Resource Group: Select an existing resource group or create a new one.
   App Name: Enter a unique name for your app.
   Publish: Choose "Code" if you're deploying code directly, or "Docker Container" if you're using a container.
   Runtime Stack: Select the runtime stack that matches your web app (e.g., .NET, Node.js, Python).
   Region: Choose the region closest to your users.
   Pricing Plans: When creating your Web App, Azure will also ask you to create or select an App Service Plan, which defines the pricing tier and performance level for your app. Finish the steps and click "Review + create."
4. Completing Deployment: You will see a message letting you know your deployment is complete.

Step 3: Deploy Your Web App

1. Deployment Center: Once your deployment is complete, click on "Go to Resources" and navigate to the "Deployment Center" in your App Service.
2. Source Control: Choose your source control method (e.g., GitHub, Bitbucket, Azure Repos).
3. Build Provider: Select the build provider (e.g., GitHub Actions, Azure Pipelines).
4. Configure Settings: Follow the prompts to configure your deployment settings. This includes connecting your repository and setting up continuous integration/continuous deployment (CI/CD) pipelines.

Step 4: Monitor and Scale Your App

Monitor: Use Azure Monitor to keep track of your app's performance and health. Set up alerts to notify you of any issues. To learn more about Azure Monitor, please visit: Monitor Azure App Service - Azure App Service | Microsoft Learn
Scale: Azure App Service allows you to scale your app based on demand. Navigate to the "Scale up" or "Scale out" options to adjust your app's resources. To learn more about scaling, please visit: Scale up features and capacities - Azure App Service | Microsoft Learn

Step 5: Manage Your App

App Settings: Configure application settings, connection strings, and environment variables in the "Configuration" section. To learn more about configuring your app settings, please visit: Configure an App Service App - Azure App Service | Microsoft Learn
SSL Certificates: Secure your app with SSL certificates. Navigate to "TLS/SSL settings" to configure SSL bindings.
To learn more about SSL Certificates, please visit: https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-bindings

Conclusion

Deploying a web app on Azure App Service is a streamlined process that integrates well with various development tools and workflows. By following these steps, you can easily deploy, monitor, and scale your web app, ensuring a robust and reliable online presence.

User Privileges and Permissions in Azure: A Guide for Nonprofits
At the heart of this post is Kairos IMS, an innovative Impact Management System designed to empower human-serving nonprofits and social impact organizations. Co-developed by the Urban League of Broward County and our trusted technology partner, Impactful, Kairos IMS reduces administrative burdens, enhances holistic care, and enables organizations to leverage data for increased agility and seamless service delivery. In this blog series, we’ll take a closer look at the powerful technologies that fuel Kairos IMS, from Azure services to security frameworks, offering insight into how modern infrastructure supports mission-driven impact. Click here to learn more.

Understanding Azure User Privileges and Permissions

Managing user access and permissions ensures that the right individuals have the correct level of access to resources. Here’s a simplified breakdown:

Roles: Azure uses Role-Based Access Control (RBAC) to assign specific roles to users, such as "Reader" (view-only access) or "Contributor" (edit access).
Resource Groups: Permissions can be assigned to specific resource groups, allowing you to organize and control access based on projects or departments.
Least Privilege Principle: Always provide users with the minimum permissions necessary to complete their tasks, enhancing security.

Step-by-Step Guide: Accessing and Managing User Privileges in Azure

1. Sign in to Azure
Begin by logging into your Azure Portal. Ensure you have the necessary administrative privileges to manage users.

2. Navigate to Microsoft Entra ID
Microsoft Entra ID is the hub where you’ll manage users and permissions. In the left-hand menu, click "Microsoft Entra ID."

3. Add or Modify Users
To add a new user:
   Select "Users" under "Manage."
   Click "New User" and fill in the user details, such as name and email.
   Assign an appropriate role (e.g., Reader or Contributor).
To modify an existing user:
   Select the user from the list.
   Under "Assignments," adjust their roles or permissions as needed.

4. Assign Roles to Resource Groups
Resource groups allow you to structure Azure resources. Assigning roles at this level simplifies permission management for specific projects:
   Click on "Resource Groups" in the Azure portal.
   Select a resource group and click "Access control (IAM)."
   Click "Add role assignment," choose the role, and assign it to a user or group.

5. Review and Audit Access
Regularly review who has access to what. Use Azure’s built-in audit logs to track changes to user roles and permissions.

Final Thoughts

Nonprofits operate on trust, efficiency, and impact, and Azure empowers you to maintain these pillars with its extensive tools and security features. By effectively managing user privileges and permissions, you can ensure your team has the access they need without compromising sensitive data. Whether you're assigning roles to volunteers or ensuring your board members have secure access to donor information, Azure makes it possible—even for organizations with limited technical expertise. Start exploring Azure today and unlock the potential for even greater impact in your mission-driven work!

Setting Up Azure SQL Database for Nonprofits and Small Businesses
At the heart of this post is Kairos IMS, an innovative Impact Management System designed to empower human-serving nonprofits and social impact organizations. Co-developed by the Urban League of Broward County and our trusted technology partner, Impactful, Kairos IMS reduces administrative burdens, enhances holistic care, and enables organizations to leverage data for increased agility and seamless service delivery. In this blog series, we’ll take a closer look at the powerful technologies that fuel Kairos IMS, from Azure services to security frameworks, offering insight into how modern infrastructure supports mission-driven impact. Click here to learn more.

Azure SQL Database offers nonprofits and small businesses a scalable, cost-effective, and secure solution for managing data. Following up from our previous blog that compared Azure SQL Databases and Azure SQL Servers, this guide dives deeper into setting up Azure SQL Database while ensuring you feel confident every step of the way.

Step-by-Step Instructions to Set Up Azure SQL Database

Step 1: Log in to the Azure Portal
Begin by logging into the Azure Portal. If you don’t already have an account, you can sign up for a free tier offering $200 in credits, making it an excellent starting point for nonprofits and small businesses.

Step 2: Create a New SQL Database
1. In the Azure Portal dashboard, locate the search bar at the top.
2. Type "SQL Database" and select the corresponding service.
3. Click "Create" to start the setup process.

Step 3: Configure Database Basics
"Resource Group": Create a new resource group or use an existing one. Resource groups help organize related resources.
"Database Name": Choose a descriptive name for your database.
"Server": If you don’t have an existing Azure SQL Server, create one here. Specify the server name, admin login, and password.
"Compute Tier": For small businesses and nonprofits, consider starting with the “Basic” or “General Purpose” tier for cost-efficiency.
Step 4: Networking Setup
Under the "Networking" tab:
Choose "Public endpoint" to allow access via the internet but restrict IP ranges for security.
Add your local IP to the firewall settings to connect from your device.
   On Windows: Open the Command Prompt, type ipconfig, and look for "IPv4 Address" under your active network connection.
   On Mac: Open System Preferences, go to "Network," select your active connection, and find your IP address listed under "Status."

Step 5: Review and Create
Once all configurations are complete, review your setup in the "Review + Create" tab. Click "Create" to deploy your Azure SQL Database. Deployment typically takes a few minutes.

Best Practices for Security

Enable Advanced Threat Protection: This feature helps detect and respond to potential threats in real-time.
Use Azure SQL Managed Identity: Avoid embedding credentials in your applications by enabling managed identities for secure access.
Encrypt Your Data: Ensure both in-transit and at-rest encryption via Transparent Data Encryption (TDE).
Restrict Access: Use virtual network rules and IP restrictions to limit who can access your database.

Performance Optimization Tips

Choose the Right Pricing Tier: As your organization grows, you can scale up or down based on your performance needs.
Leverage Auto-Tuning: Enable automatic performance tuning to optimize query execution plans.
Indexing: Regularly monitor and create indexes for frequently queried fields.
Monitor with Azure Metrics: Use Azure Monitor to track performance and identify bottlenecks.

Common Troubleshooting Tips

Connection Issues: Ensure your IP is added to the firewall rules.
Slow Queries: Use "Query Performance Insights" to identify and optimize slow queries.
Backup and Restore: Regularly back up your data using Azure’s automated backup feature, and test restoration processes.
Scaling Concerns: Use the "Scale up" feature to adjust your compute power during peak times.
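
An added example, not part of the original post: a Python audit of the server-level firewall rules that Step 4 and the "Restrict Access" practice rely on. It assumes the rules were exported as JSON with the name, startIpAddress and endIpAddress fields that `az sql server firewall-rule list` prints; the sample rules and the 16-address threshold are constructed for illustration.

```python
import ipaddress
import json

# Assumption for this example: ranges wider than this need a documented reason.
MAX_RANGE_SIZE = 16

# RFC 1918 private ranges. ipconfig and the macOS Network pane usually show
# an address from one of these when the device sits behind a router.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

SEVERITY_ORDER = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}

# Constructed sample, shaped like `az sql server firewall-rule list -o json`.
SAMPLE_RULES_JSON = """
[
  {"name": "AllowAllWindowsAzureIps", "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"},
  {"name": "office", "startIpAddress": "203.0.113.10", "endIpAddress": "203.0.113.10"},
  {"name": "temp-open", "startIpAddress": "0.0.0.0", "endIpAddress": "255.255.255.255"},
  {"name": "isp-block", "startIpAddress": "198.51.100.0", "endIpAddress": "198.51.100.255"},
  {"name": "laptop-ipconfig", "startIpAddress": "192.168.1.23", "endIpAddress": "192.168.1.23"}
]
"""
SAMPLE_RULES = json.loads(SAMPLE_RULES_JSON)


def classify(rule):
    """Return (severity, reason) for a risky rule, or None if it looks fine."""
    start = ipaddress.IPv4Address(rule["startIpAddress"])
    end = ipaddress.IPv4Address(rule["endIpAddress"])
    if start > end:
        return ("HIGH", "start address is above end address")
    if int(start) == 0 and int(end) == 0:
        # 0.0.0.0-0.0.0.0 is the "allow Azure services" switch, which admits
        # traffic from any Azure subscription, not only your own.
        return ("MEDIUM", "allows connections from all Azure services")
    if int(start) == 0 and end == ipaddress.IPv4Address("255.255.255.255"):
        return ("HIGH", "open to every IPv4 address")
    if any(start in net and end in net for net in RFC1918):
        # The server sees the client's public egress address, so a rule
        # for a private address never matches and should be replaced.
        return ("LOW", "private range; rule cannot match internet clients")
    size = int(end) - int(start) + 1
    if size > MAX_RANGE_SIZE:
        return ("MEDIUM", f"range covers {size} addresses")
    return None


def audit_firewall_rules(rules):
    """Return (severity, rule name, reason) findings, most severe first."""
    findings = []
    for rule in rules:
        verdict = classify(rule)
        if verdict:
            findings.append((verdict[0], rule["name"], verdict[1]))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f[0]], f[1]))


if __name__ == "__main__":
    for severity, name, reason in audit_firewall_rules(SAMPLE_RULES):
        print(f"{severity:6} {name}: {reason}")
```
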
Conclusion

Setting up Azure SQL Database is a straightforward and empowering process. By following these steps and applying best practices, nonprofits and small businesses can leverage this powerful tool to manage data effectively, securely, and affordably. Whether you’re new to cloud technology or looking to optimize your current setup, Azure SQL Database provides the scalability and cost-efficiency required to thrive in a digital world.

For further research and exploration, you can visit the following resources:

Azure SQL Database Documentation - Comprehensive guidance and best practices for setup and usage.
Azure SQL Database Pricing - Details on cost structures and tiers.
Azure SQL Database Security Overview - Resources on enabling secure database operations.
Azure SQL Database Performance Tuning - Insights into optimizing database performance.

These links provide a deeper understanding and additional tools to maximize the potential of Azure SQL Database for your organization.

An In-Depth Guide to Azure Kubernetes Services for Nonprofits
What is Azure Kubernetes Services?

Azure Kubernetes Services is a managed container orchestration platform provided by Microsoft Azure. Built on Kubernetes, an open-source system for container management, AKS simplifies the deployment, scaling, and management of containerized applications. Containers encapsulate applications and their dependencies, ensuring they run uniformly across various environments, making AKS ideal for developing and maintaining cloud-based solutions.

How Does Azure Kubernetes Services Work?

AKS abstracts the complexity of managing Kubernetes clusters, offering a streamlined experience with automated upgrades, monitoring, and scaling. Here’s how it works:

Cluster setup: AKS sets up Kubernetes clusters, enabling organizations to deploy and manage containerized applications with minimal configuration.
Container orchestration: It manages multiple containers, ensuring they communicate seamlessly and operate efficiently.
Scaling: AKS allows dynamic scaling to accommodate traffic fluctuations, ensuring optimal application performance.
Integration: It integrates with other Azure services, such as Azure Active Directory for security and Azure Monitor for performance tracking.

Key Features of Azure Kubernetes Services

Nonprofits can benefit from the following features of AKS:

Cost-efficiency: AKS uses a pay-as-you-go model, enabling organizations to manage their expenses effectively.
High availability: Built-in automation ensures application uptime, making it ideal for mission-critical operations.
Security: AKS integrates robust security measures, including identity management and threat detection.
Flexibility: Support for multiple programming languages and frameworks makes it adaptable to diverse project needs.
Open-source compatibility: Nonprofits can leverage the extensive Kubernetes ecosystem for additional tools and resources.
Practical Applications for Nonprofits

Azure Kubernetes Services offers nonprofits the ability to improve efficiency, scalability, and impact. Some practical applications include:

Data Analytics: AKS can power data processing pipelines to analyze donor trends, target campaigns, and measure impact.
Web Applications: Nonprofits can deploy user-friendly donation platforms or resource hubs optimized for high traffic during peak campaigns.
Mobile Solutions: AKS provides a robust backend for mobile applications, enhancing outreach and engagement strategies.
Collaboration Tools: Organizations can use AKS to host internal tools for seamless team coordination.

How Nonprofits Can Get Started with Azure Kubernetes Services

The following is a step-by-step guide to help nonprofits begin utilizing AKS:

Step 1: Set Up an Azure Account
Visit the Microsoft Azure website and sign up for an account. Nonprofits may qualify for free credits or discounts through Azure's nonprofit programs.

Step 2: Install Necessary Tools
Install the Azure CLI and Kubernetes CLI tools (kubectl) to interact with your cluster. Instructions for installation can be found on the Azure documentation site.

Step 3: Create a Kubernetes Cluster
Use the Azure portal or CLI to create a Kubernetes cluster. Specify parameters such as node count and region based on your needs.

Step 4: Deploy Containerized Applications
Prepare your applications for deployment by containerizing them using Docker. Push the images to Azure Container Registry and deploy them to the AKS cluster.

Step 5: Monitor and Manage Your Cluster
Leverage Azure Monitor to track performance metrics and troubleshoot issues. Use Azure Advisor for guidance on cost optimization and best practices.

Step 6: Integrate Security Features
Configure Azure Active Directory for secure access management and enable Kubernetes-native security features, such as role-based access control (RBAC).
Best Practices for Nonprofits Using AKS

Optimize costs: Use scaling features to match resource allocation with traffic demand.
Automate processes: Employ DevOps pipelines for streamlined application updates and deployments.
Focus on security: Regularly audit permissions and employ encryption for sensitive data.
Leverage community resources: Utilize Kubernetes forums and Azure documentation for troubleshooting and ideas.

Conclusion

Azure Kubernetes Services offers nonprofits a powerful platform to modernize their operations, increase efficiency, and drive meaningful impact. From data analytics to online platforms, AKS provides the tools needed to scale and innovate. By adopting AKS, nonprofits can focus more on their core missions and less on technical hurdles.

For further research and exploration, visit the following resources:

Microsoft Azure Kubernetes Service Documentation
Azure Nonprofit Offerings

Privileged Identity Management + Just-in-Time Access: Grant Access Only When It’s Needed
At the heart of this post is Kairos IMS, an innovative Impact Management System designed to empower human-serving nonprofits and social impact organizations. Co-developed by the Urban League of Broward County and our trusted technology partner, Impactful, Kairos IMS reduces administrative burdens, enhances holistic care, and enables organizations to leverage data for increased agility and seamless service delivery. In this blog series, we’ll take a closer look at the powerful technologies that fuel Kairos IMS, from Azure services to security frameworks, offering insight into how modern infrastructure supports mission-driven impact. Click here to learn more.

Why always-on admin access is so last season

That’s where Privileged Identity Management (PIM) and Just-in-Time (JIT) access come in. These powerful tools help nonprofits like yours give the right people access at the right time—no more, no less. It’s smart, secure, and surprisingly simple. Let’s break down what these tools do, and how they can help protect your organization without getting in the way of the amazing work you do every day.

So, what is PIM and JIT—like, really?

Think of Privileged Identity Management (PIM) as your organization’s VIP list—the folks who have elevated access to do high-level stuff like reset passwords, access financial data, or make major system changes. Now, here’s the twist: with Just-in-Time (JIT) access, no one stays on the VIP list forever. Instead, they request access when they need it—and lose it when they don’t. It’s like giving someone the keys to the office only when they need to go in, rather than letting them walk in 24/7.

Why should nonprofits care?

Because you're dealing with sensitive data—donor info, volunteer lists, grant applications—and you’re probably working with a lean team wearing many hats. That means it’s easy for someone to get elevated access “just in case” and never lose it. That’s risky business. Enter PIM + JIT = Peace of Mind.
Real-life use case #1: The “Finance Volunteer” Scenario

Let’s say you have a seasonal volunteer who helps with your annual fundraising campaign. They need access to your donor database and financial reports for two months. Normally, you'd assign them a high-level role and forget about it. With PIM, you give them eligible access, not active access. They request what they need, when they need it—and only for a set amount of time. Once they’re done, the access vanishes automatically. No more “Oops, I forgot they still had access six months later.”

Real-life use case #2: The “IT Consultant” You Hired Once

You brought in an external IT consultant to help set up your new Microsoft 365 environment. They needed global admin rights (eek!) for just a few days. Instead of giving them full access that lingers forever, you assign them a role through PIM with JIT access. They activate their access, do their job, and then—poof—it’s gone. You can even require multi-factor authentication and approval workflows before access is granted. You’re still in control.

Bonus Perks You’ll Love

Audit logs – Know who accessed what and when.
Notifications – Get alerted when someone activates elevated access.
Time limits – Set access to expire automatically.
Approvals – Make sure someone signs off before access is granted.

Final Thoughts

Security doesn’t have to be boring or burdensome. Tools like PIM and JIT are built right into Microsoft 365 (hello, E5 license!) and help you strike the perfect balance between productivity and protection. Here’s the best part for nonprofits: Microsoft gives eligible nonprofit organizations 10 free Microsoft 365 Business Premium licenses—which already include powerful security features like Defender for Business and Intune. To unlock PIM and JIT, you’ll need Microsoft Entra ID Plan 2, which is included in Microsoft 365 Enterprise E5 licenses. But no worries—you can add this advanced level of protection as an affordable add-on to your Business Premium licenses.
So yes, your nonprofit can absolutely step up to enterprise-grade security—without paying enterprise-grade prices. Your nonprofit is doing amazing work—let’s make sure your data and systems are just as amazing (and secure).

How to Enable PIM and JIT Access in Microsoft Entra

Ready to level up your security with PIM and JIT? Follow these steps to get started:

Step 1: Sign In
Go to the Microsoft Entra admin center at entra.microsoft.com and sign in with a Global Administrator or Privileged Role Administrator account.

Step 2: Navigate to PIM
In the left-hand menu, select Identity Governance.
Click on Privileged Identity Management.

Step 3: Manage Microsoft Entra Roles
Under the Manage section, click Microsoft Entra roles.

Step 4: Assign Roles with JIT (Eligible) Access
To assign roles, select Assign Eligibility.
Choose the role you want to manage (e.g., Global Administrator, User Administrator, etc.) or select + Add assignments and select a role there.
Apply the scope: this defines where the role applies.
   Directory Scope: Grants access across the entire Microsoft Entra directory (tenant). Use this for org-wide roles like Global Administrator or User Administrator.
   Application Scope: Limits access to a specific registered application (like a third-party app or a custom-built app). Assign roles here when managing permissions for app-specific access.
   Service Principal Scope: Applies the role to a specific service principal, which represents the identity used by an app or automation to access resources. Use this when assigning roles to automation accounts, scripts, or non-user entities.
Assign to a username or group.
When assigning roles in PIM, you can choose between two types:
   Eligible: The user does not have the role by default, but they can activate it when needed. This is ideal for Just-in-Time (JIT) access and is the most secure option.
   Active: The user has the role assigned permanently and doesn't need to request or activate it. Use this only when ongoing access is absolutely necessary.
Choose whether the assignment is permanent or for a specific time frame.
Click Assign to save.

Step 5: Users Activate Roles When Needed (JIT Access)
When a user needs to perform an admin task:
   They go to the Privileged Identity Management section.
   Find their eligible role and click Activate.
   Complete any required justification, MFA, or approval steps.

Step 6: Approvers Review Activation Requests (Optional)
If you’ve set up approvals: Approvers will receive a notification and can review/approve requests directly from the PIM portal.

Step 7: Stay Compliant and Secure
Regularly review role activations and audit activity logs.
Adjust role assignments as needed to maintain least-privilege access.

Additional Resources:

Assign Microsoft Entra roles in PIM
Assign eligibility for a group in PIM
Built-in roles in Microsoft Entra
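
An added example, not part of the original post: a Python pass over a list of role assignments that supports the Step 7 review by flagging standing access, using the Eligible/Active and permanent/time-bound distinctions from Step 4. The record layout (principal, role, kind, scope, start, end), the sample data and the policy thresholds are constructed for illustration and are not a Microsoft export format.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Policy values below are assumptions for this example, not Microsoft defaults.
HIGH_PRIVILEGE_ROLES = {"Global Administrator", "Privileged Role Administrator"}
MAX_ACTIVE_DAYS = 30  # longest time-bound Active assignment accepted without review
SEVERITY_ORDER = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}


@dataclass(frozen=True)
class Assignment:
    principal: str
    role: str
    kind: str            # "Eligible" or "Active", as in the PIM assignment types
    scope: str           # "Directory", "Application" or "Service Principal"
    start: date
    end: Optional[date]  # None means the assignment is permanent


# Constructed sample data (hypothetical principals).
SAMPLE = [
    Assignment("finance-volunteer@example.org", "Reports Reader", "Eligible",
               "Directory", date(2025, 1, 1), date(2025, 3, 1)),
    Assignment("it-consultant@example.org", "Global Administrator", "Active",
               "Directory", date(2025, 1, 1), None),
    Assignment("helpdesk@example.org", "User Administrator", "Active",
               "Directory", date(2025, 1, 1), date(2025, 6, 30)),
    Assignment("ops-lead@example.org", "Global Administrator", "Eligible",
               "Directory", date(2025, 1, 1), None),
    Assignment("backup-automation", "Application Administrator", "Active",
               "Service Principal", date(2025, 1, 10), date(2025, 1, 20)),
]


def review_assignment(a):
    """Return (severity, reason) when an assignment breaks the policy, else None."""
    if a.kind == "Active" and a.end is None:
        # Always-on privilege: the case JIT access is meant to remove.
        return ("HIGH", "permanent Active assignment; convert to Eligible")
    if a.kind == "Active" and (a.end - a.start).days > MAX_ACTIVE_DAYS:
        days = (a.end - a.start).days
        return ("MEDIUM", f"Active for {days} days; limit is {MAX_ACTIVE_DAYS}")
    if (a.kind == "Eligible" and a.end is None
            and a.role in HIGH_PRIVILEGE_ROLES and a.scope == "Directory"):
        # Activation is still gated, but the eligibility itself never lapses.
        return ("LOW", "eligibility never expires on a tenant-wide admin role")
    return None


def review(assignments):
    """Return (severity, principal, role, reason) findings, most severe first."""
    findings = []
    for a in assignments:
        verdict = review_assignment(a)
        if verdict:
            findings.append((verdict[0], a.principal, a.role, verdict[1]))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f[0]], f[1]))


if __name__ == "__main__":
    for severity, principal, role, reason in review(SAMPLE):
        print(f"{severity:6} {principal} ({role}): {reason}")
```
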