Privileged Identity Management (PIM)
PIM is vital to securing your Microsoft 365 tenant using standard Entra ID functionality. In this article we explain what PIM is, why it should be present in every Entra ID configuration, and why you might not be able to use it. We'll also highlight some more advanced options that we recommend to strengthen security with PIM beyond the most basic setup.
When using Microsoft Entra Privileged Identity Management – or PIM for short – you need to elevate your account to access administrator privileges, which provides just-in-time access.
Even in the most basic scenario, where you have already signed in with MFA and just need to click to activate, you get three main benefits:
🥇 You will be protected from yourself
Hopefully you are already using separate accounts for admin privileges. Adding PIM on top further reduces the chance of you accidentally doing something fatal when operating as, for example, Global Admin (GA).
🥈 Security by obscurity
Should your admin account be compromised, having to elevate adds an extra layer of security, even though no requirement is added for the activation itself.
🕵️ You will be able to see when admin privileges are used and why
If, for example, someone consistently elevates to Global Admin to configure Conditional Access, you might want to consider changing the access level that user has, or teach them not to elevate to higher privileges than necessary.
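The third benefit above only pays off if someone actually reads the activation history. The following is an added example, not part of the original article, that pulls PIM activations from the Entra audit log with Microsoft Graph PowerShell and groups them by user and role, so that the pattern described above (one person repeatedly elevating to GA for routine work) stands out. It assumes the Microsoft.Graph module is installed and the signed-in account has the AuditLog.Read.All permission; the activity name string and the "Justification" detail key are taken from PIM's audit entries and should be checked against your own tenant's log output before relying on them.

```powershell
# Added example: review who activated which PIM role in the last 30 days, and why.
# Assumptions: Microsoft.Graph module installed; account holds AuditLog.Read.All;
# the activity name and the "Justification" key match the entries PIM writes in your tenant.
Connect-MgGraph -Scopes "AuditLog.Read.All"

$since = (Get-Date).ToUniversalTime().AddDays(-30).ToString("yyyy-MM-ddTHH:mm:ssZ")

# PIM writes its own entries to the directory audit log; filter server-side on service and time
$events = Get-MgAuditLogDirectoryAudit -All `
    -Filter "loggedByService eq 'PIM' and activityDateTime ge $since"

# Keep completed activations only; requests and deactivations are separate activities
$activations = $events |
    Where-Object { $_.ActivityDisplayName -eq 'Add member to role completed (PIM activation)' }

$rows = foreach ($e in $activations) {
    # The activated role is one of the target resources; the reason is an additional detail
    $role = ($e.TargetResources | Where-Object { $_.Type -eq 'Role' } | Select-Object -First 1).DisplayName
    $why  = ($e.AdditionalDetails | Where-Object { $_.Key -eq 'Justification' } | Select-Object -First 1).Value
    [pscustomobject]@{
        When   = $e.ActivityDateTime
        Who    = $e.InitiatedBy.User.UserPrincipalName
        Role   = $role
        Reason = $why
    }
}

# Who elevates to which role, and how often. A user that repeatedly activates Global
# Administrator for one task is a candidate for a narrower role (e.g. Conditional Access
# Administrator) instead.
$rows | Group-Object Who, Role | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# The stated reasons for the highest-privilege role, newest first
$rows | Where-Object Role -eq 'Global Administrator' | Sort-Object When -Descending |
    Format-Table When, Who, Reason -AutoSize
```

Run it from an account that is itself not a Global Administrator: reading audit logs needs only a reader-level role, which keeps the review separate from the privilege it reviews.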
To further increase security, we recommend configuring the following:
🪪 Force user to re-authenticate when activating a privileged role
This can be achieved by creating an Authentication Context in Conditional Access and configuring it for the appropriate roles.
💪 Require stronger authentication
Require a stronger authentication strength for activating certain roles such as GA, for example the built-in Phishing-resistant MFA strength, or a custom strength policy that enforces a FIDO2 security key for such logins.
✉️ Send an e-mail to your regular user account
Send an e-mail to your regular user account every time your admin account elevates.
When you need to elevate your account, you simply go to https://aka.ms/PIM and click “Activate” on the role you need to elevate to. You choose how long the elevation lasts, and add a comment on why you are elevating.
In the image below, you can see some possible settings for elevating GA. You can even require a second person to approve before a user can elevate to GA.
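The settings described in the recommendations above (re-authentication through an authentication context, a stronger authentication strength, an e-mail on every activation, a capped activation window, justification and a second-person approval) can all be set on the Global Administrator role's PIM policy through Microsoft Graph. The script below is an added example, not the article's or Microsoft's own code: it assumes the Microsoft.Graph module is installed, that the signed-in account may manage role management policies and Conditional Access, and that an authentication context with id `c1` has already been created and published in Conditional Access. The approver object id and the notification address are placeholders.

```powershell
# Added example: configure PIM activation settings for Global Administrator.
# Assumptions: Microsoft.Graph module installed; authentication context "c1" exists and is
# published; "<approver-object-id>" and "regular.user@contoso.example" are placeholders.
Connect-MgGraph -Scopes "RoleManagementPolicy.ReadWrite.Directory",
                        "RoleManagement.Read.Directory",
                        "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Resolve the role definition by display name instead of hard-coding a template id
$ga = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Administrator'"

# Each directory role has one PIM policy assignment at tenant scope ('/'); that policy holds the rules
$assignment = Get-MgPolicyRoleManagementPolicyAssignment `
    -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$($ga.Id)'"
$policyId = $assignment.PolicyId

# Rules that govern activation (caller = EndUser, level = Assignment) share this target block
$endUserTarget = @{
    caller = "EndUser"; operations = @("All"); level = "Assignment"
    inheritableSettings = @(); enforcedSettings = @()
}

function Set-PimRule {
    param([string]$RuleId, [hashtable]$Body)
    $Body["id"] = $RuleId
    $Body["target"] = $endUserTarget
    Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
        -UnifiedRoleManagementPolicyRuleId $RuleId -BodyParameter $Body
}

# 1. Require a justification on activation. "MultiFactorAuthentication" is deliberately not in
#    the list: the built-in MFA check cannot be combined with an authentication context, so it is
#    removed here before the context rule is enabled in step 2.
Set-PimRule "Enablement_EndUser_Assignment" @{
    "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule"
    enabledRules  = @("Justification")
}

# 2. Force re-authentication: bind activation to Conditional Access authentication context c1
Set-PimRule "AuthenticationContext_EndUser_Assignment" @{
    "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyAuthenticationContextRule"
    isEnabled     = $true
    claimValue    = "c1"
}

# 3. Cap the activation window (ISO 8601 duration); the user may pick anything shorter
Set-PimRule "Expiration_EndUser_Assignment" @{
    "@odata.type"        = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"
    isExpirationRequired = $true
    maximumDuration      = "PT4H"
}

# 4. A second person must approve every GA activation
Set-PimRule "Approval_EndUser_Assignment" @{
    "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule"
    setting = @{
        isApprovalRequired = $true
        approvalStages = @(@{
            approvalStageTimeOutInDays      = 1
            isApproverJustificationRequired = $true
            isEscalationEnabled             = $false
            escalationTimeInMinutes         = 0
            primaryApprovers = @(@{ "@odata.type" = "#microsoft.graph.singleUser"; userId = "<approver-object-id>" })
        })
    }
}

# 5. E-mail the admin's everyday account on every activation, in addition to the default recipients
Set-PimRule "Notification_Admin_EndUser_Assignment" @{
    "@odata.type"              = "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule"
    notificationType           = "Email"
    recipientType              = "Admin"
    notificationLevel          = "All"
    isDefaultRecipientsEnabled = $true
    notificationRecipients     = @("regular.user@contoso.example")
}

# 6. The Conditional Access policy that gives context c1 its teeth: anyone presenting it must
#    satisfy the built-in "Phishing-resistant MFA" strength. Created in report-only state;
#    switch state to "enabled" once the sign-in logs show the expected users passing it.
$strength = Get-MgPolicyAuthenticationStrengthPolicy |
    Where-Object DisplayName -eq 'Phishing-resistant MFA'
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "PIM: phishing-resistant MFA for authentication context c1"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All") }
        clientAppTypes = @("all")
        applications   = @{ includeAuthenticationContextClassReferences = @("c1") }
    }
    grantControls = @{ operator = "OR"; authenticationStrength = @{ id = $strength.Id } }
}

# Read the effective rules back to confirm the changes landed
Get-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId | Select-Object Id
```

The order of steps 1 and 2 matters: the enablement rule must drop the built-in MFA option before the authentication-context rule can be switched on. Test the activation flow with a second eligible account before enforcing the Conditional Access policy, so that a misconfigured context cannot lock every administrator out of GA at once.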
🤔 You might be wondering why you might not have access to PIM. As promised, this is why: you need Entra ID P2 licenses to use PIM – but only for the administrators. If you have Entra ID Governance licenses, these also include PIM.
If you want to know more about how to secure M365 with PIM, watch this webinar, where Microsoft MVP Simon Skotheimsvik shares more on PIM and other Entra ID fundamentals.
And if you just want to make sure your Microsoft tenant is secure, our service Proactive Security Monitoring does just that. Contact me at audun.solheim@cloudwayservices.com for more info!