
Privileged Identity Management (PIM): What It Is and Why You Should Use It

  • Writer: Kyle Cira
  • 6 days ago
  • 2 min read

One of the most effective ways to reduce risk in Microsoft 365 is reducing standing privilege. That’s exactly what Privileged Identity Management (PIM) is designed to do.


What Is PIM?

Privileged Identity Management (PIM) is a just-in-time (JIT) service in Microsoft Entra that controls how and when administrative roles are used.

Instead of admins having their privileges active 24/7, PIM allows them to become “eligible” for roles—and only activate those permissions when needed.


Why This Matters

In a traditional setup:

  • Admin roles are permanently assigned

  • Credentials are always powerful

  • If compromised, attackers immediately gain full administrative access

With PIM:

  • Admin privileges are inactive by default

  • Activation is temporary and controlled

  • Compromised credentials do not automatically grant elevated access

This significantly reduces the blast radius of a breach.


How PIM Improves Security

1. Eliminates Standing Privilege

Admins only elevate privileges when required, reducing exposure time.

2. Just-in-Time Access

Administrative permissions are activated for a limited duration of 0.5 to 8 hours and then automatically revoked.

3. Stops Credential-Based Attacks

If admin credentials are stolen, attackers can’t immediately use them for privilege escalation.

4. Approval Workflows

PIM allows you to require approval before role activation, adding a human checkpoint that can stop malicious activity in its tracks.

  • Approvers can be separate individuals

  • Or admins can approve themselves when necessary (depending on configuration)


Best Practice

All admin accounts (except break glass accounts) should be configured as eligible—not permanently assigned.

Break glass accounts remain an exception for emergency access scenarios, but all other administrative access should be governed through PIM.
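The best practice above (every admin account eligible except break glass) and the activation settings described earlier (a bounded activation window, approval before activation) are both things you can check rather than assume. The script below is an added example, not code from the original post or from Microsoft. It evaluates JSON in the shape returned by Microsoft Graph's `roleManagement/directory` endpoints (`roleAssignmentScheduleInstances`, `roleEligibilityScheduleInstances`, and a role's `roleManagementPolicies` rules), but all records embedded here are constructed sample data: the principal IDs are placeholders and the only real identifier is the well-known Global Administrator role template ID. Wiring it to a live tenant (an access token and the `GET` calls) is left out so the logic runs offline.

```python
"""Audit Entra role assignments and a PIM activation policy for standing privilege.

Added example (not from the original post). Input shapes follow Microsoft Graph:
  roleAssignmentScheduleInstances  - active assignments; assignmentType is
                                     "Assigned" (standing) or "Activated" (PIM JIT)
  roleEligibilityScheduleInstances - PIM-eligible assignments
  roleManagementPolicies/{id}/rules - activation settings for one role
Every record below is constructed; principal IDs are placeholders.
"""
import re
from dataclasses import dataclass

# Well-known Entra role template ID for Global Administrator.
GLOBAL_ADMIN_ROLE_ID = "62e90394-69f5-4237-9190-012177145e10"

# Constructed: the only accounts allowed to hold a permanent (standing) assignment.
BREAK_GLASS_IDS = {"breakglass-1-PLACEHOLDER"}

# Constructed sample of roleAssignmentScheduleInstances (subset of fields).
ACTIVE_ASSIGNMENTS = [
    {"principalId": "breakglass-1-PLACEHOLDER", "roleDefinitionId": GLOBAL_ADMIN_ROLE_ID,
     "assignmentType": "Assigned", "endDateTime": None},   # expected: break glass
    {"principalId": "alice-PLACEHOLDER", "roleDefinitionId": GLOBAL_ADMIN_ROLE_ID,
     "assignmentType": "Assigned", "endDateTime": None},   # standing privilege
    {"principalId": "bob-PLACEHOLDER", "roleDefinitionId": GLOBAL_ADMIN_ROLE_ID,
     "assignmentType": "Activated", "endDateTime": "2025-01-01T12:00:00Z"},  # JIT, fine
]

# Constructed sample of roleEligibilityScheduleInstances.
ELIGIBLE_ASSIGNMENTS = [
    {"principalId": "bob-PLACEHOLDER", "roleDefinitionId": GLOBAL_ADMIN_ROLE_ID},
    {"principalId": "carol-PLACEHOLDER", "roleDefinitionId": GLOBAL_ADMIN_ROLE_ID},
]

# Constructed sample of the role's PIM policy rules (expiration and approval only).
POLICY_RULES = [
    {"id": "Expiration_EndUser_Assignment", "maximumDuration": "PT10H"},
    {"id": "Approval_EndUser_Assignment", "setting": {"isApprovalRequired": False}},
]


@dataclass(frozen=True)
class Finding:
    kind: str
    subject: str
    detail: str


def find_standing_privilege(active, eligible, break_glass_ids):
    """Flag permanent assignments held by non-break-glass principals, and
    break-glass accounts that do not actually hold a permanent Global Admin role."""
    findings = []
    permanent = {(a["principalId"], a["roleDefinitionId"]) for a in active
                 if a["assignmentType"] == "Assigned" and a["endDateTime"] is None}
    already_eligible = {(e["principalId"], e["roleDefinitionId"]) for e in eligible}
    for principal, role in sorted(permanent):
        if principal in break_glass_ids:
            continue
        fix = ("already eligible; remove the permanent assignment"
               if (principal, role) in already_eligible
               else "convert the permanent assignment to eligible")
        findings.append(Finding("standing-privilege", principal, f"role {role}: {fix}"))
    for bg in sorted(break_glass_ids):
        if (bg, GLOBAL_ADMIN_ROLE_ID) not in permanent:
            findings.append(Finding("break-glass-not-permanent", bg,
                                    "break-glass account must hold Global Admin permanently"))
    return findings


def iso_duration_hours(value):
    """Convert a Graph-style ISO 8601 time duration such as PT8H or PT30M to hours.
    Day-based durations are rejected so an oversized window cannot slip through."""
    m = re.fullmatch(r"PT(?:(\d+)H)?(?:(\d+)M)?", value)
    if not m or value == "PT":
        raise ValueError(f"unsupported duration: {value!r}")
    hours, minutes = m.groups()
    return int(hours or 0) + int(minutes or 0) / 60


def check_activation_policy(rules, max_hours=8.0, require_approval=True):
    """Check the end-user activation rules against the post's guidance:
    a bounded activation window (at most max_hours) and approval before activation."""
    findings = []
    for rule in rules:
        if rule["id"] == "Expiration_EndUser_Assignment":
            hours = iso_duration_hours(rule["maximumDuration"])
            if hours > max_hours:
                findings.append(Finding("activation-too-long", rule["id"],
                                        f"{hours:g}h exceeds the {max_hours:g}h maximum"))
        elif rule["id"] == "Approval_EndUser_Assignment" and require_approval:
            if not rule["setting"]["isApprovalRequired"]:
                findings.append(Finding("approval-not-required", rule["id"],
                                        "require approval for activation"))
    return findings


if __name__ == "__main__":
    for f in (find_standing_privilege(ACTIVE_ASSIGNMENTS, ELIGIBLE_ASSIGNMENTS, BREAK_GLASS_IDS)
              + check_activation_policy(POLICY_RULES)):
        print(f"[{f.kind}] {f.subject}: {f.detail}")
```

On the sample data this reports alice's permanent Global Admin assignment (bob's activated assignment is correctly ignored because it is a JIT activation with an end time), a 10-hour activation window that exceeds the 8-hour ceiling, and a role that can be activated without approval. Run against real Graph output, the same three checks give you a repeatable way to verify that the "eligible, not permanent" rule holds every time roles are reviewed.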


Licensing Considerations

PIM requires Microsoft Entra ID Premium P2, which can be obtained through:

  • ~$9/user/month standalone

  • Included in Microsoft Defender Suite for Business Premium (~$15/user/month) (for organizations up to 300 users)

  • Included in Microsoft 365 E5 and newer enterprise licensing tiers


Pro Tip

Activate your admin roles through portal.azure.com using PIM first. Once your privileges are active, proceed to admin.microsoft.com or the other admin portals; opening them before activation will only show you the permissions of an unprivileged account.


Final Thoughts

PIM is one of the most impactful controls you can implement in Microsoft 365.

It doesn’t just improve security—it fundamentally changes how administrative access is managed by:

  • Reducing attack surface

  • Preventing privilege abuse

  • Introducing accountability and control

If you’re still running with always-on admin roles, this is one of the highest-value changes you can make.


Work With Redeemer Cyber

At Redeemer Cyber, we help organizations implement real-world, practical security controls like PIM—aligned to CIS benchmarks and tailored to your environment.


Contact us today to secure your Microsoft 365 environment the right way.
