How to Set Up Just-in-Time Admin Access in Microsoft Entra
- Hanna Korotka
- 2 min read

Leaving admin accounts permanently active is like leaving the keys to your business on the front desk. If those credentials are compromised, attackers gain full control of your Microsoft 365 environment. For SMBs, this can mean data breaches, compliance failures, and costly downtime.
The solution? Just-in-Time Admin Access using Microsoft Entra Privileged Identity Management (PIM).
What Is Just-in-Time Admin Access?
Just-in-Time Admin Access means admins only get elevated permissions when they need them, for a limited time. This approach:
Reduces your attack surface: a stolen password or session token for an admin who is merely eligible grants no admin rights until the role is activated, and activation requires MFA and leaves an audit trail.
Supports compliance requirements around least privilege and privileged-access review (ISO 27001, SOC 2, NIST).
Prevents privilege creep by automatically expiring access when the activation window ends.
Requirements to Use PIM
Before you start, make sure you have:
Microsoft Entra ID P2 license (included in Microsoft 365 E5 or available as an add-on) for every user who is assigned an eligible or active role through PIM.
Global Administrator or Privileged Role Administrator role to configure PIM and manage role assignments.
Access to the Microsoft Entra admin center.
Eligible vs Active Roles
Active Role: the user holds the permissions at all times, whether or not they are using them. If the account is compromised, the attacker has them too (high risk).
Eligible Role: the user must activate the role, with MFA, a justification and, if configured, an approval, and the permissions expire after a set duration (lower risk).
Switching to Eligible roles with PIM ensures admins request access only when necessary, and every activation is logged.
How to Configure Just-in-Time Admin Access in Microsoft Entra PIM
Go to Microsoft Entra admin center > Identity Governance > Privileged Identity Management > Microsoft Entra roles.

Select Roles to view the list of available roles.
Click Add assignments.

In the Add assignments window, choose the role you want to assign (e.g., Intune Administrator).
Select the member (or group) to assign the role to, then click Next.
Tip: For scalability, use group-based assignments instead of individual users. The group must be created with "Microsoft Entra roles can be assigned to the group" enabled (a role-assignable group); an ordinary security group cannot be made eligible for a role.

Choose Eligible as the assignment type.
(Optional) Set start and end dates for time-bound assignments:
Permanent → no expiration (only offered if the role's settings allow permanent eligible assignments).
Time-bound → specify start and end dates, after which the eligibility itself is removed.
Click Assign to finish.

A notification confirms the assignment.
For Active assignments, the steps are the same, except you select Active instead of Eligible. Active assignments should be the exception (for example, a break-glass emergency account); even then, prefer a time-bound end date over a permanent one.
Before assigning eligibility, also open the role under Roles, choose Settings, and set the maximum activation duration, require MFA and a justification on activation, and require approval for the most sensitive roles (Global Administrator, Privileged Role Administrator). These settings govern every activation of that role.
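The same Eligible, time-bound assignment can be created from the Microsoft Graph PowerShell SDK, which is useful when onboarding several roles at once. The block below is an added example and is not code from the original article; it assumes the Microsoft.Graph module is installed and that a role-assignable group named Intune-Admins exists in the tenant (the group name and the 90-day window are hypothetical).

```powershell
# Added example (not from the original article). Creates an Eligible,
# time-bound assignment of Intune Administrator to a role-assignable group.
# Assumptions: Microsoft.Graph module installed; group "Intune-Admins" exists
# and was created with "Microsoft Entra roles can be assigned to the group".
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "Group.Read.All"

# Resolve the built-in role and the group that will become eligible for it.
$role  = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Intune Administrator'"
$group = Get-MgGroup -Filter "displayName eq 'Intune-Admins'"
if (-not $role -or -not $group) { throw "Role or group not found" }
if (-not $group.IsAssignableToRole) { throw "Group is not role-assignable; PIM cannot target it" }

# Action = adminAssign is what the portal's Add assignments wizard submits.
# The Expiration block makes the eligibility itself time-bound (90 days here);
# the daily activation window is controlled separately by the role's settings.
$params = @{
    Action           = "adminAssign"
    Justification    = "JIT admin access for the Intune team"
    RoleDefinitionId = $role.Id
    DirectoryScopeId = "/"                 # tenant-wide scope
    PrincipalId      = $group.Id
    ScheduleInfo     = @{
        StartDateTime = (Get-Date).ToUniversalTime()
        Expiration    = @{
            Type        = "AfterDateTime"
            EndDateTime = (Get-Date).AddDays(90).ToUniversalTime()
        }
    }
}
$request = New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $params
$request | Select-Object Id, Status, Action

# Verify what the portal shows under Eligible assignments for this group.
Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter "principalId eq '$($group.Id)'" |
    Select-Object RoleDefinitionId, MemberType,
        @{ n = 'Expires'; e = { $_.ScheduleInfo.Expiration.EndDateTime } }
```

Run this from an account that holds Privileged Role Administrator or Global Administrator; the request is rejected otherwise. Change Action to "adminRemove" with the same principal and role to revoke the eligibility later.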
End-User Experience: How Users Activate an Eligible Role
Once administrators assign an Eligible role, here’s what the user does when they need elevated access:
Sign in to the Microsoft Entra admin center.
Navigate to: Identity Governance > Privileged Identity Management > My roles
Select Microsoft Entra roles to see your eligible roles.
Find the role you want to activate and click Activate.

In the Activate pane, enter:
Duration, up to the maximum the role's settings allow (the default maximum is 8 hours).
Reason for activation (required when the role's settings demand a justification).
Complete additional verification if prompted (MFA).
Click Activate.

If approval is required, you’ll see a pending approval notification.
Once approved, the role becomes Active for the set duration (e.g., 8 hours).
Check Active assignments to confirm activation.
When time expires, the role automatically deactivates.
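The activation flow can also be driven from PowerShell, which is how an engineer who scripts their admin tasks would use it. The block below is an added example, not code from the original article; it assumes the signed-in user is eligible for Intune Administrator, that the role's settings allow an 8-hour activation, and that MFA was satisfied when signing in to Graph (a role that requires MFA on activation will otherwise reject the request). The ticket reference in the justification is made up.

```powershell
# Added example (not from the original article). Self-activates an eligible
# role for 8 hours, confirms it, and hands it back early when finished.
# Assumes: signed-in user is eligible for the role; MFA satisfied at sign-in.
Connect-MgGraph -Scopes "RoleAssignmentSchedule.ReadWrite.Directory", "RoleManagement.Read.Directory"

# Who am I? /me works with the delegated token without extra user permissions.
$me = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/me"

# The portal's "My roles" list: is there an eligibility for this role?
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Intune Administrator'"
$eligible = Get-MgRoleManagementDirectoryRoleEligibilitySchedule `
    -Filter "principalId eq '$($me.id)' and roleDefinitionId eq '$($role.Id)'"
if (-not $eligible) { throw "You are not eligible for $($role.DisplayName)" }

# selfActivate is what the Activate button submits. Duration is ISO 8601;
# PT8H must not exceed the role's configured maximum or the request fails.
$params = @{
    Action           = "selfActivate"
    Justification    = "INC-1234: publish updated device compliance policy"  # hypothetical ticket
    RoleDefinitionId = $role.Id
    DirectoryScopeId = "/"
    PrincipalId      = $me.id
    ScheduleInfo     = @{
        StartDateTime = (Get-Date).ToUniversalTime()
        Expiration    = @{ Type = "AfterDuration"; Duration = "PT8H" }
    }
}
$request = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $params
# Status tells you whether the role is live or waiting on an approver
# (for example PendingApproval when the role requires approval).
$request | Select-Object Id, Status, Action

# Same check as "Check Active assignments to confirm activation" in the portal.
Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -Filter "principalId eq '$($me.id)'" |
    Select-Object RoleDefinitionId, AssignmentType, StartDateTime, EndDateTime

# Done early? Deactivate instead of letting the window run out.
$params.Remove("ScheduleInfo")
$params.Action        = "selfDeactivate"
$params.Justification = "Work complete"
New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $params
```

The activation token is tied to the session that requested it, so a new sign-in after activation is sometimes needed before the elevated permissions show up in other tools.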
Tip: Encourage users to activate a role only for the task at hand, with a justification that references the change or ticket, and to deactivate it when they finish rather than waiting for expiry. Every activation, its justification and any approval decision are recorded automatically in the Microsoft Entra audit log.
Common Mistakes to Avoid
Leaving roles permanently active, which bypasses just-in-time access entirely.
Assigning eligibility before configuring the role's settings (maximum activation duration, MFA and justification on activation).
Skipping approval workflows for critical roles such as Global Administrator.
Not reviewing activation logs and active assignments regularly.
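The first and last mistakes are easy to check for on a schedule. The block below is an added example, not code from the original article; it lists every permanently active directory role assignment in the tenant and every PIM activation in the last seven days. It assumes the Microsoft.Graph module is installed, and the audit-log activity names containing "PIM activation" are what the author has observed in the Entra audit log, so the string match is an assumption to verify in your own tenant.

```powershell
# Added example (not from the original article). Two review checks for PIM:
# 1) standing (permanent, non-activated) role assignments, 2) recent activations.
# Assumes Microsoft.Graph module installed; audit activity names are assumed.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "AuditLog.Read.All", "Directory.Read.All"

# 1. Standing access: AssignmentType 'Assigned' (not 'Activated' via PIM)
#    with no EndDateTime means a permanent Active assignment.
function Get-PermanentRoleAssignment {
    $instances = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -All
    foreach ($a in $instances | Where-Object { $_.AssignmentType -eq 'Assigned' -and -not $_.EndDateTime }) {
        $role      = Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $a.RoleDefinitionId
        $principal = Get-MgDirectoryObject -DirectoryObjectId $a.PrincipalId
        [pscustomobject]@{
            Role      = $role.DisplayName
            Principal = $principal.AdditionalProperties['displayName']
            Kind      = $principal.AdditionalProperties['@odata.type']   # #microsoft.graph.user / group / servicePrincipal
            Scope     = $a.DirectoryScopeId
        }
    }
}

# 2. Activations: PIM writes to the directory audit log under category RoleManagement.
function Get-RecentPimActivation([int]$Days = 7) {
    $since = (Get-Date).AddDays(-$Days).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
    Get-MgAuditLogDirectoryAudit -All -Filter "category eq 'RoleManagement' and activityDateTime ge $since" |
        Where-Object { $_.ActivityDisplayName -like '*PIM activation*' } |   # assumed naming, verify in your tenant
        Select-Object ActivityDateTime, ActivityDisplayName, Result,
            @{ n = 'User'; e = { $_.InitiatedBy.User.UserPrincipalName } },
            @{ n = 'Role'; e = { ($_.TargetResources | Where-Object Type -eq 'Role').DisplayName } }
}

"=== Permanently active role assignments (expect only break-glass accounts) ==="
Get-PermanentRoleAssignment | Sort-Object Role | Format-Table -AutoSize

"=== PIM activations, last 7 days ==="
Get-RecentPimActivation -Days 7 | Sort-Object ActivityDateTime -Descending | Format-Table -AutoSize
```

Anything in the first list that is not a deliberate emergency-access account should be converted to an Eligible assignment; the second list is what an approver or auditor reviews for activations without a meaningful justification or outside normal working hours.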
Why SMBs Should Act Now
Cybercriminals increasingly target SMBs because they often lack advanced security controls. Implementing Just-in-Time Admin Access is one of the simplest ways to reduce risk without disrupting operations.
Ready to secure your Microsoft 365 environment? Contact us today to implement Microsoft 365 business security best practices and strengthen your security posture.