Use Privileged Identity Management (PIM) for Groups

Privileged Identity Management (PIM) for Groups is a feature in Microsoft Entra ID that allows organizations to manage, control, and monitor access to Microsoft 365 Groups and security groups with elevated privileges. It extends the capabilities of PIM beyond roles to group memberships, enabling just-in-time access and governance for sensitive group-based access.

Key Benefits of PIM for Groups

  • Just-in-Time Access: Users can be assigned eligible membership to a group and activate it only when needed, reducing standing access.
  • Approval Workflow: Group membership activation can require approval from designated approvers, adding a layer of control.
  • Time-Bound Access: Access can be limited to a specific duration, automatically removing users after the time expires.
  • Audit and Alerts: All activations and changes are logged, and alerts can be configured for suspicious or unexpected activity.
  • Access Reviews: Periodic reviews can be scheduled to ensure only the right users retain access.
  • Integration with Role Assignments: Useful when group membership controls access to resources like SharePoint sites, Teams, or role-based access in Azure.

Limitations of PIM for Groups

  • Licensing Requirements: Requires Microsoft Entra ID P2.
  • Limited to Cloud Groups: Only works with cloud-managed groups, not with groups synced from on-premises.
  • No Nested Group Support: PIM doesn’t support activation for nested group memberships.

Implement PIM for Groups

Here let’s take an example of an Exchange Engineer who needs the Exchange Admin role and also needs the ability to Hard/Soft delete emails using Defender. As such, the Exchange engineer needs to have:

  • The Exchange Admin Entra role (Using PIM for Entra)
  • The Search & Purge role from Defender (Using PIM for Groups)

Create a group

  1. Go to Entra ID > Groups > New Group > Security or Microsoft 365
  2. Enable “Microsoft Entra roles can be assigned to the group”
  3. Create the group. Don’t add any roles, members or owners.
  4. Open the Group > Select “Privileged Identity Management” and choose “Enable PIM for this group”

Assign the Exchange Entra Role

  1. Assign the Exchange Administrator PIM role to the user either as Eligible or Permanent.
  2. Go to the User > Assigned Roles > Add Assignments > Select the Role “Exchange Administrator”
  3. Set the assignment type and select Assign

You should not make an active assignment of a group to a role and then assign users as eligible for membership of that group, as it may take significant time for all permissions of the role to become activated and ready to use. To avoid activation delays, use PIM for Microsoft Entra roles instead of PIM for Groups to provide just-in-time access to SharePoint, Exchange, or the Microsoft Purview compliance portal. For more information, see Error when accessing SharePoint or OneDrive after role activation in PIM.

Create and assign the “Search & Purge” Defender role

  1. Go to Defender > Permissions > Microsoft Defender XDR (Roles)
  2. Create a new role
  3. Under Permissions > Security Operations > enable “Email & Collaboration advanced actions (manage)”
  4. Under Assignments > Add Assignment. Under Employees > select the “Exchange L3” group created in Entra
  5. Click Next and Submit

Ensure that the “Defender for Office 365” workload is activated as part of Unified RBAC.

Assign Eligible membership to the PIM group

  1. Open the PIM Group > Privileged Identity Management > Eligible Assignments > Add assignment
  2. Select the role as “Member” > and add the Exchange engineer as the member
  3. Set the assignment as Eligible and Save
  4. To configure activation duration or approval workflow, go to “Privileged Identity Management” > Settings > Member. For this tutorial, we are going with the defaults.
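The same eligible “Member” assignment can be created and validated with Microsoft Graph PowerShell. This is an added example, not part of the original tutorial; the group and user object IDs are placeholders, and it assumes the Microsoft.Graph module is installed and the group already has PIM enabled.

```powershell
# Added example: create the eligible "Member" assignment on the PIM-enabled group
# via Microsoft Graph, then read it back to confirm the user has no standing access.
$groupId     = '00000000-0000-0000-0000-000000000001'   # PIM-enabled group (placeholder)
$principalId = '00000000-0000-0000-0000-000000000002'   # Exchange engineer's user ID (placeholder)

# Delegated scope that manages eligibility schedules for groups
Connect-MgGraph -Scopes 'PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup'

# accessId 'member' = eligible membership (not 'owner'); action 'adminAssign' = admin-created.
# The eligibility itself is bounded to one year so it is time-limited and will surface in access reviews.
$body = @{
    accessId      = 'member'
    principalId   = $principalId
    groupId       = $groupId
    action        = 'adminAssign'
    justification = 'Eligible PIM group membership for the Search & Purge Defender role'
    scheduleInfo  = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString('o')
        expiration    = @{ type = 'afterDuration'; duration = 'P365D' }
    }
}

$request = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/identityGovernance/privilegedAccess/group/eligibilityScheduleRequests' `
    -Body ($body | ConvertTo-Json -Depth 5) -ContentType 'application/json'
'Request {0} status: {1}' -f $request.id, $request.status

# Validation: the user should appear as an eligible member of the group, and should NOT
# hold a standing (assignmentType 'assigned') membership, which would defeat just-in-time access.
$eligible = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/identityGovernance/privilegedAccess/group/eligibilitySchedules?`$filter=principalId eq '$principalId'"
$active   = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/identityGovernance/privilegedAccess/group/assignmentSchedules?`$filter=principalId eq '$principalId'"

$isEligible = $eligible.value | Where-Object { $_.groupId -eq $groupId -and $_.accessId -eq 'member' }
$isStanding = $active.value   | Where-Object { $_.groupId -eq $groupId -and $_.accessId -eq 'member' -and $_.assignmentType -eq 'assigned' }

if ($isStanding)      { 'WARNING: user holds a standing (active) membership; remove it to keep access just-in-time' }
elseif ($isEligible)  { 'OK: user is an eligible, not standing, member of the group' }
else                  { 'Eligibility not visible yet; check the request status above' }
```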

Activating the PIM role as a User

  1. Go to portal.azure.com > Privileged Identity Management
  2. Under Tasks > My Roles
  3. Under Activate > Groups
  4. You will see the Group listed > click Activate
  5. Provide a justification and click Activate

Validation

  • Go to the Defender Portal > Email & Collaboration > Explorer

  • Select an email > Take Action

  • Review the options as below:
      * Behavior with Exchange Admin role but without PIM for Group (screenshot)
      * Behavior with Exchange Admin role AND with PIM for Group (screenshot)