Description

Do not assign users to highly privileged roles using permanent active role assignments. Instead, assign users to eligible role assignments in a PAM/PIM system and provide an expiration period for active assignments requiring privileged users to reactivate their highly privileged roles upon expiration..

Policy

• Permanent active role assignments shall not be allowed for highly privileged roles. Active assignments shall have an expiration period.

• The only exception to the policy is the break-glass Global Administrator account.

Licensing Considerations

Azure AD P2 if using Azure AD PIM. This can be purchased standalone or is part of the following bundles:

• EMS+E5

• Microsoft 365 E5

Set Up Instructions

Deploy PIM: Plan a Privileged Identity Management deployment - Azure AD - Microsoft Entra | Microsoft Learn

End-User Impact

Impact is limited to users who are eligible to privileged roles which should be a small amount in the organization. These users will have to enter the Azure AD Admin center to activate their roles when needed.

PowerShell Scripts

PowerShell for PIM: PowerShell for Azure AD roles in PIM - Azure AD - Microsoft Entra | Microsoft Learn

Videos