Privileged Identity Management (PIM) is a service in Microsoft Entra ID that enables you to manage, control, and monitor access to important resources in your organization. These resources include resources in Microsoft Entra ID, Azure, and other Microsoft Online Services such as Microsoft 365 or Microsoft Intune.
PIM Governance Overview
At Chico State, the Division of IT has classified certain roles as Privileged Entra Roles, Entra Roles, and Low-Risk Entra Roles. The PIM restrictions are greater on higher privileged roles, and on low-risk roles, active assignments are permitted.
When access to a role is granted, the user will be placed into an M365 Group. This group will have a semi-annual review cycle in which the owner of the group is required to verify that the PIM groups are appropriately populated. If this is not completed before the deadline, access will be removed.
This article does not cover usage of PIM, which can be found here
The following restrictions must be true for all Entra Roles:
- Entra Roles are only granted to -admin accounts
- A PIM Approver must not be the same account as the PIM Requestor
Privileged Entra Roles
Privileged roles have the following PIM restrictions:
- 4 Hour Duration
- Requires Admin Account
- Requires MFA
- Requires Staff Approval
- Requires Notification
The following roles have been identified as Privileged Entra Roles:
- Global Admin/Reader
- Security Admin
- Intune Admin
- User Admin
- SharePoint Admin
- Teams Admin
- Security Reader/Operator
Entra Roles
Entra Roles have the following restrictions:
- 4 Hour Duration
- Requires Admin Account
- Requires MFA
- Requires Staff Approval
- Requires Notification
All Entra Roles that are not Privileged or Low-Risk are required to comply with these PIM policies.
Low-Risk Entra Roles
Low-Risk Entra Roles are considered to have minimal access and do not require PIM.
Low-Risk Entra Roles are considered to be:
- Billing Administrator
- Service Support Administrator
Managed Groups

| Purpose | Type | Group Naming Convention | Example |
|---|---|---|---|
| Members are eligible -admin accounts | M365 Role-assignable Security | o365-pim-role-<Dept>-<RoleName> | o365-pim-role-esys-GlobalAdministrator |
| Members are accounts who would approve requests | AD Security | o365-pim-approvers-<Dept>-<RoleName> | o365-pim-approvers-esys-GlobalAdministrator |
| Members are accounts who should be notified on role activation | AD Security | o365-pim-notify-<Dept>-<RoleName> | o365-pim-notify-esys-GlobalAdministrator |
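As an added example (not part of this article and not a Division of IT tool), the following Python script turns the rules above into an offline audit: it checks each role's activation policy against the 4-hour duration, MFA, staff-approval and notification requirements (low-risk roles are exempt), validates managed-group names against the o365-pim-<kind>-<Dept>-<RoleName> convention, and enforces the two rules that apply to every Entra role (only -admin accounts are eligible, and an approver must not also be a requestor). The policy rule ids and field names mirror the Microsoft Graph unifiedRoleManagementPolicy schema as I understand it, and the "-admin" UPN suffix and the example.edu sample data are assumptions, so confirm both against an export from your own tenant before relying on the checks.

```python
import re

# Exempt roles and the activation ceiling, taken from the page.
LOW_RISK_ROLES = {"Billing Administrator", "Service Support Administrator"}
MAX_ACTIVATION_HOURS = 4

# o365-pim-<kind>-<Dept>-<RoleName>; the three kinds come from the Managed Groups table.
GROUP_NAME_RE = re.compile(
    r"^o365-pim-(?P<kind>role|approvers|notify)-(?P<dept>[a-z0-9]+)-(?P<role>[A-Za-z0-9]+)$"
)
# ISO 8601 durations as Graph reports them (PT4H, PT30M, P1D, ...).
ISO_DURATION_RE = re.compile(r"^P(?:(?P<d>\d+)D)?(?:T(?:(?P<h>\d+)H)?(?:(?P<m>\d+)M)?)?$")


def parse_group_name(name):
    """Split a managed-group name into kind/dept/role, or None if it breaks the convention."""
    m = GROUP_NAME_RE.match(name)
    return m.groupdict() if m else None


def duration_hours(iso):
    """Convert an ISO 8601 duration such as 'PT4H' or 'P1D' to hours (None if unparseable)."""
    m = ISO_DURATION_RE.match(iso or "")
    if not m:
        return None
    d, h, mi = (int(m.group(k) or 0) for k in ("d", "h", "m"))
    return d * 24 + h + mi / 60


def check_role_policy(role_name, policy):
    """Return findings for one role's activation policy; an empty list means compliant.
    `policy` is shaped like a Graph unifiedRoleManagementPolicy (a list of rules keyed
    by id). The rule ids and field names are an assumption about that schema."""
    if role_name in LOW_RISK_ROLES:
        return []  # low-risk roles do not require PIM
    rules = {r["id"]: r for r in policy.get("rules", [])}
    findings = []
    exp = rules.get("Expiration_EndUser_Assignment", {})
    hours = duration_hours(exp.get("maximumDuration"))
    if not exp.get("isExpirationRequired") or hours is None or hours > MAX_ACTIVATION_HOURS:
        findings.append(f"{role_name}: activation must expire within {MAX_ACTIVATION_HOURS}h")
    enablement = rules.get("Enablement_EndUser_Assignment", {})
    if "MultiFactorAuthentication" not in enablement.get("enabledRules", []):
        findings.append(f"{role_name}: MFA not required on activation")
    approval = rules.get("Approval_EndUser_Assignment", {})
    if not approval.get("setting", {}).get("isApprovalRequired"):
        findings.append(f"{role_name}: staff approval not required")
    notify = rules.get("Notification_Admin_EndUser_Assignment", {})
    if not notify.get("notificationRecipients"):
        findings.append(f"{role_name}: no activation notification recipients")
    return findings


def check_group_membership(role_group, role_members, approver_members):
    """Only -admin accounts may be eligible, and nobody may be both member and approver.
    Assumes admin accounts are UPNs whose local part ends in '-admin'."""
    findings = []
    for upn in role_members:
        if not upn.split("@")[0].lower().endswith("-admin"):
            findings.append(f"{role_group}: {upn} is not an -admin account")
    for upn in sorted(set(role_members) & set(approver_members)):
        findings.append(f"{role_group}: {upn} is both an eligible member and an approver")
    return findings


def _policy(max_duration, enabled_rules, approval_required, recipients):
    """Build a constructed policy in the assumed Graph rule shape."""
    return {"rules": [
        {"id": "Expiration_EndUser_Assignment", "isExpirationRequired": True,
         "maximumDuration": max_duration},
        {"id": "Enablement_EndUser_Assignment", "enabledRules": enabled_rules},
        {"id": "Approval_EndUser_Assignment", "setting": {"isApprovalRequired": approval_required}},
        {"id": "Notification_Admin_EndUser_Assignment", "notificationRecipients": recipients},
    ]}


# Constructed sample data (not real tenant data): one compliant role, one drifted role,
# one exempt low-risk role, and a misnamed notify group.
SAMPLE_POLICIES = {
    "Global Administrator": _policy("PT4H", ["MultiFactorAuthentication", "Justification"], True,
                                    ["o365-pim-notify-esys-GlobalAdministrator@example.edu"]),
    "Intune Administrator": _policy("PT8H", ["Justification"], True,
                                    ["o365-pim-notify-esys-IntuneAdministrator@example.edu"]),
    "Billing Administrator": _policy("P1D", [], False, []),
}
SAMPLE_GROUPS = {
    "o365-pim-role-esys-GlobalAdministrator": ["alice-admin@example.edu", "bob@example.edu"],
    "o365-pim-approvers-esys-GlobalAdministrator": ["alice-admin@example.edu", "carol-admin@example.edu"],
    "o365-pim-notify-esys": [],  # RoleName segment missing
}


def run_audit(policies=SAMPLE_POLICIES, groups=SAMPLE_GROUPS):
    """Run every check and return the combined list of findings."""
    findings = []
    for role, policy in policies.items():
        findings += check_role_policy(role, policy)
    for name in groups:
        if parse_group_name(name) is None:
            findings.append(f"{name}: does not follow o365-pim-<kind>-<Dept>-<RoleName>")
    for name, members in groups.items():
        parts = parse_group_name(name)
        if parts and parts["kind"] == "role":  # pair the role group with its approvers group
            approvers = groups.get(f"o365-pim-approvers-{parts['dept']}-{parts['role']}", [])
            findings += check_group_membership(name, members, approvers)
    return findings


if __name__ == "__main__":
    for finding in run_audit():
        print(finding)
```

Running the script as-is prints five findings: two for the drifted Intune policy (8-hour activation, no MFA), one for the misnamed notify group, and two for the Global Administrator role group (a non-admin member and an account that is both eligible and an approver). To audit a real tenant, replace the constructed dictionaries with the policy and group membership you export, and treat any non-empty result as a ticket for the group owner ahead of the semi-annual review.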
Semi-annual Access Review
The need for access to privileged Azure resources and Microsoft Entra roles by our users changes over time. To reduce the risk associated with stale role assignments, we will regularly review the membership of the M365 role-assignable groups.
Still need help? If you run into problems or still need help, reach out to esys-cloud@csuchico.edu.