---
name: PIM Privileged Role and Activation Audit
description: Audit Entra Privileged Identity Management for standing versus eligible roles, activation anomalies and approval gaps against Essential Eight.
---

# PIM Privileged Role and Activation Audit

> **TL;DR:** This skill reads your Microsoft Entra Privileged Identity Management configuration to find standing privileged access, weakly governed or stale eligible role assignments, risky activations and missing approval or justification controls, then ranks each finding by risk so you can tighten just-in-time access.

## What does Microsoft Entra Privileged Identity Management control?

Microsoft Entra Privileged Identity Management (PIM) governs how administrators obtain privileged roles across Microsoft Entra ID and Microsoft 365, moving them from always-on standing access to just-in-time eligible activation. It defines whether a role requires approval, multi-factor authentication, a justification or a time limit before activation. This skill inspects those PIM role settings, eligible and active assignments, and recent activation history so you can confirm privileged access is governed in line with Conditional Access and your governance baseline.

## When should you run this skill?

- "Show me every account with permanent standing Global Administrator access."
- "Which privileged roles can be activated without approval or MFA?"
- "Audit our PIM activations for the last 30 days and flag anything anomalous."
- "Are admins activating roles without a meaningful justification?"
- "List eligible role assignments that have never been activated and may be stale."
- "We have a CPS 234 or Essential Eight assessment next week and need a privileged access report."
- "Confirm break-glass accounts are excluded correctly from PIM enforcement."

## How this skill works, step by step

1. Connect read-only to Microsoft Entra and enumerate all PIM-managed directory roles and privileged role-enabled groups in scope.
2. Retrieve every eligible and active role assignment, recording whether each is permanent (standing) or time-bound.
3. Read each role's PIM activation policy: approval requirement, MFA requirement, justification requirement, ticketing and maximum activation duration.
4. Pull recent activation events from the PIM audit history and correlate each activation with its approver, justification text and originating user.
5. Identify standing assignments on highly privileged roles, including Global Administrator, Privileged Role Administrator and Security Administrator.
6. Detect anomalies such as activations without approval, empty or templated justifications, activations outside business hours, or back-to-back re-activations that turn just-in-time access into de facto standing access.
7. Verify that designated break-glass or emergency-access accounts are documented and consistently handled.
8. Derive a per-finding risk score from role sensitivity, whether access is standing, and the strength of the activation controls in place.
9. Compile the prioritised findings into a structured report for review.
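The procedure above, worked through as an added Python example that is not the skill's own code: it takes records shaped like the Microsoft Graph PIM resources named in the comments (constructed sample data, with UPNs standing in for the object ids Graph returns in `principalId`), flags standing assignments, reads each role's end-user activation rules, counts weak-justification and out-of-hours self-activations, and returns the findings ranked by a risk score. The role names, principals, sensitivity weights, thresholds, templated-justification list and the AEST business-hours window are all assumptions made for this example; the scoring reproduces the shape of the table in the Output format section but is not the skill's actual formula.

```python
# Added example (not the skill's own code). Records mirror the fields this audit reads from
# Microsoft Graph: roleAssignmentScheduleInstances (active), roleEligibilityScheduleInstances
# (eligible), roleManagementPolicies/{id}/rules (role settings), roleAssignmentScheduleRequests
# (activations). Weights, thresholds, the AEST business-hours window and all sample data are assumptions.
import re
from datetime import datetime, timedelta, timezone

GA, SEC, EXCH = ("62e90394-69f5-4237-9190-012177145e10",  # built-in directory role template ids
                 "194ae4cb-b126-40b2-bd5b-6091b380977d",
                 "29232cdf-9323-42fd-ade2-1d097af3e4de")
ROLE_NAMES = {GA: "Global Administrator", SEC: "Security Administrator", EXCH: "Exchange Administrator"}
SENSITIVITY = {"Global Administrator": 3, "Privileged Role Administrator": 3,
               "Security Administrator": 2, "Exchange Administrator": 1}  # assumed tiers
TEMPLATED = {"", "n/a", "na", "test", "work", "admin", "."}  # assumed boilerplate justifications
MAX_ACTIVATION_HOURS = 8                                     # assumed baseline
LOCAL_TZ = timezone(timedelta(hours=10))                     # assumed AEST, no DST handling
BUSINESS_HOURS = range(7, 19)                                # assumed 07:00-18:59 local

def iso_duration_hours(value):
    """Convert an ISO 8601 duration such as PT8H, P1D or PT1H30M to hours."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?)?", value or "")
    if not m: raise ValueError(f"unsupported duration: {value!r}")
    days, hours, minutes = (int(x) if x else 0 for x in m.groups())
    return days * 24 + hours + minutes / 60

def policy_gaps(rules):
    """Return the activation controls a role's PIM policy does not enforce."""
    gaps = []
    for r in rules:
        if r["id"] == "Approval_EndUser_Assignment" and not r["setting"]["isApprovalRequired"]:
            gaps.append("activation requires no approval")
        elif r["id"] == "Enablement_EndUser_Assignment":
            gaps += [f"activation requires no {c}" for c in ("MultiFactorAuthentication", "Justification")
                     if c not in r.get("enabledRules", [])]
        elif r["id"] == "Expiration_EndUser_Assignment":
            hours = iso_duration_hours(r.get("maximumDuration"))
            if hours > MAX_ACTIVATION_HOURS:
                gaps.append(f"maximum activation {hours:g}h exceeds {MAX_ACTIVATION_HOURS}h")
        elif r["id"] == "Expiration_Admin_Assignment" and not r.get("isExpirationRequired", True):
            gaps.append("permanent active assignments allowed by policy")
    return gaps

def activation_anomalies(requests):
    """Count [weak justifications, out-of-hours activations] per (principal, role) for self-activations."""
    found = {}
    for req in requests:
        if req.get("action") != "selfActivate":  # adminAssign, selfDeactivate etc. are not activations
            continue
        counts = found.setdefault((req["principalId"], req["roleDefinitionId"]), [0, 0])
        if (req.get("justification") or "").strip().lower() in TEMPLATED:
            counts[0] += 1
        created = datetime.fromisoformat(req["createdDateTime"].replace("Z", "+00:00"))
        if created.astimezone(LOCAL_TZ).hour not in BUSINESS_HOURS:
            counts[1] += 1
    return {k: v for k, v in found.items() if any(v)}

def rank_findings(active, eligible, policies, requests):
    """Steps 2-8 of the audit: classify assignments, detect gaps and anomalies, score and rank."""
    findings = []
    def add(role_id, principal, kind, gaps, standing=False):
        role = ROLE_NAMES.get(role_id, role_id)
        score = SENSITIVITY.get(role, 1) * 15 + (30 if standing else 0) + 10 * len(gaps)
        level = "Critical" if score >= 60 else "High" if score >= 40 else "Medium" if score >= 25 else "Low"
        findings.append({"role": role, "principal": principal, "assignment": kind,
                         "gaps": gaps, "score": score, "risk": level})
    for inst in active:  # "Assigned" with no endDateTime is standing; "Activated" is JIT in use
        if inst.get("assignmentType") == "Assigned" and inst.get("endDateTime") is None:
            add(inst["roleDefinitionId"], inst["principalId"], "Active (standing)",
                ["permanent assignment, no JIT"] + policy_gaps(policies.get(inst["roleDefinitionId"], [])),
                standing=True)
    for inst in eligible:
        gaps = policy_gaps(policies.get(inst["roleDefinitionId"], []))
        if gaps:
            add(inst["roleDefinitionId"], inst["principalId"], "Eligible", gaps)
    for (principal, role_id), (weak, late) in activation_anomalies(requests).items():
        add(role_id, principal, "Activation history",
            [f"{n} activation(s) {why}" for n, why in
             ((weak, "with empty or templated justification"), (late, "outside business hours")) if n])
    return sorted(findings, key=lambda f: (-f["score"], f["role"], f["principal"], f["assignment"]))

# Constructed sample tenant (UPNs stand in for the object ids Graph returns in principalId).
def rules(approval, enabled, max_dur, admin_expiry=True):
    return [{"id": "Approval_EndUser_Assignment", "setting": {"isApprovalRequired": approval}},
            {"id": "Enablement_EndUser_Assignment", "enabledRules": enabled},
            {"id": "Expiration_EndUser_Assignment", "maximumDuration": max_dur},
            {"id": "Expiration_Admin_Assignment", "isExpirationRequired": admin_expiry}]

def req(principal, role_id, justification, created, action="selfActivate"):
    return {"principalId": principal, "roleDefinitionId": role_id, "action": action,
            "justification": justification, "createdDateTime": created}

def audit_sample():
    active = [{"principalId": "priya.shah@contoso.com", "roleDefinitionId": GA,
               "assignmentType": "Assigned", "endDateTime": None}]
    eligible = [{"principalId": "netops-team", "roleDefinitionId": SEC, "endDateTime": None},
                {"principalId": "sam.lee@contoso.com", "roleDefinitionId": EXCH, "endDateTime": None}]
    policies = {GA: rules(True, ["MultiFactorAuthentication", "Justification", "Ticketing"], "PT4H", False),
                SEC: rules(False, ["MultiFactorAuthentication", "Justification"], "PT8H"),
                EXCH: rules(True, ["MultiFactorAuthentication"], "PT24H")}
    requests = [req("sam.lee@contoso.com", EXCH, "", "2025-03-03T02:10:00Z"),     # 12:10 AEST
                req("sam.lee@contoso.com", EXCH, "n/a", "2025-03-03T12:30:00Z"),  # 22:30 AEST
                req("ravi.nair@contoso.com", SEC, "INC0042 review phishing mailbox rules", "2025-03-04T00:30:00Z"),
                req("priya.shah@contoso.com", GA, "onboarding", "2025-03-04T01:00:00Z", action="adminAssign")]
    return rank_findings(active, eligible, policies, requests)

if __name__ == "__main__":
    print(*[f'{f["risk"]:<9}{f["role"]:<25}{f["principal"]:<25}{f["assignment"]:<20}{"; ".join(f["gaps"])}'
            for f in audit_sample()], sep="\n")
```

Against a live tenant the same records come from the Graph endpoints named in the header comment, under the read-only permissions listed in the Licensing and permissions section. The `action` filter in `activation_anomalies` matters because the schedule-request collection also holds `adminAssign`, `selfDeactivate` and renewal entries, and a template-id lookup such as `ROLE_NAMES` would be replaced by resolving `roleDefinitionId` against the tenant's role definitions. The justification check is deliberately a denylist of boilerplate strings rather than a length threshold, because a short ticket reference is a better justification than a long templated sentence.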

## Output format

The skill returns a ranked table of privileged-access findings followed by a summary.

| Role | Principal | Assignment type | Control gap | Risk |
| --- | --- | --- | --- | --- |
| Global Administrator | `priya.shah@contoso.com` | Active (standing) | Permanent assignment, no JIT | Critical |
| Security Administrator | netops-team (group) | Eligible | Activation requires no approval | High |
| Exchange Administrator | `sam.lee@contoso.com` | Eligible | 14 activations with empty justification | Medium |

- Total privileged roles assessed and count of standing versus eligible assignments.
- Roles that can be activated without approval, MFA or justification.
- Activation anomalies detected over the review window.
- Top remediation priorities ranked by risk score.

## Scope and safety

This skill is read-only by default and makes no changes to your tenant. It inspects PIM configuration and audit data only, and never modifies role assignments or policies.

This skill does NOT:

- Activate, assign, remove or modify any privileged role or PIM policy.
- Alter approval workflows, Conditional Access policies or break-glass accounts.
- Export or store credentials, secrets or personal data beyond the report it produces.

## Licensing and permissions

### Licences and add-ons

| Capability used | Minimum licence |
| --- | --- |
| Privileged Identity Management (role settings, eligible and active assignments) | Microsoft Entra ID P2 |
| PIM activation and audit history | Microsoft Entra ID P2 |

### Least-privilege roles

- Global Reader or Security Reader for read-only visibility of directory roles and configuration.
- Privileged Role Administrator is required to administer PIM, but is not needed for this read-only audit.

### Microsoft Graph permissions (read-only)

- `RoleManagement.Read.Directory` — reads PIM role settings, eligible and active assignments and activation policies.
- `RoleEligibilitySchedule.Read.Directory` — reads eligible role assignment schedules.
- `Directory.Read.All` — resolves principals, groups and directory roles in scope.
- `AuditLog.Read.All` — reads PIM activation and approval history for anomaly detection.

## Sources and compliance

- [Configure Microsoft Entra Privileged Identity Management](https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure)
- [Plan a Privileged Identity Management deployment](https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-deployment-plan)
- Maps to the Essential Eight control "Restrict administrative privileges", supporting just-in-time access and regular review of privileged accounts. See the [ASD Essential Eight Maturity Model](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model).
- Supports ISM controls for privileged access management, requiring privileged access to be limited, time-bound and logged.
- Output in Australian English.
