
How to Audit Privileged Identity Management Role Activations in Microsoft Entra ID

Unrestricted access to PIM roles increases the risk of unauthorized activities and makes it difficult to manage critical resources in a Microsoft 365 environment. Implementing just-in-time privileged access and auditing PIM role activation in Microsoft Entra ID allows organizations to ensure elevated permissions are granted only when needed and only to the right users. This step-by-step guide shows how to track privileged role assignments, including who activated which role, when, and why.

Audit PIM Role Activations Using Entra Admin Center

Microsoft 365 permission required: Reports Reader (least privilege) or Global Admin (most privilege)
  • Log in to the Microsoft Entra admin center.
  • Navigate to Audit logs under Entra ID»Monitoring & health.
  • Filter the logs by selecting PIM under the Services filter and clicking Apply. Then select Add member to role completed (PIM activation) under the Activity filter and click Apply again.
  • The filtered entries show who initiated the role activation, when it was activated, and the reason given for the activation.
  • Note: Alternatively, you can navigate to ID Governance»Privileged Identity Management»Microsoft Entra roles»Resource audit to view PIM activity logs. However, this view does not support filtering by specific actions such as activations, deactivations, renewals, or permanent/time-bound assignments.

View Audit Logs of Microsoft Entra PIM Role Activations Using PowerShell

Microsoft 365 permission required: View-Only Audit Logs role (least privilege) or Global Admin (most privilege)
  • Connect to Exchange Online PowerShell using the cmdlet below.
     Connect-ExchangeOnline
  • Update the start and end date placeholders in the following script to match your required time range. Then, run the script to view the audit log report for Microsoft Entra role activations performed through Privileged Identity Management.
     # Replace the placeholders with your date range. -ResultSize 5000 is the maximum per call.
     Search-UnifiedAuditLog -StartDate "<YYYY-MM-DD>" -EndDate "<YYYY-MM-DD>" -Operations "Add member to role" -ResultSize 5000 |
     Where-Object { $_.AuditData } | ForEach-Object {
         # AuditData is a JSON string in the Entra ID audit record schema
         $data  = $_.AuditData | ConvertFrom-Json
         # ModifiedProperties carries the role name and object ID as Name/NewValue pairs
         $props = @{}
         foreach ($mp in @($data.ModifiedProperties)) {
             $props[$mp.Name] = $mp.NewValue
         }
         # Actor may be a single identity or an array of identities
         if ($data.Actor -is [System.Array]) {
             $assignedBy = ($data.Actor | ForEach-Object { $_.ID }) -join ', '
         }
         else {
             $assignedBy = $data.Actor.ID
         }
         [PSCustomObject]@{
             Timestamp  = $data.CreationTime
             AssignedTo = $data.UserId
             RoleName   = $props['Role.DisplayName']
             RoleID     = $props['Role.ObjectID']
             AssignedBy = $assignedBy
             Result     = $data.ResultStatus   # Success or Failure of the activation
         }
     } | Format-Table -AutoSize
  • This provides information on who assigned the role, to whom it was assigned, which PIM role was assigned, when the assignment occurred, and whether the PIM activation was successful.
  • Note: You can also use the ‘Get-MgAuditLogDirectoryAudit’ cmdlet from the Microsoft Graph PowerShell module to view PIM role activation logs for the past 30 days. However, the details there are limited and may not match the level of data the ‘Search-UnifiedAuditLog’ cmdlet provides.
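As an added example (not the article's script and not AdminDroid's code), the function below parses the AuditData JSON that Search-UnifiedAuditLog returns into review-ready records and flags the activations an auditor would look at first. The three sample records, the high-privilege role list and the UTC working hours are constructed assumptions, not data from any tenant.

```powershell
# Added example (not the article's script): turn raw Unified Audit Log AuditData JSON for
# "Add member to role" events into review-ready records and flag the ones worth a look.
# The three records below are constructed samples in the UAL Entra ID audit schema; UPNs,
# GUIDs and timestamps are placeholders, not data from any tenant.
$sampleAuditData = @(
    '{"CreationTime":"2025-03-03T02:14:09","Operation":"Add member to role","ResultStatus":"Success","UserId":"alice@contoso.example","Actor":[{"ID":"alice@contoso.example","Type":5},{"ID":"User_11111111-1111-1111-1111-111111111111","Type":2}],"Target":[{"ID":"alice@contoso.example","Type":5}],"ModifiedProperties":[{"Name":"Role.DisplayName","NewValue":"Global Administrator","OldValue":""},{"Name":"Role.ObjectID","NewValue":"22222222-2222-2222-2222-222222222222","OldValue":""}]}',
    '{"CreationTime":"2025-03-03T10:30:41","Operation":"Add member to role","ResultStatus":"Success","UserId":"bob@contoso.example","Actor":[{"ID":"bob@contoso.example","Type":5}],"Target":[{"ID":"bob@contoso.example","Type":5}],"ModifiedProperties":[{"Name":"Role.DisplayName","NewValue":"Exchange Administrator","OldValue":""},{"Name":"Role.ObjectID","NewValue":"33333333-3333-3333-3333-333333333333","OldValue":""}]}',
    '{"CreationTime":"2025-03-03T11:02:15","Operation":"Add member to role","ResultStatus":"Failure","UserId":"carol@contoso.example","Actor":[{"ID":"carol@contoso.example","Type":5}],"Target":[{"ID":"dave@contoso.example","Type":5}],"ModifiedProperties":[{"Name":"Role.DisplayName","NewValue":"Global Administrator","OldValue":""}]}'
)

function ConvertFrom-PimRoleAuditData {
    param(
        [Parameter(Mandatory)][string[]]$AuditDataJson,
        # Roles whose activation should always be reviewed (assumption: adjust to your tenant)
        [string[]]$HighPrivilegeRoles = @('Global Administrator', 'Privileged Role Administrator'),
        # Working hours in UTC, because UAL CreationTime is recorded in UTC (assumed hours)
        [int]$WorkdayStartHour = 7,
        [int]$WorkdayEndHour   = 19
    )
    foreach ($json in $AuditDataJson) {
        $data  = $json | ConvertFrom-Json
        $props = @{}
        foreach ($mp in @($data.ModifiedProperties)) { $props[$mp.Name] = $mp.NewValue }
        # Actor/Target hold several identity forms; keep the UPN entry for readability
        $actor  = $data.Actor  | Where-Object { $_.ID -like '*@*' } | Select-Object -First 1 -ExpandProperty ID
        $target = $data.Target | Where-Object { $_.ID -like '*@*' } | Select-Object -First 1 -ExpandProperty ID
        $when   = [datetime]($data.CreationTime)
        $role   = $props['Role.DisplayName']
        [PSCustomObject]@{
            Timestamp     = $when
            Actor         = $actor
            Target        = $target
            RoleName      = $role
            RoleId        = $props['Role.ObjectID']
            Result        = $data.ResultStatus
            SelfActivated = ($actor -eq $target)          # a PIM activation is self-service
            HighPrivilege = ($HighPrivilegeRoles -contains $role)
            OffHours      = ($when.Hour -lt $WorkdayStartHour -or $when.Hour -ge $WorkdayEndHour)
        }
    }
}

function Get-PimActivationsToReview {
    param([Parameter(Mandatory)][object[]]$Events)
    # Failed attempts, one account placing another into a role, high-privilege roles and
    # off-hours activations are the records an auditor wants to see first
    $Events | Where-Object {
        $_.Result -ne 'Success' -or -not $_.SelfActivated -or $_.HighPrivilege -or $_.OffHours
    }
}

$events = ConvertFrom-PimRoleAuditData -AuditDataJson $sampleAuditData
$events | Format-Table Timestamp, Actor, Target, RoleName, Result, HighPrivilege, OffHours -AutoSize
Get-PimActivationsToReview -Events $events |
    Format-Table Timestamp, Actor, Target, RoleName, Result -AutoSize
# Live use: pass the real records instead of the samples, e.g.
# $raw = (Search-UnifiedAuditLog -StartDate "<YYYY-MM-DD>" -EndDate "<YYYY-MM-DD>" -Operations "Add member to role" -ResultSize 5000).AuditData
# ConvertFrom-PimRoleAuditData -AuditDataJson $raw | Get-PimActivationsToReview -Events { $input }
```

With the sample data, the review list contains the 02:14 Global Administrator activation (high privilege, off hours) and the failed attempt that targets another account, while the daytime Exchange Administrator activation is left out.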

Track Entra PIM Role Activations Using PowerShell Script

Microsoft 365 permission required: View-Only Audit Logs role (least privilege) or Global Admin (most privilege)
  • While the above PowerShell solution is useful for identifying PIM activations in Microsoft Entra ID, it requires additional filtering and supporting cmdlets to properly format the output.
  • To address this, we have developed a script that offers complete insights into all PIM role activations and deactivations in a CSV file.
  • Download and run the script as mentioned below to find all PIM role activations along with details like event time, admin name, PIM role activated, and additional audit data for deeper analysis.
     ./AuditPIMRoleActivations.ps1 -PIMActivationsOnly
AuditPIMRoleActivations.ps1

Ensure Timely Access with Scoped PIM Activation Insights in Microsoft Entra ID

AdminDroid’s Microsoft Entra auditing tool provides detailed visibility into Privileged Identity Management without relying on complex native methods. It lets you monitor all privileged role management activities across your organization to strengthen security.

Ensure Timely Revocation of Elevated Access in Entra ID

Monitor PIM role deactivations to track who manually deactivates their own PIM roles, ensuring elevated access is used only when needed and promptly revoked after task completion.

Monitor Microsoft 365 Admins Assigned with Management Roles

Identify all admins holding management roles in the Microsoft 365 environment to ensure proper account management, prevent unnecessary access, and uphold least privilege principles.

Identify the Updates in Entra ID Custom Roles

Track updates to Entra ID custom roles to ensure transparency, detect unauthorized changes, and avoid discrepancies in the role-based access control configuration within Microsoft 365 administration.

Prevent Unauthorized High Privilege Access in Entra ID

Track users added to the Global Admin role via PIM or permanent assignments to identify unauthorized high privilege elevation attempts and prevent potential security breaches.

Analyze Role-Based Conditions in Conditional Access Policies

Review CA policies configured with role-based conditions to ensure that elevated access is granted only under secure conditions, such as compliant devices and trusted locations.

Simplify Privileged Access Management Using Role-Assignable Groups

Find all role-assignable groups in Microsoft 365 and use them to streamline just-in-time privileged access, simplifying role assignments and reducing per-user management.

In essence, AdminDroid’s Entra ID management tool offers end-to-end visibility into PIM role assignments, activations, deactivations, and updates. It empowers administrators with full-spectrum insights and seamless management across all aspects of Entra ID to elevate Microsoft 365 administration to the next level.


Important tips

Configure PIM for groups in Entra ID to allow users to activate group membership or ownership with just-in-time access, approval workflows, and time-bound control.

Enable PIM email notification settings to stay informed of role assignments, activations, and other critical privileged access events in real time.

Restrict PIM role approval authority to only the required admins to prevent inconsistent decisions and unintended activation beyond the originally intended access window.

Common Errors and Resolution Steps

The following are the possible errors and troubleshooting hints when managing Entra ID PIM roles.

Error: Extend role assignment. There is already an existing pending role assignment request.

This error occurs in Entra ID when a user tries to submit a request to renew or extend a PIM role while a previous request for the same role is still pending approval.

Fix: Wait for the current pending request to be approved, denied, or withdrawn before submitting a new one.

Error: The active duration is too short. Minimum required is 5 minutes.

This error occurs when an admin attempts to assign or activate a PIM role with an active duration of less than 5 minutes, which does not meet the system-enforced minimum.

Fix: Ensure the active duration (between start time and end time) is set to at least 5 minutes when activating the role.

Error: Get-MgAuditLogDirectoryAudit_List: Specified argument was out of the range of valid values. (Parameter 'Minimum allowed time for activityDateTime is <TimeStamp>').

This error occurs when the 'Get-MgAuditLogDirectoryAudit' cmdlet is run with an activityDateTime filter that exceeds the supported time range. Microsoft Graph PowerShell typically exposes audit log data for only the past 30 days.

Fix: Update the activityDateTime filter in the cmdlet so that the end date falls within 30 days of the start date, as Microsoft Graph’s supported time range requires.
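As an added example (not the article's code), the function below builds the Get-MgAuditLogDirectoryAudit filter for PIM activations and clamps the requested start to the 30-day window, so the activityDateTime error above cannot be triggered by an overly old start date. The 30-day retention and the activity display name come from this article; the warning text and the live-use lines are assumptions.

```powershell
# Added example (not the article's code): build the Get-MgAuditLogDirectoryAudit filter so
# the activityDateTime lower bound never reaches past the 30-day window Microsoft Graph serves,
# which is what triggers the "Minimum allowed time for activityDateTime" error.
function Get-PimActivationAuditFilter {
    param(
        [Parameter(Mandatory)][datetime]$RequestedStart,
        [datetime]$Now = (Get-Date).ToUniversalTime(),
        [int]$RetentionDays = 30   # directory audit window stated in the article
    )
    $earliest = $Now.AddDays(-$RetentionDays)
    $start    = $RequestedStart.ToUniversalTime()
    # Clamp: a start older than the retention window cannot be queried and only produces the error
    if ($start -lt $earliest) {
        Write-Warning ('Requested start {0:u} is older than {1} days; using {2:u} instead' -f $start, $RetentionDays, $earliest)
        $start = $earliest
    }
    $stamp = $start.ToString('yyyy-MM-dd\THH:mm:ss\Z')
    # activityDisplayName is the same value the admin center shows under the Activity filter
    "activityDateTime ge $stamp and activityDisplayName eq 'Add member to role completed (PIM activation)'"
}

# A 45-day request is clamped to 30 days and a warning explains why
$filter = Get-PimActivationAuditFilter -RequestedStart (Get-Date).AddDays(-45)
$filter
# Live use (requires the Microsoft.Graph module and a signed-in session):
# Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'
# Get-MgAuditLogDirectoryAudit -Filter $filter -All |
#     Select-Object ActivityDateTime, ActivityDisplayName, Result,
#                   @{ n = 'Actor'; e = { $_.InitiatedBy.User.UserPrincipalName } }
```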

Frequently Asked Questions

Manage Entra ID PIM Roles for Effortless Just-in-Time Role Activation and Governance

1. What are the types of role assignments in Privileged Identity Management?

Microsoft Entra Privileged Identity Management (PIM) helps to control who can have privileged role access in your organization and for how long. PIM roles can be assigned to users in two ways: Active Assignment and Eligible Assignment.

The following section highlights the difference between the two in a simple and easy-to-understand manner.

1. Eligible Assignment

  • The user can activate the role only when needed, following the just-in-time (JIT) access principle.
  • May require approval workflows, Multi-Factor Authentication (MFA), or justification based on the configuration.
  • Encourages least privilege access by granting temporary access only when necessary.

2. Active Assignment

  • The user is already assigned the role and does not need to activate it.
  • Access is immediate and remains until the assignment is removed or expires.
  • Best suited for roles that require ongoing or continuous access.

2. How to assign PIM roles with different assignment types in Entra ID?

Admins can assign PIM roles to users with either Eligible or Active status, depending on the required level of access. Here’s how to assign PIM roles with different assignment types.

Assign PIM roles with appropriate assignment type

  • Navigate to Roles via Entra Portal»ID Governance»Privileged Identity Management»Microsoft Entra roles»Roles.
  • Click + Add assignments, then select the desired PIM role from the Select role dropdown, choose the users from the 'Select member(s)' menu and click Next.
  • Under the Settings tab, configure the ‘Assignment type’ based on your need.
    • Eligible - Users must activate the assigned eligible PIM role to gain access.
    • Active - Users get immediate access to the role they are assigned.
  • Select the Permanently eligible checkbox to assign the role as permanently eligible or active, or configure the Assignment starts and Assignment ends time as needed.
  • Enter the reason for the assignment in the ‘Enter justification’ field. This field is mandatory only if the assignment type is Active.
  • Click the Assign button to save the PIM role assignment.

Note: An approval may be required to activate the assigned eligible PIM role, if an approver is configured for the PIM role in Entra admin center. This helps to prevent the misuse of privileged roles.


Tip: In addition to role assignment, admins can manage current role assignments by using the Update or Remove options in the Assignments window.


3. How to assign approver for a particular PIM role activation in Entra ID?

You can assign an approver for PIM roles in Entra ID so that approval is required before an assigned role can be activated. This helps prevent unauthorized access and gives better control over sensitive operations.

Configure approvers for Microsoft Entra PIM roles

  • In Entra admin center, navigate to the Settings tab under the ID Governance»Privileged Identity Management»Manage»Microsoft Entra roles.
  • Under the Settings tab, select the role for which you want to assign an approver.
  • Once the role is selected, hit the Edit icon, then click the checkbox “Require approval to activate” and select the approver from the “Select approver(s)” option.
  • Choose one or more approvers and hit the Update button.

Note: In the ‘On activation, require’ option, choose Azure MFA to ensure that only users who successfully complete MFA can activate PIM roles, reducing attack surface.

4. How can users activate or deactivate the eligible PIM roles in Entra ID?

Users who hold eligible PIM role assignments can activate them via the Entra admin center. During activation, they may be required to complete MFA, provide a justification, or wait for approval, depending on the configuration, to enable the role for just-in-time access.

Activate Entra ID roles in PIM as a user

  • Navigate to the My roles page under PIM in the Microsoft Entra admin center.
  • Identify the required eligible PIM role under Eligible assignments window and click Activate.
  • Once clicked, you will be provided with a flyout pane. Configure the activation duration (in hours) using a slider.
  • Enter the reason for the activation of the PIM role in the reason text box and click Activate.

Tip: Use the ‘Custom activation start time' check box to activate the role at your specified scheduled time.

Note: If no specific approvers are selected, Privileged Role Administrators or Global Admins will become the default approvers.

Deactivate active PIM role assignments

  • Open the My roles page in the Entra portal.
  • Select the PIM role you need to deactivate under the Active assignments window.
  • Click Deactivate, review the details shown, and select the Deactivate button in the flyout pane.

Note: If access to the Azure or Entra portal is restricted in your organization, users with eligible PIM roles can still activate them. They can manage their roles by going directly to the My roles page using the provided link or by searching for “Privileged Identity Management” in the search bar.

5. How to request extension or renewal of PIM role assignments for eligible or active roles?

In addition to activating roles, users can also request to extend their active session or renew an expired eligible assignment to retain future access through the Entra Admin Center.

Users can request PIM role extension through the Entra admin center before the session expires by providing a justification, which may be subject to approval based on policies.

Extend the active PIM role assignments in Entra ID

  • Navigate to the Eligible assignments tab under Entra portal»ID Governance»Privileged Identity Management»Tasks»My roles.
  • Go to the Active assignments tab and click the 'Extend' button associated with the desired role.
  • Provide the reason for requesting the extension of the selected PIM role and hit the Extend button.

Users can raise an extension request for eligible or active (assigned) roles only within the 14 days prior to the role’s expiry date.

Renew expired PIM role assignments

Once an eligible role assignment has expired, users can request to renew it. Upon approval, the assignment will be reactivated and thus allow the user to retain eligibility and continue activating the role as needed.

  • Navigate to My roles for PIM in the Microsoft Entra admin center.
  • Go to the Expired assignments tab and click the ‘Renew’ icon associated with the desired role.
  • Provide the reason for requesting the renewal of the selected PIM role and hit the Renew button.

6. How to approve or deny requests for Microsoft Entra roles renewals and extensions?

When a user or group submits a request to extend a role assignment, administrators receive an email notification that includes the details of the original assignment, the reason for the request, and a direct link to approve or deny it.

After reviewing the request and its justification, authorized administrators can approve or deny it. Once approved, the user is allowed to activate or extend the role based on the defined conditions.

Note: Only Global Admins or Privileged Role Admins can approve or deny requests. Also, approvers have 24 hours to approve, after which the user must submit a new request. The 24-hour window cannot be changed.

Approve or deny PIM role requests

  • Log in to the Entra admin center as at least a Privileged Role Administrator.
  • Navigate to the Approve requests tab from ID Governance»Privileged Identity Management.
  • Here you will find the requests submitted by users for approval or renewal.
  • Review the justification column to assess the need for the activation request and then Approve or Deny it accordingly.
  • Once the role is assigned, an email is sent to the respective users notifying them of the role assignment.
