How to Lock Down Your Microsoft 365 with Privileged Identity Management
Jun 25, 2025
Let me tell you a story.
Imagine you’re Steve. You work in a large corporate office building. You’ve got your standard-issue security pass. It gets you through the front door, takes you to your desk, lets you pop into the canteen for a cuppa, and that’s about it. You’re not poking around the executive suite, and you’ve certainly never set foot in the server room.
Now imagine Steve gets promoted. Or worse - someone decides he needs a bit more access “just in case”. Suddenly his pass lets him into everywhere. Day or night. The executive suite. The IT floor. The vault where they keep the dodgy printer toner.
Problem is - Steve loses that pass.
Now someone else - who shouldn't have it - has access to everything. And that’s exactly what can happen in Microsoft 365 when you hand out admin roles like sweets at Halloween.
Today, I’m going to show you how to avoid that. We're diving into Privileged Identity Management (PIM), a tool designed to give your IT team just enough access just in time. You’ll learn how to implement PIM in Microsoft 365, tighten up admin privileges, and sleep a little easier at night knowing that rogue accounts aren’t wandering unchecked across your digital estate.
The Basics: Admin Roles in Microsoft 365
Admin roles in Microsoft 365 are exactly what they sound like - elevated permissions that allow users to carry out specific tasks, like resetting passwords or creating new users. Standard stuff. But too often, organisations take the easy route: assign global admin access and forget about it.
That’s where the analogy of Steve and his magic pass comes in.
Giving someone a permanent global admin role is like giving them the master key to the building - no questions asked, all hours access, zero limitations. It’s risky, lazy, and unnecessary.
Instead, we need to be smarter. We need a system where Steve only gets into the executive suite when he’s got a meeting there - and his access disappears afterwards.
That’s exactly what PIM does.
Enter: Privileged Identity Management (PIM)
Privileged Identity Management is part of Microsoft Entra (formerly Azure AD), and it changes the admin game completely. With PIM, users aren’t given full-time admin rights. Instead, they can request access for a specific task, for a specific time period. That request gets logged, reviewed, and approved - or denied.
And once the time’s up? Access revoked. Just like Steve being escorted out of the executive suite once his meeting’s over.
It’s clean, auditable, and secure.
The Catch: You Need a Licence
Before we get to the juicy demo, a quick heads-up. PIM isn’t available on Microsoft 365 Business Premium. You’ll need to purchase the Entra ID P2 licence, which is currently around £6 per user, per month. That said, this licence comes with a stack of security features beyond just PIM - so for most businesses, it’s a no-brainer.
The Demo: Setting Up PIM for Harry
Meet Harry. Harry works the help desk. We want him to be able to reset passwords and create new users - basic admin stuff - but we don’t want to give him the keys to the kingdom.
Here’s how we do it with PIM:
1. No Default Admin Role
   Harry’s user account has no permanent admin roles. Nada.
2. Assign Eligibility
   Through the Microsoft Entra portal, we assign Harry as eligible for the Helpdesk Administrator role. He doesn’t have it yet - but he can request it when needed.
3. Set the Rules
   We configure the settings:
   - Access is time-limited (e.g., 8 hours)
   - Multi-factor authentication (MFA) required
   - He must give a reason for activating the role
   - An approval workflow is triggered
4. Harry Makes a Request
   Harry logs into the Entra portal. He sees that he’s eligible for Helpdesk Admin, clicks “Activate”, sets a duration, enters a justification ("creating two new user accounts"), and submits.
5. Admin Approves
   Back on my side as the global admin, I receive the request. I check it over and click “Approve”. Boom - Harry now has elevated rights for 8 hours. After that, it’s gone.
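The same setup, scripted with the Microsoft Graph PowerShell SDK so it can be repeated and version-controlled. This is an added example, not code from the original post; the two UPNs and the approver account are placeholders, and the Microsoft.Graph modules are assumed to be installed.

```powershell
# Added example (not from the original post): Harry's PIM setup via Microsoft Graph PowerShell.
# The UPNs below are placeholders; replace them with real accounts in your tenant.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "RoleManagementPolicy.ReadWrite.Directory", "User.Read.All"

$harry    = Get-MgUser -UserId "harry@contoso.example"   # placeholder help-desk user
$approver = Get-MgUser -UserId "admin@contoso.example"   # placeholder approving admin
$role     = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Helpdesk Administrator'"

# Step 1: Harry must hold no standing (active) directory role before we start.
$active = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($harry.Id)'"
if ($active) { throw "Harry already has a permanent role assignment - remove it first." }

# Step 2: make Harry *eligible* for Helpdesk Administrator. Eligible is not active:
# nothing is granted until he activates, and that activation is what PIM governs.
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter @{
    action = "adminAssign"; principalId = $harry.Id; roleDefinitionId = $role.Id
    directoryScopeId = "/"; justification = "Help desk: password resets and new users"
    scheduleInfo = @{ startDateTime = (Get-Date).ToUniversalTime(); expiration = @{ type = "noExpiration" } }
}

# Step 3: the rules live in the role's PIM policy, one rule object per setting.
$policyId = (Get-MgPolicyRoleManagementPolicyAssignment -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$($role.Id)'").PolicyId

$rules = @{
    # Activation may last at most 8 hours
    "Expiration_EndUser_Assignment" = @{ "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"; isExpirationRequired = $true; maximumDuration = "PT8H" }
    # MFA and a written justification on every activation
    "Enablement_EndUser_Assignment" = @{ "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule"; enabledRules = @("MultiFactorAuthentication", "Justification") }
    # A named approver must sign off before the role becomes active
    "Approval_EndUser_Assignment"   = @{ "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule"; setting = @{
        isApprovalRequired = $true; approvalMode = "SingleStage"
        approvalStages = @(@{ approvalStageTimeOutInDays = 1; isApproverJustificationRequired = $true; escalationTimeInMinutes = 0; isEscalationEnabled = $false
            primaryApprovers = @(@{ "@odata.type" = "#microsoft.graph.singleUser"; userId = $approver.Id }) }) } }
}
foreach ($ruleId in $rules.Keys) {
    Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId -UnifiedRoleManagementPolicyRuleId $ruleId -BodyParameter $rules[$ruleId]
}

# Step 4 (run in Harry's own session): request activation. A duration over PT8H is rejected
# by the policy; the request then waits for the approver, which is step 5 in the portal.
New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter @{
    action = "selfActivate"; principalId = $harry.Id; roleDefinitionId = $role.Id; directoryScopeId = "/"
    justification = "creating two new user accounts"
    scheduleInfo = @{ startDateTime = (Get-Date).ToUniversalTime(); expiration = @{ type = "afterDuration"; duration = "PT8H" } }
}
```

The eligibility, the policy rules and every activation request show up in the Entra audit log, which is the trail the post refers to.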
Why This Matters
We’ve all seen it. The IT environment where five people have global admin rights ‘just in case’. The intern with password reset privileges. The spreadsheet of old users who still have admin access ‘because no one’s cleaned it up’.
PIM changes that.
It’s access with purpose. Permissions with context. Admin rights that expire automatically and leave an audit trail behind them. In a world where phishing attacks, ransomware, and insider threats are very real, this kind of granular control isn’t just helpful - it’s essential.
Final Thoughts
Think of PIM like bouncers at a VIP nightclub. You're not getting in unless your name's on the list - and even then, you’re out when the party’s over. It's accountability baked into the very core of Microsoft 365 admin controls.
So if you’re managing Microsoft 365 for your business and still handing out global admin access like it’s going out of fashion, it’s time to change that.
Set up PIM. Give your team the access they need - but only when they need it. Keep things locked down, logged, and looked after.