Azure Privileged Identity Management – Office365 Roles

Privileged Identity Management (PIM) is an amazing new service that Microsoft has made available via the following licensing SKUs:

  • Enterprise Mobility + Security (EMS) E5
  • Microsoft 365 M5
  • Azure Active Directory Premium Plan

This blog post is related to Office365 roles.

I will create a new blog post on using PIM with Azure resources; an example could be a workflow that requires financial approval to deploy virtual machines.

When I first set this up I followed the Microsoft guidelines but found it hard to understand how to start protecting privileged roles with PIM.
This blog post will outline the steps required to manage some specific Office365 roles.

FIRST STEPS to enable Azure PIM 

Browse to this Microsoft site – Getting started with Azure PIM – and complete the following two sections:

  • Enable PIM
  • Sign up PIM for Azure AD roles

It is critical for an Azure PIM administrator to be a member of the ‘Privileged Role Administrator’ role so that the admin can make users eligible for the relevant roles.

Azure PIM sample use cases with Office365 

  • Global Administrator
  • License Administrator
  • Compliance Administrator (this is probably the best use case for Azure PIM in Office365)
  • Exchange Administrator
  • SharePoint Administrator
  • Service Administrator (Office365 Premier Support tickets now need to be logged through the Office365 admin portal. Support staff only need this role and not Global Admin.)

Add eligible users to privileged roles

The next steps look at how we can make a user eligible for privileged role access and some of the options available.

  1. To assign a user eligibility for privileged roles, browse to the Manage section, select Settings and then Roles.
  2. Select the roles that you want to assign eligible users to.
  3. Select the options displayed in the image below and add approval users. Not all roles may require MFA enforcement, but some will, like the Global Admin or Compliance Admin role.
  4. Add approval users.
    Most admin accounts do not have a license and therefore have no mailbox, so they cannot receive a mail notification for a request to approve access. It is possible to add approval accounts to the ‘Privileged Authentication Administrator’ role; this enables the approval hyperlink within the email notification to be redirected to the Azure PIM request approval portal, where the request can be approved. When Azure Seamless sign on is enabled, the approver is directed to the Azure PIM request portal with single sign-on and the process can be very quick.

The next steps demonstrate an end user or external guest account requesting access to the Office365 licensing portal.

  1. The user requesting access would click on this URL
  2. The user will then be presented with an Azure page where he/she can request access to their eligible roles.
  3. Then click on the next Activation link
  4. Then fill in the details for the request and select activate
  5. This will then send an email to a defined approval user, and the approval user will receive the email notification displayed in the image below.
  6. The approval user will then be directed to the Azure PIM request portal and can then choose to approve or deny the request.


The final point to note is that Azure PIM auditing is excellent: when Azure PIM is enabled it will send out notifications when users' privileges have been elevated in the Office365 portal or in an Office365 service like Exchange Online or SharePoint Online. Once PIM is in place, the only place roles should be elevated is in Azure PIM, and generic admin accounts should never be used.
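
The rule that roles should only ever be elevated through Azure PIM can be checked against the Azure AD audit log. The following is an added example, not part of the original walkthrough or any Microsoft tooling: it assumes records shaped like Microsoft Graph directoryAudit entries and that PIM's own role changes are logged with the initiating app named "MS-PIM". The sample records are constructed.

```python
# Flag role assignments that were not made by PIM itself.
# Assumption: PIM-driven changes carry this initiating app name in the audit log.
PIM_INITIATOR = "MS-PIM"
ROLE_ADD_ACTIVITY = "Add member to role"

def _entry(initiated_by, upn, role=None):
    """Build one constructed record in the assumed directoryAudit shape."""
    props = [{"displayName": "Role.DisplayName", "newValue": f'"{role}"'}] if role else []
    return {"category": "RoleManagement", "activityDisplayName": ROLE_ADD_ACTIVITY,
            "initiatedBy": initiated_by,
            "targetResources": [{"type": "User", "userPrincipalName": upn,
                                 "modifiedProperties": props}]}

# Constructed sample data: one activation via PIM, one direct assignment,
# and one unrelated event that must be ignored.
SAMPLE_AUDIT_LOG = [
    _entry({"app": {"displayName": "MS-PIM"}, "user": None},
           "alice@example.com", "License Administrator"),
    _entry({"app": None, "user": {"userPrincipalName": "admin@example.com"}},
           "bob@example.com", "Global Administrator"),
    {"category": "UserManagement", "activityDisplayName": "Update user",
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.com"}},
     "targetResources": [{"type": "User", "userPrincipalName": "carol@example.com"}]},
]

def initiator(record):
    """Return the app name or user UPN that performed the change."""
    by = record.get("initiatedBy") or {}
    app, user = by.get("app") or {}, by.get("user") or {}
    return app.get("displayName") or user.get("userPrincipalName") or "unknown"

def role_name(target):
    """Extract the role name; the log stores it as a quoted string."""
    for prop in target.get("modifiedProperties") or []:
        if prop.get("displayName") == "Role.DisplayName":
            return (prop.get("newValue") or "").strip('"')
    return "unknown role"

def assignments_outside_pim(records):
    """List role additions whose initiator is anything other than PIM."""
    findings = []
    for rec in records:
        if (rec.get("category"), rec.get("activityDisplayName")) != ("RoleManagement", ROLE_ADD_ACTIVITY):
            continue
        who = initiator(rec)
        if who != PIM_INITIATOR:
            findings += [{"initiator": who, "user": t.get("userPrincipalName"), "role": role_name(t)}
                         for t in rec.get("targetResources") or [] if t.get("type") == "User"]
    return findings
```

Running assignments_outside_pim(SAMPLE_AUDIT_LOG) reports only the direct Global Administrator assignment; a record with no identifiable initiator is reported as "unknown" rather than skipped.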

