
Entra ID PIM for Essential Eight compliance

BY PROFESSIONAL ADVANTAGE - 4 August 2023 - 5 MINS READ

Privileged identities are accounts with high levels of access to critical resources: administrative, service and application accounts. If compromised, they can lead to significant security breaches, which is why cybercriminals target them. Limiting privileged access to your Azure and Microsoft 365 cloud resources helps you mitigate that risk before it is exploited.

One tool that enables exactly that, while giving you control and governance over privileged access across Entra ID, Azure and Microsoft 365, is Privileged Identity Management (PIM) in Microsoft Entra ID (formerly Azure Active Directory). PIM governs cloud roles and groups; administration of on-premises Active Directory is outside its scope and needs its own controls.

In this blog, we explain what Entra ID PIM is, what it can do, why you should use it, and how it helps your organisation reach Essential Eight maturity level two.

What is Entra ID PIM?

Privileged Identity Management (PIM) is a feature of Microsoft Entra ID that lets organisations manage, control and monitor access to important resources. These resources include Entra ID directory roles, Azure resource roles, privileged groups, and other Microsoft Online Services such as Microsoft 365 or Intune.

With Entra ID PIM in place, an administrator does not hold Global Administrator permanently. PIM provides just-in-time access to privileged roles: users are made eligible for a role and activate it only when they need it, for a bounded period. This shrinks the window in which the privilege exists at all. If an administrator's account is compromised while the role is not active, the attacker inherits only an ordinary user's permissions and must still pass the activation policy (MFA, a justification and, if configured, an approval) before gaining the role. Note that this protects the eligible state, not an active session: an attacker who hijacks a session after activation holds the role until it expires, which is why short activation durations matter.

To use Entra ID PIM, you need a licence that includes Entra ID Premium P2, such as Entra ID P2 on its own or Microsoft 365 E5.

What can you do with Entra ID PIM?

  1. Discover and manage privileged identities and access to critical resources.
  2. Enforce least-privileged access, providing access to resources only when needed.
  3. Streamline the approval process for privileged access requests.
  4. Create and manage privileged roles and their assignment policies within your organisation.
  5. Automate access reviews and certifications, so that privileged access is regularly reviewed and revalidated and roles that are no longer necessary are removed.
  6. Monitor privileged access and activity with detailed logging and auditing capabilities.
  7. Analyse role assignments, identify over-permissioned roles, and recommend adjustments to align with security best practices.
  8. Generate detailed reports on privileged role assignments, access history, and overall privileged access management activities.

How does Entra ID PIM help you achieve Essential Eight Maturity Level 2?

Essential Eight maturity level 2 focuses on adversaries with a modest step-up in capability from level 1: they are willing to invest more time in a target and in testing the effectiveness of their tools, and they take care to hide their activity. Adversaries at this level commonly use phishing and social engineering to trick users into weakening an organisation's security, targeting and exploiting accounts with privileged access.

Entra ID PIM helps to restrict administrative privileges and achieve Essential Eight maturity level 2 in these ways:

  1. Instead of standing administrative privileges, Entra ID PIM implements just-in-time (JIT) access: users are made eligible for a role and activate it for a limited period when they need to perform a specific administrative task.
  2. Entra ID PIM incorporates an approval workflow for granting privileged access. When a user requests activation, the request is routed to designated approvers who review it and approve or deny it. This adds a layer of oversight and ensures that administrative privileges are granted on the basis of proper authorisation and a business justification.
  3. Instead of indefinite administrative access, Entra ID PIM lets organisations make both eligible and active assignments time-bound, with the privilege automatically revoked once the period expires.
  4. Monitor privilege escalation with PIM's audit history, which records every request, approval, activation, expiry and assignment change, including the role, scope and duration. Actions taken while the role is active are recorded in the Entra ID audit logs and Azure activity logs rather than in PIM itself, so read the two together when reviewing administrative activity, identifying anomalies or unauthorised actions, and demonstrating accountability and compliance with security policies.
  5. Entra ID PIM builds on role-based access control (RBAC) and attaches an activation policy to each role. Administrators set the conditions for activation (maximum duration, MFA, a justification, a ticket number, approval), ensuring that only authorised individuals with a legitimate need can access sensitive resources.
  6. Instead of granting broad administrative rights, your organisation can operate in a least-privilege model, assigning a narrowly scoped role (for example Exchange Administrator rather than Global Administrator) on an as-needed basis with Entra ID PIM.
  7. Facilitate periodic privileged access reviews to evaluate the continued need for each privileged role. This keeps an accurate, up-to-date picture of who has access to sensitive resources and enables the timely removal of unnecessary privileges.
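The activation policy, eligible assignment and self-activation described in the list above correspond to a handful of Microsoft Graph calls. The following PowerShell is an added example, not code from the original post or from Microsoft; it uses the Microsoft.Graph PowerShell SDK (Invoke-MgGraphRequest against the v1.0 endpoint) to set the activation rules for Global Administrator, grant a 12-month eligible assignment, and show the self-activation request an administrator submits. The role template ID is the well-known Global Administrator constant; the principal and approver object IDs, the justifications and the ticket number are placeholders you would replace with your tenant's values.

```powershell
# Added example (not from the original post): configure JIT activation for Global
# Administrator, make a user eligible for 12 months, and activate the role on demand.
# Placeholders: $principalId, the approver userId, justifications and ticket number.

Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "RoleManagementPolicy.ReadWrite.Directory"
$base = "https://graph.microsoft.com/v1.0"

# Well-known Global Administrator role template ID (identical in every tenant).
$globalAdminRoleId = "62e90394-69f5-4237-9190-012177145e10"
$principalId       = "00000000-0000-0000-0000-000000000000"   # placeholder: admin's user object ID
$approverId        = "11111111-1111-1111-1111-111111111111"   # placeholder: approver's user object ID

# 1. Find the PIM policy that governs Global Administrator at tenant ('/') scope.
$policyAssignment = (Invoke-MgGraphRequest -Method GET -Uri ("$base/policies/roleManagementPolicyAssignments" +
    "?`$filter=scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$globalAdminRoleId'")).value[0]
$policyId = $policyAssignment.policyId

# 2. Rules keyed by their fixed rule IDs. End-user activation: max 2 hours, MFA + justification
#    + ticket, single-stage approval. Admin eligibility: must expire within 12 months.
$rules = @{
    "Expiration_EndUser_Assignment" = @{
        "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"
        id = "Expiration_EndUser_Assignment"; isExpirationRequired = $true; maximumDuration = "PT2H"
    }
    "Enablement_EndUser_Assignment" = @{
        "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule"
        id = "Enablement_EndUser_Assignment"
        enabledRules = @("MultiFactorAuthentication", "Justification", "Ticketing")
    }
    "Approval_EndUser_Assignment" = @{
        "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule"
        id = "Approval_EndUser_Assignment"
        setting = @{
            isApprovalRequired = $true; approvalMode = "SingleStage"
            approvalStages = @(@{
                approvalStageTimeOutInDays = 1; isApproverJustificationRequired = $true
                primaryApprovers = @(@{ "@odata.type" = "#microsoft.graph.singleUser"; userId = $approverId })
            })
        }
    }
    "Expiration_Admin_Eligibility" = @{
        "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"
        id = "Expiration_Admin_Eligibility"; isExpirationRequired = $true; maximumDuration = "P365D"
    }
}
foreach ($ruleId in $rules.Keys) {
    Invoke-MgGraphRequest -Method PATCH -Uri "$base/policies/roleManagementPolicies/$policyId/rules/$ruleId" `
        -ContentType "application/json" -Body ($rules[$ruleId] | ConvertTo-Json -Depth 10)
}

# 3. Make the user eligible (not active) for Global Administrator, expiring after 12 months.
$eligibility = @{
    action = "adminAssign"; justification = "Tier-0 administrator; revalidate annually"
    roleDefinitionId = $globalAdminRoleId; directoryScopeId = "/"; principalId = $principalId
    scheduleInfo = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString("o")
        expiration    = @{ type = "afterDuration"; duration = "P365D" }
    }
}
Invoke-MgGraphRequest -Method POST -Uri "$base/roleManagement/directory/roleEligibilityScheduleRequests" `
    -ContentType "application/json" -Body ($eligibility | ConvertTo-Json -Depth 10)

# 4. What the eligible admin runs from their own session to activate just-in-time for one hour.
#    The policy above makes Graph reject this unless MFA was satisfied and the ticket is supplied.
$activation = @{
    action = "selfActivate"; justification = "CR-1234: tenant-wide Conditional Access change"
    roleDefinitionId = $globalAdminRoleId; directoryScopeId = "/"; principalId = $principalId
    scheduleInfo = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString("o")
        expiration    = @{ type = "afterDuration"; duration = "PT1H" }
    }
    ticketInfo = @{ ticketNumber = "CR-1234"; ticketSystem = "ServiceNow" }   # placeholder ticket
}
Invoke-MgGraphRequest -Method POST -Uri "$base/roleManagement/directory/roleAssignmentScheduleRequests" `
    -ContentType "application/json" -Body ($activation | ConvertTo-Json -Depth 10)
```

Run sections 1 to 3 as a Privileged Role Administrator; section 4 is what the eligible user runs. Because activation is itself a write to roleAssignmentScheduleRequests, every activation, approval and expiry is recorded in the PIM audit history without any further configuration, and the one-hour duration requested in section 4 is capped by the two-hour maximum in the policy.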

Essential Eight maturity level 2 has more stringent requirements for demonstrating your organisation's ability to secure its systems and data. Entra ID PIM plays a central role in restricting administrative privileges and helps you address these controls in an Essential Eight maturity level 2 assessment:

  1. Requests for privileged access to systems and applications are validated when first requested.
  2. Privileged user accounts are prevented from accessing the internet, email, and web services.
  3. Use of privileged access is logged.
  4. Changes to privileged accounts and groups are logged.
  5. Privileged access to systems and applications is automatically disabled after 45 days of inactivity.
  6. Privileged access to systems and applications is automatically disabled after 12 months unless revalidated.

PIM directly supports controls 1, 3, 4 and 6 through its approval and activation policies, audit history and time-bound assignments. Two of the controls need more than PIM alone: control 2 is met with Conditional Access policies and separate administrative workstations or browser profiles for privileged accounts, and control 5 needs an access review or a scheduled inactivity report, because PIM does not remove eligibility on its own when a role has not been activated.
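For an assessment you need evidence rather than configuration screenshots. The following PowerShell is an added example, not code from the original post or from Microsoft; it uses the Microsoft.Graph PowerShell SDK to gather that evidence for the controls listed above: standing (permanent, active) Tier-0 assignments that bypass JIT, eligible assignments with no expiry (control 6), PIM activity from the audit log (controls 3 and 4), and eligible principals with no activation in the retained window (the inactivity check behind control 5). The role template IDs are well-known Entra ID constants; everything else is read from the tenant you connect to.

```powershell
# Added example (not from the original post): evidence checks for the Essential Eight
# "restrict administrative privileges" controls, read from Microsoft Graph v1.0.

Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "AuditLog.Read.All"
$base = "https://graph.microsoft.com/v1.0"

# Follow @odata.nextLink so large tenants are fully enumerated.
function Get-GraphCollection([string]$Uri) {
    $items = @()
    while ($Uri) {
        $page  = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $items += $page.value
        $Uri   = $page.'@odata.nextLink'
    }
    return $items
}

# Tier-0 directory roles to audit (well-known role template IDs).
$tier0 = @{
    "62e90394-69f5-4237-9190-012177145e10" = "Global Administrator"
    "e8611ab8-c189-46e8-94e1-60213ab1f814" = "Privileged Role Administrator"
    "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3" = "Application Administrator"
    "194ae4cb-b126-40b2-bd5b-6091b380977d" = "Security Administrator"
}

# Check 1: standing assignments. assignmentType 'Assigned' with no endDateTime is a permanent,
# always-on role that never passes through JIT activation; an assessor will ask about each one.
$active   = Get-GraphCollection "$base/roleManagement/directory/roleAssignmentScheduleInstances"
$standing = $active | Where-Object {
    $tier0.ContainsKey($_.roleDefinitionId) -and $_.assignmentType -eq "Assigned" -and -not $_.endDateTime
}
foreach ($a in $standing) {
    "STANDING: {0} -> principal {1} (memberType {2})" -f $tier0[$a.roleDefinitionId], $a.principalId, $a.memberType
}

# Check 2: eligible assignments with no expiry fail the 12-month revalidation control.
$eligible = Get-GraphCollection "$base/roleManagement/directory/roleEligibilityScheduleInstances"
$eligible | Where-Object { $tier0.ContainsKey($_.roleDefinitionId) -and -not $_.endDateTime } | ForEach-Object {
    "ELIGIBLE-NO-EXPIRY: {0} -> principal {1}" -f $tier0[$_.roleDefinitionId], $_.principalId
}

# Check 3: PIM events from the Entra ID audit log (evidence that privileged use and role changes
# are logged). Graph serves the default 30-day retention; for the 45-day inactivity control, run
# the same logic over logs exported to Log Analytics with diagnostic settings.
$since     = (Get-Date).ToUniversalTime().AddDays(-30).ToString("yyyy-MM-ddTHH:mm:ssZ")
$pimEvents = Get-GraphCollection ("$base/auditLogs/directoryAudits" +
    "?`$filter=loggedByService eq 'PIM' and activityDateTime ge $since")
$lastActivation = @{}
foreach ($e in ($pimEvents | Where-Object { $_.activityDisplayName -like "*PIM activation*" -and $_.result -eq "success" })) {
    $uid = $e.initiatedBy.user.id
    if ($uid -and (-not $lastActivation.ContainsKey($uid) -or $e.activityDateTime -gt $lastActivation[$uid])) {
        $lastActivation[$uid] = $e.activityDateTime
    }
}
"PIM audit events in window: {0}; distinct users who activated a role: {1}" -f $pimEvents.Count, $lastActivation.Count

# Check 4: eligible Tier-0 principals with no activation in the window are candidates for removal.
# PIM does not revoke eligibility on inactivity by itself; this report or an access review does.
$eligible | Where-Object { $tier0.ContainsKey($_.roleDefinitionId) } | ForEach-Object {
    if (-not $lastActivation.ContainsKey($_.principalId)) {
        "INACTIVE-ELIGIBLE: {0} -> principal {1} (no activation since $since)" -f $tier0[$_.roleDefinitionId], $_.principalId
    }
}
```

Check 1 is the one to run first: a single permanent Global Administrator assignment undermines every JIT control that follows, and it is common to find break-glass accounts listed there (which is acceptable only if they are documented and excluded from normal use). Group-derived assignments appear with memberType 'Group'; resolve the group membership separately before reporting who actually holds the role.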

Learn more about protecting your business data and keeping administrators productive by leveraging Entra ID PIM. For more information about Microsoft Azure and security, please don't hesitate to contact us.
