Use PIM to stop giving people permanent Purview admin access
Most Purview deployments hand out admin roles and never take them back. PIM gives you just-in-time access with approval, MFA, and time limits. Here is how to set it up for both Entra roles and Purview role groups.
The problem with standing access
Most organisations assign Purview admin roles during setup and never revisit them. The person who configured DLP six months ago still has Information Protection Admin. The consultant who ran an eDiscovery case still has eDiscovery Manager. Your Compliance Administrator has 43 individual roles they use maybe once a month.
Standing access is the opposite of least privilege. Every account with permanent admin rights is an account that can be compromised and used to disable policies, exfiltrate data, or cover tracks. It does not matter how good your MFA is if the attacker already has a session token for an account with full Purview access.
Privileged Identity Management (PIM) in Microsoft Entra ID fixes this. Instead of permanent role assignments, users get eligible assignments. They activate the role when they need it, provide a justification, and the access expires automatically after a set duration.
Two approaches - and when to use each
Purview roles come in two flavours, and PIM handles them differently.
Entra ID roles like Compliance Administrator, Security Administrator, and Global Reader are managed directly in Entra ID. You can make these eligible in PIM out of the box. When a user activates the role, they get all the Purview permissions that come with it.
Purview-native role groups like Information Protection Admins, eDiscovery Manager, and Insider Risk Management Analysts are managed in the Purview compliance portal. PIM cannot manage these directly. Instead, you use PIM groups - create a role-assignable security group, add that group as a member of the Purview role group, then use PIM to manage just-in-time membership of the group.
Use direct PIM for Entra roles when someone needs broad compliance or security access (Compliance Administrator, Security Admin). These are the roles that cover multiple Purview features.
Use PIM groups for Purview role groups when someone needs access to a specific Purview feature (eDiscovery Manager, Information Protection Investigators, Insider Risk Management Analysts). This gives you more granular control.
Setting up PIM for Entra roles
This is the simpler approach. You need Entra ID P2 or Entra ID Governance licences for every user who will be eligible for a role.
Step 1 - Configure role settings. In the Entra admin centre, go to Identity Governance > Privileged Identity Management > Microsoft Entra roles > Settings. Find the role (e.g. Compliance Administrator) and configure:
- Activation maximum duration - how long the role stays active once activated. Start with 8 hours for day-to-day work, 1 hour for sensitive roles.
- Require MFA on activation - yes, always.
- Require justification - yes. Forces users to explain why they need the role. Creates an audit trail.
- Require approval - depends on the role. For Compliance Administrator (43 roles), require approval. For Security Reader (read-only), justification alone is fine.
Step 2 - Create eligible assignments. In PIM, go to Microsoft Entra roles > Roles, find the role, click Add assignments. Select the user, set the assignment type to Eligible, and optionally set an end date for contractors or temporary staff.
Step 3 - Users activate when needed. Users go to My roles in PIM, find the eligible role, click Activate, provide a justification, complete MFA, and wait for approval if required. The role activates and expires automatically.
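Steps 1 to 3 above, done with the Microsoft Graph PowerShell SDK instead of the Entra admin centre. This is an added example, not code from the original article or from Microsoft. It assumes the Microsoft.Graph modules are installed, the caller is a Privileged Role Administrator, and the two UPNs are placeholders for a real admin and a real approver. The rule ids `Expiration_EndUser_Assignment`, `Enablement_EndUser_Assignment` and `Approval_EndUser_Assignment` are the standard ids PIM uses for the end-user activation rules of a role management policy.

```powershell
# Added example (not from the original article): PIM for an Entra role via Microsoft Graph.
# Assumptions: Microsoft.Graph modules installed; caller is Privileged Role Administrator;
# the UPNs below are placeholders.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "User.Read.All"

$roleName    = "Compliance Administrator"
$userUpn     = "alice@contoso.example"   # placeholder: admin who gets eligible access
$approverUpn = "ciso@contoso.example"    # placeholder: who approves activations

# Resolve the built-in role and the principals by name so no GUIDs are hard-coded.
$role     = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
$user     = Get-MgUser -UserId $userUpn
$approver = Get-MgUser -UserId $approverUpn

# Step 1 - role settings. Each PIM-managed role has a role management policy; find it
# through its assignment to the role, then update the individual rules by their fixed ids.
$policyFilter = "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$($role.Id)'"
$policyId = (Get-MgPolicyRoleManagementPolicyAssignment -Filter $policyFilter).PolicyId

# Activation maximum duration: 8 hours for day-to-day work (use PT1H for the most sensitive roles).
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId "Expiration_EndUser_Assignment" -BodyParameter @{
        "@odata.type"        = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"
        isExpirationRequired = $true
        maximumDuration      = "PT8H"
    }

# Require MFA and a written justification on every activation.
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId "Enablement_EndUser_Assignment" -BodyParameter @{
        "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule"
        enabledRules  = @("MultiFactorAuthentication", "Justification")
    }

# Require approval: one stage, one named approver, who must also justify the decision.
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId "Approval_EndUser_Assignment" -BodyParameter @{
        "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule"
        setting = @{
            isApprovalRequired               = $true
            isApprovalRequiredForExtension   = $false
            isRequestorJustificationRequired = $true
            approvalMode                     = "SingleStage"
            approvalStages = @(@{
                approvalStageTimeOutInDays      = 1
                isApproverJustificationRequired = $true
                escalationTimeInMinutes         = 0
                isEscalationEnabled             = $false
                primaryApprovers   = @(@{ "@odata.type" = "#microsoft.graph.singleUser"; userId = $approver.Id })
                escalationApprovers = @()
            })
        }
    }

# Step 2 - eligible assignment. This expiry is for the eligibility itself (a year, then
# re-certify), not for activations, which Step 1 already caps at 8 hours.
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter @{
    action           = "adminAssign"
    justification    = "Replace standing Compliance Administrator access with JIT eligibility"
    roleDefinitionId = $role.Id
    directoryScopeId = "/"
    principalId      = $user.Id
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = "afterDuration"; duration = "P365D" }
    }
}

# Remove the standing (permanent, active) assignment now that the eligible one exists;
# leaving it in place would make the eligibility pointless.
Get-MgRoleManagementDirectoryRoleAssignment `
    -Filter "roleDefinitionId eq '$($role.Id)' and principalId eq '$($user.Id)'" |
    ForEach-Object { Remove-MgRoleManagementDirectoryRoleAssignment -UnifiedRoleAssignmentId $_.Id }

# Step 3 - run as the user when they need the role. MFA is enforced by the policy at this
# point, and the request waits for the approver before the assignment becomes active.
New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter @{
    action           = "selfActivate"
    justification    = "Reviewing DLP policy match for ticket INC-0000 (placeholder)"
    roleDefinitionId = $role.Id
    directoryScopeId = "/"
    principalId      = $user.Id
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = "afterDuration"; duration = "PT4H" }   # must not exceed PT8H
    }
}
```

The activation request asks for 4 hours; anything above the policy's `PT8H` maximum is rejected, so the cap set in Step 1 is enforced regardless of what the user types.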
The key roles to put in PIM:
- Compliance Administrator - always. 43 roles is too many to leave standing.
- Compliance Data Administrator - always. 24 roles across DLP, records, and compliance.
- Security Administrator - always. 17 roles across security and compliance.
- Global Reader - optional. Read-only, but still gives broad visibility.
Setting up PIM groups for Purview role groups
This is the approach for Purview-native role groups that PIM cannot manage directly.
Step 1 - Create a role-assignable security group. In Entra ID, create a new security group. Check the Microsoft Entra roles can be assigned to the group option. Name it clearly, like "PIM - eDiscovery Manager" or "PIM - Information Protection Admins".
Step 2 - Assign the Purview role group to the security group. In the Purview compliance portal, go to Permissions and add your security group as a member of the relevant Purview role group (e.g. eDiscovery Manager, Information Protection Admins).
Step 3 - Bring the group into PIM. In Entra admin centre, go to Identity Governance > Privileged Identity Management > Groups. Click Discover groups, select your security group, and click Manage groups. This is permanent and irreversible - the group cannot be removed from PIM once onboarded.
Step 4 - Configure group settings. Set activation duration, MFA requirement, justification, and approval workflows. Same principles as direct role assignments.
Step 5 - Create eligible memberships. In the PIM group, go to Assignments > Add assignments. Choose Member as the role, select the users, and set them as Eligible.
How it works in practice: A user needs to run an eDiscovery search. They go to PIM, activate their membership in the "PIM - eDiscovery Manager" group. PIM adds them to the group, which gives them the eDiscovery Manager role in Purview. When the activation expires, PIM removes them from the group and the Purview access is revoked.
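The same five steps in PowerShell, as an added example that is not part of the original article or Microsoft's own material. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed, the caller is a Privileged Role Administrator with rights to manage Purview role groups, and that Step 3 (onboarding the group in the PIM portal, which is irreversible) has already been done for the new group before the eligibility request is created. The group name and UPN are placeholders.

```powershell
# Added example (not from the original article): a PIM group that grants Purview eDiscovery Manager.
# Assumptions: Microsoft.Graph + ExchangeOnlineManagement installed; caller is Privileged Role
# Administrator and can edit Purview role groups; group onboarded to PIM in the portal (Step 3).
Connect-MgGraph -Scopes "Group.ReadWrite.All", "RoleManagement.ReadWrite.Directory", "User.Read.All",
    "RoleManagementPolicy.ReadWrite.AzureADGroup", "PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup"

# Step 1 - role-assignable security group. IsAssignableToRole can only be set at creation,
# so a plain group cannot be upgraded later; create it correctly the first time.
$group = New-MgGroup -DisplayName "PIM - eDiscovery Manager" `
    -MailEnabled:$false -MailNickname "pim-ediscovery-manager" `
    -SecurityEnabled -IsAssignableToRole `
    -Description "JIT membership via PIM; membership grants Purview eDiscovery Manager"

# Step 2 - nest the group in the Purview role group (Security & Compliance PowerShell).
# The group's object id is used rather than its display name to avoid ambiguity.
Connect-IPPSSession
Add-RoleGroupMember -Identity "eDiscovery Manager" -Member $group.Id

# Step 3 - onboard the group in the PIM portal (Discover groups > Manage groups). Assumed done.

# Step 4 - group settings. PIM for Groups policies are scoped to the group and the "member"
# (or "owner") role; the rule ids are the same ones used for Entra roles.
$policyFilter = "scopeId eq '$($group.Id)' and scopeType eq 'Group' and roleDefinitionId eq 'member'"
$policyId = (Get-MgPolicyRoleManagementPolicyAssignment -Filter $policyFilter).PolicyId

# Case data is sensitive: 1 hour activations, MFA plus justification on every activation.
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId "Expiration_EndUser_Assignment" -BodyParameter @{
        "@odata.type"        = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"
        isExpirationRequired = $true
        maximumDuration      = "PT1H"
    }
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId "Enablement_EndUser_Assignment" -BodyParameter @{
        "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule"
        enabledRules  = @("MultiFactorAuthentication", "Justification")
    }

# Step 5 - eligible membership for one investigator (placeholder UPN), reviewed every 180 days.
$user = Get-MgUser -UserId "alice@contoso.example"
New-MgIdentityGovernancePrivilegedAccessGroupEligibilityScheduleRequest -BodyParameter @{
    accessId      = "member"
    principalId   = $user.Id
    groupId       = $group.Id
    action        = "adminAssign"
    justification = "JIT eDiscovery Manager via PIM group; no standing role group membership"
    scheduleInfo  = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = "afterDuration"; duration = "P180D" }
    }
}

# Sanity check: the only member of the role group should be the PIM group, never a user.
Get-RoleGroupMember -Identity "eDiscovery Manager" | Select-Object Name, RecipientType
```

The final check is the one worth automating: if a user ever appears directly in the Purview role group rather than via the PIM group, that is standing access that bypasses activation, MFA and approval.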
Purview role groups that benefit most from PIM groups:
- eDiscovery Manager - access to case data and search results
- Insider Risk Management Investigators - access to data explorer and case details
- Information Protection Admins - ability to create and modify DLP policies and labels
- Communication Compliance Investigators - access to full message content
- Records Management - ability to modify retention policies
What to watch out for
Every eligible user needs a P2 licence. Not just the admins configuring PIM - every user who has an eligible assignment must have Entra ID P2 or Entra ID Governance. Budget for this.
Onboarding a group to PIM is irreversible. Once you bring a security group into PIM management, you cannot undo it. This is by design to prevent someone stripping PIM protections. Test with a non-production group first.
Other admins can override PIM group changes. Exchange Administrators and other roles with group management permissions can modify group membership through the regular Groups API, bypassing PIM. For role-assignable groups this is more restricted, but be aware of the gap.
Require approval for role-assignable groups. Microsoft explicitly recommends this. Without approval, an attacker who compromises a password-reset admin could reset a user's password and activate their eligible group membership to gain elevated access.
The 5-minute minimum. PIM assignments cannot be created or removed in less than 5 minutes. This is a platform limitation, not a configuration option.
Emergency access. Always maintain at least one permanent active Global Administrator assignment on a break-glass account. If PIM has an outage, you need a way back in. Do not put your emergency access accounts into PIM.
Plan activation time into workflows. If someone needs to respond to a DLP incident urgently, they need to activate their role first. With approval workflows, this can take minutes. Make sure your incident response process accounts for this. Consider shorter approval chains or pre-approved activations for time-sensitive roles.
The rollout order
Do not try to PIM everything on day one.
Week 1 - Audit current assignments. List every user with a Purview-related Entra role or Purview role group membership. For each one, ask: do they need this access every day, or just when they are actively working on something?
Week 2 - Start with Entra roles. Move Compliance Administrator, Security Administrator, and Compliance Data Administrator to eligible assignments in PIM. These are the highest-impact roles and the easiest to configure.
Week 3 - Create PIM groups for high-value Purview roles. Start with eDiscovery Manager and Insider Risk Management Investigators - these have access to sensitive case data and should not be standing.
Week 4+ - Expand to remaining roles. Work through Information Protection Admins, Communication Compliance, Records Management, and others based on your risk assessment.
For each role, monitor the activation logs in PIM for the first few weeks. If someone is activating the same role every day, they might need a longer activation window or a different approach. If someone has an eligible assignment and never activates, they probably do not need the role at all.
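The Week 1 audit and the activation monitoring described above, combined into one report as an added example (not code from the original article). It assumes the Microsoft.Graph modules are installed and the caller can read role management data and the directory audit log. The activity name `Add member to role completed (PIM activation)` is the one PIM writes to the Entra audit log on a successful activation; the thresholds for "activates most days" and "never activates" are this example's own choices.

```powershell
# Added example (not from the original article): standing vs eligible assignments for the
# high-impact roles, with a 30-day PIM activation count per eligible user.
# Assumptions: Microsoft.Graph modules installed; caller can read role management and audit logs.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "AuditLog.Read.All", "Directory.Read.All"

function Get-PurviewRoleAccessReport {
    param(
        [string[]] $RoleNames = @("Compliance Administrator", "Compliance Data Administrator", "Security Administrator"),
        [int] $Days = 30,
        [int] $DailyThreshold = 20   # activations in the window that suggest "every working day"
    )
    $since = (Get-Date).AddDays(-$Days).ToUniversalTime().ToString("o")

    # One pass over the audit log: every successful PIM activation in the window, then
    # counted per (role, user) so the loop below can look them up.
    $auditFilter = "category eq 'RoleManagement' and " +
        "activityDisplayName eq 'Add member to role completed (PIM activation)' and " +
        "activityDateTime ge $since"
    $counts = @{}
    foreach ($entry in Get-MgAuditLogDirectoryAudit -All -Filter $auditFilter) {
        $upn = $entry.InitiatedBy.User.UserPrincipalName
        foreach ($target in $entry.TargetResources) {
            if ($upn -and $target.Type -eq "Role") {
                $key = "$($target.DisplayName)|$upn"
                $counts[$key] = 1 + [int]$counts[$key]
            }
        }
    }

    foreach ($name in $RoleNames) {
        $role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$name'"
        $byRole = "roleDefinitionId eq '$($role.Id)'"

        # Standing access: an active assignment that was assigned (not activated) and never expires.
        $standing = Get-MgRoleManagementDirectoryRoleAssignmentSchedule -Filter $byRole -ExpandProperty principal |
            Where-Object { $_.AssignmentType -eq "Assigned" -and $_.ScheduleInfo.Expiration.Type -eq "noExpiration" }
        foreach ($s in $standing) {
            [pscustomobject]@{
                Role = $name; Principal = Get-PrincipalName $s.Principal; Access = "Standing"
                Activations = $null; Note = "Permanent assignment - convert to eligible"
            }
        }

        # Eligible access: count activations; zero means the role may not be needed, daily means
        # the activation window (or the approach) may be wrong for this person.
        $eligible = Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter $byRole -ExpandProperty principal
        foreach ($e in $eligible) {
            $who = Get-PrincipalName $e.Principal
            $n = [int]$counts["$name|$who"]
            $note = if ($n -eq 0) { "Never activated in $Days days - review whether still needed" }
                    elseif ($n -ge $DailyThreshold) { "Activates most days - consider a longer window" }
                    else { "" }
            [pscustomobject]@{ Role = $name; Principal = $who; Access = "Eligible"; Activations = $n; Note = $note }
        }
    }
}

# The expanded principal is a generic directory object; users carry a UPN, groups only a display name.
function Get-PrincipalName($principal) {
    $upn = $principal.AdditionalProperties['userPrincipalName']
    if ($upn) { return $upn }
    return $principal.AdditionalProperties['displayName']
}

Get-PurviewRoleAccessReport | Sort-Object Role, Access | Format-Table -AutoSize
```

Eligible principals that are groups show by display name and an activation count of zero, because activations are logged against the activating user; treat those rows as "check the group's own PIM activations" rather than as unused eligibility.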