Microsoft Entra Privileged Identity Management (PIM) is one of the most important security features available for controlling administrative access in Microsoft 365.
Instead of assigning permanent admin roles to users, PIM allows you to make role assignments eligible, meaning users can activate the role only when required — and only for a limited duration.
In this article, we will explore what PIM eligible admin roles are, why they matter, and how to assign them using both the Entra Admin Center and Microsoft Graph PowerShell.
In Microsoft Entra ID, administrative roles such as:
provide powerful access across your tenant.
With Privileged Identity Management (PIM), you can assign these roles in two ways:
A PIM Eligible Admin Role: means
In simple terms:
Eligible roles reduce permanent privilege and enforce “just-in-time” administration.
Assigning admin roles permanently increases security risks. PIM eligible roles solve this problem by introducing control and accountability.
Here are the key benefits:
Permanent Global Admin access is one of the biggest attack targets. Eligible assignments ensure admin privileges are available only when required.
Users activate the role only for a specific duration, such as:
This limits exposure.
PIM supports:
Eligible role assignments help organizations meet compliance standards like:
Every activation request and role usage is logged, making investigations easier.
You can assign PIM eligible roles in two main ways:
Follow these simple steps to assign an eligible admin role through the portal.
Step 1: Open Microsoft Entra Admin Center
Go to:
Sign in with an account that has Privileged Role Administrator or Global Admin permissions.
Step 2: Navigate to Privileged Identity Management
In the left-hand menu:
Step 3: Select Entra ID Role
This shows all available administrative roles.
Step 4: Choose the Role to Assign
Click on the role you want to assign, for example:
Step 5: Add an Eligible Assignment
Inside the role page:
Step 6: Select the User
Click Select members
Step 7: Configure Assignment Settings
You can configure:
Step 8: Click Assign
The user is now eligible, not permanently active.
They can activate the role later by opening the Entra Admin Center and selecting:
If you want to automate role eligibility assignments, Microsoft Graph PowerShell is the best option.
Below is a brief script example for creating a PIM eligible assignment request.
Create PIM Eligible Assignment (Script)
# ==============================
# CREATE PIM ELIGIBLE ASSIGNMENT
# ==============================
# Requires the Microsoft.Graph PowerShell SDK and an account with
# Privileged Role Administrator (or Global Administrator) rights.
Connect-MgGraph -Scopes "RoleEligibilitySchedule.ReadWrite.Directory","User.Read.All"

# Target user: replace the placeholder UPN with the account to make eligible
$user = Get-MgUser -UserId "user@contoso.com"

# Resolve the Global Administrator role definition ID by display name
$GlobalAdminRoleId = (Get-MgRoleManagementDirectoryRoleDefinition `
    -Filter "displayName eq 'Global Administrator'").Id

$Justification = "Eligible assignment created via Graph PowerShell"
$Duration = "P1Y"   # ISO 8601 duration: eligibility expires after one year

$params = @{
    PrincipalId = $user.Id
    RoleDefinitionId = $GlobalAdminRoleId
    DirectoryScopeId = "/"           # tenant-wide scope
    Action = "AdminAssign"           # admin-initiated eligible assignment
    Justification = $Justification
    ScheduleInfo = @{
        StartDateTime = (Get-Date).ToUniversalTime()
        Expiration = @{
            Type = "AfterDuration"
            Duration = $Duration
        }
    }
}
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $params
This script assigns the selected user as eligible for the specified admin role.
For the complete step-by-step PowerShell script (including role ID retrieval, user selection, and error handling), refer to the full guide here:
👉 Assign PIM Eligible Global Admin Using Graph PowerShell
https://m365corner.com/m365-powershell/assign-pim-eligible-global-admin-using-graph-powershell.html
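Before converting assignments, you need to know who still holds the role permanently. The following script is an added example and is not part of the article or the linked guide: it lists standing (directly assigned, no end date) holders of a role and flags whether each principal already has an eligible assignment. It assumes the Microsoft.Graph SDK is installed and the role name in $roleName is the one you want to audit.

```powershell
# Added example: report standing (permanent, active) assignments for a role so
# they can be replaced with PIM eligible assignments. Not the article's code.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","Directory.Read.All" -NoWelcome

$roleName = "Global Administrator"   # assumption: change to audit another role
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"

# Active instances: AssignmentType "Assigned" is a direct assignment (permanent or
# time-bound); "Activated" is a just-in-time activation of an eligible role.
$active = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance `
    -Filter "roleDefinitionId eq '$($role.Id)'" -All
$eligible = Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance `
    -Filter "roleDefinitionId eq '$($role.Id)'" -All
$eligibleIds = @($eligible.PrincipalId)

# Standing privilege = direct assignment with no end date (not a JIT activation)
$standing = $active | Where-Object {
    $_.AssignmentType -eq "Assigned" -and -not $_.EndDateTime
}

$report = foreach ($inst in $standing) {
    # Resolve the principal (user, group or service principal) to a display name
    $principal = Get-MgDirectoryObjectById -Ids $inst.PrincipalId
    [pscustomobject]@{
        Principal    = $principal.AdditionalProperties['displayName']
        PrincipalId  = $inst.PrincipalId
        Type         = $principal.AdditionalProperties['@odata.type'] -replace '#microsoft.graph.', ''
        AlsoEligible = $eligibleIds -contains $inst.PrincipalId
        Since        = $inst.StartDateTime
    }
}

if ($report) {
    Write-Host "Standing '$roleName' assignments (candidates for conversion to eligible):"
    $report | Format-Table -AutoSize
} else {
    Write-Host "No standing '$roleName' assignments found."
}
```

Principals listed with AlsoEligible = True already have an eligible assignment, so their permanent assignment can usually be removed outright; the others need an eligible assignment created first.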
Entra ID PIM Eligible Admin Roles are one of the best security controls you can implement in Microsoft 365.
Instead of granting permanent admin access, PIM ensures:
Whether you assign roles through the Entra Admin Center or automate them using Graph PowerShell, eligible role assignments are a must-have for every secure tenant.