Unit 4: Exercise – Configure Privileged Identity Management for Microsoft Entra roles

In this exercise, you configure Privileged Identity Management (PIM) settings for a Microsoft Entra directory role. Specifically, you review and modify the Compliance Administrator role to require approval before activation.

This exercise demonstrates how organizations can add oversight and control to privileged role activation.

Objective of this exercise

By completing this exercise, you will learn how to:

• Access Microsoft Entra role settings in PIM.
• Review role-specific PIM configuration.
• Require approval for role activation.
• Assign approvers for privileged role activation.

Prerequisites

Before starting, ensure:

• You are signed in as a tenant administrator.
• Microsoft Entra ID Premium P2 is enabled.
• Privileged Identity Management is available in your tenant.

Step 1: Open Privileged Identity Management

• Sign in to the Microsoft Entra admin center.
• In the search bar, search for Privileged Identity Management.
• Select Microsoft Entra Privileged Identity Management from the results.

Step 2: Navigate to Microsoft Entra roles

• In the Privileged Identity Management blade, look at the left navigation.
• Select Microsoft Entra roles.

This section is used to manage directory roles, such as Global Administrator, Compliance Administrator, Security Administrator, and others.

Step 3: Open role settings

• On the Quick start page, in the left navigation, select Settings.

The Settings page displays all Microsoft Entra roles that can be managed by PIM.

Step 4: Locate the Compliance Administrator role

• Review the list of available roles.
• In the Search by role name box, enter Compliance.
• From the filtered results, select Compliance Administrator.

Step 5: Review current role settings

• Review the Role setting details page.

This page shows:

• Whether approval is required.
• Whether MFA is required.
• Notification settings.
• Activation duration.
• Assignment type (eligible vs permanent).

At this stage, no changes are made.

Step 6: Edit role settings

• At the top of the Role setting details page, select Edit.

This opens the Edit role setting – Compliance Administrator screen.

Step 7: Require approval to activate the role

• In the Edit role settings screen, locate Require approval to activate.
• Select the Require approval to activate check box.

Important behavior:

• If multiple approvers are configured, only one approver needs to approve or deny.
• You cannot require approval from multiple approvers simultaneously.

Step 8: Select approvers

• Select Select approvers.
• In the Select a member pane:
• Choose your administrator account (or another appropriate approver).
• Select Select to confirm.

Approvers are responsible for approving role activation requests.

Step 9: Save the configuration

• Review the updated role settings.
• Select Update to save your changes.

The Compliance Administrator role now requires approval before any eligible user can activate it.

Result of this exercise

After completing this exercise:

• The Compliance Administrator role is protected by:
• Approval-based activation.
• Users eligible for this role must:
• Request activation.
• Wait for an approver to approve the request.
• All activation attempts are:
• Logged.
• Auditable through PIM activity and audit logs.

Key takeaways

• PIM role settings are configured per role, not globally.
• Approval requirements add an extra layer of governance.
• One approver is sufficient; multi-approver enforcement is not supported.
• Role activation controls reduce the risk of privilege misuse.