The control plane of an organization, such as identity, management portals, and administrative tooling, is a common target for cyberattacks. A single privileged account can cause considerable damage across an org. The Stryker incident in March 2026 is a prominent recent example: a single compromised administrator account was used to execute Intune wipe actions on a massive scale, factory resetting 80,000 devices in 79 countries and causing widespread disruption that took three weeks to recover from.
Privileged Identity Management (PIM) in Microsoft Entra ID is designed to reduce this kind of blast radius. Instead of granting administrators permanent, always‑on access, PIM provides time‑bound and approval‑based elevation into privileged roles. PIM assignments can also be backed by strong verification requirements and auditing. In other words, the role exists when you need it but is not active when you don’t.
Why PIM?
Most environments accidentally allow administrators to accumulate privileged access over time. Permissions granted during a break/fix situation are forgotten about, so a temporary elevation quietly becomes permanent. Environments also make the mistake of assigning high-impact roles broadly “just in case” they are ever needed. PIM helps mitigate these risks by providing just‑in‑time privileged access, enforcing activation controls (like MFA and approval), and producing an audit history of activations for investigation and compliance. That temporary elevation now becomes an audited action that generates alerts, so catching those accidents becomes easier.
This matters because attackers don’t need malware or other sophisticated techniques when simple phishing will work and let them operate as an admin.
How PIM could have reduced impact in incidents like Stryker
PIM isn’t a magic shield, but it can create just enough friction around obtaining privileged access to help ward off attacks:
- No permanent admin power: If administrators are made eligible for a role rather than permanently assigned, a stolen password alone doesn’t immediately grant privileged access. The attacker must still activate the role, and that activation can require MFA, justification, and/or approval from another admin. This added friction makes it more challenging to gain admin access.
- Shorter windows of opportunity: Activations are limited to a set number of hours. Even if an attacker gains elevated access, the session expires automatically, shrinking the time available for destructive actions. Each activation is also logged, which increases the chances that unauthorized activations are discovered. Activations at odd times, such as the middle of the night or on weekends, are potential indicators of compromise that can alert your SOC.
- Better detection and governance: PIM includes notification and auditing around privileged role activation and assignments, which improves your ability to spot unauthorized privilege use.
In Stryker’s scenario, the destructive action was executed using Intune. PIM alone would not have prevented the device wipes, but it could have reduced the chances of a compromised identity using Intune’s most powerful functions. In this way, PIM complements other governance controls like Intune Multi-Admin Approval for high‑impact actions.
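The odd-hours signal described above, as an added detection example that is not part of the original post: it runs over constructed audit records shaped like Entra audit log entries for a PIM activation and returns the Global Administrator activations that fall outside business hours or on a weekend. The activity name, field names and UPNs are assumptions, so map them to your own audit export (Get-MgAuditLogDirectoryAudit or your SIEM) before use.

```powershell
function Find-OffHoursActivation {
    param(
        [Parameter(Mandatory)] [object[]] $Records,
        [int] $StartHour = 7,                                   # business-hours window, local time
        [int] $EndHour   = 19,
        [System.TimeZoneInfo] $TimeZone = [System.TimeZoneInfo]::Local
    )
    foreach ($r in $Records) {
        # Keep only PIM activations of the role being protected (assumed activity name)
        if ($r.ActivityDisplayName -ne 'Add member to role completed (PIM activation)') { continue }
        if ($r.TargetRole -ne 'Global Administrator') { continue }
        $utc   = [DateTimeOffset]::Parse($r.ActivityDateTime).UtcDateTime
        $local = [System.TimeZoneInfo]::ConvertTimeFromUtc($utc, $TimeZone)
        $weekend  = $local.DayOfWeek -in 'Saturday', 'Sunday'
        $offHours = ($local.Hour -lt $StartHour) -or ($local.Hour -ge $EndHour)
        if (-not ($weekend -or $offHours)) { continue }
        $reason = if ($weekend) { 'weekend' } else { 'outside business hours' }
        [pscustomobject]@{
            User          = $r.InitiatedBy
            LocalTime     = $local
            Reason        = $reason
            Justification = $r.Justification
        }
    }
}

# Constructed sample records (not real tenant data); the UPNs are placeholders
$pim = 'Add member to role completed (PIM activation)'
$sample = @(
    [pscustomobject]@{ ActivityDateTime = '2026-03-10T14:05:00Z'; ActivityDisplayName = $pim
                       InitiatedBy = 'alice@contoso.example'; TargetRole = 'Global Administrator'
                       Justification = 'Conditional Access policy change' }
    [pscustomobject]@{ ActivityDateTime = '2026-03-10T03:12:00Z'; ActivityDisplayName = $pim
                       InitiatedBy = 'bob@contoso.example'; TargetRole = 'Global Administrator'
                       Justification = 'n/a' }
    [pscustomobject]@{ ActivityDateTime = '2026-03-14T10:00:00Z'; ActivityDisplayName = $pim
                       InitiatedBy = 'carol@contoso.example'; TargetRole = 'Global Administrator'
                       Justification = 'Weekend maintenance' }
    [pscustomobject]@{ ActivityDateTime = '2026-03-10T02:00:00Z'; ActivityDisplayName = 'Add member to role'
                       InitiatedBy = 'dave@contoso.example'; TargetRole = 'Global Administrator'
                       Justification = '' }
)

# Evaluate in UTC so the sample is deterministic; pass your admins' zone in production
Find-OffHoursActivation -Records $sample -TimeZone ([System.TimeZoneInfo]::Utc) | Format-Table
```

With the sample data this reports Bob (03:12, outside business hours) and Carol (Saturday); Alice is in-hours and Dave's record is a direct role add rather than a PIM activation, which is the "assigned outside of PIM" case to chase separately.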
Requirements
To use PIM, your tenant needs Entra ID P2 licenses. PIM is not included with Entra ID Free or P1. The accounts that use the PIM functionality need to have a P2 license assigned, meaning that if an account is assigned an eligible role via PIM, it should carry a P2 license.
You can get P2 licenses by:
- Getting it bundled as part of Microsoft 365 E5/A5 licenses
- Purchasing the Enterprise Mobility + Security (EMS) E5/A5 add-on
- Purchasing Entra ID P2 licenses directly
To configure PIM, your account will either need to be a Global Administrator or have the Privileged Role Administrator role.
Where PIM applies: Entra roles, Azure roles, and Groups
A common misconception is that PIM is just for Global Admin. In reality, Microsoft’s guidance would have you use PIM across three major areas:
- Microsoft Entra directory roles: built-in and custom roles used across Entra ID and M365 services
- Azure roles (RBAC): management groups, subscriptions, resource groups, and resources within Azure
- PIM for Groups: enables just‑in‑time membership and/or ownership for security groups, which is useful when downstream admin access is group-based (for example, Intune RBAC groups and privileged access groups). This can also be used to bundle roles, such as creating a “M365 admin” role that combines the Exchange, SharePoint, and Teams Administrator roles.
For the rest of this blog, we’ll focus on the most common starting point: Global Administrator.
PIM for Global Administrators
Any rollout should begin with global administrators, then expand outward. This lets you immediately protect the most critical role.
Step 1: Identify and move standing Global Admins to “Eligible”
You should start by reviewing who is permanently assigned Global Administrator and convert those assignments from permanent to eligible so that privileges are only active when needed. Continue to maintain a single “break-glass” global admin account that does not use PIM. This account should be heavily monitored for use to make sure it is not abused; it is your back door should something ever go wrong with PIM.
Step 2: Configure activation controls
In the Entra admin center under Identity Governance → Privileged Identity Management → Microsoft Entra roles, you can open a role and edit Role settings to define how activation works.
These are some common settings that you can configure per role:
- Activation maximum duration: sets the maximum amount of time an assignment can stay active. This can usually be set to a typical workday (8 or 9 hours).
- Require multifactor authentication on activation: ensures elevation requires stronger attestation of identity to use the privileged role.
- Notifications: configure who gets notified when privileged roles are activated or assigned.
The following configurations are a good starting place for the global admin role in particular. You will want tighter controls for global admin, so these would not necessarily be advised for lesser-privileged roles.
- Shorter activation duration: set the maximum to 4 or 5 hours. This nudges your admins not to over-use the global admin role, since they will have to activate it twice a day.
- Approval to activate: additional approval is needed to activate the role. You should only use this if you have strong practices in place to handle the approval and a disciplined assignment of roles. This should only be used if you have clearly defined what global admin should be used for and it is no longer necessary to activate global admin to do regular job functions.
Step 3: Operationalize monitoring
Design, govern, and operate PIM like a security tool. PIM provides audit history and can surface situations where roles are assigned outside of PIM, which is a valuable “governance drift” signal to investigate.
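Step 1 as a script, with the standing-versus-eligible count that Step 3 treats as a governance drift signal, as an added example that is not the post's own code: it inventories Global Administrator assignments through Microsoft Graph PowerShell and converts each standing (permanent active) admin, except the break-glass account, into a PIM-eligible assignment. Assumed: the Microsoft Graph PowerShell SDK, a signed-in account holding Privileged Role Administrator, and the placeholder break-glass UPN.

```powershell
# Added example (not from the original post). Run from an account that is not
# itself a standing Global Admin; the break-glass UPN below is a placeholder.
Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory'
$breakGlass = 'breakglass@yourtenant.example'
$ga = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Administrator'"

# Active instances cover both permanent assignments and current PIM activations;
# AssignmentType 'Assigned' with no end date means a standing (always-on) admin.
$active = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -All `
    -Filter "roleDefinitionId eq '$($ga.Id)'" -ExpandProperty principal
$eligible = Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -All `
    -Filter "roleDefinitionId eq '$($ga.Id)'"
$standing = $active | Where-Object { $_.AssignmentType -eq 'Assigned' -and -not $_.EndDateTime }
Write-Host "Standing Global Admins: $(@($standing).Count)  Eligible: $(@($eligible).Count)"

foreach ($a in $standing) {
    $upn = $a.Principal.AdditionalProperties['userPrincipalName']
    if ($upn -eq $breakGlass) { continue }           # keep break-glass permanent, per Step 1
    if ($eligible.PrincipalId -notcontains $a.PrincipalId) {
        # Create a permanent *eligibility*; the admin must still activate to use the role
        New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter @{
            Action           = 'adminAssign'
            Justification    = 'PIM rollout: convert standing Global Admin to eligible'
            RoleDefinitionId = $ga.Id
            DirectoryScopeId = '/'
            PrincipalId      = $a.PrincipalId
            ScheduleInfo     = @{ StartDateTime = (Get-Date).ToUniversalTime()
                                  Expiration    = @{ Type = 'noExpiration' } }
        } | Out-Null
    }
    # Remove the standing active assignment so the role is off until it is activated
    New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter @{
        Action           = 'adminRemove'
        Justification    = 'PIM rollout: remove standing Global Admin assignment'
        RoleDefinitionId = $ga.Id
        DirectoryScopeId = '/'
        PrincipalId      = $a.PrincipalId
    } | Out-Null
    Write-Host "Converted $upn ($($a.PrincipalId)) to eligible"
}
```

Review the printed counts before letting the loop run in a production tenant, and confirm in the PIM portal that each converted account now shows under Eligible assignments rather than Active.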
Final Thoughts
If privileged access is always available, attackers only need one success to move from initial access to owning your tenant. PIM helps by making privilege just-in-time, conditional, time-limited, and observable. By creating a practical path to least privilege without blocking real operational needs, you can gain considerable ground in guarding admin access.
If you’re looking for a starting point, begin with Global Administrator, then expand to roles that control security posture (e.g., privileged role admin, security admin), data (e.g. Exchange Administrator, SharePoint Administrator, Fabric Administrator, Power Platform Administrator), and management planes (Azure RBAC and group-based administration via PIM for Groups).