Time-limited admin roles in Microsoft 365

John Gruber
Published in GitBit
Aug 1, 2022

Instead of granting your admins roles that they hold all the time, you can give users just-in-time (JIT) administration. With JIT, your admins request the access they need. The access can be time-limited: an admin requests the permissions required to perform a function, and those permissions automatically disappear after a short while. Just-in-time administration is part of Privileged Identity Management (PIM). With PIM you can monitor access to essential resources in your organization.

NOTE: PIM requires Azure AD Premium 2 licenses

When to use PIM?

You’ll want to use PIM when you want to minimize the number of admins in your environment. With PIM, users can be granted access when they request it. If those accounts are compromised, the malicious user won’t have admin rights unless another admin grants them.

What does PIM allow you to do?

With PIM you can build several security-based access controls into your environment, including:

  • Provide JIT admin access to your Microsoft 365 tenant
  • Assign time-bound access to admin rights using start and end dates, so contractors and other time-limited employees can perform their job and have their access automatically revoked after x days.
  • Require approval to be granted admin roles so another admin can verify the user is who he says he is before being given admin…
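
The time-bound assignment from the list above, as an added example that is not part of the original article: it uses the Microsoft Graph PowerShell SDK to make a contractor eligible for an admin role for 30 days, then reads the schedule back to confirm the end date. The UPN, role name and duration are constructed placeholders, and it assumes the Microsoft.Graph.Users and Microsoft.Graph.Identity.Governance modules are installed.

```powershell
# Added example: time-bound *eligible* role assignment through PIM.
# Constructed placeholder values (assumptions, not from the article):
$UserUpn  = 'contractor@contoso.example'
$RoleName = 'Exchange Administrator'
$Days     = 30
$StartUtc = [datetime]::UtcNow

Import-Module Microsoft.Graph.Users, Microsoft.Graph.Identity.Governance
Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory', 'User.Read.All'

# Resolve the principal and the directory role definition by name.
$user = Get-MgUser -UserId $UserUpn -ErrorAction Stop
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$RoleName'"
if (-not $role) { throw "Role '$RoleName' not found in this tenant." }

# An eligibility request grants no standing rights: the user still has to
# activate the role, and the eligibility itself ends at EndDateTime.
$params = @{
    Action           = 'adminAssign'
    Justification    = "Contract engagement, eligibility ends after $Days days"
    PrincipalId      = $user.Id
    RoleDefinitionId = $role.Id
    DirectoryScopeId = '/'                      # tenant-wide scope
    ScheduleInfo     = @{
        StartDateTime = $StartUtc
        Expiration    = @{
            Type        = 'afterDateTime'       # fixed end date, not 'noExpiration'
            EndDateTime = $StartUtc.AddDays($Days)
        }
    }
}
$request = New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $params
"Request $($request.Id) status: $($request.Status)"

# Read the schedule back and confirm it carries an end date.
Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter "principalId eq '$($user.Id)'" |
    Select-Object RoleDefinitionId, Status,
        @{ n = 'Starts'; e = { $_.ScheduleInfo.StartDateTime } },
        @{ n = 'Ends';   e = { $_.ScheduleInfo.Expiration.EndDateTime } }
```

The role's own PIM settings can cap how long an eligible assignment may last, in which case a request that exceeds the cap is rejected rather than shortened.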
