Azure Active Directory (Azure AD) Privileged Identity Management (PIM) simplifies how enterprises manage privileged access to resources in Azure AD and other Microsoft online services like Microsoft 365 or Microsoft Intune.

If you have been made eligible for an administrative role, then you must activate the role assignment when you need to perform privileged actions. For example, if you occasionally manage Microsoft 365 features, your organization's privileged role administrators might not make you a permanent Global Administrator, since that role impacts other services, too. Instead, they would make you eligible for Azure AD roles such as Exchange Online Administrator. You can request to activate that role when you need its privileges, and then you'll have administrator control for a predetermined time period.

Before You Start

  • An administrator must already have assigned you an eligible Azure AD role.

Privilege elevation for password and MFA resets is monitored. Any misuse of these privileges will result in immediate disciplinary action.

Activate an Eligible Role

  1. Go to the My Roles blade in the Azure Portal.
  2. You will see a list of Azure AD Roles for which you are eligible.
  3. Choose the roles you need access to (for password resets or MFA resets, select "Authentication Administrator").
  4. Select Activate.
  5. Choose a duration up to the maximum value.
    1. Try to select an appropriate amount of time for the task you are performing. Often the minimum value is sufficient.
  6. Enter the Ticket Number you are working on.
  7. Explain what you plan to do with this access.
    1. e.g. Reset password, MFA Reset, Login Error Investigation, BitLocker recovery key lookup
  8. Click Activate. Wait for all stages to complete and the portal to reload. Afterwards, you will have the new role and its access and can perform the action you need.
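
The same activation can be requested with the Microsoft Graph PowerShell SDK instead of the portal. This is an added example, not part of the original article: it assumes the Microsoft.Graph module is installed and that the eligibility is assigned directly to your account (not through a group), and the duration, justification, ticket number and ticket system name are placeholders.

```powershell
# Added example: self-activate an eligible Azure AD role (portal steps 3-8).
# Placeholder values below are assumptions; replace them with your own.
$roleName      = 'Authentication Administrator'   # role named in step 3
$duration      = 'PT1H'                           # ISO 8601 duration; keep it as short as the task allows
$justification = 'Reset password'                 # step 7: what you plan to do
$ticketNumber  = 'TICKET-PLACEHOLDER'             # step 6: ticket you are working on
$ticketSystem  = 'TICKET-SYSTEM-PLACEHOLDER'

# Sign in with the delegated permissions needed to read eligibility and request activation.
Connect-MgGraph -Scopes 'User.Read',
                        'RoleEligibilitySchedule.Read.Directory',
                        'RoleAssignmentSchedule.ReadWrite.Directory'

# Object ID of the signed-in user (single quotes keep $select literal).
$me = Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/v1.0/me?$select=id'

# Step 2: list the roles you are eligible for and pick the one you need.
$eligible = Get-MgRoleManagementDirectoryRoleEligibilitySchedule -All `
                -Filter "principalId eq '$($me.id)'" -ExpandProperty RoleDefinition |
            Where-Object { $_.RoleDefinition.DisplayName -eq $roleName } |
            Select-Object -First 1

if (-not $eligible) {
    throw "No eligible assignment for '$roleName' was found for this account."
}

# Steps 4-8: request activation. A duration above the role's configured
# maximum, or a missing justification or ticket where the role settings
# require one, causes the request to be rejected.
$params = @{
    Action           = 'selfActivate'
    PrincipalId      = $me.id
    RoleDefinitionId = $eligible.RoleDefinitionId
    DirectoryScopeId = $eligible.DirectoryScopeId
    Justification    = $justification
    ScheduleInfo     = @{
        StartDateTime = Get-Date
        Expiration    = @{ Type = 'AfterDuration'; Duration = $duration }
    }
    TicketInfo       = @{ TicketNumber = $ticketNumber; TicketSystem = $ticketSystem }
}

$request = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $params
$request | Select-Object Status, CreatedDateTime, Justification
```

The justification and ticket number are stored with the activation request, just as they are when entered in the portal.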


Still Need Help?

Ask CIT! Call, chat, or submit a request and we'll be happy to assist you.

585-245-5588