Least privilege that actually survives real life

Imagine you’re the person who gets paged when “someone needs admin access right now.” The request is always urgent. The blast radius is always unclear. And the only role that “just works” is usually global administrator.

That is the default failure mode of identity governance: not because people love risk, but because granularity is hard and operations are messy.

Using custom roles and pim in entra id is Microsoft’s most practical answer to that problem: you define exactly what an operator can do, then you gate it behind just-in-time activation, with mfa, justification, approvals, and time limits. PIM explicitly supports built-in and custom Microsoft Entra roles, so you can stop choosing between “too much access” and “no access.”

This article goes beyond the surface “click here, click there” tutorial. We’ll break down the mechanics, the hidden constraints that shape your design, and a technical “hero” section you can use as an implementation blueprint. We’ll also incorporate field learnings (the stuff that shows up in admin blogs, scripts, and forum threads when the portal UI isn’t enough).

---

what the simple explanation misses

At a high level, everyone explains it like this:

• Create a custom role with specific permissions.
• Make users eligible for that role in pim.
• Require mfa / justification / approval for activation.
• The role expires automatically after a short duration. (Azure Docs)

That’s correct. It’s also incomplete.

What’s missing is the why: why you should prefer custom roles over built-in roles in specific cases, and why PIM changes the operating model of administration (not just the assignment model).

The superficial view treats roles as static “permission bundles.” The deeper view is:

a role is an interface to a control plane. pim turns that interface into a time-bound, audited transaction.

Once you see it this way, design decisions become clearer:

• You stop optimizing for “can the admin do the task?”
• You start optimizing for “can the admin do the task safely, provably, and repeatably under stress?”

That difference is where mature tenants separate from chaotic tenants.

---

Basically,

1) least privilege is not a role; it’s a boundary

“Least privilege” is only meaningful if you can draw a boundary around actions. In Entra ID, boundaries typically align to:

• directory-wide actions (tenant scope)
• administrative units (scope containment)
• application registration or enterprise app scope (limited resource scope)

Custom roles in Entra can be created for directory scope or app registration resource scope (and there are custom-role patterns for enterprise app management as well).

Implication: If you can’t scope a role to the boundary you want, you can’t claim least privilege—you can only claim “less privilege than global admin.”

2) pim’s real value is “transactional privilege”

PIM isn’t just “temporary admin.” It enforces friction and traceability:

• activation is an explicit action
• it can require mfa, a ticket number, justification
• it can require approver decisions
• it produces audit artifacts tied to the activation window

Implication: PIM is a control mechanism. Custom roles are a precision mechanism. You want both.

3) operations always route around controls unless the controls are usable

This is the part you see repeatedly in practitioner write-ups and scripts:

• admins automate PIM assignments and activation tracking via Microsoft Graph / PowerShell because portal-only workflows don’t scale
• service principals and automation identities often fail because Entra role/PIM permissions are not the same as Azure subscription RBAC permissions (Stack Overflow)

Implication: If you don’t design for the ops reality (automation, approvals, monitoring), users will push for permanent broad roles again.

---

where custom roles are worth it (and where they aren’t)

Custom roles shine when you have:

• repeatable operational duties that don’t justify full admin roles (helpdesk resets with constraints, app assignment operators, limited user lifecycle actions)
• segregation of duties requirements (e.g., the person who can manage users shouldn’t be able to manage conditional access)
• blast-radius control for sensitive resources (app registrations, enterprise app assignments)

Microsoft’s role-based access control overview makes the key point: built-in and custom roles exist to grant granular permissions aligned to least privilege.

Custom roles are not worth it when:

• the task set changes weekly (you’ll churn role definitions constantly)
• you need permissions that are not available in the directory role permission model
• you actually need the built-in role because Microsoft tied hidden service behaviors to it (this happens in some workloads; treat custom roles as “surgical,” not universal)

When you hit limitations outside Entra directory roles (for example, certain service-specific RBAC models), many practitioners shift to PIM for Groups as a workaround pattern for JIT access across workloads. (Microsoft Learn)

---

The real design patterns that work in mature tenants

pattern 1: “operator roles” mapped to runbooks

You create roles that match how work is done:

• “enterprise app assignment operator”
• “password reset operator (restricted)”
• “identity lifecycle operator (joiner/mover/leaver)”

Then you attach:

• a runbook
• a maximum activation duration
• required justification format (ticket ID)
• approvers aligned to change-management

This makes the role auditable and teachable.

pattern 2: split “configuration” from “execution”

A classic failure: one role allows both configuring security policy and executing privileged actions. Split them:

• role A: configure the guardrail (policy admins)
• role B: perform bounded operational actions (operators)

Then PIM each separately. In an incident, you can grant execution without granting policy mutation.

pattern 3: group-based eligibility for scale

Even when assigning Entra roles, many orgs prefer controlling “who can become eligible” via group membership that is itself governed. PIM for Groups exists specifically to grant JIT membership/ownership of groups used across multiple access-control systems.

pattern 4: treat role definitions like code

This is where advanced teams go:

• role definition stored as JSON (or documented Graph payload)
• change history tracked
• approvals for role-definition edits
• periodic access reviews for role eligibility

Even if you don’t fully “IaC” it on day one, you can design toward it.

---

Implementation blueprint (custom role + pim)

This is the straight-through, implementation-focused core. The goal is to produce a custom Entra role that is eligible via PIM, with activation controls and auditability, and to do it in a way that survives production constraints.

prerequisites and control-plane access

1. licensing

• Custom roles and PIM capabilities depend on Entra licensing tiers; many advanced governance features are associated with Entra ID P1/P2 in Microsoft documentation and labs, and PIM for Groups is commonly referenced with P2 in practitioner resources. Validate your tenant’s licensing before designing your governance model.

2. who can do what

• To manage role settings and assignments in PIM, you typically need Privileged Role Administrator (or equivalent privileged role). Microsoft’s role settings doc calls out that you must have at least Privileged Role Administrator to manage PIM role settings for Entra roles.

3. define the scope boundary first
   Before you create anything, decide:

• directory-wide scope vs administrative unit vs application scope
• whether the role should apply tenant-wide or to specific resource objects

Microsoft’s role assignment guidance explicitly highlights tenant, application registration, and administrative unit scopes in Entra role assignments.

---

step 1: design the custom role as a “minimal action set”

Start from tasks, not permissions. Example task: “App assignment operator can assign users/groups to enterprise apps, but cannot modify conditional access or create app registrations.”

Microsoft provides a custom-role path specifically for managing enterprise app assignments. That’s a strong baseline pattern because it’s narrowly scoped to a common operational need.

Practical method:

• Identify the smallest built-in role that almost matches.
• Enumerate the extra permissions you do not want.
• Build your custom role by selecting only required permissions.

If you’re creating a directory-level custom role in Entra, Microsoft documents that it can be assigned at directory-level scope or app registration resource scope only.

Key rule: if the permission model cannot express your boundary, do not pretend it does. Use a different governance approach (often: role-assignable groups + PIM for Groups, or workload-native RBAC).

---

step 2: create the custom role in Entra

In the Microsoft Entra admin center:

• go to roles and admins
• create a new custom role
• select permissions aligned to the minimal action set
• assign scopes appropriately (directory scope or app resource scope, where supported)

Operational tip: use naming conventions that encode intent and scope, for example:

• op - enterprise app assignments - prod
• op - user lifecycle - au:emea

This matters later when you have dozens of custom roles and multiple approval workflows.

---

step 3: onboard the custom role into pim (eligible assignment)

PIM supports built-in and custom Entra roles, and the assignment workflow is the same:

• open identity governance → privileged identity management
• choose Microsoft Entra roles
• add assignments
• pick your custom role
• assign user/group as eligible (not active/permanent)

Hard edge: role assignments in PIM have timing constraints (for example, Microsoft notes minimum assignment duration and a short window where removal isn’t allowed). These are small, but they matter in automation and emergency response runbooks.

---

step 4: configure role settings (the real governance)

This is where most implementations become “real” instead of “checkbox secure.”

For the custom role, configure:

1. activation requirements

• require mfa
• require justification (use a standard format: INC123456 or CHG123456)
• consider requiring a ticket or “reason” field

2. approval workflow

• require approval for activation of high-impact roles
• define approvers (ideally: a small on-call approver group)

3. duration

• set maximum activation duration (commonly 1–4 hours for operators)
• shorter duration reduces exposure but increases re-activation friction

4. notifications

• notify security team and/or role owners on activation
• notify on “eligible assignment added”

Microsoft’s role settings documentation explicitly enumerates these controls (mfa, approval, duration limits, notifications) and clarifies they are defined per role.

Design guidance from first principles:

• If the action is reversible and low impact, reduce approvals and rely on audit.
• If the action can change security posture or exfiltrate data, require approval and tighter duration.
• If the action is emergency-response critical, create a separate “break glass” pathway (see step 7).

---

step 5: validate end-to-end with a “task-based” test

Do not validate by “the role activates.”

Validate by running the exact tasks the role exists for:

• can the operator do the required task in the portal and via API?
• do they fail cleanly on tasks that should be forbidden?
• does the activation leave auditable traces?

Also validate the user experience:

• is the activation process quick enough for incident response?
• do approvers receive actionable notifications?

Microsoft documents the activation flow for eligible admins: eligible users must activate when needed, then permissions expire after.

---

step 6: automate reporting and governance (what mature teams actually do)

Portal views are fine until you have:

• 40 roles
• 120 eligible assignments
• quarterly audit requirements

This is where admin blogs and scripts show up: teams report on Entra role assignments including PIM eligibility and activations using Graph-based PowerShell.

A practical approach:

• build a weekly export of:
  • permanent assignments
  • eligible assignments
  • activation history
• alert on:
  • unexpected permanent assignments
  • activations outside business hours (unless explicitly allowed)
  • approval bypasses (if any)

If you’re automating assignments, be careful about the common confusion: Entra directory role assignment and Azure subscription RBAC are different, and automation identities need the correct Entra-side privileges. This shows up repeatedly in Q&A threads when cmdlets fail unexpectedly. (Stack Overflow)

---

step 7: handle the “break glass” reality without destroying your model

Every serious tenant needs emergency access. But “emergency” is the easiest excuse for permanent global admin.

A strong pattern:

• keep 1–2 break-glass accounts with permanent privileges, protected with:
  • phishing-resistant MFA
  • monitored sign-in alerts
  • stored credentials in a secure vault
• for humans, use PIM:
  • create a high-privilege role path with strict approval
  • but allow a fast-track approver group for incidents

PIM’s value is strongest when emergency operations still produce a tight audit trail with explicit activation windows.

---

where forum reality changes the strategy: pim for groups as the “universal jit adapter”

In practice, admins often face workloads where directory roles aren’t the right control plane, or where custom roles don’t map well. That’s why PIM for Groups matters: it enables just-in-time membership/ownership for groups that control access to many systems, including Entra roles, Azure roles, Intune, and third-party apps.

Many “how do I use PIM with X” posts converge on the same idea:

• if the workload supports group-based authorization, then:
  • create a role-assignable group (where needed)
  • assign that group to the workload role
  • use PIM for Groups to make membership JIT (azurehero.de)

This is the pragmatic, cross-service approach. It’s not “pure” directory roles—but it’s often the only model that scales across Microsoft 365 workloads.

---

Key takeaways that will still be true a year from now

• custom roles give you precision; pim gives you control. Use both or you’ll end up back at global admin.
• Don’t design roles from permission lists. Design them from runbooks and operational duties.
• The quality of your implementation is mainly determined by:
  • scope boundaries
  • activation policy (mfa, approval, duration)
  • reporting/audit readiness
• When directory roles aren’t the right lever, PIM for Groups becomes the universal JIT adapter across workloads.