Privileged Identity Management (PIM) for Entra roles


Walk into most SMB tenants and check who holds Global Administrator. You’ll find at least one. Often three. Sometimes more. All permanent. All active. All the time.

That’s standing privilege. And it’s the biggest gift you can hand a token thief.

Most MSPs I talk to know about Privileged Identity Management. They’ve seen it in the Entra admin centre. They just don’t switch it on for clients, because they assume it’s an enterprise thing — too expensive, too complicated, too overkill for a 25-seat business.

Wrong on all three.

What is PIM, really?

PIM is just-in-time admin access. You stop being a Global Administrator all day every day, and start being eligible for it. When you need the role, you put yourself in for a fixed window, with a justification and a record. A few hours later it drops off. You’re back to a normal user.

That’s not least privilege as a slogan. That’s least privilege as a clock.

You can layer MFA on activation, approval workflows where one admin signs off on another’s elevation, and access reviews that quietly remind you each quarter that someone’s eligibility hasn’t been used in 90 days. All portal-driven. No scripts. Microsoft’s overview of PIM is worth a read, but the licensing point is the one that trips everyone up.

PIM needs Entra ID P2 or Entra ID Governance. That’s not in Business Premium, which stops at P1. But, and this is the part MSPs miss, you only need to licence the people who take part in PIM: anyone eligible for a role, plus the approvers and access reviewers. Not every seat. Three P2 licences for three admin accounts is your premium. Compare that to one incident.

Step-by-step: switching on PIM for Global Administrator

Run through this in the Entra admin centre. Sign in as a Global Administrator and licence the admin accounts you want under PIM first.

Park a break-glass account

Before touching a role, create a dedicated break-glass admin: a cloud-only account in the tenant’s .onmicrosoft.com domain, not synced from on-premises AD, with a permanent active Global Administrator assignment. Long random password in your password manager. Excluded from every Conditional Access policy, and with an alert on any sign-in so its use is never silent. Microsoft’s own guidance is to keep two of them. Document it somewhere you can find at 2am.

This is the one account PIM doesn’t touch. Skip this step and you’ll lock yourself out the first time MFA goes sideways, or the first time the approval flow below has nobody left who can approve.

Open ID Governance

ID Governance → Privileged Identity Management → Microsoft Entra roles → Roles.

Configure role settings for Global Administrator

Select Global Administrator → Role settings → Edit. Microsoft documents every option here; the ones that earn their keep look like this:

Activation maximum duration:   4 hours
Require MFA on activation:     Yes
Require justification:         Yes
Require approval to activate:  Yes (list at least two approvers so one person on leave can’t block elevation; PIM never lets a requester approve their own request)
Permanent eligible assignment: Disallowed (eligibility then expires and has to be renewed, so it can’t quietly outlive the admin)
Notification on activation:    All Global Admins

Notice what’s missing? PowerShell. None of this needs it.

Move existing GAs from active to eligible

Assignments → Add assignments → make each existing Global Administrator eligible first, and have them test an activation end to end. Only then remove their active assignment from the Active assignments tab. Do it in that order: the other way round leaves a window where the break-glass account is the only working admin. Same permissions, only when they ask for them.

Schedule an access review

Under Access reviews, set up a quarterly review of all eligible Global Administrators. Configure it to auto-remove on no response. The clients who think this is overkill are the clients who’ll have an ex-staffer with admin rights twelve months from now.
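The steps above stay portal-driven, but once they are done you want a way to prove the end state, for one tenant or in a loop across all of them. The following is an added example, not code from the original post: a read-only check, using the Microsoft Graph PowerShell SDK, that the only standing active Global Administrator left is the break-glass account. It assumes the SDK is installed (Install-Module Microsoft.Graph) on PowerShell 7 and that the signed-in account can consent to the two read scopes; the break-glass UPN is a placeholder to replace with yours.

```powershell
# Added example (not from the original post): verify that no one but the
# break-glass account holds a standing active Global Administrator assignment.
# Assumes the Microsoft Graph PowerShell SDK on PowerShell 7.

$BreakGlassUpn = 'breakglass@contoso.onmicrosoft.com'   # placeholder: your break-glass account
$GaTemplateId  = '62e90394-69f5-4237-9190-012177145e10'  # Global Administrator role template ID

Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All' -NoWelcome

# Turn a principal ID into something readable: UPN for users, displayName for groups/SPs.
function Resolve-Principal {
    param([string]$Id)
    try {
        $obj = Get-MgDirectoryObject -DirectoryObjectId $Id
        if ($obj.AdditionalProperties.ContainsKey('userPrincipalName')) { return $obj.AdditionalProperties['userPrincipalName'] }
        if ($obj.AdditionalProperties.ContainsKey('displayName'))       { return $obj.AdditionalProperties['displayName'] }
    } catch { }
    return $Id
}

$filter = "roleDefinitionId eq '$GaTemplateId'"

# Active assignment instances: AssignmentType 'Assigned' is a standing active grant
# (what we are trying to get rid of); 'Activated' is a PIM activation that ends at EndDateTime.
$active   = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -Filter $filter -All
# Eligible assignment instances: where the day-to-day admins should be after the move.
$eligible = Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -Filter $filter -All

$rows = @()
foreach ($a in $active) {
    $state = if ($a.AssignmentType -eq 'Assigned') { 'Standing active' } else { 'PIM activated' }
    $rows += [pscustomobject]@{ Principal = Resolve-Principal $a.PrincipalId; State = $state; Ends = $a.EndDateTime }  # Ends empty = permanent
}
foreach ($e in $eligible) {
    $rows += [pscustomobject]@{ Principal = Resolve-Principal $e.PrincipalId; State = 'Eligible'; Ends = $e.EndDateTime }
}
$rows | Sort-Object State, Principal | Format-Table -AutoSize

# The rule this post argues for: exactly one standing active GA, and it is the break-glass account.
$standing = @($rows | Where-Object { $_.State -eq 'Standing active' -and $_.Principal -ne $BreakGlassUpn })
if ($standing.Count -gt 0) {
    Write-Warning ('Standing Global Admins other than break-glass: ' + ($standing.Principal -join ', '))
} else {
    Write-Host 'OK: no standing Global Administrator except the break-glass account.'
}
```

Run it after the move and again after each quarterly access review; a non-empty warning means someone was re-added as permanent active, which is the drift the review is there to catch.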

Why this actually changes behaviour

PIM isn’t a tool. It’s a posture. The second a Global Admin has to type a reason and wait for approval, two things happen — they stop using GA for the trivial stuff, and someone else sees every elevation.

“But our admins will hate this.”

They’ll hate it for a week. Then they’ll forget it’s there, because activation is a minute’s work. And the first time you can prove with an audit log that no privileged account was active during an incident, you’ll wonder how you ran tenants any other way.
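That audit-log proof is something you can produce on demand. The following is an added example, not code from the original post: it pulls every PIM event for Global Administrator inside a time window from the Entra audit log via the Microsoft Graph PowerShell SDK and lists the completed activations, which is the list you hold up against an incident timeline. It assumes the SDK, AuditLog.Read.All consent, and that PIM records the role as a target resource of type 'Role' (the structure the directory audit schema uses); the window is a placeholder.

```powershell
# Added example (not from the original post): who elevated to Global Administrator,
# when, and with what outcome, during a given window. Assumes the Microsoft Graph
# PowerShell SDK and AuditLog.Read.All. Audit retention is 30 days by default, so
# export to a SIEM or storage account if you need to answer this for older incidents.

$From = (Get-Date).AddDays(-7).ToUniversalTime()   # placeholder window: replace with the incident window
$To   = (Get-Date).ToUniversalTime()

Connect-MgGraph -Scopes 'AuditLog.Read.All' -NoWelcome

$filter = "loggedByService eq 'PIM' and activityDateTime ge {0} and activityDateTime le {1}" -f `
    $From.ToString('yyyy-MM-ddTHH:mm:ssZ'), $To.ToString('yyyy-MM-ddTHH:mm:ssZ')
$events = Get-MgAuditLogDirectoryAudit -Filter $filter -All

$rows = foreach ($e in $events) {
    # Assumption: PIM writes the role as a targetResource with Type 'Role'; other entries are principals.
    $role = ($e.TargetResources | Where-Object Type -eq 'Role').DisplayName
    if ($role -ne 'Global Administrator') { continue }
    [pscustomobject]@{
        Time     = $e.ActivityDateTime
        Activity = $e.ActivityDisplayName           # e.g. 'Add member to role completed (PIM activation)'
        Who      = $e.InitiatedBy.User.UserPrincipalName  # requester, or the approver on approval events
        Result   = $e.Result
        Status   = $e.ResultReason
    }
}
$rows | Sort-Object Time | Format-Table -AutoSize

# Completed activations are the ones that actually granted the role inside the window.
$activations = @($rows | Where-Object Activity -like '*completed (PIM activation)*')
if ($activations.Count -eq 0) {
    Write-Host "No Global Administrator activation completed between $From and $To."
} else {
    Write-Host "$($activations.Count) Global Administrator activation(s) completed in the window."
}
```

Keep the break-glass account out of this picture deliberately: it never appears here because it is never activated through PIM, which is exactly why its sign-ins need their own alert.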

A standing Global Admin is a key under the doormat. PIM is the locksmith.

If you’re not setting this up for your clients, you’re leaving the front door open and calling it security.
