
AzureAD PIM – how to setup a privileged role – Cloud First

You first need to configure AzureAD PIM – see my former post How to setup Azure AD Privileged Identity Management (PIM)

In this post I will show how to use AzureAD PIM to give temporary Global Admin access to a user. There are different built-in privileged roles:

  • AdHoc License Administrator
  • Billing Administrator
  • Compliance Administrator
  • Directory Readers
  • Directory Writers
  • Email Verified User Creator
  • Exchange Administrator
  • Global Administrator
  • Mailbox Administrator
  • Partner Tier1 Support
  • Partner Tier2 Support
  • Password Administrator
  • Privileged Role Administrator
  • Security Administrator
  • Security Reader
  • Service Administrator
  • SharePoint Service Administrator
  • Skype for Business Administrator
  • User Administrator
  • Workplace Device Join

How to assign a user a privileged role

Select Global Administrator

Select Add to find a user in Azure AD

Select Users

  1. Search your user
  2. Select your user
  3. Select Done

And now my [email protected] is eligible to request temporary Global Admin Access

Now, how does a user request temporary Global Admin access?

First login to the https://portal.azure.com

Start Privileged Identity Management

Select Global Administrator – Request activation

The first time, you need to verify your permission to use PIM (remember that your user needs an Azure AD Premium license for this)

Setup this account for additional security verification

I selected “Call me”: the Azure phone service calls my phone when I select Contact me

I answer my phone and press #

Then I can select Done

Now I have access to Activate my request to be a temporary Global Admin

Then enter a reason for the role activation

Select Ok

Because I have changed the default expiration time from 1 hour to 8 hours, I now have Global Admin rights for 8 hours

Then for the next 8 hours I can log in to https://portal.office.com with Global Admin rights

How does this look from an Admin perspective?

We need to be able to track who, when and why a user has gained privileged access.

Log in to https://portal.azure.com as your PIM administrator.

Look at your Global Admins; you can see that a new user has access and has an expiration time.

Select Audit history at the front page of the PIM service

Then you can see that the user has requested temporary Global Admin rights and the reason why.
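As an added example, not part of the original post, here are the same three steps done from Microsoft Graph PowerShell instead of the portal: making a user eligible for Global Administrator, listing who currently holds the role and when it expires, and pulling the audit entries with the reason given. The UPN and justification text are placeholders, and the audit activity name and the `Justification` detail key are assumptions; the Global Administrator role template id is the well-known one.

```powershell
# Added example (not the post's own steps): PIM eligibility, current holders and
# audit history via Microsoft Graph PowerShell. Assumes the Microsoft.Graph module
# is installed and the signed-in account is a Privileged Role Administrator.
$scopes = @(
    "RoleEligibilitySchedule.ReadWrite.Directory",
    "RoleAssignmentSchedule.Read.Directory",
    "AuditLog.Read.All",
    "User.Read.All"
)
Connect-MgGraph -Scopes $scopes

$gaRoleId = "62e90394-69f5-4237-9190-012177145e10"      # Global Administrator template id
$user     = Get-MgUser -UserId "pim-user@contoso.example"   # placeholder UPN

# 1. Make the user ELIGIBLE (not a permanent member) for Global Administrator,
#    the same as Add -> Users -> Done in the portal. Eligibility itself lasts a
#    year here; the activation length (8 h in the post) comes from the role
#    settings configured in the earlier post.
$eligibility = @{
    action           = "adminAssign"
    justification    = "JIT Global Admin for on-call duty"   # placeholder text
    roleDefinitionId = $gaRoleId
    directoryScopeId = "/"
    principalId      = $user.Id
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = "afterDuration"; duration = "P365D" }
    }
}
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $eligibility

# 2. Admin view: who currently HOLDS Global Administrator and when it expires.
#    AssignmentType 'Activated' with an EndDateTime is a JIT activation in progress.
Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance `
    -Filter "roleDefinitionId eq '$gaRoleId'" -ExpandProperty principal |
    Select-Object @{n='User'; e={ $_.Principal.AdditionalProperties.userPrincipalName }},
                  AssignmentType, StartDateTime, EndDateTime

# 3. Audit history: who requested/activated the role, when, and the reason.
#    The "(PIM activation)" activity name and the 'Justification' key are assumptions.
Get-MgAuditLogDirectoryAudit -Filter "category eq 'RoleManagement'" -Top 50 |
    Where-Object { $_.ActivityDisplayName -like "*PIM activation*" } |
    Select-Object ActivityDateTime,
                  @{n='By';     e={ $_.InitiatedBy.User.UserPrincipalName }},
                  ActivityDisplayName,
                  @{n='Reason'; e={ ($_.AdditionalDetails | Where-Object Key -eq 'Justification').Value }}
```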

I will be back with more posts about PIM at a later point.

Remember that this is Just-In-Time admin access: a very secure way to have admin access only when it is needed. So if the credentials are compromised, the attacker gets only a normal user.
