When PIM has been configured for an Azure AD role, the user only holds an eligible assignment and must activate the role before the privileges can be used.
The user activates the Azure AD role by signing in to Azure AD Privileged Identity Management (PIM).
In the following example, we'll sign in as adm.msk (the same user that was configured with PIM in this article) and activate the Azure AD role.
Activating a PIM Role – Step-by-Step
Log in to the Azure Portal and go to the PIM management blade.
Select My roles, select Eligible assignments, identify the role you want to activate, and click Activate:
You can limit the duration of the activation; the longest duration you can pick is the maximum configured in the role's activation settings in PIM.
For a minor change, 30 minutes may be enough. To start a workday filled with user management, you may want to select eight hours.
Type in a reason why you want to activate the role. The justification is written to the PIM audit log, and depending on the role settings the activation may also require MFA, a ticket number or approval before it takes effect.
Once you click Activate, the role is activated. This may take a few seconds:
Reloading the web page gives you an overview of your roles, and under Active assignments you should be able to verify that the role is now activated:
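The same activation can be scripted, which is handy when you want to activate a role at the start of a shift without clicking through the portal, or when you want to audit what an account is eligible for. The script below is an added example and is not part of the original article; it uses the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.Governance module) rather than the portal. The role name (User Administrator), the eight-hour duration and the justification text are assumptions; substitute the role you are eligible for and a duration that does not exceed the maximum configured in the role's PIM settings.

```powershell
# Added example, not from the original article: activate an eligible Azure AD role via PIM
# using the Microsoft Graph PowerShell SDK. Requires Microsoft.Graph.Identity.Governance.
# Assumed values: role display name, activation duration (PT8H) and justification text.

# 1. Sign in as the eligible admin (e.g. adm.msk). Only the scopes needed to read
#    eligibility and to request an activation are asked for (least privilege).
Connect-MgGraph -Scopes "User.Read",
                        "RoleManagement.Read.Directory",
                        "RoleEligibilitySchedule.Read.Directory",
                        "RoleAssignmentSchedule.ReadWrite.Directory"

# 2. Resolve the signed-in user's object id (the PIM principal).
$me = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/me"

# 3. List the roles the user is eligible for (the "Eligible assignments" tab in the portal).
$eligible = Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance `
    -Filter "principalId eq '$($me.id)'"
foreach ($e in $eligible) {
    $def = Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $e.RoleDefinitionId
    "{0,-40} scope={1}" -f $def.DisplayName, $e.DirectoryScopeId
}

# 4. Pick the role to activate (assumed: User Administrator).
$roleName = "User Administrator"
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
if (-not $role) { throw "Role '$roleName' not found in this tenant." }

# 5. Submit a self-activation request. Duration must not exceed the maximum set in the
#    role's activation settings; the justification is stored in the PIM audit log.
$params = @{
    Action           = "selfActivate"
    PrincipalId      = $me.id
    RoleDefinitionId = $role.Id
    DirectoryScopeId = "/"                       # tenant-wide; use an AU id for scoped roles
    Justification    = "Onboarding new hires, ticket INC-1234"   # assumed text
    ScheduleInfo     = @{
        StartDateTime = (Get-Date).ToUniversalTime()
        Expiration    = @{
            Type     = "AfterDuration"
            Duration = "PT8H"                   # ISO 8601 duration: eight hours
        }
    }
}
$request = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $params
"Request {0}: status={1}" -f $request.Id, $request.Status
# Status is "Provisioned" when the activation is immediate; "PendingApproval" when the
# role settings require an approver, in which case the role is not usable yet.

# 6. Verify: an activated role shows up as an assignment schedule instance with
#    AssignmentType "Activated" and an EndDateTime matching the requested duration.
Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance `
    -Filter "principalId eq '$($me.id)' and roleDefinitionId eq '$($role.Id)'" |
    Select-Object AssignmentType, StartDateTime, EndDateTime
```

If the request comes back with a status other than Provisioned, check the role's activation settings (maximum duration, MFA and approval requirements) before retrying; a duration longer than the configured maximum is rejected outright rather than silently shortened.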
Summary
The guide above demonstrated how an admin activates an Azure AD role that has been configured for PIM.
PIM limits the time window in which your admin accounts are able to perform privileged actions: outside an activation, a compromised admin account holds no standing privileges.
This decreases the attack surface of your environment, at the cost of some administrative overhead for every activation.
Also, you'll need the Azure AD Premium P2 license to be able to use PIM.