We Built a Solution to See How People Actually Use PIM

We’ve been implementing PIM for years. As consultants, we do the design, the configuration, the training, and then we leave. We’re not there week after week watching how people use it.

Now, after doing multiple PIM review projects, we see a pattern.

The move from active to eligible looks good on paper. Everyone’s happy. Checkbox checked. Audit passed.

But when you start looking at the data, you see problems.

The justification box became a garbage box

We see justifications like “work”, “daily work”, “working”, or just “.”.

Meanwhile, the same people have tickets in Jira or ServiceNow. But there’s no connection between what they’re requesting in PIM and what they’re actually working on. The Entra ID audit logs and your ticketing system are completely out of sync.

This means you have zero visibility into why people are activating permissions.

Are they misusing the bigger permissions? Are they activating Owner or Contributor every day but just reading data? Are new hires typing “.” because nobody trained them? You don’t know.

Random justifications + maximum activation durations = no insights. You can’t tell if processes need to change, if people need different permissions, or if additional tools are needed.
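
The checks described in this section can be run over an export of activation records. The Python below is an added example, not PIM Coach's scoring and not code from this post; the record fields, the ticket-key formats, the 10-character threshold and the three-day cutoff are assumptions, and the sample records are constructed.

```python
import re
from collections import defaultdict

# Constructed sample activations. Field names are assumptions, not an Entra export schema.
SAMPLE = [
    {"user": "alice", "role": "Owner", "day": "2024-05-06", "justification": "."},
    {"user": "alice", "role": "Owner", "day": "2024-05-07", "justification": "work"},
    {"user": "alice", "role": "Owner", "day": "2024-05-08", "justification": "daily work"},
    {"user": "alice", "role": "Owner", "day": "2024-05-09",
     "justification": "OPS-1412 rotate storage account keys"},
    {"user": "bob", "role": "Reader", "day": "2024-05-06",
     "justification": "Investigating failed backup job on prod vault"},
    {"user": "bob", "role": "Contributor", "day": "2024-05-07",
     "justification": "INC0045121 restart app gateway"},
]

# Assumed ticket formats: Jira-style keys (OPS-1412) and ServiceNow-style numbers (INC0045121).
TICKET_RE = re.compile(r"\b(?:[A-Z][A-Z0-9]+-\d+|(?:INC|CHG|RITM)\d{7,})\b")
JUNK_PHRASES = {"work", "daily work", "working"}  # the examples quoted in this post
HIGH_PRIV = {"Owner", "Contributor", "Global Administrator"}

def classify(justification):
    """Return 'ticket-linked', 'junk' or 'free-text' for one justification."""
    text = justification.strip()
    if TICKET_RE.search(text):
        return "ticket-linked"
    normalized = re.sub(r"[^a-z0-9 ]", "", text.lower()).strip()
    if len(normalized) < 10 or normalized in JUNK_PHRASES:
        return "junk"
    return "free-text"

def review(activations, min_days=3):
    """Per user: share of junk justifications and whether high-privilege
    roles were activated on at least min_days distinct days."""
    stats = defaultdict(lambda: {"junk": 0, "total": 0, "days": set()})
    for a in activations:
        s = stats[a["user"]]
        s["total"] += 1
        s["junk"] += classify(a["justification"]) == "junk"
        if a["role"] in HIGH_PRIV:
            s["days"].add(a["day"])
    return {
        user: {"junk_ratio": s["junk"] / s["total"],
               "frequent_high_priv": len(s["days"]) >= min_days}
        for user, s in stats.items()
    }

if __name__ == "__main__":
    for user, result in review(SAMPLE).items():
        print(user, result)
```

A high junk ratio combined with frequent high-privilege activation is the pattern worth a conversation with the user; either signal alone is weaker.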

And then there’s the resistance

In some cases, implementing PIM is hard not because of the technology but because people are used to having 24/7 high permissions. They’ve had Owner or Global Admin for years. Now you’re telling them to activate when they need it.

Some will push back. Some will say PIM is BS. Some will fight the change.

This is why I’ve always said: it’s not about moving from active to eligible. It’s about training and educating people before and along the way so they understand what it means to operate with lesser permissions, why it matters, and how to work with it instead of against it.

If you skip that part, you get garbage justifications and people treating PIM as an annoyance to click through.

Entra PIM Coach

Last year I started building a PIM workbook. From there, based on customer projects, we built something bigger, a solution called PIM Coach.

PIM Coach has two parts:

  • Permissions Analysis: Full Azure and Entra ID permissions including PIM role settings
  • Activation Scoring: We collect all PIM activations weekly and score them. Week by week, you see patterns. Are things improving? Did new hires come in without proper training? Is someone activating high-privilege roles daily when they only need read access?

 

The goal is to understand your PIM culture, not to treat PIM as a checkbox in Excel, but to be proactive about how privileged access is used in your organization.

Want to learn more?

I’m running a free webinar where I’ll walk through this in detail, what we’ve seen, how the scoring works, and what you can do about it.

Register for the PIM Coach Webinar

Or if you want to talk about your specific situation, reach out directly.

See our product page for Microsoft Entra PIM Coach
