# MS Entra ID Privileged Identity Management (PIM)

<details>

<summary>Permissions required for registering and configuring an app in Microsoft Entra ID.</summary>

The account must have permission to manage applications in Microsoft Entra ID (for example the Application Administrator role). Granting tenant-wide admin consent additionally requires a role that is permitted to do so, such as Global Administrator or Privileged Role Administrator.

</details>

Privileged Identity Management (PIM) is required to enforce just-in-time, least-privilege access to the highly sensitive identity administration functions in Keycloak. Keycloak is a tier-0 system: standing administrative access significantly increases the blast radius of a compromised account and the insider risk. With PIM, membership of the admin group is granted only on activation, is time-bound and auditable, and satisfies governance and compliance requirements without changing the authentication flow.

## Configure MS Entra ID as an IdP in Keycloak

1. To continue, either the OIDC or the SAML SSO setup must already be completed:

* [MS Entra ID (OIDC)](/identity-and-access-management/single-sign-on/ms-entra-id-oidc.md)
* [MS Entra ID (SAML v2.0)](/identity-and-access-management/single-sign-on/ms-entra-id-saml-v2.0.md)

2. Ensure **Assignment required** is enabled on the MS Entra application created above, so that only assigned users and groups can sign in to it.
3. Prepare the admin group: select the **`tenant-admin`** group created in the OIDC or SAML article and remove all users from it. The group must have no standing members; membership is granted only through PIM activation.
4. Assign the group to the application.
   1. If you used application roles, use the relevant guide to assign the `tenant-admin` group to the `tenant-admin` application role.
      1. [MS Entra ID (OIDC)](/identity-and-access-management/single-sign-on/ms-entra-id-oidc.md#configure-app-roles-to-spark-user-groups).
      2. [MS Entra ID (SAML v2.0)](/identity-and-access-management/single-sign-on/ms-entra-id-saml-v2.0.md#configure-entra-id-app-roles-to-spark-user-groups).
   2. If you used groups directly, use the guide to assign the `tenant-admin` group directly to the application.
      1. [MS Entra ID (SAML v2.0)](/identity-and-access-management/single-sign-on/ms-entra-id-saml-v2.0.md#configure-entra-id-groups-to-spark-user-groups).

## Configure PIM in MS Entra ID

1. Open [Privileged Identity Management | Quick start](https://portal.azure.com/#view/Microsoft_Azure_PIMCommon/CommonMenuBlade/~/quickStart).
2. Expand *Manage* → *Groups*.
3. Click *Discover groups*.
4. Search for the relevant internal group name.
5. Select the group and click **Manage Groups**.
6. Click **OK** to onboard the selected groups.
7. Navigate to [Privileged Identity Management | Groups](https://portal.azure.com/#view/Microsoft_Azure_PIMCommon/CommonMenuBlade/~/aadgroup).
8. Select the onboarded group.
9. Expand *Manage* → *Assignments*.
10. Click **Add assignment**.
11. Select the **Member** role.
12. Click **Select member(s)**, add the users who may become administrators, then click **Next**.
13. On the settings step, choose the **Eligible** assignment type and set the assignment start and end dates. An eligible assignment does not make the user a member; it only allows the user to activate membership for a limited time. An **Active** assignment would reintroduce standing access.
14. Click **Assign**.
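The same configuration done from PowerShell with the Microsoft Graph SDK, as an added example that is not part of the Spark documentation: it first checks that the `tenant-admin` group carries no standing (direct) members, then creates a time-bound eligible assignment for one user and lists what PIM now holds for the group. It assumes the `Microsoft.Graph` modules are installed, the group has already been onboarded to PIM through the portal steps above, and the caller holds a role allowed to manage PIM for Groups. The user principal name and the 90-day window are placeholder assumptions.

```powershell
# Added example, not from the Spark docs or from Microsoft's own samples.
# Creates an *eligible* PIM membership on the tenant-admin group and verifies
# that no account has standing (permanent) membership that would bypass PIM.
#Requires -Modules Microsoft.Graph.Groups, Microsoft.Graph.Users, Microsoft.Graph.Identity.Governance

param(
    [string]$GroupName       = 'tenant-admin',           # group from the OIDC/SAML article
    [string]$UserUpn         = 'alice@contoso.example',  # assumption: the future eligible admin
    [int]   $EligibleForDays = 90                        # eligibility window, not activation length
)

Connect-MgGraph -Scopes 'Group.Read.All', 'GroupMember.Read.All', 'User.Read.All',
                        'PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup' -NoWelcome

$group = @(Get-MgGroup -Filter "displayName eq '$GroupName'")
if ($group.Count -ne 1) { throw "Expected exactly one group named '$GroupName', found $($group.Count)" }
$groupId = $group[0].Id

$user = Get-MgUser -Filter "userPrincipalName eq '$UserUpn'"
if (-not $user) { throw "User '$UserUpn' not found" }

# 1. Standing-access check. Any direct member is tenant-admin in Spark on every
#    login without activation, approval or audit trail, so refuse to continue.
$standing = @(Get-MgGroupMember -GroupId $groupId -All)
if ($standing.Count -gt 0) {
    $standing | ForEach-Object { Write-Warning "Standing member found: $($_.Id)" }
    throw "Remove all direct members of '$GroupName' before creating eligible assignments"
}

# 2. Eligible (not Active) assignment, bounded by start and end dates.
#    The user still has to activate it; activation is what produces the
#    time-limited membership and the PIM audit record.
$now = (Get-Date).ToUniversalTime()
$request = @{
    accessId      = 'member'
    principalId   = $user.Id
    groupId       = $groupId
    action        = 'adminAssign'
    justification = "Eligible Spark tenant-admin for $UserUpn"
    scheduleInfo  = @{
        startDateTime = $now.ToString('o')
        expiration    = @{
            type        = 'afterDateTime'
            endDateTime = $now.AddDays($EligibleForDays).ToString('o')
        }
    }
}
$result = New-MgIdentityGovernancePrivilegedAccessGroupEligibilityScheduleRequest -BodyParameter $request
Write-Host "Eligibility request $($result.Id) status: $($result.Status)"

# 3. Review the result: every schedule on this group should be eligible and carry an end date.
Get-MgIdentityGovernancePrivilegedAccessGroupEligibilitySchedule -Filter "groupId eq '$groupId'" |
    Select-Object PrincipalId, AccessId,
                  @{ Name = 'EndsAt'; Expression = { $_.ScheduleInfo.Expiration.EndDateTime } }
```

Run it as the administrator who onboarded the group. If the final listing shows an entry without an end date, the assignment was created as permanently eligible; that is acceptable for some tenants, but it is the eligibility, not the activation, that is open-ended, and the activation duration is still capped by the group's PIM policy.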

## Test the PIM

### Test without PIM

{% hint style="info" %}
User must have permission to sign in to the MS Entra application.
{% endhint %}

1. Log in to Spark.
2. Verify you **do not** have `tenant-admin` permissions and your membership is `user:pf` only.
3. Sign out.

### Test with PIM

{% hint style="info" %}
User must have an eligible assignment configured as part of [#configure-pim-in-ms-entra-id](#configure-pim-in-ms-entra-id "mention").
{% endhint %}

1. Open [Privileged Identity Management | Quick start](https://portal.azure.com/#view/Microsoft_Azure_PIMCommon/CommonMenuBlade/~/quickStart).
2. In *Activate just-in-time*, click **Activate**.
3. Select *Groups* in the left pane.
4. Under *Eligible assignments*, click **Activate** next to your group.
5. Select the duration and provide a reason if required, then click **Activate**.
6. Log in to Spark. A fresh sign-in is required: the group membership only appears in tokens issued after the activation has taken effect.
7. Verify you have `tenant-admin` permissions and memberships `user:pf` and `tenant-admin`.
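The activation step above, driven from PowerShell with the Microsoft Graph SDK instead of the portal, as an added example that is not part of the Spark documentation. It submits a self-activation for the signed-in user, then polls until the resulting membership is visible (or gives up), which is the point at which a new Spark login should show `tenant-admin`. It assumes an eligible assignment already exists for the caller and takes the group's object ID as a parameter; the one-hour duration and the justification text are placeholder assumptions.

```powershell
# Added example, not from the Spark docs or from Microsoft's own samples.
# Self-activates an eligible PIM group membership and waits for it to appear.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.Governance

param(
    [Parameter(Mandatory)]
    [string]$GroupId,                          # object ID of the tenant-admin group (from the portal)
    [string]$Duration = 'PT1H',                # ISO 8601; must not exceed the maximum in the PIM policy
    [string]$Reason   = 'Spark tenant configuration change, ticket reference here'
)

Connect-MgGraph -Scopes 'PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup' -NoWelcome

# Resolve the object ID of the account that signed in above.
$me = Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/v1.0/me'
$principalId = $me.id

$request = @{
    accessId      = 'member'
    principalId   = $principalId
    groupId       = $GroupId
    action        = 'selfActivate'
    justification = $Reason          # recorded in the PIM audit log
    scheduleInfo  = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString('o')
        expiration    = @{ type = 'afterDuration'; duration = $Duration }
    }
}
$result = New-MgIdentityGovernancePrivilegedAccessGroupAssignmentScheduleRequest -BodyParameter $request
Write-Host "Activation request $($result.Id): $($result.Status)"

# Activation is asynchronous (and may be pending approval); poll for the live membership.
$deadline = (Get-Date).AddMinutes(5)
do {
    Start-Sleep -Seconds 10
    $active = @(Get-MgIdentityGovernancePrivilegedAccessGroupAssignmentScheduleInstance `
                  -Filter "groupId eq '$GroupId' and principalId eq '$principalId'")
} until ($active.Count -gt 0 -or (Get-Date) -gt $deadline)

if ($active.Count -eq 0) {
    throw 'Activation not visible after 5 minutes; check whether the PIM policy requires approval'
}
$active | Select-Object AccessId, StartDateTime, EndDateTime
Write-Host 'Sign in to Spark again now; tokens issued before this point do not carry the group.'
```

The `EndDateTime` in the final output is when the membership is removed automatically. Anything that relied on it, including an already-issued Spark session, should be expected to lose `tenant-admin` at that point, which is the behaviour the "Test without PIM" section confirms.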

## Demo video

This short video demonstrates the use of PIM for privileged access into a Spark tenant.

{% file src="/files/jFnboegEIHOEHGZ9Uv4i" %}
