MS Entra ID Privileged Identity Management (PIM)
Permissions required for registering and configuring an app in Microsoft Entra ID.
The account must have permission to manage applications in Microsoft Entra ID. Ideally, the account holds the Global Administrator role so that it can grant admin consent.
To enforce just-in-time, least-privilege access to highly sensitive identity administration functions in Keycloak, Privileged Identity Management (PIM) is required. Keycloak is a tier-0 system; standing administrative access significantly increases the blast radius and insider risk. PIM ensures that access is time-bound, auditable, and aligned with governance and compliance requirements, without changing the authentication flow.
Configure MS Entra ID as an IdP in Keycloak
To continue, either the OIDC or the SAML SSO configuration must already be completed:
Ensure Assignment required is enabled on the MS Entra application created above.
Prepare the admin group by selecting the tenant-admin group created previously in the OIDC or SAML article and removing all users from this group. Assign the group to the application.
If you used application roles, use the relevant guide to assign the tenant-admin group to the tenant-admin application role. If you used groups directly, use the guide to assign the tenant-admin group directly to the application.
Configure PIM in MS Entra ID
Expand Manage → Groups.
Click Discover groups.
Search for the relevant internal group name.
Select the group and click Manage Groups.
Click OK to onboard the selected groups.
Navigate to Privileged Identity Management | Groups.
Select the onboarded group.
Expand Manage → Assignments.
Click Add assignment.
Select role Member.
Click Select member(s), add users, then click Next.
Set the assignment start and end dates.
Click Assign.
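As an added example (not part of this guide or of any Microsoft tooling), the following Python script checks that the onboarded tenant-admin group carries no standing membership, so that the only active memberships are time-bound PIM activations of the eligibility configured above. It assumes the Microsoft Graph v1.0 privilegedAccess/group API field names (assignmentType, accessId, scheduleInfo.expiration) and a bearer token permitted to read group assignment schedules; the sample records and IDs are constructed.

```python
import json
import os
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"


def fetch_assignment_schedules(token: str, group_id: str) -> list[dict]:
    """Fetch the active assignment schedules (standing and PIM-activated)
    for one group from Microsoft Graph. Needs a bearer token with rights
    to read privileged access group assignment schedules (assumption)."""
    query = urllib.parse.urlencode({"$filter": f"groupId eq '{group_id}'"})
    url = f"{GRAPH}/identityGovernance/privilegedAccess/group/assignmentSchedules?{query}"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["value"]


def find_standing_access(schedules: list[dict]) -> list[str]:
    """Return principalIds that hold permanent, directly assigned membership.

    For a tier-0 group such as tenant-admin this list must be empty: the only
    active memberships should be PIM activations of eligible assignments,
    which carry assignmentType "activated" and a bounded expiration.
    """
    findings = []
    for s in schedules:
        expiration = s.get("scheduleInfo", {}).get("expiration", {})
        permanent = expiration.get("type") == "noExpiration"
        standing = s.get("assignmentType") == "assigned"
        if s.get("accessId") == "member" and standing and permanent:
            findings.append(s["principalId"])
    return findings


# Constructed sample: one bounded PIM activation (fine) and one permanent
# direct member (a finding). IDs are placeholders, not real object IDs.
SAMPLE_SCHEDULES = [
    {"principalId": "00000000-0000-0000-0000-00000000000a", "accessId": "member",
     "assignmentType": "activated",
     "scheduleInfo": {"expiration": {"type": "afterDuration", "duration": "PT8H"}}},
    {"principalId": "00000000-0000-0000-0000-00000000000b", "accessId": "member",
     "assignmentType": "assigned",
     "scheduleInfo": {"expiration": {"type": "noExpiration"}}},
]

if __name__ == "__main__":
    token, group_id = os.environ.get("GRAPH_TOKEN"), os.environ.get("PIM_GROUP_ID")
    data = fetch_assignment_schedules(token, group_id) if token and group_id else SAMPLE_SCHEDULES
    for principal in find_standing_access(data):
        print(f"standing tenant-admin membership: principal {principal}")
```

Run it with GRAPH_TOKEN and PIM_GROUP_ID set to audit the live group; without them it evaluates the constructed sample and reports the one permanent member.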
Test the PIM
Test without PIM
The user must have permission to sign in to the MS Entra application.
Log in to Spark.
Verify that you do not have tenant-admin permissions and that your only membership is user:pf. Sign out.
Test with PIM
The user must have an eligible assignment configured as described in Configure PIM in MS Entra ID.
In Activate just-in-time, click Activate.
Select Groups in the left pane.
Under Eligible assignments, activate your group.
Select duration and provide a reason if required, then click Activate.
Log in to Spark.
Verify that you have tenant-admin permissions and the memberships user:pf and tenant-admin.
Demo video
This short video demonstrates the use of PIM for privileged access into a Spark tenant.