# Implementing Privileged Identity Management (PIM) with RealmJoin Portal ### Overview This guide walks you through implementing Microsoft Entra ID Privileged Identity Management (PIM) for Groups with RealmJoin Portal administrative access. PIM provides just-in-time administrative access, reducing security risks by requiring users to activate their privileged roles when needed. By implementing PIM with RealmJoin, administrators must explicitly activate their admin privileges for a defined time period, creating an audit trail and reducing the attack surface of persistent administrative access. ### Prerequisites * Microsoft Entra ID P2 licensing for users requiring PIM access * Global Administrator or Privileged Role Administrator permissions * Access to RealmJoin Portal configuration * Understanding of Microsoft Entra ID Groups and role assignments ### Implementation Steps #### Step 1: Create Role-Assignable Groups Create two security groups in Microsoft Entra ID. While the "role-assignable" attribute is no longer a strict prerequisite, it remains recommended for optimal PIM functionality. **Group 1: Eligibility Group** * **Name**: `sec - PIM-Eligibility - RealmJoin Portal - Admins` * **Purpose**: Contains users eligible for RealmJoin admin access * **Type**: Security Group * **Role-assignable**: Recommended (Yes) **Group 2: Active Admin Group** * **Name**: `sec - PIM-Enabled - RealmJoin Portal - Admins` * **Purpose**: The target group that provides actual RealmJoin admin permissions * **Type**: Security Group * **Role-assignable**: Recommended (Yes) #### Step 2: Configure PIM for Groups **Enable PIM for Groups** 1. Navigate to **Microsoft Entra ID** > **Privileged Identity Management** 2. Select **Groups** from the left navigation pane 3. Choose **Discover groups** to identify groups eligible for PIM management 4. Select your newly created groups to bring them under PIM control For detailed configuration steps, refer to the official Microsoft documentation: * [Privileged Identity Management (PIM) for Groups Overview](https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/concept-pim-for-groups) * [Bring groups into Privileged Identity Management](https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/groups-discover-groups) **Configure Group Settings** 1. Set activation duration (recommended: 1-8 hours) 2. Configure approval requirements if needed 3. Define activation requirements (MFA, business justification) 4. Set maximum activation duration policies #### Step 3: Assign Eligibility Configure user eligibility for the PIM-enabled group: 1. In PIM, navigate to **Groups** > **Assignments** 2. Select the `sec - PIM-Enabled - RealmJoin Portal - Admins` group 3. Choose **Add assignments** 4. Select **Eligible** assignment type 5. Choose users or the eligibility group (`sec - PIM-Eligibility - RealmJoin Portal - Admins`) 6. Set assignment duration and schedule as required For comprehensive assignment guidance, see: [Assign eligibility for a group in Privileged Identity Management](https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/groups-assign-member-owner) ### Configuration Logic #### User Management Workflow 1. **Add Users to Eligibility Group**: Add user accounts to `sec - PIM-Eligibility - RealmJoin Portal - Admins` * This group serves as the source of users who can request admin access * Users in this group can activate membership in the PIM-enabled group 2. **Configure RealmJoin Portal**: Set `sec - PIM-Enabled - RealmJoin Portal - Admins` as the administrative group in RealmJoin Portal settings * Only active members of this group will have admin permissions * Users must activate their membership through PIM to gain access #### Access Activation Process When users need RealmJoin admin access: 1. User navigates to **My Access** portal or PIM interface 2. Requests activation of membership in `sec - PIM-Enabled - RealmJoin Portal - Admins` 3. Provides business justification (if required) 4. Completes MFA challenge (if configured) 5. Receives time-limited admin access to RealmJoin Portal 6. Access automatically expires after the defined duration ### Security Benefits * **Just-in-Time Access**: Admin privileges are granted only when needed * **Audit Trail**: All activation requests and approvals are logged * **Reduced Attack Surface**: Fewer persistent admin accounts * **Compliance**: Supports regulatory requirements for privileged access management * **Controlled Duration**: Admin access automatically expires * **Approval Workflows**: Optional approval processes for sensitive roles ### Best Practices * **Regular Access Reviews**: Periodically review group memberships and PIM assignments * **Appropriate Duration**: Set activation periods based on typical admin task duration * **MFA Enforcement**: Always require multi-factor authentication for activation * **Business Justification**: Require users to provide reasons for access requests * **Monitoring**: Regularly review PIM audit logs for unusual activation patterns * **Documentation**: Maintain clear procedures for emergency access scenarios ### Troubleshooting #### Common Issues * **Users cannot see activation option**: Verify PIM licensing and group assignments * **Activation fails**: Check MFA setup and approval workflow configuration * **RealmJoin access denied**: Confirm the correct group is configured in RealmJoin Portal settings #### Verification Steps 1. Test the activation process with a pilot user 2. Verify RealmJoin Portal recognizes the PIM-enabled group 3. Confirm audit logging is working correctly 4. Test emergency access procedures ### Additional Resources * [Microsoft Entra ID Governance Documentation](https://learn.microsoft.com/en-us/entra/id-governance/) * [PIM Best Practices](https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-deployment-plan) * [RealmJoin Portal Documentation](https://docs.realmjoin.com/) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.realmjoin.com/realmjoin-settings/permission/implementing-privileged-identity-management-pim-with-realmjoin-portal.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.