Privileged Identity Management is one of those features where the technical setup is easy and the organisational rollout is hard. This post is about the organisational part — the approval flows, the scoping, and the Break-Glass accounts that actually work.

Why PIM matters for small teams

Big orgs adopt PIM because compliance demands it. Small teams adopt it because at three admins, one leaked token is a tenant-wide incident. Just-in-time elevation turns a persistent-admin risk into a time-boxed risk, and that's usually enough to pass the threshold of "good enough."

Scope ruthlessly

The temptation is to put Global Admin behind PIM and call it done. Don't. Put everything behind PIM:

  • Global Admin — 1 hour max, approval required.
  • Privileged Role Administrator — 2 hours, approval required.
  • Conditional Access Administrator — 4 hours, approval required.
  • User Administrator, Exchange Admin, SharePoint Admin — 8 hours, approval optional.
  • Helpdesk / Password Reset — 8 hours, no approval, logged.

Approval flows

The approver pool for the top tier should be at least two people who are not the requesting admin. For a two-person IT team, that's a problem — you need a designated business approver (usually a director or COO) who can approve out-of-band. Document this. Test it quarterly by having an admin request elevation at 10pm and timing how long the approval takes.

Break-Glass accounts

You need exactly two, and they need to be:

  • Cloud-only, excluded from all CA policies except "require phishing-resistant MFA."
  • Not enrolled in PIM (the whole point is that PIM could fail).
  • Credentials stored in a physical safe, in two different buildings.
  • Alerted on any sign-in via a separate monitoring rule that reaches someone's phone.
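
A check for the first two bullets, added here as an example and not part of the original post: it audits a Conditional Access policy export (a constructed sample in the shape the Graph `/identity/conditionalAccess/policies` endpoint returns, trimmed to the fields the audit needs) and reports any enabled policy that still scopes a break-glass account, or a break-glass account that no enabled phishing-resistant MFA policy covers. The account ids are placeholders and the built-in authentication-strength id is an assumption to confirm in your own tenant.

```python
# Built-in Entra authentication strength "Phishing-resistant MFA"
# (assumption: confirm this id in your tenant before relying on it).
PHISHING_RESISTANT_STRENGTH_ID = "00000000-0000-0000-0000-000000000004"

# Constructed sample in the shape of /identity/conditionalAccess/policies,
# trimmed to the fields the audit needs; all ids are placeholders.
BREAK_GLASS_IDS = {"bg-user-1", "bg-user-2"}
SAMPLE_POLICIES = [
    {"displayName": "Block legacy auth", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["bg-user-1", "bg-user-2"]}},
     "grantControls": {"builtInControls": ["block"]}},
    {"displayName": "Require compliant device", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["bg-user-1"]}},
     "grantControls": {"builtInControls": ["compliantDevice"]}},
    {"displayName": "Break-glass: phishing-resistant MFA", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["bg-user-1", "bg-user-2"], "excludeUsers": []}},
     "grantControls": {"authenticationStrength": {"id": PHISHING_RESISTANT_STRENGTH_ID}}},
    {"displayName": "Old pilot policy", "state": "disabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []}},
     "grantControls": {"builtInControls": ["mfa"]}},
]

def in_scope(policy, user_id):
    """True if the policy's user condition applies to user_id."""
    users = (policy.get("conditions") or {}).get("users") or {}
    included, excluded = users.get("includeUsers", []), users.get("excludeUsers", [])
    return ("All" in included or user_id in included) and user_id not in excluded

def is_phishing_resistant_policy(policy):
    strength = (policy.get("grantControls") or {}).get("authenticationStrength") or {}
    return strength.get("id") == PHISHING_RESISTANT_STRENGTH_ID

def audit_break_glass(policies, break_glass_ids):
    """Return (account, policy name, problem) findings: an enabled policy other
    than the phishing-resistant MFA one still scoping a break-glass account, or
    no enabled phishing-resistant MFA policy covering that account at all."""
    findings = []
    for user_id in sorted(break_glass_ids):
        covered = False
        for policy in policies:
            if policy.get("state") != "enabled":
                continue  # disabled and report-only policies cannot lock anyone out
            if is_phishing_resistant_policy(policy):
                covered = covered or in_scope(policy, user_id)
            elif in_scope(policy, user_id):
                findings.append((user_id, policy["displayName"], "not excluded"))
        if not covered:
            findings.append((user_id, None, "no phishing-resistant MFA policy"))
    return findings
```

Calling `audit_break_glass(SAMPLE_POLICIES, BREAK_GLASS_IDS)` on the sample flags the second account, which the "Require compliant device" policy forgot to exclude; on a real tenant, feed it the policies list pulled from Graph.
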

Runbook

Print a one-page card: "If you are reading this, PIM is unavailable. Go to the safe. Retrieve envelope. Sign in. Fix the thing. Rotate credentials. File incident ticket." Laminate it. Keep one copy with each Break-Glass credential.