What PIM Does and Why Licensing Gets Complicated
Privileged Identity Management (PIM) is one of the most operationally impactful identity controls available in the Microsoft security stack. It eliminates standing privileged access — the condition where administrators hold Global Admin, Privileged Role Administrator, or other high-privilege roles continuously, 24 hours a day. Instead, PIM provides just-in-time (JIT) access: administrators request elevation, receive time-limited approval, complete their task, and return to standard user status.
The security rationale is compelling. The majority of identity-based attacks — including the most damaging supply chain and ransomware incidents — exploit standing privileged accounts. An attacker who compromises a Global Admin with persistent standing access has unlimited time to act. An attacker who compromises a PIM-managed account gets nothing useful unless they can also trigger the JIT approval workflow.
Where the licensing complicates matters: PIM requires Entra ID P2 (formerly Azure AD Premium P2) or the newer Entra ID Governance licence. It is not available in Entra P1, and it is not included in M365 E3. For organisations on E3 who want PIM, there is a licensing gap that requires a deliberate decision.
This guide covers PIM capabilities, the licensing requirements in full, how to scope who actually needs the licence, and how to negotiate PIM-inclusive pricing into your EA without being pushed towards a full tenant-wide E5 upgrade.
Key stat: 78% of investigated identity breaches in enterprise environments involve compromised accounts with standing privileged access. PIM eliminates standing privilege — but organisations routinely defer it due to perceived licensing cost. The actual cost for a 50-admin PIM deployment is approximately £2,100–3,500 per year. The risk it mitigates is orders of magnitude larger.
PIM Capabilities: What You Get
PIM in Microsoft Entra provides the following capabilities across Entra ID roles, Azure resource roles, and (with Governance licence) group-based privileged access:
| PIM Capability | Description | Required Licence |
|---|---|---|
| JIT activation for Entra ID roles | Eligible assignment for Global Admin, Privileged Role Admin, and all Entra built-in roles. Time-limited activation (1–8 hours configurable). | Entra P2 |
| JIT activation for Azure resource roles | Eligible assignment for Subscription Owner, Contributor, Resource Group-level roles in Azure. Requires Azure RBAC. | Entra P2 |
| Approval workflows | Require one or more designated approvers before privilege elevation is granted. Supports email notification and Teams integration. | Entra P2 |
| MFA on activation | Require MFA challenge at time of PIM activation, regardless of existing session state. Critical for break-glass scenario prevention. | Entra P2 |
| Activation reason and justification | Require administrators to provide a business justification at time of activation. Logged to Entra audit log. | Entra P2 |
| Access reviews for privileged roles | Periodic reviews (weekly/monthly/quarterly) of who holds eligible or active privileged assignments. Requires designated reviewers. | Entra P2 |
| Activation notifications and alerts | Real-time alerts when privileged roles are activated, new eligible assignments created, or policy changes detected. | Entra P2 |
| PIM for Groups | Extend JIT access to any Entra security group — enables JIT access to resources governed by group membership (not just Entra roles). | Entra ID Governance |
| Lifecycle Workflows integration | Automate JIT provisioning as part of joiner/mover/leaver workflows. | Entra ID Governance |
| Role assignment history and audit export | Full audit trail of all PIM activations, approvals, denials, and assignment changes. Exportable to Log Analytics / Sentinel. | Entra P2 (history); Sentinel for retention |
Licensing Requirements: P1 vs P2 vs Governance
The three Entra licence tiers have a structured relationship that is frequently misrepresented in Microsoft sales conversations:
| Licence | PIM Available? | Approximate EA Price | Included In |
|---|---|---|---|
| Entra ID Free | No | Free | All M365 plans (basic Entra features only) |
| Entra ID P1 | No | ~£5.10/user/month | M365 E3, M365 Business Premium, EMS E3 |
| Entra ID P2 | Yes (all core PIM capabilities) | ~£7.70/user/month | M365 E5, EMS E5, E5 Security add-on |
| Entra ID Governance | Yes (P2 features + PIM for Groups + Lifecycle Workflows) | ~£7.00–7.50/user/month (add-on over P1) | Standalone add-on; not included in any M365 bundle |
The critical point: Entra P1 does not include PIM. Organisations on M365 E3 have Entra P1 included — which provides Conditional Access, hybrid identity, dynamic groups, and SSPR — but does not provide PIM. To use PIM on E3, you must either purchase Entra P2 (or Entra ID Governance) as an add-on for the users who need it, or upgrade to M365 E5.
Who Needs to Be Licensed for PIM?
This is the most commercially important question in PIM licensing. Microsoft's licensing requirement is that every user who benefits from PIM must hold an Entra P2 or Governance licence. The definition of "benefit" includes:
Users who hold eligible role assignments (the privileged admins), users who serve as approvers in PIM activation workflows, and users who are reviewed in PIM access reviews.
It explicitly does not require the entire tenant to be licensed. A 5,000-user organisation with 40 IT administrators who use PIM, 10 approvers, and quarterly access reviews covering those 50 people needs approximately 50–60 Entra P2 licences — not 5,000.
Commercial principle: PIM licensing scales to the size of your privileged population, not your total workforce. For most enterprises, this is 1–3% of total users. The common Microsoft account team framing of "PIM requires E5 for all users" is commercially inaccurate.
Entra P2 vs Entra ID Governance: The PIM Decision
Both Entra P2 and Entra ID Governance provide core PIM capabilities. The decision between them turns on whether you need PIM for Groups and Lifecycle Workflows.
Choose Entra P2 when:
You need JIT access for Entra ID roles (Global Admin, etc.) and Azure resource roles. Your approval workflows and access reviews are straightforward. You do not need to extend JIT to arbitrary group membership beyond Entra roles. Entra P2 is the right choice for the majority of PIM deployments — particularly where the primary use case is locking down Global Admin and other Entra built-in roles.
Choose Entra ID Governance when:
You need PIM for Groups — the ability to make group membership itself a just-in-time assignment. This is valuable when privileged access is controlled through group membership rather than direct role assignment (common in organisations that use groups to govern SharePoint permissions, Exchange send-as rights, or Azure resource access). Governance also includes full Lifecycle Workflows for automated JML (joiners/movers/leavers) processing, which may be a separate driver for the purchase. Entra ID Governance at approximately £7/user/month represents better value than P2 at £7.70/user/month if you will use the Lifecycle Workflows component, since the combined functionality is broader at a slightly lower per-unit cost in EA pricing.
PIM and the E5 Bundle Calculation
Microsoft's account teams frequently use PIM as a driver for E5 or E5 Security proposals. The argument is that "PIM is better with the full security stack." This is partially true — PIM integrated with Entra ID Protection (P2), Defender for Identity, and Sentinel provides a more complete privileged access management picture. But the commercial argument requires scrutiny.
The E5 Security add-on costs approximately £10/user/month over E3 and provides Entra P2 alongside MDE P2, MDO P2, MDI, and MDCA. For the specific use case of PIM-for-privileged-admins, purchasing Entra P2 at £7.70/user/month for 50 admin users costs approximately £4,600/year. Purchasing E5 Security for those same 50 users costs approximately £6,000/year — a modest premium that brings the full XDR stack for those users.
Where the commercial analysis breaks down is when the proposal becomes "buy E5 Security for 2,000 users because 50 need PIM." That costs £240,000/year for XDR capabilities deployed to 1,950 users who do not need PIM. The correct answer for this scenario is scoped Entra P2 or Governance for the privileged population, not a tenant-wide E5 upgrade.
| Scenario | Appropriate Licence Choice | Annual Cost (50 admin users) |
|---|---|---|
| PIM for Entra roles only, E3 tenant | Entra P2 add-on for 50 admin users | ~£4,620/year |
| PIM + PIM for Groups + Lifecycle Workflows | Entra ID Governance for 50 admin users | ~£4,200/year |
| PIM + full XDR stack for IT team | E5 Security add-on for 50 admin users | ~£6,000/year |
| E5 Security for entire 2,000-user tenant to enable PIM | Commercial overkill for PIM use case | ~£240,000/year |
Identifying Your PIM Scope
Before purchasing any licence, run the Entra privileged access audit. In the Microsoft Entra admin centre, navigate to Roles and administrators to enumerate all current role assignments. The roles that should be managed through PIM in every enterprise organisation are as follows.
Entra ID roles requiring PIM: Global Administrator, Privileged Role Administrator, Privileged Authentication Administrator, User Administrator, Exchange Administrator, SharePoint Administrator, Teams Administrator, Conditional Access Administrator, Security Administrator, and any custom roles with write access to sensitive configurations.
Azure resource roles requiring PIM: Subscription Owner, Contributor at subscription level, User Access Administrator, and any custom roles with write access to production workloads.
A typical 2,000-user enterprise has between 20 and 60 individuals who should be managed through PIM. Often, the initial audit reveals significantly more standing privileged assignments than IT leadership expected — a common finding is 2–4x the anticipated count, due to project assignments, emergency access accounts, and historic role grants that were never revoked.
Break-glass accounts: PIM does not prevent the use of break-glass emergency access accounts, which should exist outside PIM with standing Global Admin access, with their credentials stored securely offline, and monitored by alerting. Licensing break-glass accounts under Entra P2 ensures their activity is visible in PIM audit logs. Do not attempt to manage break-glass accounts through PIM itself — this creates a circular dependency during emergency scenarios.
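As an added example (not the article's own code), the scoping rule from "Who Needs to Be Licensed for PIM?" and the audit described above, worked in Python over a constructed sample tenant: it flags standing assignments in PIM-managed roles (ignoring documented break-glass accounts), builds the deduplicated licence population of role holders, approvers, reviewers and break-glass accounts, and prices it at the article's EA figures. Principal names and the assignment records are constructed; exporting real assignments from the Entra admin centre or Graph is assumed to happen separately.

```python
"""Entra P2 licence-scoping audit for PIM: flag standing privileged assignments
and count who must be licensed. All records below are constructed sample data."""

# Roles the article says should always be PIM-managed (Entra ID roles plus
# Azure resource roles); add any custom write-capable roles for your tenant.
PIM_MANAGED_ROLES = {
    "Global Administrator", "Privileged Role Administrator",
    "Privileged Authentication Administrator", "User Administrator",
    "Exchange Administrator", "SharePoint Administrator", "Teams Administrator",
    "Conditional Access Administrator", "Security Administrator",
    "Subscription Owner", "Subscription Contributor", "User Access Administrator",
}
# Approximate per-user monthly EA prices (GBP) quoted in the article.
MONTHLY_PRICE = {"Entra P2": 7.70, "Entra ID Governance": 7.00, "E5 Security": 10.00}


def audit(assignments, approvers, reviewers, break_glass):
    """assignments: iterable of (principal, role, standing); standing=True is a
    permanent active assignment, False is a PIM-eligible assignment.

    Returns (findings, licence_population). findings: standing assignments in
    PIM-managed roles that are not documented break-glass accounts, i.e. the
    privilege that should be converted to eligible. licence_population: everyone
    who benefits from PIM once that is done: holders of PIM-managed roles,
    approvers, reviewed users, and break-glass accounts (licensed for audit).
    """
    findings = sorted(
        (who, role) for who, role, standing in assignments
        if standing and role in PIM_MANAGED_ROLES and who not in break_glass
    )
    population = {who for who, role, _ in assignments if role in PIM_MANAGED_ROLES}
    return findings, population | set(approvers) | set(reviewers) | set(break_glass)


def annual_cost(seats, sku):
    """Annual cost in GBP for `seats` users on `sku` at the article's EA prices."""
    return round(seats * MONTHLY_PRICE[sku] * 12, 2)


# Constructed sample tenant: two standing privileged grants that were never revoked.
SAMPLE = [
    ("alice", "Global Administrator", True),
    ("alice", "Exchange Administrator", False),
    ("bob", "Global Reader", True),                 # read-only role, out of PIM scope
    ("dave", "Privileged Role Administrator", False),
    ("erin", "Subscription Owner", True),
    ("bg-emergency-1", "Global Administrator", True),  # documented break-glass account
]

if __name__ == "__main__":
    found, pop = audit(SAMPLE, approvers=["frank", "alice"], reviewers=["grace"],
                       break_glass={"bg-emergency-1"})
    print("standing privileged findings:", found)
    print(f"{len(pop)} users need Entra P2, ~£{annual_cost(len(pop), 'Entra P2')}/year")
```

Run against the sample, the audit reports alice's standing Global Admin and erin's standing Subscription Owner as findings, and a six-seat licence population even though nine names appear across the inputs, because approvers and reviewers who already hold roles are not double-counted.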
PIM for Azure Resources: The DevOps Intersection
PIM for Azure resource roles (Subscription Owner, Contributor, etc.) is frequently the more impactful deployment in cloud-first organisations. Developer and DevOps teams routinely hold standing Contributor or Owner access to production subscriptions — often because the access was granted for an incident or deployment and never revoked.
From a licensing perspective, developers who hold eligible (not standing) Azure resource assignments via PIM need Entra P2. If your developer population is already on M365 E3 (Entra P1), and they require PIM-managed Azure access, you need Entra P2 add-ons for those developers — or you can include them in a scoped E5 Security upgrade if the economics make sense at that volume.
The practical scope for a DevOps team: typically 15–30 individuals who need JIT access to production subscriptions. Entra P2 for this population at £7.70/user/month is approximately £1,400–2,800/year — a modest cost for a significant security control over production infrastructure.
Conditional Access and PIM: The Integration Point
PIM and Conditional Access (CA) work together, and understanding the interaction prevents both gaps and over-purchasing. Conditional Access (available in Entra P1, included in E3) can enforce MFA and compliant device requirements for all access, including access to privileged roles. PIM adds the JIT layer on top: even if someone passes CA controls, they still cannot use elevated permissions until they explicitly activate through PIM.
The common configuration error is assuming that MFA via Conditional Access provides equivalent protection to PIM. It does not. CA controls access to the application — PIM controls access to the privilege. An administrator who passes CA and receives a token for the Entra admin portal still has standing Global Admin if PIM is not in place. PIM removes the privilege itself, not just the authentication barrier.
EA Negotiation Strategy for PIM Licensing
1. Run the Privileged Access Audit First
Before any conversation with your Microsoft account team about PIM licensing, complete the Entra role assignment audit. Know your exact privileged user count — both for Entra ID roles and Azure resource roles. This gives you the commercial anchor: "We need PIM for 47 users, not 2,000." It is significantly harder for Microsoft to propose a tenant-wide E5 upgrade when you can demonstrate a precise, documented privileged user count.
2. Scoped Entra P2 vs E5 Security: Know the Crossover
For the privileged population, the crossover between "Entra P2 add-on" and "E5 Security for these users" depends on whether those same users benefit from the full XDR stack (MDE P2, MDO P2, MDI). For IT security team members who are both privileged administrators and SOC analysts, E5 Security may genuinely deliver better value. For application administrators who do not operate in the security function, scoped Entra P2 is the right choice.
3. Use PIM Deployment as a Negotiating Signal
Committing to PIM deployment — even at scoped Entra P2 level — signals security maturity to Microsoft. Security-mature customers are lower audit risk and higher-value renewal targets. Use this signal as part of a broader negotiation: "We are deploying PIM, implementing Conditional Access for all admin roles, and extending our governance programme — and we expect that commitment to be reflected in our renewal pricing." This framing is more effective than a pure price negotiation.
4. Include PIM Licences in the EA, Not as Add-ons
Scoped Entra P2 or Governance licences purchased as EA line items attract better pricing than standalone add-on purchases made outside a renewal. If your EA renewal is approaching, include the privileged user count as an explicit line item with a negotiated price rather than deferring to a mid-term add-on purchase. EA discount on Entra P2 at meaningful volume (50+ seats) can be 15–25% below standard list pricing.
Common PIM Licensing Mistakes
1. Purchasing E5 tenant-wide to enable PIM for 30 admins. The most expensive PIM mistake. Scoped Entra P2 for the privileged population is 95%+ cheaper and provides identical PIM functionality.
2. Confusing Entra P1 (included in E3) with PIM capability. E3 includes Entra P1, which does not include PIM. If you are on E3 and believe you have PIM available, verify in the Entra admin centre. Conditional Access is P1; PIM is P2.
3. Not including PIM reviewers in the licensed population. Access reviewers in PIM workflows must hold Entra P2 licences. If you license only the privileged users and forget the reviewers, Microsoft can flag this as a compliance gap at true-up. Scope your licence count to include both eligible-assignment holders and designated approvers/reviewers.
4. Deferring PIM because of perceived complexity. PIM activation for a handful of Entra admin roles can be configured in a day by an experienced identity engineer. The risk-to-effort ratio is extreme. Defer the complexity of PIM for Groups and Lifecycle Workflows; deploy core JIT access for Global Admin and Privileged Role Administrator immediately.
5. Not auditing break-glass account coverage. Every organisation using PIM needs correctly configured break-glass accounts that exist outside PIM. Ensure these accounts are documented, access-tested quarterly, and monitored via Entra alerts.
Frequently Asked Questions
Is PIM included in Microsoft 365 E3?
No. M365 E3 includes Entra ID P1, which does not include PIM. PIM requires Entra ID P2 or Entra ID Governance. To use PIM on an E3 tenant, you must purchase scoped Entra P2 or Governance add-on licences for the users who need it, or upgrade those users to M365 E5.
How many users need to be licensed for PIM?
All users who benefit from PIM must be licensed — this includes privileged users with eligible assignments, designated approvers, and users included in access reviews. It does not include the general user population who are not involved in privileged access workflows. For most enterprises this is 1–3% of total users.
What is the difference between Entra P2 and Entra ID Governance for PIM?
Both provide core PIM capabilities (JIT for Entra roles, Azure resource roles, approval workflows, access reviews). Entra ID Governance additionally provides PIM for Groups and Lifecycle Workflows (automated JML processes). If your use case is PIM-only without group JIT, Entra P2 is the correct choice. If you need group JIT and/or Lifecycle Workflows, Governance delivers more capability at a comparable or slightly lower per-user EA price.
Can I use PIM and Conditional Access together?
Yes — they are complementary controls. Conditional Access (P1, included in E3) controls authentication and device compliance for accessing applications. PIM (P2) controls the privilege level once authenticated. Both should be in place for privileged accounts. Conditional Access alone does not prevent standing privileged access — it only controls the authentication barrier to the admin portal.