Automating Project Access with Microsoft PIM: A Real-World Example


As a Security Engineer who has rolled out Microsoft Entra Privileged Identity Management (PIM) across various projects, including Zero Trust initiatives and privileged admin workflows, I’m constantly seeking ways to reduce manual access tasks and tighten control, especially when it comes to time-sensitive deployments, such as Mobile Application Management (MAM).

Recently, I was tasked with onboarding nearly 1000 users to a MAM project.

Doing this manually? Not an option.

I’ve done the 6 am scramble of adding users, manually or with a script, to security groups just in time for rollout, hoping no one got missed, and praying no one activated early by accident. That’s fine once or twice, or for a small number of users, but it doesn’t scale. And more importantly, it introduces risk.

Instead, I leveraged Microsoft PIM’s automation capabilities to enrol users into the access group at the right time, based on pre-defined security groups. We scheduled activation windows, assigned just-in-time access with approval as needed, and even configured email notifications to inform users that they’d been onboarded.

No guesswork, no surprises, meaning I can have my morning cuppa in peace and start to worry about how many won’t read the documentation before raising issue tickets.

This blog post breaks down how I achieved that, why it matters, and how you can apply the same principles to any high-impact project, whether it’s onboarding for MAM, staging access for an application release, or gradually rolling out access to a new SaaS tool.

Let’s dive in because security shouldn’t come at the cost of sleep, and projects shouldn’t depend on someone manually clicking “Add to Group” before their first cup of caffeine.

Automating Role-Based Onboarding with Microsoft PIM: How to Seamlessly Roll Out MAM to Over 900 Users

When you’re tasked with onboarding hundreds of users to a project like Mobile Application Management (MAM) across various departments, such as Sales, Marketing, and Finance, timing and control are crucial.

As a Security Engineer who has lived through the chaos of “just-in-time” manual access changes (read: scrambling at 6 am on rollout day), I knew we needed a more innovative way to manage this.

Enter Microsoft Entra Privileged Identity Management (PIM), and specifically PIM for Groups: not just for Global Admins, but for enabling secure, scalable access based on group membership, scheduled activations, and even end-user notifications. In this post, I’ll guide you through the process of rolling out MAM using scheduled Active assignments via PIM (with Eligible assignments as the option for more sensitive groups), with minimal stress and maximum control.

The Objective

  • A phased enrollment of all users into Mobile Application Management over 4 weeks
  • Assign users from specific business units (Sales, Marketing, Finance, etc.) in each phase or wave
  • Use existing security groups to control access
  • Automate timing so that groups are onboarded according to rollout phases
  • Use Active assignments for all users so that they are enrolled in the MAM policies with no activation step required of them
  • Communicate clearly to users when and why they were onboarded

Why Manual Doesn’t Scale

When you’re rolling out a project like Mobile Application Management (MAM) across hundreds (in our case, 800+) of users, the last thing you want is a bottleneck caused by manual group assignments. I’ve worked in environments where adding users to the right groups had to happen before the 9:00 a.m. release window, and someone had to get up at 6:00 a.m. to do it.

Even with perfect planning, manual access assignments are:

  • Error-prone
  • Hard to audit: the audit log records who changed the group, but not the plan, approval or justification behind the change
  • Time-consuming
  • And, worst of all, easy to forget under pressure

That’s where Microsoft Privileged Identity Management (PIM) becomes a game-changer in operational terms.

Our Structure

We began by creating department-specific Entra security groups:

  • NICG-MAMOnboarding-Sales
  • NICG-MAMOnboarding-Marketing
  • NICG-MAMOnboarding-Finance
  • NICG-MAMOnboarding-Engineering

Each department group was then assigned as a member of the parent group, NICG-MAMOnboarding, as an Active assignment with a future start date. The assignment sits queued in PIM until that date and then takes effect on its own. This allowed us to:

  • Pre-load access weeks in advance
  • Set activation dates based on the rollout plan (e.g. Sales: Week 1, Marketing: Week 2, etc.)
  • Avoid manual changes during business-critical windows
  • Maintain auditability across every step, since each assignment carries its requester, start time and justification

This is possible because PIM for Groups lets you assign a group (rather than just a user) as a member of a PIM-enabled group, and lets you schedule when that membership becomes active. Two things to check before relying on it: the feature requires Microsoft Entra ID P2 (or Microsoft Entra ID Governance) licensing, and the parent group’s PIM settings decide whether permanent active assignments are allowed and who is notified when one is created.

Using PIM Eligible Assignments for Privileged Roles or Groups

In this case I just wanted to add the users to the policy, so a scheduled Active assignment was enough. If we had wanted more restriction or control over who has access, say for a group that grants access to production resources, we could have made each assignment Eligible rather than Active.

An Eligible assignment is the right choice when you want these users to:

  • Require approval before activating elevated permissions
  • Justify their need to access admin features
  • Time-bound their access (e.g. 1 hour for troubleshooting)
  • Log all activations for compliance and forensics

This follows the Just-in-Time access model, ensuring admin privileges are only available when needed and under strict controls. Note that an eligible member has no access until they activate, so Eligible is the wrong choice for a rollout like this one, where the whole point is that nobody has to do anything on the day.

User Notifications and Support

One of the most underrated features of PIM is the built-in email notification system.

I used this to:

  • Inform users when their group was activated and they were onboarded to the project
  • Provide links to internal guides and FAQs
  • Reinforce the purpose and boundaries of the access they received
  • Support users with activation instructions and escalation paths

This reduced the number of helpdesk tickets, ensured smoother adoption, and made the rollout feel intentional and professional.

Using PIM to Onboard Users To A Project: Step-by-Step Guide

1. In the Microsoft Entra admin center, click on All groups.

2. Click on the main group being used to add the users to the project, NICG-MAMOnboarding.

3. Click on Privileged Identity Management.

4. Click on Enable PIM for this group (if not already done).

5. Click on Add assignments.

6. Under Role, select Member.

7. Click on No member selected.

8. Click on Groups.

9. Select your first department group to add to the onboarding.

10. Click on Select.

11. Click on Next >.

12. Under Assignment type, click on Active.

13. Click on Select Date and time. This is the start of the assignment, i.e. when the department group becomes a member of the main group.

14. Add a reason for audit purposes. If you have not adjusted the group’s notification settings, this justification is included in the e-mail sent to all of the users in the group, so choose your words carefully.

15. Click on Assign, then repeat steps 5 to 14 for your other groups.

16. Click on Eligible assignments.

17. You’ll see that there are no current Active assignments, but a blue banner has appeared above the list.

18. Click on There are 5 pending requests.

19. Click on Pending requests to review the scheduled assignments before their start dates.
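The portal steps above, the scheduled nested-group structure described under “Our Structure”, and the Eligible alternative from the previous section can all be driven from the Microsoft Graph PowerShell SDK, which is handy when you have four waves today and a different set of groups next month. The script below is an added example, not the original post’s own tooling: it uses the group names from the post, constructs the wave dates purely for illustration, assumes the Microsoft.Graph.Groups and Microsoft.Graph.Identity.Governance modules are installed, that the signed-in admin can manage NICG-MAMOnboarding, and that the tenant has the Entra ID P2 licensing PIM for Groups needs. The helper names (Get-GroupIdByName, New-ScheduledMembership) are mine, not Microsoft’s.

```powershell
# Added example (not the post's own script): schedule PIM for Groups assignments so each
# department group becomes an Active member of the parent onboarding group at its wave.
# Assumes Microsoft.Graph.Groups + Microsoft.Graph.Identity.Governance are installed and
# the tenant is licensed for PIM for Groups (Microsoft Entra ID P2 / Governance).
Import-Module Microsoft.Graph.Groups
Import-Module Microsoft.Graph.Identity.Governance

Connect-MgGraph -Scopes 'Group.Read.All',
    'PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup',
    'PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup'

function Get-GroupIdByName {
    # Resolve a display name to exactly one object id; fail loudly on 0 or >1 matches
    # so a typo in a group name never silently schedules the wrong group.
    param([Parameter(Mandatory)][string]$DisplayName)
    $g = @(Get-MgGroup -Filter "displayName eq '$DisplayName'" -Property Id,DisplayName)
    if ($g.Count -ne 1) {
        throw "Expected exactly one group named '$DisplayName', found $($g.Count)"
    }
    return $g[0].Id
}

function New-ScheduledMembership {
    # Create one PIM for Groups schedule request: the member group joins the parent
    # group at $StartUtc. -Eligible switches to a JIT (activate-on-demand) assignment.
    param(
        [Parameter(Mandatory)][string]$ParentGroupId,
        [Parameter(Mandatory)][string]$MemberGroupId,
        [Parameter(Mandatory)][datetime]$StartUtc,
        [Parameter(Mandatory)][string]$Justification,
        [switch]$Eligible,
        [int]$EligibleDays = 30      # lifetime of the eligibility window when -Eligible is used
    )
    $schedule = @{ startDateTime = $StartUtc.ToUniversalTime().ToString('o') }
    if ($Eligible) {
        $schedule.expiration = @{
            type        = 'afterDateTime'
            endDateTime = $StartUtc.ToUniversalTime().AddDays($EligibleDays).ToString('o')
        }
    } else {
        # Permanent active membership for the rollout. If the group's PIM settings forbid
        # permanent active assignments, use type = 'afterDuration' with e.g. duration = 'P180D'.
        $schedule.expiration = @{ type = 'noExpiration' }
    }
    $body = @{
        accessId      = 'member'        # 'owner' would schedule group ownership instead
        principalId   = $MemberGroupId  # the department group being nested
        groupId       = $ParentGroupId  # the PIM-enabled parent group
        action        = 'adminAssign'
        scheduleInfo  = $schedule
        justification = $Justification  # lands in the audit log and, by default, in the notification e-mail
    }
    if ($Eligible) {
        return New-MgIdentityGovernancePrivilegedAccessGroupEligibilityScheduleRequest -BodyParameter $body
    }
    return New-MgIdentityGovernancePrivilegedAccessGroupAssignmentScheduleRequest -BodyParameter $body
}

$parentId = Get-GroupIdByName 'NICG-MAMOnboarding'

# Rollout plan. Constructed for the example: one department per week, each wave
# starting on a Monday at 06:00 UTC so it is live well before the 09:00 release window.
$wave1 = [datetime]::new(2025, 3, 3, 6, 0, 0, [DateTimeKind]::Utc)
$plan = @(
    @{ Group = 'NICG-MAMOnboarding-Sales';       Start = $wave1 }
    @{ Group = 'NICG-MAMOnboarding-Marketing';   Start = $wave1.AddDays(7) }
    @{ Group = 'NICG-MAMOnboarding-Finance';     Start = $wave1.AddDays(14) }
    @{ Group = 'NICG-MAMOnboarding-Engineering'; Start = $wave1.AddDays(21) }
)

foreach ($wave in $plan) {
    $memberId = Get-GroupIdByName $wave.Group
    $req = New-ScheduledMembership -ParentGroupId $parentId -MemberGroupId $memberId `
        -StartUtc $wave.Start `
        -Justification "MAM rollout: $($wave.Group) onboarded in the wave starting $($wave.Start.ToString('yyyy-MM-dd'))"
    '{0,-35} {1:u}  status={2}' -f $wave.Group, $wave.Start, $req.Status
}

# Verify what PIM has queued. Future-dated assignments sit as pending requests until
# their start time; this is the same list the portal shows behind the blue banner.
Get-MgIdentityGovernancePrivilegedAccessGroupAssignmentScheduleRequest -Filter "groupId eq '$parentId'" |
    Select-Object PrincipalId, Action, Status, @{ n = 'Start'; e = { $_.ScheduleInfo.StartDateTime } }
```

Two design points worth noting. The name lookup throws on anything other than a single match, because a duplicated or mistyped group name (the post’s own list shows how easily one slips in) should stop the run rather than quietly schedule the wrong principal. And the justification string is written knowing it may be mailed to every user in the group, which is exactly the caveat from step 14; keep it short and user-facing, or change the group’s notification settings first.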

Results

  • Just under 1000 users onboarded in a phased, controlled manner
  • Zero manual updates needed during rollout days.
  • Allowed for exceptions to be called out early.
  • Freed up time to respond to any issues that arose, such as apps not being included or user issues (not reading the docs!)
  • Repeatable pattern now used across other rollouts like ZTNA and Teams Voice
  • Security, operations, and compliance teams all signed off on the approach

Key Takeaways

  • Use Active assignments in PIM with future start dates to automate phased group rollouts.
  • Use Eligible assignments for any group that requires elevation or has access to privileged systems.
  • Structure your groups carefully: ensure that your nesting aligns with access control objectives (e.g., don’t nest privileged groups without controls).
  • Leverage PIM notifications as part of your onboarding communications; they are built into PIM and add value.
  • PIM isn’t just for admins — it’s a powerful tool for managing extensive user onboarding securely.

Final Word

If you’re relying on spreadsheets, Outlook calendar reminders, or, worst of all, “Colin will remember to do it,” then it’s time to let PIM handle it.

Microsoft PIM enabled us to automate group onboarding, control privileged access, and deliver a better user experience — all while keeping compliance and audit teams satisfied. Whether it’s MAM, ZTNA, or any project with staged access, PIM turns chaos into a process.
