Azure Role Settings Explained: Activation, Assignment, Notifications
When you're using Microsoft Entra Privileged Identity Management (PIM), role settings are the per-role policy that enforces just-in-time access, approval workflows, and the alerts that keep your environment secure. They are configured once per role (and per scope for Azure resource roles) and apply to every assignment of that role, so getting them right matters more than any single assignment. Here's a breakdown of the most important settings.
Assignment type
- Eligible: User holds no privilege until they activate the role, and only for a bounded time. Ideal for just-in-time access.
- Active: User holds the role for the whole assignment period with no activation step. Active assignments can still be time-bound; a permanent active assignment is standing privilege, so use it sparingly (break-glass accounts, or workloads that cannot perform an activation).
- Assignment expiration: The same Assignment tab controls whether permanent eligible or permanent active assignments are allowed at all, how long time-bound ones may last, and whether an administrator must pass MFA or supply a justification when making an active assignment.
Activation settings
- Activation maximum duration: Caps how long a single activation lasts, from 30 minutes up to 24 hours (e.g., 1 hour, 8 hours). The user can activate again once it expires, so this limits the window of each activation, not the total time a user can hold the role.
- Require MFA: The "On activation, require" setting can demand Microsoft Entra multifactor authentication or, more precisely, a Conditional Access authentication context. A plain MFA requirement is already satisfied if the user completed MFA earlier in the session; an authentication context lets your Conditional Access policy demand, for example, phishing-resistant MFA or a compliant device at the moment of activation.
- Require justification: User must explain why they're activating the role; the text is stored with the activation in the PIM audit log.
- Require ticket number: Tie activation to a support ticket or change request. PIM records the value but does not validate it against any ticketing system, so treat it as an audit field you can correlate later, not as a control.
- Require approval: Route the request to one or more approvers (users or groups) before activation is granted. If approval is required but no approvers are named, Privileged Role Administrators and Global Administrators can approve Entra role requests by default, which is rarely what you want for the roles they themselves hold.
Notification settings
- Notifications are defined per event (eligible assignment, active assignment, activation) and per recipient (Admin, Requestor, Approver). Each recipient can be limited to critical emails only and given additional addresses.
- Notify on assignment: Email when a member is made eligible for, or actively assigned to, the role. The affected user (Requestor) and the admin alert recipients each get a message.
- Notify on activation: Alert when an eligible member activates the role.
- Notify approvers: Send the approval request to the designated approvers when an activation needs approval.
- Admin alerts: The Admin recipient for each event defaults to the tenant's privileged administrators (Global, Privileged Role, and Security Administrators). Add a monitored security-operations mailbox there so role activity reaches the people who watch it, and do not disable the default recipients without replacing them.
Why these settings matter
- Reduce standing privileges to limit attack surface.
- Force accountability through ticketing and justification.
- Audit and alert on sensitive role usage.
- Align access with compliance policies.
Best practices
- Use Eligible + Require Approval for high-privilege roles such as Global Administrator and Privileged Role Administrator, and name a specific approver group.
- Set short activation durations (1–4h) for critical access, and disallow permanent active assignments so nothing bypasses activation.
- Notify stakeholders to create a strong audit trail, routing admin alerts to a monitored mailbox rather than to individuals.
- Use Access Reviews to regularly revalidate eligibility, so the eligible population shrinks as people change roles.
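As an added example (not Microsoft's code and not from the original page), the Python below lints a role's policy against the activation, notification and best-practice settings above, and returns hardened rule bodies beside a weak sample policy. The rule list is constructed to look like a Graph `GET /policies/roleManagementPolicies/{policyId}/rules` response; the rule ids and field names follow the unifiedRoleManagementPolicyRule schema as I know it, the 4-hour threshold is this article's guidance, and `secops@example.com` and the approver group id are placeholders.

```python
"""Lint a Microsoft Entra PIM role-management policy against the settings above.

Added example, not Microsoft's code. Runs offline over a constructed rule list
shaped like GET /policies/roleManagementPolicies/{policyId}/rules (field names
assumed from the unifiedRoleManagementPolicyRule schema); thresholds are the
article's own.
"""
import re

MAX_ACTIVATION_HOURS = 4  # the article's "1-4h" guidance for critical roles
REQUIRED_ON_ACTIVATION = {"MultiFactorAuthentication", "Justification", "Ticketing"}
NOTIFICATION_RULE = "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule"


def iso_duration_hours(value):
    """Convert an ISO 8601 duration such as PT8H, PT30M or P180D to hours."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?)?", value or "")
    if not m:
        raise ValueError(f"unsupported duration: {value!r}")
    days, hours, minutes = (int(x) if x else 0 for x in m.groups())
    return days * 24 + hours + minutes / 60


def lint_policy(rules, high_privilege=True):
    """Return (rule id, finding) pairs for every setting weaker than recommended."""
    by_id = {r["id"]: r for r in rules}
    findings = []

    # Activation maximum duration: the Expiration rule targeting EndUser/Assignment.
    hours = iso_duration_hours(by_id["Expiration_EndUser_Assignment"]["maximumDuration"])
    if hours > MAX_ACTIVATION_HOURS:
        findings.append(("Expiration_EndUser_Assignment",
                         f"activation lasts up to {hours:g}h; cap it at {MAX_ACTIVATION_HOURS}h"))

    # MFA, justification and ticket number all live in one Enablement rule.
    enabled = set(by_id["Enablement_EndUser_Assignment"].get("enabledRules", []))
    for name in sorted(REQUIRED_ON_ACTIVATION - enabled):
        findings.append(("Enablement_EndUser_Assignment", f"{name} not required on activation"))

    # Approval: required for high-privilege roles, and with approvers actually named.
    setting = by_id["Approval_EndUser_Assignment"]["setting"]
    if setting.get("isApprovalRequired"):
        if not any(s.get("primaryApprovers") for s in setting.get("approvalStages", [])):
            findings.append(("Approval_EndUser_Assignment",
                             "approval required but no approvers named; Privileged Role "
                             "Administrators become the default approvers"))
    elif high_privilege:
        findings.append(("Approval_EndUser_Assignment", "activation needs no approval"))

    # Standing privilege: permanent active assignments bypass activation entirely.
    if not by_id["Expiration_Admin_Assignment"].get("isExpirationRequired"):
        findings.append(("Expiration_Admin_Assignment", "permanent active assignments allowed"))

    # Every email notification should still reach somebody.
    for rule in rules:
        if rule.get("@odata.type") == NOTIFICATION_RULE and not (
                rule.get("isDefaultRecipientsEnabled") or rule.get("notificationRecipients")):
            findings.append((rule["id"], "no recipients configured"))
    return findings


def _target(caller, level):
    """The 'target' object each rule carries in a PATCH body."""
    return {"caller": caller, "operations": ["All"], "level": level,
            "inheritableSettings": [], "enforcedSettings": []}


def hardened_rules(approver_group_id):
    """Rule bodies implementing the best practices above; PATCH each one to
    /policies/roleManagementPolicies/{policyId}/rules/{ruleId}. The approver
    group id and the secops mailbox are placeholders you replace."""
    return [
        {"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule",
         "id": "Expiration_EndUser_Assignment", "isExpirationRequired": True,
         "maximumDuration": "PT2H", "target": _target("EndUser", "Assignment")},
        {"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule",
         "id": "Enablement_EndUser_Assignment", "enabledRules": sorted(REQUIRED_ON_ACTIVATION),
         "target": _target("EndUser", "Assignment")},
        {"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule",
         "id": "Approval_EndUser_Assignment", "target": _target("EndUser", "Assignment"),
         "setting": {"isApprovalRequired": True, "isRequestorJustificationRequired": True,
                     "approvalMode": "SingleStage",
                     "approvalStages": [{"approvalStageTimeOutInDays": 1,
                                         "isApproverJustificationRequired": True,
                                         "primaryApprovers": [{"@odata.type": "#microsoft.graph.groupMembers",
                                                               "groupId": approver_group_id}]}]}},
        {"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule",
         "id": "Expiration_Admin_Assignment", "isExpirationRequired": True,
         "maximumDuration": "P180D", "target": _target("Admin", "Assignment")},
        {"@odata.type": NOTIFICATION_RULE, "id": "Notification_Admin_EndUser_Assignment",
         "notificationType": "Email", "recipientType": "Admin", "notificationLevel": "All",
         "isDefaultRecipientsEnabled": True, "notificationRecipients": ["secops@example.com"],
         "target": _target("EndUser", "Assignment")},
    ]


# Constructed sample: a policy still on loose settings (only the rules linted above).
WEAK_RULES = [
    {"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule",
     "id": "Expiration_EndUser_Assignment", "isExpirationRequired": True, "maximumDuration": "PT8H"},
    {"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule",
     "id": "Enablement_EndUser_Assignment", "enabledRules": ["Justification"]},
    {"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule",
     "id": "Approval_EndUser_Assignment",
     "setting": {"isApprovalRequired": False, "approvalMode": "SingleStage", "approvalStages": []}},
    {"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule",
     "id": "Expiration_Admin_Assignment", "isExpirationRequired": False, "maximumDuration": "P180D"},
    {"@odata.type": NOTIFICATION_RULE, "id": "Notification_Admin_EndUser_Assignment",
     "notificationType": "Email", "recipientType": "Admin", "notificationLevel": "All",
     "isDefaultRecipientsEnabled": False, "notificationRecipients": []},
]

if __name__ == "__main__":
    for rule_id, finding in lint_policy(WEAK_RULES):
        print(f"{rule_id}: {finding}")
    print("hardened policy findings:", lint_policy(hardened_rules("<approver-group-id>")))
```

Run it as-is to see the six findings the weak sample produces and the empty list for the hardened rules. Against a live tenant, feed `lint_policy` the `value` array from the Graph call and, for Azure resource roles, raise `high_privilege` only for Owner and User Access Administrator; the ticketing check is worth keeping even though PIM never validates the ticket, because a missing ticket field is what makes activations impossible to correlate with change records later.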
Final thoughts
Azure Role Settings in PIM give you the control and visibility needed to safely manage privileged access. Whether you're enforcing MFA, collecting justifications, or automating alerts—these controls let you scale security with confidence.