PIM Eligible vs Active: Can You Still Assign Permanent Admin Roles in Microsoft 365?
The short answer: yes. Anyone holding Privileged Role Administrator or Global Administrator can make someone a permanent standing admin in about thirty seconds, from the Microsoft 365 admin center, the Microsoft Entra admin center, or a single Microsoft Graph call, and it works on every license tier including the free one. The better question is whether the assignment should be standing at all. Microsoft's guidance for privileged roles is to make people eligible in Privileged Identity Management and have them activate just in time, with one sanctioned exception: the two or more cloud-only break-glass accounts every tenant should keep as permanent Global Admins.
There are two doors into every admin role in Microsoft Entra. The direct door hands out the role immediately and forever. The PIM door hands out the right to use the role, and makes the person switch it on each time they need it. Most tenants we review only ever used the first door, usually because that is the one the Microsoft 365 admin center shows you. This guide explains what each door actually creates, what PIM's eligible and active assignments mean, what it costs, and how many permanent admins you should really have.
The two doors at a glance
| Feature | 🚪 Direct assignment | 🎫 PIM (Privileged Identity Management) |
|---|---|---|
| What it creates | A standing admin, powers on 24/7 | Eligible or active assignments, permanent or time-bound |
| Where you do it | Microsoft 365 admin center, Entra admin center, or Graph | Entra admin center under ID Governance, or Graph |
| License needed | None, works on every tier | Entra ID P2 (or Entra ID Governance) |
| Checks at time of use | None once assigned | Activation can require MFA, justification, approval |
| Audit story | The role simply exists on the account | Every activation is logged, time-boxed, and reviewable |
| Microsoft's stance | Avoid for privileged roles | Recommended for admin roles |
The four shapes an admin role assignment can take
PIM separates two ideas that the direct door fuses together. An assignment has a type: either active (the powers work right now, no action needed) or eligible (the person must activate the role before using it). And it has a duration: either permanent (no end date) or time-bound (expires on a date you set). Two types multiplied by two durations gives four possible shapes:
| Permanent | Time-bound | |
|---|---|---|
| Active | The classic standing admin. This is what the direct door always creates, and what break-glass accounts should be. | Admin powers that switch themselves off on a date. Good for contractors and projects. |
| Eligible | The recommended default for real admins. The eligibility never expires, but every use still requires activation. | Eligibility that expires. Good for rotating on-call duties or temporary responsibilities. |
Here is the distinction that trips people up: permanent describes how long the assignment lasts. Standing access is what an active assignment gives you. A permanent eligible assignment is completely reasonable: your IT lead keeps the right to become Exchange Administrator forever, yet on any given Tuesday at 2 a.m. their account holds no admin power at all. An attacker who phishes that account gets a regular mailbox. That is the entire point of PIM.
One more thing worth saying plainly: an activated eligible role and a directly assigned role grant identical access. What PIM changes is when the power is switched on and what it takes to switch it.
🚪 Door one: direct assignment
This is the door almost everyone walks through first, because it is the one in front of you. Three surfaces lead to the same result:
- Microsoft 365 admin center: Roles > Role assignments, pick a role, add the user. Or open the user under Active users and choose Manage roles. There is no eligible option anywhere on this surface. Everything assigned here is a standing admin.
- Microsoft Entra admin center: open Roles & admins, pick the role, Add assignments. On a Free or P1 tenant the assignment is simply active. The eligible and active choice only appears once the tenant has P2 or Entra ID Governance licensing.
- Microsoft Graph: one POST creates the assignment programmatically, which is how scripts, onboarding automations, and some third-party tools quietly mint standing admins.
# The direct door: creates a permanent standing (active) assignment
POST https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments
{ "roleDefinitionId": "...", "principalId": "...", "directoryScopeId": "/" }
# The PIM door: eligible, activate just in time
POST https://graph.microsoft.com/v1.0/roleManagement/directory/roleEligibilityScheduleRequests
# The PIM door: active through PIM, permanent or time-bound
POST https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignmentScheduleRequests
All three endpoints are generally available on Graph v1.0. The direct call needs the RoleManagement.ReadWrite.Directory permission, and a directoryScopeId of / means tenant-wide. The PowerShell equivalent is New-MgRoleManagementDirectoryRoleAssignment.
Why standing admins are the problem
A standing Global Administrator is the single most valuable account in your tenant, every hour of every day. Phish it once, or steal one session token, and the attacker holds the keys with no second gate to pass. There is no time window to miss, no approval to fake, no activation event to alert on. Cyber-insurance questionnaires now ask how many standing privileged accounts you have for exactly this reason. The direct door is fast and free, and every account it touches becomes a permanent target.
🎫 Door two: PIM and just-in-time activation
Privileged Identity Management lives in the Entra admin center under ID Governance. Instead of granting the role, you grant eligibility for it. When the admin actually needs the power, they activate it, and you decide what activation costs them. Each role has its own settings:
- Activation duration: a per-role setting. Many tenants keep the common default of 8 hours; the portal slider lets you set anywhere from 1 to 24. When the window closes, the power is gone until next activation.
- Require MFA on activation: a fresh multifactor check at the moment of activation, even if they already signed in.
- Require justification: the admin types why they need it, which becomes your audit trail.
- Require approval: a designated approver signs off before the role turns on. Sensible for Global Administrator, overkill for a helpdesk role.
- Require ticket information: a ticket number recorded with the activation. Worth knowing: it is informational only, PIM does not validate it against your ticketing system.
- Require Conditional Access authentication context: the newest option, which lets a Conditional Access policy demand extra conditions, like a compliant device or phishing-resistant MFA, specifically at activation time.
PIM can also hand out permanent and time-bound active assignments. That matters for the rare account that genuinely must hold standing access, because even then PIM tracks it, surfaces it in reviews, and can alert on it. And PIM adds recurring access reviews: a scheduled check, monthly or quarterly, where someone must confirm each admin still needs the role, or it gets removed.
The license gate: PIM requires Microsoft Entra ID P2 (or a Microsoft Entra ID Governance license). P2 is included in Microsoft 365 E5 and EMS E5, and sells as a standalone add-on, listing at $10 per user per month with an annual commitment as of July 2026. You do not need it for everyone, but every person holding an eligible assignment, every approver, and every access reviewer must be licensed. And if the license ever lapses, your permanent standing assignments keep working while the eligible ones are removed. The direct door never needed a license in the first place.
The part nobody tells you: your direct assignments already show up in PIM
Open PIM in a tenant that has never used it and the role assignments are already there. Every role granted through the direct door appears in PIM as a permanent active assignment, because PIM reads the same underlying directory. Its Discovery and insights view (still labeled preview) will list every standing Global Administrator it finds, and its Make eligible action converts them in batches. The Graph API has no atomic convert, so done programmatically it is two calls, create the eligible assignment first, then remove the active one. Whichever way you run the cleanup, leave your break-glass accounts standing.
How many permanent admins should you have?
Microsoft publishes real numbers for this, and PIM nags you about them:
- Fewer than 5 Global Administrators. This is a recommendation rather than an enforced limit, but the Entra admin center shows an alert card on its Overview page once you reach five, and PIM has its own configurable security alert for too many Global Administrators. Most of the people holding Global Admin in the tenants we review only ever needed Exchange Administrator or User Administrator.
- Fewer than 10 privileged role assignments overall, same idea: every assignment is surface area.
- Eligible and time-bound for humans. Real admins should be eligible, activating with MFA and justification when work requires it.
- Exactly one sanctioned exception: keep two or more cloud-only break-glass accounts, on your .onmicrosoft.com domain, permanently assigned Global Administrator, excluded from Conditional Access, and signed in with a phishing-resistant passwordless credential such as a FIDO2 passkey or a certificate. Microsoft's current guidance has moved off long stored passwords, because its mandatory MFA enforcement applies to these accounts too. They exist so a bad Conditional Access policy or an authentication outage cannot lock every admin out of the tenant at once. Their sign-ins should trigger an alert, because nobody should be using them on a normal day.
The 2026 backdrop makes this cleanup less optional than it used to be. Microsoft now enforces MFA on its own admin portals regardless of your configuration, and insurers keep tightening the identity questions on renewal forms. If you are still sorting out which MFA method your tenant should even be running, start with our guide to per-user MFA vs Security Defaults vs Conditional Access, then come back for the admin roles.
Common PIM and admin role questions
What is the difference between eligible and active assignments in PIM?
An active assignment means the role's powers work right now with no further action. An eligible assignment means the person holds the right to the role but must activate it before use, and activation can require MFA, a justification, and an approver. Once activated, the access granted is identical to a direct assignment. The difference is when the power is on.
Can I still assign a permanent admin role without PIM or a P2 license?
Yes. Direct role assignment from the Microsoft 365 admin center, the Entra admin center, or the Graph API works on every license tier, including free, and creates a permanent standing admin. PIM and its eligible just-in-time assignments are what require Microsoft Entra ID P2 or an Entra ID Governance license. If a PIM license lapses, permanent assignments keep working while eligible ones are removed.
Do roles assigned in the Microsoft 365 admin center show up in PIM?
Yes. PIM and the admin centers read the same directory, so a role granted directly anywhere appears in PIM as a permanent active assignment. In the portal, PIM's Discovery and insights view lists standing privileged assignments and its Make eligible action converts them in batches. Through the Graph API there is no atomic convert, so the change is two calls: create the eligible assignment first, then remove the active one.
How many Global Administrators should a Microsoft 365 tenant have?
Microsoft recommends fewer than 5 Global Administrators and fewer than 10 privileged role assignments overall, and the Entra admin center displays warnings when a tenant exceeds them. Day-to-day admins should hold the least role that does the job, as eligible assignments they activate on demand. The exception is two or more cloud-only break-glass accounts kept as permanent Global Admins for emergency access.
Does a permanent eligible assignment give permanent access?
No. Permanent describes the duration of the eligibility, meaning it never expires. The access itself still only exists while an activation window is open, commonly 8 hours and configurable per role up to 24. Between activations the account holds no admin power, which is exactly why Microsoft recommends permanent eligible over permanent active for human admins.
How many standing Global Admins do you have right now?
If you have to go count, that is the finding. Our Identity and Insurance Evidence Pack inventories every privileged role assignment in your tenant, standing and eligible, alongside what MFA and Conditional Access actually enforce, in the format a cyber-insurance renewal asks for. You get the admin-role cleanup list and the proof, before an audit or an attacker forces the question.
See the Identity and Insurance Evidence PackNeed help implementing this?
We turn these concepts into secure configurations for your tenant.
Request a scoping session