
Entra PIM Custom Extensions Preview for Role Activation


Summary

Microsoft has introduced preview support for custom extensions in Microsoft Entra Privileged Identity Management, allowing organizations to call a REST API during role activation to enforce business-specific rules. This helps IT teams automate checks such as ticket validation, HR status, compliance gates, and on-call logic while improving auditability and reducing manual approval gaps.


Introduction

Microsoft is expanding Microsoft Entra Privileged Identity Management (PIM) with a new preview feature: custom extensions for role activation workflows. This matters because many organizations rely on business rules that live outside PIM, such as ITSM tickets, HR eligibility, compliance checks, or on-call schedules.

By letting PIM call a custom REST API during activation, Microsoft is giving IT and security teams a way to automate those checks directly in the approval flow instead of relying on disconnected manual processes.

What's new in PIM custom extensions

In preview, PIM custom extensions can be used to evaluate activation requests in real time during the pre-approval stage.

Key capabilities include:

  • REST API integration during role activation
  • Structured request payloads with details like principalId, roleDefinitionId, justification, ticketInfo, and scheduleInfo
  • Automated decisions returned by the API: Approved, AutoApproved, or Denied
  • Synchronous enforcement by PIM based on the API response
  • Audit logging with evaluationId, evaluationOutcome, and reason fields

Supported scenarios and scope

Microsoft says the preview supports:

  • PIM for Groups
  • PIM for Microsoft Entra roles
  • PIM for Azure resources

Example use cases include:

  • Validating a change or incident ticket against an ITSM platform
  • Confirming HR-based eligibility before allowing activation
  • Auto-approving access for users currently on call
  • Denying activation outside approved maintenance windows
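The decision logic such an extension might run for the ticket, on-call, and maintenance-window cases above, as an added example that is not Microsoft's code or part of the original post. The top-level field names and the three outcomes come from the capabilities list; the nested keys `ticketNumber` and `startDateTime`, the response shape, the rule order, and all sample values are assumptions.

```python
from datetime import datetime, timezone

# Constructed stand-ins for the external systems the page lists.
OPEN_TICKETS = {"CHG0012345"}                       # ITSM change tickets
ON_CALL = {"11111111-1111-1111-1111-111111111111"}  # principalIds on call now
MAINTENANCE_HOURS_UTC = range(22, 24)               # 22:00-23:59 UTC


def decision(outcome, reason):
    # Assumed response shape; key names borrowed from the audit fields above.
    return {"evaluationOutcome": outcome, "reason": reason}


def evaluate(payload):
    """Decide one activation request; anything unparseable is denied."""
    try:
        principal = payload["principalId"]
        role = payload["roleDefinitionId"]
        # Nested keys ticketNumber / startDateTime are assumptions.
        ticket = (payload.get("ticketInfo") or {}).get("ticketNumber")
        raw = payload["scheduleInfo"]["startDateTime"]
        start = datetime.fromisoformat(raw.replace("Z", "+00:00"))
        if start.tzinfo is None:
            raise ValueError("startDateTime lacks a UTC offset")
        if not all(isinstance(v, str) and v for v in (principal, role)):
            raise ValueError("missing principalId or roleDefinitionId")
    except (KeyError, TypeError, ValueError, AttributeError):
        # Fail closed: PIM enforces the answer synchronously, so a request
        # the service cannot understand must never come back approved.
        return decision("Denied", "malformed activation request")

    if principal in ON_CALL:
        return decision("AutoApproved", "principal is currently on call")
    if start.astimezone(timezone.utc).hour not in MAINTENANCE_HOURS_UTC:
        return decision("Denied", "outside approved maintenance window")
    if not isinstance(ticket, str) or ticket not in OPEN_TICKETS:
        return decision("Denied", "no open change ticket matches ticketInfo")
    return decision("Approved", "ticket and maintenance window validated")
```
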

Why this matters for admins

For Entra administrators, this feature closes a common governance gap. PIM already supports MFA, justification, and approvals, but many organizations still need external validation before privileged access is granted.

Custom extensions make those controls enforceable inside the activation workflow itself. That can improve least-privilege enforcement, reduce manual review overhead, and strengthen compliance evidence for audits or investigations.

Next steps

If you want to test the preview, Microsoft outlines five main steps:

  1. Build a custom extension REST API
  2. Secure it with Microsoft Entra ID
  3. Onboard the extension using Microsoft Graph API
  4. Link it to PIM role settings with Require pre-approval custom extension
  5. Test the full activation flow

Organizations already using external approval or validation processes should evaluate whether those checks can now be integrated directly into PIM. Since this is a preview, now is also a good time to validate scenarios and provide feedback to Microsoft.
