Entra PIM Custom Extensions Preview for Role Activation
Summary
Microsoft has introduced preview support for custom extensions in Microsoft Entra Privileged Identity Management, allowing organizations to call a REST API during role activation to enforce business-specific rules. This helps IT teams automate checks such as ticket validation, HR status, compliance gates, and on-call logic while improving auditability and reducing manual approval gaps.
Introduction
Microsoft is expanding Microsoft Entra Privileged Identity Management (PIM) with a new preview feature: custom extensions for role activation workflows. This matters because many organizations rely on business rules that live outside PIM, such as ITSM tickets, HR eligibility, compliance checks, or on-call schedules.
By letting PIM call a custom REST API during activation, Microsoft is giving IT and security teams a way to automate those checks directly in the approval flow instead of relying on disconnected manual processes.
What's new in PIM custom extensions
In preview, PIM custom extensions can be used to evaluate activation requests in real time during the pre-approval stage.
Key capabilities include:
- REST API integration during role activation
- Structured request payloads with details such as principalId, roleDefinitionId, justification, ticketInfo, and scheduleInfo
- Automated decisions returned by the API: Approved, AutoApproved, or Denied
- Synchronous enforcement by PIM based on the API response
- Audit logging with evaluationId, evaluationOutcome, and reason fields
Supported scenarios and scope
Microsoft says the preview supports:
- PIM for Groups
- PIM for Microsoft Entra roles
- PIM for Azure resources
Example use cases include:
- Validating a change or incident ticket against an ITSM platform
- Confirming HR-based eligibility before allowing activation
- Auto-approving access for users currently on call
- Denying activation outside approved maintenance windows
Why this matters for admins
For Entra administrators, this feature closes a common governance gap. PIM already supports MFA, justification, and approvals, but many organizations still need external validation before privileged access is granted.
Custom extensions make those controls enforceable inside the activation workflow itself. That can improve least-privilege enforcement, reduce manual review overhead, and strengthen compliance evidence for audits or investigations.
Next steps
If you want to test the preview, Microsoft outlines five main steps:
- Build a custom extension REST API
- Secure it with Microsoft Entra ID
- Onboard the extension using Microsoft Graph API
- Link it to the PIM role settings using the "Require pre-approval custom extension" option
- Test the full activation flow
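The decision logic behind steps 1 and 2 above, and the payload fields and use cases described earlier, can be sketched without an HTTP framework. The block below is an added example written for this page, not Microsoft's code or documented contract: the JSON shape of the request and response, the meaning of the three outcomes (Denied blocks, AutoApproved grants without further approval, Approved hands the request on to PIM's normal approval settings), the function names, and the ITSM, HR and on-call reference data are all assumptions, using only the field names the article lists. The Graph onboarding and role-setting steps are not shown because they depend on the preview's own endpoints; a real extension would wrap `evaluate_activation` in an HTTPS handler and call `caller_claims_acceptable` after a JWT library has verified the token signature.

```python
"""Decision core of a PIM custom-extension REST API (added example; contract is assumed)."""
from datetime import datetime, timezone
import uuid

# Constructed reference data standing in for the ITSM, HR and on-call systems a
# real extension would query. Every identifier below is made up for the example.
ROLE_ID = "aaaaaaaa-0000-4000-8000-000000000001"  # constructed roleDefinitionId
TICKETS = {
    "CHG0012345": {
        "state": "approved",
        "window_start": datetime(2024, 6, 1, 20, 0, tzinfo=timezone.utc),
        "window_end": datetime(2024, 6, 2, 0, 0, tzinfo=timezone.utc),
    },
    "CHG0099999": {"state": "closed", "window_start": None, "window_end": None},
}
HR_ACTIVE = {
    "11111111-1111-1111-1111-111111111111": True,   # active employee
    "22222222-2222-2222-2222-222222222222": False,  # offboarded
    "33333333-3333-3333-3333-333333333333": True,   # active and on call
}
ON_CALL = {ROLE_ID: {"33333333-3333-3333-3333-333333333333"}}

# Constructed activation request: field names follow the article, the shape is assumed.
SAMPLE_REQUEST = {
    "principalId": "11111111-1111-1111-1111-111111111111",
    "roleDefinitionId": ROLE_ID,
    "justification": "Rotate storage account keys per CHG0012345",
    "ticketInfo": {"ticketNumber": "CHG0012345"},
    "scheduleInfo": {"startDateTime": "2024-06-01T21:00:00Z"},
}
NOW = datetime(2024, 6, 1, 21, 0, tzinfo=timezone.utc)  # fixed clock for the example


def _parse_time(value):
    """Parse scheduleInfo.startDateTime (assumed ISO-8601); naive times are read as UTC."""
    if not value:
        return None
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def evaluate_activation(request, now):
    """Evaluate one activation request and return the decision PIM acts on.

    Outcome semantics assumed here: Denied blocks the activation, AutoApproved grants
    it with no further human approval, Approved passes it on to PIM's normal approval.
    """
    evaluation_id = str(uuid.uuid4())

    def decision(outcome, reason):
        # Carry the audit fields the article lists so PIM's audit entry and the
        # extension's own logs can be correlated on evaluationId.
        return {"evaluationId": evaluation_id, "evaluationOutcome": outcome, "reason": reason}

    principal = request.get("principalId")
    role = request.get("roleDefinitionId")
    justification = request.get("justification") or ""
    ticket = (request.get("ticketInfo") or {}).get("ticketNumber")
    start = _parse_time((request.get("scheduleInfo") or {}).get("startDateTime")) or now

    # 1. HR eligibility gate: unknown or offboarded principals never proceed.
    if not HR_ACTIVE.get(principal, False):
        return decision("Denied", "principal is not an active employee")
    # 2. On-call auto-approval, scoped to the specific role being activated.
    if principal in ON_CALL.get(role, set()):
        return decision("AutoApproved", "principal is on call for the requested role")
    # 3. Ticket validation against the ITSM record.
    if not ticket:
        return decision("Denied", "an approved change or incident ticket is required")
    record = TICKETS.get(ticket)
    if record is None or record["state"] != "approved":
        return decision("Denied", f"ticket {ticket} is missing or not approved")
    # 4. Maintenance window: the requested start must fall inside the ticket's window.
    if not (record["window_start"] <= start <= record["window_end"]):
        return decision("Denied", f"start {start.isoformat()} is outside ticket {ticket}'s window")
    # 5. Consistency check: the justification must cite the ticket it relies on.
    if ticket not in justification:
        return decision("Denied", "justification does not reference the supplied ticket")
    return decision("Approved", f"ticket {ticket} is approved and the activation is inside its window")


def caller_claims_acceptable(claims, expected_audience, tenant_id, now):
    """Pin audience, issuer and expiry on the bearer token PIM presents to the API.

    Assumes a JWT library has already verified the signature against the tenant's
    signing keys; accepting any valid Entra token without these checks is the usual gap.
    """
    allowed_issuers = {
        f"https://login.microsoftonline.com/{tenant_id}/v2.0",  # v2.0 issuer format
        f"https://sts.windows.net/{tenant_id}/",                 # v1.0 issuer format
    }
    if claims.get("aud") != expected_audience or claims.get("iss") not in allowed_issuers:
        return False
    return datetime.fromtimestamp(int(claims.get("exp", 0)), tz=timezone.utc) > now


if __name__ == "__main__":
    print(evaluate_activation(SAMPLE_REQUEST, NOW))  # evaluationOutcome: Approved
```

The order of the checks is deliberate: the HR gate runs before the on-call shortcut so an offboarded account can never be auto-approved, and every Denied carries a reason specific enough to reconstruct the decision from the audit log without re-querying the source systems.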
Organizations that already run external approval or validation processes should evaluate whether those checks can now be enforced inside PIM. Because PIM acts synchronously on the API's response, the extension becomes a privileged decision point in its own right: restrict who can call it and who can change its rules, and confirm how PIM handles a timeout or error response before relying on it to produce Denied outcomes. Since this is a preview, now is also a good time to validate scenarios and provide feedback to Microsoft.