Audit PIM Role Activations in Microsoft Entra

Ever wondered who activated a privileged role at 2 AM last night? Or why someone deactivated a critical admin role right before a deployment? If you’re managing Microsoft 365 environments, questions like these are part of the job. That’s where Privileged Identity Management (PIM) auditing comes into play.

Auditing PIM role activations and deactivations is an essential part of maintaining control over privileged access. Keeping track of who’s activating or stepping away from sensitive roles helps strengthen your organization’s security posture and compliance requirements.

In this blog, we’ll walk you through everything you need to know about monitoring PIM role activity—from understanding what gets logged during role activations and deactivations to identifying who elevated or stepped down from privileged roles and when.

There are three main ways to audit PIM role activations and deactivations in your Microsoft Entra environment:

1. View PIM audit logs in Microsoft Entra admin center
2. PIM role assignment history using Microsoft purview
3. Export PIM role activity using PowerShell (Recommended)

Follow the steps below to review and filter PIM role activity from the Entra admin center.

1. Sign in to the Microsoft Entra Admin Center and navigate to Identity Governance > Privileged Identity Management
2. In the PIM window, select Microsoft Entra roles under Manage
3. Then, select Resource Audit under Activity. To export your data, click Export at the top of the table and hit Download.
   

This method provides a simple way to review recent PIM role activities. However, keep in mind that only the last 30 days of audit data are available in Entra audit log.

If you want to audit data for more than 30 days, Microsoft Purview provides up to 180 days of privileged role activities.

You can follow the steps below to get PIM role assignment history.

1. Sign in to the Microsoft Purview Admin Center and navigate to Solutions and select Audit.
2. Enter the time range for which you must audit and enter the operation valuses Add member to role,Remove member from role under Activities – operation names for role activation and deactivation and hit Search.
   
   Your search will be queued. Check after some time and when the Job Status is Completed, you can view the audit data.
   
3. Now, select your audit search and click Export. Your data will be available for download in a few minutes. Then, click on the Downloads file to export your PIM role assignment status.

This method shows all role assignment changes, not just PIM-related actions. Since Microsoft Purview doesn’t support advanced filtering like narrowing by initiator (who performed the action), identifying only PIM activations or deactivations may require manual review after exporting the data.

To make things easier, we’ve built a PowerShell script that automates the entire process from retrieving PIM role activations and deactivations to exporting the report and delivering it straight to your inbox.

Download script: AuditPIMRoleActivations.ps1

• Supports generating report for PIM role activations only.
• Supports generating report for PIM role deactivations only.
• Automatically installs the Exchange Online PowerShell module (if not installed already) with your permission.
• Sends PIM role activation report via email to one or more recipients.
• Filters activity logs for a specific admin.
• Exports report in both HTML and CSV formats.
• Scheduler-friendly for automated PIM audits.
• Supports certificate-based authentication too.

PIM Role Activation and Deactivation Report

Automated Email Notification for PIM Role Activations

1. Download the PowerShell script shared above.
2. Open Windows PowerShell and navigate to the folder where the downloaded script is stored.
3. You can choose any of the following methods to execute based on your requirements.

Method 1: Execute the script with an MFA or non-MFA account.

This script exports a report of all PIM role activities in the last 180 days.

Method 2: Execute the script using certificate-based authentication.

To use certificate-based authentication, you need to register the application in Entra ID, which enables you to connect Exchange Online using certificate. Based on your requirements, you can either create a self-signed certificate or use a CA certificate.

This approach is scheduler friendly.

Method 3: Schedule the script by explicitly mentioning credential (Less recommended).

The above method supports only non-MFA accounts. If the admin account has MFA, you need to disable MFA using CA policy use it for scheduling purposes.

With flexible filtering options, this script makes auditing PIM role activity in Microsoft Entra both efficient and customizable.

Here’s how the script helps you stay on top of every PIM role activity:

1. Audit PIM role activations
2. Audit PIM role deactivations
3. Generate PIM audit report for a custom period
4. Track PIM role activations by a specific user
5. Automate PIM audit report delivery via email to multiple recipients
6. Schedule and send PIM role activations report daily

Need to focus just on elevated access events? Use the -PIMActivationsOnly switch to filter the results for activation events only. It’s perfect for reviewing recent privilege elevations or during access reviews.

This format fetches all PIM role activations that occurred in the last 180 days. Based on this report, you can monitor admin activities to understand what actions were performed during their privileged access.

Want to check who deactivated their role and when? The -PIMDeactivationsOnly parameter lets you filter just the deactivation events, ideal for post-deployment checks or unexpected role removals.

This lists all recent PIM role deactivations in your tenant.

Want to pull PIM activity for a specific audit window or compliance period? Use the -StartDateand -EndDate parameters to narrow down the report to just the timeframe you care about.

This format fetches all PIM activations and deactivations that occurred between June 27 and July 14, 2025.

If a particular admin is under review, or you’re validating activity during a critical change window, use –PIMAdminName to isolate their activations and deactivations.

The above format exports PIM activations and deactivations performed by the user alex@contoso.com in the last 180 days.

Need to notify your security or compliance team? The script supports sending audit reports via email. Use the –Recipients parameter to specify one or more addresses, and the -FromAddress to define the sender.

This format generates a report of all PIM role activations and deactivations and sends report to the specified recipients from the given sender address.

Note: If using certificate-based authentication (CBA), the -FromAddress is mandatory. For interactive logins, the logged-in user will be considered the sender by default.

Privileged access can change in a flash. An admin might activate a role, complete a task, and deactivate it just minutes later. That’s why it’s important to monitor PIM activations on a daily basis.

However, digging through audit logs or running PowerShell scripts manually can be time-consuming. Instead, simply schedule this script in Task Scheduler or Azure Automation to receive the PIM role activation report directly in your inbox, making daily reviews effortless.

This format sends a daily PIM activation report for the previous day to multiple recipients, with no UI interruptions. It’s ideal when integrating with task schedulers or other automated tools.

Whether you’re responding to a security incident or conducting regular audits, this script gives you the clarity and control needed to keep privileged access in check! You can also view admins with permanent role assignments to get a complete picture.

We hope this blog helps you take control of PIM role auditing in Microsoft 365, making it easier to monitor privileged access and review role changes. If you have any further questions or feedback, feel free to drop them in the comments. We’re here to help!