At the heart of this post is Kairos IMS, an innovative Impact Management System designed to empower human-serving nonprofits and social impact organizations. Co-developed by the Urban League of Broward County and our trusted technology partner, Impactful, Kairos IMS reduces administrative burdens, enhances holistic care, and enables organizations to leverage data for increased agility and seamless service delivery. In this blog series, we’ll take a closer look at the powerful technologies that fuel Kairos IMS, from Azure services to security frameworks, offering insight into how modern infrastructure supports mission-driven impact.
Why always-on admin access is so last season
That’s where Privileged Identity Management (PIM) and Just-in-Time (JIT) access come in. These powerful tools help nonprofits like yours give the right people access at the right time—no more, no less. It’s smart, secure, and surprisingly simple.
Let’s break down what these tools do, and how they can help protect your organization without getting in the way of the amazing work you do every day.
So, what is PIM and JIT—like, really?
Think of Privileged Identity Management (PIM) as your organization’s VIP list—the folks who have elevated access to do high-level stuff like reset passwords, access financial data, or make major system changes.
Now, here’s the twist: with Just-in-Time (JIT) access, no one stays on the VIP list forever. Instead, they request access when they need it—and lose it when they don’t.
It’s like giving someone the keys to the office only when they need to go in, rather than letting them walk in 24/7.
Why should nonprofits care?
Because you’re dealing with sensitive data—donor info, volunteer lists, grant applications—and you’re probably working with a lean team wearing many hats. That means it’s easy for someone to get elevated access “just in case” and never lose it. That’s risky business.
Enter PIM + JIT = Peace of Mind.
Real-life use case #1: The “Finance Volunteer” Scenario
Let’s say you have a seasonal volunteer who helps with your annual fundraising campaign. They need access to your donor database and financial reports for two months. Normally, you’d assign them a high-level role and forget about it.
With PIM, you give them eligible access, not active access. They request what they need, when they need it—and only for a set amount of time. Once they’re done, the access vanishes automatically.
No more “Oops, I forgot they still had access six months later.”
Real-life use case #2: The “IT Consultant” You Hired Once
You brought in an external IT consultant to help set up your new Microsoft 365 environment. They needed global admin rights (eek!) for just a few days. Instead of giving them full access that lingers forever, you assign them a role through PIM with JIT access.
They activate their access, do their job, and then—poof—it’s gone. You can even require multi-factor authentication and approval workflows before access is granted. You’re still in control.
Bonus Perks You’ll Love
- Audit logs – Know who accessed what and when.
- Notifications – Get alerted when someone activates elevated access.
- Time limits – Set access to expire automatically.
- Approvals – Make sure someone signs off before access is granted.
Final Thoughts
Security doesn’t have to be boring or burdensome. Tools like PIM and JIT are built right into Microsoft 365 (hello, E5 license!) and help you strike the perfect balance between productivity and protection.
Here’s the best part for nonprofits: Microsoft gives eligible nonprofit organizations 10 free Microsoft 365 Business Premium licenses—which already include powerful security features like Defender for Business and Intune.
To unlock PIM and JIT, you’ll need Microsoft Entra ID Plan 2, which is included in Microsoft 365 Enterprise E5 licenses. But no worries—you can add this advanced level of protection as an affordable add-on to your Business Premium licenses.
So yes, your nonprofit can absolutely step up to enterprise-grade security—without paying enterprise-grade prices.
Your nonprofit is doing amazing work—let’s make sure your data and systems are just as amazing (and secure).
How to Enable PIM and JIT Access in Microsoft Entra
Ready to level up your security with PIM and JIT? Follow these steps to get started:
Step 1: Sign In
Go to the Microsoft Entra admin center at entra.microsoft.com and sign in with a Global Administrator or Privileged Role Administrator account.
Step 2: Navigate to PIM
- In the left-hand menu, select Identity Governance.
- Click on Privileged Identity Management.
Step 3: Manage Microsoft Entra Roles
- Under the Manage section, click Microsoft Entra roles.
Step 4: Assign Roles with JIT (Eligible) Access
- To assign roles, select Assign Eligibility. Choose the role you want to manage (e.g., Global Administrator, User Administrator, etc.) or select + Add assignments and select a role there.
- Apply the scope: this defines where the role applies.
  - Directory Scope: Grants access across the entire Microsoft Entra directory (tenant). Use this for org-wide roles like Global Administrator or User Administrator.
  - Application Scope: Limits access to a specific registered application (like a third-party app or a custom-built app). Assign roles here when managing permissions for app-specific access.
  - Service Principal Scope: Applies the role to a specific service principal, which represents the identity used by an app or automation to access resources. Use this when assigning roles to automation accounts, scripts, or non-user entities.
- Assign to a username or group.
When assigning roles in PIM, you can choose between two types:
- Eligible: The user does not have the role by default, but they can activate it when needed. This is ideal for Just-in-Time (JIT) access and is the most secure option.
- Active: The user has the role assigned permanently and doesn’t need to request or activate it. Use this only when ongoing access is absolutely necessary.
- Choose whether the assignment is permanent or for a specific time frame.
- Click Assign to save.
Step 5: Users Activate Roles When Needed (JIT Access)
When a user needs to perform an admin task:
- They go to the Privileged Identity Management section.
- Find their eligible role and click Activate.
- Complete any required justification, MFA, or approval steps.
Step 6: Approvers Review Activation Requests (Optional)
If you’ve set up approvals:
- Approvers will receive a notification and can review/approve requests directly from the PIM portal.
Step 7: Stay Compliant and Secure
- Regularly review role activations and audit activity logs.
- Adjust role assignments as needed to maintain least-privilege access.
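To support the review in Step 7, this added example (not part of the original post) checks exported role assignments for standing access: Active assignments with no end date, or with a long one, instead of Eligible ones. Records use the property names Microsoft Graph returns from `/roleManagement/directory/roleAssignmentScheduleInstances`; the sample data, principal names, 7-day threshold and `allowed_permanent` exemption are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Microsoft Entra built-in role template IDs for the roles under review.
PRIVILEGED_ROLES = {
    "62e90394-69f5-4237-9190-012177145e10": "Global Administrator",
    "fe930be7-5e62-47db-91af-98c3a49a38b1": "User Administrator",
}
GA, UA = PRIVILEGED_ROLES  # unpack the two keys for the sample data below


def parse_ts(value):
    """Parse a Graph ISO 8601 timestamp; None means the assignment never ends."""
    return None if value is None else datetime.fromisoformat(value.replace("Z", "+00:00"))


def review_assignments(instances, now, max_active_days=7, allowed_permanent=()):
    """Return (principalId, role, finding) for active assignments that bypass JIT."""
    findings = []
    for inst in instances:
        role = PRIVILEGED_ROLES.get(inst["roleDefinitionId"])
        if role is None or inst["assignmentType"] == "Activated":
            continue  # role not under review, or an eligible role activated through PIM
        end = parse_ts(inst.get("endDateTime"))
        if end is None:
            # Assumption: allowed_permanent lists principals whose ongoing access was approved.
            if inst["principalId"] not in allowed_permanent:
                findings.append((inst["principalId"], role, "permanent active"))
        elif end - now > timedelta(days=max_active_days):
            findings.append((inst["principalId"], role, "long-lived active"))
    return findings


# Constructed sample records; principal IDs are placeholders, not real object IDs.
SAMPLE = [
    {"principalId": "it-consultant", "roleDefinitionId": GA,
     "assignmentType": "Assigned", "endDateTime": None},
    {"principalId": "it-lead", "roleDefinitionId": GA,
     "assignmentType": "Activated", "endDateTime": "2025-06-04T17:00:00Z"},
    {"principalId": "finance-volunteer", "roleDefinitionId": UA,
     "assignmentType": "Assigned", "endDateTime": "2025-08-04T00:00:00Z"},
    {"principalId": "break-glass", "roleDefinitionId": GA,
     "assignmentType": "Assigned", "endDateTime": None},
]
NOW = datetime(2025, 6, 4, 12, 0, tzinfo=timezone.utc)  # fixed review time for the sample

if __name__ == "__main__":
    for principal, role, finding in review_assignments(SAMPLE, NOW, allowed_permanent={"break-glass"}):
        print(f"{principal}: {role} is {finding}; review and convert to eligible")
```

Each finding is an assignment to convert to Eligible in PIM or to give a shorter end date.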