Permanent privileged role assignments (PIM not used)
The tenant is licensed for Entra ID P2, which includes Privileged Identity Management (PIM), but still has permanent privileged role assignments. Permanent assignments leave accounts with standing privilege and reduce audit quality.
How to fix it
Convert permanent privileged role assignments to PIM-eligible assignments. Require just-in-time activation with approval and/or MFA, and set a maximum activation duration.
Required Microsoft Graph permissions
EntraAnalyzer needs the following read-only Graph permissions to evaluate this rule:
RoleManagement.Read.Directory
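The following is an added example, not EntraAnalyzer's own code: it shows one way to separate permanent active assignments from PIM activations and time-bound assignments in records shaped like Microsoft Graph `unifiedRoleAssignmentScheduleInstance` objects. It assumes the records were read from `/roleManagement/directory/roleAssignmentScheduleInstances` with `roleDefinition` expanded; the `PRIVILEGED_ROLES` set, the function names and the sample records are constructed for illustration.

```python
# Added example: flag standing (permanent, active) privileged role assignments
# in records shaped like Microsoft Graph unifiedRoleAssignmentScheduleInstance
# objects, read with $expand=roleDefinition.

# Assumption: which roles count as "privileged" is a local policy choice.
PRIVILEGED_ROLES = {
    "Global Administrator",
    "Privileged Role Administrator",
    "Security Administrator",
}

# Constructed sample data; the principal IDs are placeholders.
SAMPLE_INSTANCES = [
    {"principalId": "user-a", "assignmentType": "Assigned", "endDateTime": None,
     "roleDefinition": {"displayName": "Global Administrator"}},
    {"principalId": "user-b", "assignmentType": "Activated",  # PIM activation
     "endDateTime": "2025-01-10T17:00:00Z",
     "roleDefinition": {"displayName": "Global Administrator"}},
    {"principalId": "user-c", "assignmentType": "Assigned",   # time-bound
     "endDateTime": "2025-03-01T00:00:00Z",
     "roleDefinition": {"displayName": "Security Administrator"}},
    {"principalId": "user-d", "assignmentType": "Assigned", "endDateTime": None,
     "roleDefinition": {"displayName": "Directory Readers"}},  # not privileged
    {"principalId": "svc-e", "assignmentType": "Assigned", "endDateTime": None,
     "roleDefinition": {"displayName": "Privileged Role Administrator"}},
]

def is_standing_privileged(instance, privileged_roles=PRIVILEGED_ROLES):
    """True for an active assignment that was made directly (not activated
    from PIM eligibility), never expires, and targets a privileged role."""
    role = (instance.get("roleDefinition") or {}).get("displayName")
    return (
        role in privileged_roles
        and instance.get("assignmentType") == "Assigned"
        and instance.get("endDateTime") is None
    )

def find_standing_privileged(instances):
    """Return sorted (principalId, role) pairs to convert to PIM-eligible."""
    return sorted(
        (i["principalId"], i["roleDefinition"]["displayName"])
        for i in instances
        if is_standing_privileged(i)
    )

if __name__ == "__main__":
    for principal, role in find_standing_privileged(SAMPLE_INSTANCES):
        print(f"permanent assignment: {principal} -> {role}")
```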
Run this check on your tenant
EntraAnalyzer evaluates this rule automatically on every scan and emails you the results.