Default PIM configuration in Microsoft Entra ID has three serious gaps: the 'Require MFA on activation' setting can be bypassed with a stolen AITM token, PIM for Groups activations take up to 24 hours to propagate in SharePoint, and a misconfigured approval workflow can lock your entire tenant out of admin roles. This guide covers how to fix all three.