Implementing PIM in Small Businesses Without an Approver: Use Authentication Context Instead
- Adam

- Jul 6
- 3 min read
Updated: Jul 16

One of the most effective ways to protect admin access in Microsoft Entra is Privileged Identity Management (PIM). Instead of holding roles like Global Administrator or SharePoint Administrator permanently, admins are made eligible for them and activate them just-in-time (JIT) for a limited window, which reduces the attack surface and stops over-privileged accounts from becoming a standing liability.
But there's a catch...
The Approval Problem in Small Teams
In larger organisations, it’s common to require approval for PIM role activation. For example, if someone wants to activate their Global Admin role, they need someone else to approve that request. It’s a solid safeguard.
However, for many small businesses (especially those with 1 to 3 IT admins, or a single-person IT department) this model just doesn't scale. What happens if nobody is available to approve the request? Or worse, what if you're the only admin? PIM won't let you approve your own activation request.
So what’s the alternative? Do you skip approvals and accept the risk? Not at all. There's a better way.
Enforce MFA for PIM Activation with Authentication Context
Microsoft Entra lets you combine PIM role activation with Conditional Access by attaching an Authentication Context to the role's activation settings. The Conditional Access policy that targets that context then decides what the admin has to satisfy - for example strong MFA every single time the role is activated.
This is a perfect fit for small businesses where approvals aren't realistic, but strong authentication is still essential.
Step-by-Step: Setting It Up
1. Create an Authentication Context in Entra
Go to Entra Portal > Conditional Access > Authentication Contexts.
Create a new context and give it a clear name (e.g. Reauthentication in PIM) and a description. Each context gets an ID of the form c1 to c99; note it down. Tick Publish to apps, otherwise PIM will not be able to select the context in the next step. If you're surprised by the lack of options in this window, don't be: an Authentication Context is essentially just a label. The Conditional Access policy you attach to it in step 3 is what does the enforcing.

2. Assign the Authentication Context to Your PIM Role Activation
When you edit a role's settings in PIM, the Activation tab has an "On activation, require" option. Choose Microsoft Entra Conditional Access authentication context (rather than multifactor authentication) and select the context you just created. The two options are mutually exclusive: from now on the Conditional Access policy owns the MFA requirement for this role.

This means: whenever this role is activated, the user must satisfy the policy attached to that context.
3. Create a Conditional Access Policy for That Context
Head over to Conditional Access and create a new policy:
Users: Select your privileged admins (maybe create a group for them called PIM Users)
Target Resources: Choose Authentication Context and select your Reauthentication in PIM context (see first image below).
Conditions: Optional (e.g. block risky sign-ins)
Access controls: Require multifactor authentication at minimum. Better still, use Require authentication strength set to Phishing-resistant MFA, so only FIDO2 security keys, passkeys, Windows Hello for Business or certificate-based authentication can satisfy the activation.
Session: set the Sign-in frequency to Every time (otherwise an MFA claim from an earlier session satisfies the policy and the admin is never re-prompted)
Tip: You could also add device compliance or location-based controls here if needed. Whatever you add, exclude your break-glass (emergency access) account from this policy so that a misconfigured control can't lock every admin out of the tenant.


4. Test It
When a user goes to activate their PIM role, they'll now be prompted for MFA - even if they've already authenticated that day. Confirm it in the sign-in log: the activation sign-in shows this Conditional Access policy as applied and, if you required an authentication strength, which method satisfied it.
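The four steps above as one script, added here as an example (it is not code from the original post). It uses the Microsoft Graph PowerShell SDK against the v1.0 Graph endpoint. The group name PIM Users, the break-glass UPN breakglass@contoso.onmicrosoft.com and the context ID c1 are assumptions; the Global Administrator role template ID is the well-known one. Run it in a test tenant first.

```powershell
# Added example, not code from the original post: the four portal steps done with the
# Microsoft Graph PowerShell SDK (Microsoft.Graph module) against the v1.0 Graph endpoint.
# Assumed names (not from the post): group "PIM Users", break-glass account
# breakglass@contoso.onmicrosoft.com, context ID "c1". The Global Administrator template ID
# is the well-known one. Run this in a test tenant before touching production.

$scopes = @(
    "Policy.ReadWrite.ConditionalAccess"        # authentication contexts + CA policies
    "Policy.Read.All"
    "RoleManagementPolicy.ReadWrite.Directory"  # PIM role settings
    "Group.Read.All"
    "User.Read.All"
)
Connect-MgGraph -Scopes $scopes

$graph        = "https://graph.microsoft.com/v1.0"
$contextId    = "c1"                                    # assumed; contexts are c1..c99
$groupName    = "PIM Users"                             # assumed to exist
$breakGlass   = "breakglass@contoso.onmicrosoft.com"    # assumed; excluded so you cannot lock yourself out
$roleTemplate = "62e90394-69f5-4237-9190-012177145e10"  # Global Administrator role template ID

# 1. Create the authentication context. isAvailable is the "Publish to apps" checkbox;
#    PIM only lists published contexts.
Invoke-MgGraphRequest -Method POST -Uri "$graph/identity/conditionalAccess/authenticationContextClassReferences" -Body @{
    id          = $contextId
    displayName = "Reauthentication in PIM"
    description = "Fresh MFA required every time a PIM role is activated"
    isAvailable = $true
}

# 2. Attach the context to the role's PIM activation settings. The policy ID comes from the
#    role management policy assignment for this role at the tenant scope "/".
$filter   = [uri]::EscapeDataString("scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$roleTemplate'")
$assign   = Invoke-MgGraphRequest -Method GET -Uri "$graph/policies/roleManagementPolicyAssignments?`$filter=$filter"
$policyId = $assign.value[0].policyId
$rules    = "$graph/policies/roleManagementPolicies/$policyId/rules"
$target   = @{ caller = "EndUser"; operations = @("All"); level = "Assignment"; inheritableSettings = @(); enforcedSettings = @() }

Invoke-MgGraphRequest -Method PATCH -Uri "$rules/AuthenticationContext_EndUser_Assignment" -Body @{
    "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyAuthenticationContextRule"
    id            = "AuthenticationContext_EndUser_Assignment"
    isEnabled     = $true
    claimValue    = $contextId
    target        = $target
}
# "Require MFA" and an authentication context are mutually exclusive in PIM, so the
# enablement rule keeps only Justification (this drops MultiFactorAuthentication if it was set).
Invoke-MgGraphRequest -Method PATCH -Uri "$rules/Enablement_EndUser_Assignment" -Body @{
    "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule"
    id            = "Enablement_EndUser_Assignment"
    enabledRules  = @("Justification")
    target        = $target
}

# 3. Conditional Access policy targeting the context: MFA on every activation, no token reuse.
$group = Get-MgGroup -Filter "displayName eq '$groupName'"
$bg    = Get-MgUser  -UserId $breakGlass
$ca = Invoke-MgGraphRequest -Method POST -Uri "$graph/identity/conditionalAccess/policies" -Body @{
    displayName = "PIM activation: require fresh MFA"
    state       = "enabled"
    conditions  = @{
        users          = @{ includeGroups = @($group.Id); excludeUsers = @($bg.Id) }
        applications   = @{ includeAuthenticationContextClassReferences = @($contextId) }
        clientAppTypes = @("all")
    }
    # Stronger alternative: replace builtInControls with
    # authenticationStrength = @{ id = "00000000-0000-0000-0000-000000000004" }  (built-in "Phishing-resistant MFA")
    grantControls   = @{ operator = "OR"; builtInControls = @("mfa") }
    sessionControls = @{
        signInFrequency = @{ isEnabled = $true; frequencyInterval = "everyTime"; authenticationType = "primaryAndSecondaryAuthentication" }
    }
}

# 4. Read both sides back: the role rule must name the context and the CA policy must target it.
$rule = Invoke-MgGraphRequest -Method GET -Uri "$rules/AuthenticationContext_EndUser_Assignment"
$chk  = Invoke-MgGraphRequest -Method GET -Uri "$graph/identity/conditionalAccess/policies/$($ca.id)"
if (-not $rule.isEnabled -or $rule.claimValue -ne $contextId) { throw "PIM rule does not require $contextId" }
if ($chk.conditions.applications.includeAuthenticationContextClassReferences -notcontains $contextId) { throw "CA policy does not target $contextId" }
"Role policy $policyId requires context $contextId; CA policy '$($chk.displayName)' ($($chk.state)) enforces MFA on it."
```

The read-back at the end only proves the two halves point at the same context ID; the real test is to sign in as a member of PIM Users, activate Global Administrator and confirm the MFA prompt and the matching entry in the sign-in log. Because the break-glass account is excluded, a mistake in the policy cannot lock the tenant.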
Why This Works for Small Businesses
No approvals needed: You don’t need a second admin to approve every elevation - great for solo or small IT teams.
Highly configurable: You can add other controls like compliant device, known location, or even specific app access.
Scales with you: As your business grows, you can add approvals later without changing your underlying structure.
Final Thoughts
Small businesses shouldn’t have to choose between security and convenience. With Authentication Context + PIM, you can strike a smart balance. Even without role approvals, enforcing MFA at the point of activation gives you granular control, reduced risk, and a manageable experience.
If you're managing a Microsoft 365 tenant with limited resources, this approach offers a clean, scalable solution to elevate your security posture, without overcomplicating your workflow.