Configure Microsoft Entra Privileged Identity Management to enforce just-in-time role activation, approval workflows, and access reviews for Azure AD privileged roles.
Works with
AI-first code editor with Composer
Before installing skills in Cursor, ensure your development environment meets these requirements:
node --versionimplementing-azure-ad-privileged-identity-managementExecute the skills CLI command in your project's root directory to begin installation:
Fetches implementing-azure-ad-privileged-identity-management from mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.
The CLI shows a list of agents. Use arrow keys and space to select Cursor:
Confirm successful installation by checking the skill directory location:
Restart Cursor to activate implementing-azure-ad-privileged-identity-management. Access via /implementing-azure-ad-privileged-identity-management in your agent's command palette.
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
Submit your Claude Code skill and start earning
Create detailed user stories, acceptance criteria, and feature specs
Example
Generate user stories for 'password reset feature' with acceptance criteria, edge cases, and test scenarios
Reduce spec writing time by 50%, ensure comprehensive coverage
Research competitors, compare features, identify gaps
Example
Analyze 5 competitor products, create feature comparison matrix, suggest differentiation opportunities
Complete competitive research in 2 hours instead of 2 days
Evaluate features using frameworks (RICE, ICE, Kano) and create prioritized backlogs
Example
Score 20 feature ideas using RICE framework, generate prioritized roadmap with rationale
0
total installs
0
this week
8.6K
GitHub stars
0
upvotes
Run in your terminal
0
installs
0
this week
8.6K
stars
| name | implementing-azure-ad-privileged-identity-management |
| description | Configure Microsoft Entra Privileged Identity Management to enforce just-in-time role activation, approval workflows, and access reviews for Azure AD privileged roles. |
| domain | cybersecurity |
| subdomain | identity-access-management |
| tags | - azure-ad - pim - entra-id - just-in-time - privileged-roles - identity-governance - zero-trust |
| version | '1.0' |
| author | mahipal |
| license | Apache-2.0 |
| nist_csf | - PR.AA-01 - PR.AA-02 - PR.AA-05 - PR.AA-06 |
Microsoft Entra Privileged Identity Management (PIM) provides time-based and approval-based role activation to mitigate risks from excessive, unnecessary, or misused access to critical resources. PIM replaces permanent (standing) privilege assignments with eligible assignments that require users to explicitly activate their role before use, with configurable duration, MFA enforcement, approval workflows, and justification requirements. This is a core component of Zero Trust identity governance in Microsoft environments.
| Type | Behavior | Use Case |
|---|---|---|
| Eligible | User must activate the role before use; expires after configured duration | Day-to-day admin work |
| Active | Role is always active; no activation needed | Service accounts, break-glass accounts |
| Time-Bound | Either type with explicit start/end dates | Temporary project access, contractor access |
User with Eligible Assignment
│
├── Opens PIM portal → My Roles
│
├── Clicks "Activate" on the desired role
│
├── Provides justification and optional ticket number
│
├── Completes MFA challenge (if required)
│
├── [If approval required] → Notification sent to approvers
│ │
│ ├── Approver reviews and approves/denies
│ └── User notified of decision
│
├── Role activated for configured duration (e.g., 8 hours)
│
└── Role automatically deactivated when duration expires
Audit current permanent role assignments and determine which should be converted to eligible:
| Current Role | Permanent Holders | Action |
|---|---|---|
| Global Administrator | 2-3 admins | Convert to eligible, keep 1 break-glass active |
| Exchange Administrator | IT team | Convert all to eligible |
| Security Administrator | SOC team | Convert to eligible |
| User Administrator | Help desk | Convert to eligible |
| Application Administrator | DevOps | Convert to eligible |
Best practice: Maintain no more than 2 permanent Global Administrators (break-glass accounts).
For each Entra directory role, configure PIM settings:
Via Microsoft Entra Admin Center:
Activation Settings:
Assignment Settings:
Notification Settings:
import requests
# Acquire token for Microsoft Graph
def get_graph_token(tenant_id, client_id, client_secret):
url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
data = {
"grant_type": "client_credentials",
"client_id": client_id,
"client_secret": client_secret,
"scope": "https://graph.microsoft.com/.default"
}
response = requests.post(url, data=data)
return response.json()["access_token"]
# Create eligible role assignment
def create_eligible_assignment(token, role_definition_id, principal_id,
directory_scope="/", duration_hours=8):
url = "https://graph.microsoft.com/v1.0/roleManagement/directory/roleEligibilityScheduleRequests"
headers = {
"Authorization": f"Bearer {token}",
"Content-Type": "application/json"
}
body = {
"action": "adminAssign",
"justification": "PIM eligible assignment",
"roleDefinitionId": role_definition_id,
"directoryScopeId": directory_scope,
"principalId": principal_id,
"scheduleInfo": {
"startDateTime": "2025-01-01T00:00:00Z",
"expiration": {
"type": "afterDuration",
"duration": "P180D" # 180-day eligible window
}
}
}
response = requests.post(url, headers=headers, json=body)
return response.json()
# Activate a role (user self-service)
def activate_role(token, role_definition_id, principal_id, justification,
duration_hours=8):
url = "https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignmentScheduleRequests"
headers = {
"Authorization": f"Bearer {token}",
"Content-Type": "application/json"
}
body = {
"action": "selfActivate",
"principalId": principal_id,
"roleDefinitionId": role_definition_id,
"directoryScopeId": "/",
"justification": justification,
"scheduleInfo": {
"startDateTime": None, # Now
"expiration": {
"type": "afterDuration",
"duration": f"PT{duration_hours}H"
}
}
}
response = requests.post(url, headers=headers, json=body)
return response.json()
Set up recurring access reviews to verify eligible assignments remain appropriate:
Enable PIM security alerts:
| Alert | Trigger | Action |
|---|---|---|
| Too many global admins | > 5 Global Admins | Review and reduce |
| Roles being assigned outside PIM | Direct role assignment | Investigate and convert to PIM |
| Roles not requiring MFA | Activation without MFA | Enable MFA requirement |
| Stale eligible assignments | Not activated in 90 days | Review and potentially remove |
| Potential stale service accounts | Active assignments not used | Investigate and decommission |
Make data-driven prioritization decisions faster
Draft PRDs, status updates, and stakeholder presentations
Example
Create executive summary of Q3 roadmap, monthly progress report, feature launch announcement
Save 3-5 hours/week on communication overhead
Prerequisites
Time Estimate
30-60 minutes to see productivity improvements
Steps
Common Pitfalls
✓ Do
✗ Don't
💡 Pro Tips
✓ Use when
Use for user story writing, competitive research, roadmap prioritization, stakeholder communication, and PRD drafting. Best for reducing repetitive documentation and research work.
✗ Avoid when
Avoid for strategic product vision (requires deep customer empathy), pricing decisions (needs market and financial expertise), or when face-to-face customer discovery is more valuable than speed.
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
implementing-azure-ad-privileged-identity-management fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
Useful defaults in implementing-azure-ad-privileged-identity-management — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
implementing-azure-ad-privileged-identity-management reduced setup friction for our internal harness; good balance of opinion and flexibility.
implementing-azure-ad-privileged-identity-management has been reliable in day-to-day use. Documentation quality is above average for community skills.
Registry listing for implementing-azure-ad-privileged-identity-management matched our evaluation — installs cleanly and behaves as described in the markdown.
implementing-azure-ad-privileged-identity-management fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
Solid pick for teams standardizing on skills: implementing-azure-ad-privileged-identity-management is focused, and the summary matches what you get after install.
We added implementing-azure-ad-privileged-identity-management from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
implementing-azure-ad-privileged-identity-management reduced setup friction for our internal harness; good balance of opinion and flexibility.
implementing-azure-ad-privileged-identity-management has been reliable in day-to-day use. Documentation quality is above average for community skills.
showing 1-10 of 31