If you support a DoD supplier, you already know the hardest part of compliance isn’t buying tools. It’s proving you used them the right way, every time. For CMMC Level 2, privileged access is one of those areas where auditors expect tight controls and clear evidence.
In this guide, I’ll show how I set up Entra ID PIM (Privileged Identity Management) in a Microsoft 365 commercial tenant or Microsoft 365 GCC tenant, with secure defaults and audit-friendly screenshot placeholders you can drop into your evidence package.
I’m writing this for Small Business IT teams that need practical wins, whether you’re juggling Cloud Infrastructure, Office 365 Migration work, Endpoint Security projects, or even Restaurant POS Support and Kitchen Technology Solutions on the side.
Before I touch PIM, I lock in licensing, scope, and evidence
PIM is simple to click through, but it falls apart fast if licensing or scope is fuzzy. First, I align the setup to CMMC Level 2 access control and authentication expectations. Microsoft’s own CMMC guidance is a good compass, especially the Microsoft Entra CMMC Level 2 configuration overview.
What I confirm up front (so PIM doesn’t become shelfware)
I keep this part short, documented, and repeatable, because it supports Business Continuity & Security in real life.
- Licensing exists for PIM: Entra ID PIM for Entra roles requires Microsoft Entra ID P2 (commonly packaged in Microsoft 365 E5, EMS E5, or Entra ID Governance bundles).
- [Screenshot: Microsoft 365 admin center > Billing > Your products, showing Microsoft Entra ID P2 or Entra ID Governance]
Evidence tip: make sure the SKU name, tenant name, and capture date are visible.
- My “high-privilege roles” list is defined: At minimum, I focus on Global Administrator, Privileged Role Administrator, Security Administrator, Conditional Access Administrator, and Authentication Administrator. Your environment may add Exchange Administrator or SharePoint Administrator.
- I choose who can manage PIM: I keep the number of Privileged Role Administrators small. I document why each admin needs that capability (CMMC assessors care about intent, not just clicks).
- I document break-glass accounts: I create two emergency accounts, exclude them from PIM, and store credentials in an approved vault process. These accounts are monitored and used only for true lockout events.
- [Screenshot: Entra admin center > Identity > Users > breakglass-admin1 > Authentication methods (showing strong auth methods enrolled)]
Evidence tip: show the account naming convention, disabled day-to-day sign-in patterns (if applicable), and monitoring plan reference.
- I align with the rest of the stack: PIM is identity control, not a full security plan. I pair it with Device Hardening, Endpoint Security baselines, and Conditional Access rules, plus backup and recovery planning. That mix supports Secure Cloud Architecture and reduces the blast radius when something goes wrong.
This planning step also fits well inside broader Technology Consulting and IT Strategy for SMBs engagements, because it forces decisions that most teams postpone.
Configure Entra ID PIM for Entra roles with secure defaults
Now I configure PIM in the Entra admin center. In GCC, the navigation is usually the same, but I always confirm features in the tenant because government clouds can differ by service availability and rollout timing.
Navigation paths I use in the Entra admin center
- Path to PIM: Entra admin center > Identity Governance > Privileged Identity Management
- Role scope: Privileged Identity Management > Microsoft Entra roles
- [Screenshot: Entra admin center > Identity Governance > Privileged Identity Management landing page]
Evidence tip: capture the breadcrumb, tenant name, and the left-nav showing you’re in the Entra admin center.

Eligible vs active assignments (the control auditors want to see)
If I had to pick one PIM concept that matters most, it’s this: admins should be eligible, not standing active.
Here’s how I explain it to clients. Eligible is a key on a hook behind glass. Active is the key left in the ignition.
One quick table I include in client documentation:
| Assignment type | What it means | Audit-friendly outcome |
|---|---|---|
| Eligible | User can activate the role when needed | Least privilege, time-bound access |
| Active | User always has the role | Higher risk, harder to justify |
Takeaway: I reserve “Active” for rare cases, like service accounts that truly require constant privileged access (and even then, I try not to).
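To turn the table above into a check I can run before an assessment, here is an added example (my own Microsoft Graph PowerShell script, not something from the post or from Microsoft) that inventories the active and eligible assignments on the high-privilege roles named in the planning section and flags any standing-active assignment that is not one of the break-glass accounts. It assumes the Microsoft.Graph PowerShell SDK (Identity.Governance module), an Entra ID P2 tenant, and that the role names, the break-glass UPNs and the output path are adjusted to yours.

```powershell
# Added example, not the post's own code: inventory PIM assignments on the high-privilege roles
# and flag standing-active ones. Needs the Microsoft.Graph PowerShell SDK and an Entra ID P2 tenant.
# The role names, break-glass UPNs and output path below are assumptions to adjust per tenant.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All" -NoWelcome

$privilegedRoles = @(
    "Global Administrator", "Privileged Role Administrator", "Security Administrator",
    "Conditional Access Administrator", "Authentication Administrator"
)
# Assumed names for the two emergency accounts; standing-active is the documented exception for them.
$breakGlass = @("breakglass-admin1@contoso.example", "breakglass-admin2@contoso.example")

function Get-PrincipalLabel($principal) {
    # Users carry a UPN; groups and service principals only have a display name
    $upn = $principal.AdditionalProperties['userPrincipalName']
    if ($upn) { return $upn }
    return $principal.AdditionalProperties['displayName']
}

function Get-ExpirationLabel($scheduleInfo) {
    if ($scheduleInfo.Expiration.Type -eq 'noExpiration') { return 'Permanent' }
    return $scheduleInfo.Expiration.EndDateTime
}

$inventory = foreach ($roleName in $privilegedRoles) {
    $roleDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
    if (-not $roleDef) { Write-Warning "Role '$roleName' not found in this tenant"; continue }
    $filter = "roleDefinitionId eq '$($roleDef.Id)'"

    # Active schedules: AssignmentType 'Activated' is a time-bound PIM activation,
    # 'Assigned' is a standing active assignment (the key left in the ignition)
    Get-MgRoleManagementDirectoryRoleAssignmentSchedule -Filter $filter -ExpandProperty "principal" -All |
        ForEach-Object {
            $label = Get-PrincipalLabel $_.Principal
            [pscustomobject]@{
                Role       = $roleName
                Principal  = $label
                State      = if ($_.AssignmentType -eq 'Activated') { 'Active (PIM activation)' } else { 'Active (standing)' }
                Expiration = Get-ExpirationLabel $_.ScheduleInfo
                BreakGlass = $label -in $breakGlass
            }
        }

    # Eligible schedules: the desired state for day-to-day admins (the key on the hook behind glass)
    Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter $filter -ExpandProperty "principal" -All |
        ForEach-Object {
            $label = Get-PrincipalLabel $_.Principal
            [pscustomobject]@{
                Role       = $roleName
                Principal  = $label
                State      = 'Eligible'
                Expiration = Get-ExpirationLabel $_.ScheduleInfo
                BreakGlass = $label -in $breakGlass
            }
        }
}

$inventory | Sort-Object Role, State, Principal | Format-Table -AutoSize

# Findings to justify (or convert to eligible) before the assessment: standing active and not break-glass
$standing = $inventory | Where-Object { $_.State -eq 'Active (standing)' -and -not $_.BreakGlass }
"{0} standing-active assignment(s) outside the break-glass exception" -f @($standing).Count
$inventory | Export-Csv -Path ".\pim-assignment-inventory-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

I keep the CSV next to the screenshots in the evidence package; the dated file name and the "Permanent" expiration label make it easy for an assessor to see which assignments are time-bound and which ones I have to justify in the control narrative.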
My recommended PIM role settings (secure defaults)
For each privileged role, I set role management policies. The path is typically:
Entra admin center > Identity Governance > Privileged Identity Management > Microsoft Entra roles > Roles > (select role) > Settings
Then I configure these defaults:
- Activation maximum duration: 1 hour for top-tier roles, 2 to 4 hours for lower-risk admin roles.
- [Screenshot: PIM > Microsoft Entra roles > (Role) > Settings, showing “Maximum activation duration”]
- Require justification on activation: On.
Evidence tip: the screenshot should show the toggle enabled.
- Require MFA on activation: On (even if Conditional Access already requires MFA).
- This supports identity assurance expectations found in CMMC Level 2 Identification and Authentication guidance.
- Require approval to activate: On for high-privilege roles. I use a small approver group, not a person.
- [Screenshot: (Role) > Settings > Activation, showing “Require approval to activate” enabled and approver group selected]
- Enable notifications: I notify the activator and the security mailbox (or ticketing mailbox) for both activation and assignment changes.
Gotcha: If you set “Require approval” but pick the wrong role scope (or never finish saving the policy), approvals won’t trigger. I always test with a non-admin eligible user before calling it done.
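Because the gotcha above is exactly the kind of thing a screenshot hides, I also read the saved policy back from the API. The script below is an added example (my own Microsoft Graph PowerShell, not code from the post or from Microsoft) that fetches the role management policy bound to each high-privilege role at directory scope and compares it against the secure defaults listed above. The thresholds in `$expected` are assumptions you set per role; the rule ids and property names follow the Graph `unifiedRoleManagementPolicy` rule schema.

```powershell
# Added example, not the post's own code: read back the PIM role policy for each high-privilege role
# and compare it with the secure defaults. $expected holds assumed thresholds; rule ids and property
# names come from the Graph unifiedRoleManagementPolicy rule schema.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory" -NoWelcome

$expected = @{
    "Global Administrator"             = @{ MaxDuration = "PT1H"; Approval = $true  }
    "Privileged Role Administrator"    = @{ MaxDuration = "PT1H"; Approval = $true  }
    "Security Administrator"           = @{ MaxDuration = "PT2H"; Approval = $false }
    "Conditional Access Administrator" = @{ MaxDuration = "PT2H"; Approval = $false }
    "Authentication Administrator"     = @{ MaxDuration = "PT2H"; Approval = $false }
}

function Test-PimRolePolicy {
    param([string]$RoleName, [hashtable]$Expect)

    $roleDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$RoleName'"
    # The policy assignment binds this role at directory scope '/' to its policy. Editing a policy
    # bound to another role or scope is the "wrong role scope" pitfall; this lookup uses the real binding.
    $binding = Get-MgRoleManagementDirectoryRoleManagementPolicyAssignment `
        -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$($roleDef.Id)'"
    $rules = Get-MgRoleManagementDirectoryRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $binding.PolicyId -All

    # Rule ids are fixed by the schema; the subtype properties are surfaced in AdditionalProperties
    $expiration = ($rules | Where-Object Id -eq 'Expiration_EndUser_Assignment').AdditionalProperties
    $enablement = ($rules | Where-Object Id -eq 'Enablement_EndUser_Assignment').AdditionalProperties
    $approval   = ($rules | Where-Object Id -eq 'Approval_EndUser_Assignment').AdditionalProperties

    # maximumDuration is ISO 8601 (e.g. PT1H); treat a missing value as unlimited so it fails the check
    $maxDuration = if ($expiration['maximumDuration']) {
        [System.Xml.XmlConvert]::ToTimeSpan($expiration['maximumDuration'])
    } else { [TimeSpan]::MaxValue }
    $enabledRules  = @($enablement['enabledRules'])        # e.g. MultiFactorAuthentication, Justification
    $approvalSet   = $approval['setting']
    $approverSets  = @($approvalSet['approvalStages'] | ForEach-Object { $_['primaryApprovers'] })
    $groupApprover = @($approverSets | Where-Object { $_['@odata.type'] -eq '#microsoft.graph.groupMembers' }).Count -gt 0
    $approvalOn    = [bool]$approvalSet['isApprovalRequired']

    [pscustomobject]@{
        Role                  = $RoleName
        MaxActivation         = $expiration['maximumDuration']
        DurationOk            = $maxDuration -le [System.Xml.XmlConvert]::ToTimeSpan($Expect.MaxDuration)
        MfaOnActivation       = $enabledRules -contains 'MultiFactorAuthentication'
        JustificationRequired = $enabledRules -contains 'Justification'
        ApprovalRequired      = $approvalOn
        ApprovalOk            = $approvalOn -eq $Expect.Approval
        ApproverIsGroup       = $groupApprover   # "a small approver group, not a person"
    }
}

$results = foreach ($role in $expected.Keys) { Test-PimRolePolicy -RoleName $role -Expect $expected[$role] }
$results | Sort-Object Role | Format-Table -AutoSize

# Anything that drifted from the documented defaults is a finding before it is an audit finding
$results | Where-Object { -not $_.DurationOk -or -not $_.MfaOnActivation -or -not $_.JustificationRequired -or -not $_.ApprovalOk } |
    ForEach-Object { Write-Warning "Policy drift on role '$($_.Role)'" }
$results | Export-Csv -Path ".\pim-role-policy-check-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

I run this after every policy change and again the week before an assessment. A policy that was never saved, or saved on the wrong role, shows up here as missing MFA, missing justification or a duration longer than the documented default, which is much cheaper to find this way than during the approval test.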
Approval workflow for high-privilege roles
For Global Administrator and Privileged Role Administrator, I require approval. I also require justification, because it creates a clean paper trail tied to the activation.

Evidence I capture for approvals:
- [Screenshot: PIM > Requests > showing an activation request in “Pending approval” state]
- [Screenshot: PIM > Requests > same request “Approved”, showing approver, timestamp, and role]
This is where PIM aligns cleanly with access control expectations. If you want Microsoft’s view of access control alignment, I reference CMMC Level 2 Access Control configuration guidance when writing the control narrative.
Evidence screenshots, access reviews, and logs (what I hand to an assessor)
A PIM config without evidence is like a locked server room with no camera footage. You might be secure, but you can’t prove it.
Access reviews for privileged roles
I schedule access reviews for privileged role eligibility, especially for roles whose membership tends to grow over time. In many tenants, you can manage this from:
Entra admin center > Identity Governance > Access reviews
(or in some cases) Identity Governance > Privileged Identity Management > Access reviews
- [Screenshot: Identity Governance > Access reviews > New access review, showing scope set to “Microsoft Entra roles” and selected roles]
- [Screenshot: Access review results page, showing reviewers, decisions, and completion status]
If you want a practical walkthrough on the mechanics of review setup and audit outcomes, this article helps: PIM access reviews for privileged roles.
Logging, retention, and exporting to Sentinel or your SIEM
For CMMC, I want a clean story for “who did what, when, and from where.” That means I plan for log retention and export early as part of Cloud Management.
Key locations:
- Entra admin center > Identity > Monitoring & health > Audit logs
- Entra admin center > Identity > Monitoring & health > Sign-in logs
Evidence screenshots I collect:
- [Screenshot: Audit logs filtered to Activity “Add eligible member to role”, showing actor, target role, and timestamp]
- [Screenshot: Audit logs filtered to “Activate eligible role”, showing the activator and result]
- [Screenshot: Sign-in logs for an admin account, showing MFA requirement satisfied and Conditional Access result]
For longer retention and correlation, I export logs to Microsoft Sentinel (or another SIEM) using Diagnostic settings. Depending on your tenant and portal experience, you may configure this in Entra admin center or the Azure portal for Microsoft Entra ID.
Verification steps and common pitfalls I see in the field

My quick verification routine:
- Activate a role as an eligible user, confirm MFA, justification, and approval (if required).
- Confirm activation shows in PIM Requests and in Entra Audit logs.
- Remove an eligible assignment, confirm the removal is logged.
- Run an access review, confirm decisions and remediation actions are recorded.
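To make the first two steps of this routine repeatable, and to produce the audit-log evidence the logging section above asks for, here is an added example (my own Microsoft Graph PowerShell, not code from the post or from Microsoft). It submits a test activation for the signed-in eligible user with a justification, reports the resulting request status, and then exports the PIM entries from the Entra audit log to a CSV. It assumes the script runs as the eligible test user (a `selfActivate` request only acts on the caller's own eligibility), that the role name below is one you are eligible for, that the ticket reference is a placeholder, and that the `loggedByService` and `activityDateTime` filter terms behave as documented for the Graph `directoryAudit` resource.

```powershell
# Added example, not the post's own code: run steps 1 and 2 of the verification routine and export
# the PIM audit trail. Run this as the eligible test user; the role name, ticket reference and
# output path are assumptions to adjust for your tenant.
Connect-MgGraph -Scopes "RoleAssignmentSchedule.ReadWrite.Directory", "AuditLog.Read.All", "Directory.Read.All" -NoWelcome

$roleName = "Security Administrator"   # assumed: a role the signed-in test user is eligible for
$roleDef  = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
$me       = Get-MgUser -UserId (Get-MgContext).Account   # the eligible test user running this script

# Step 1: activate as an eligible user. The policy decides what this triggers:
# MFA on activation, the justification requirement, and approval if the role requires it.
$body = @{
    action           = "selfActivate"
    principalId      = $me.Id
    roleDefinitionId = $roleDef.Id
    directoryScopeId = "/"
    justification    = "PIM control verification - change ticket TICKET-PLACEHOLDER"   # assumed reference
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString("o")
        expiration    = @{ type = "afterDuration"; duration = "PT30M" }   # well under the 1-2 hour policy cap
    }
}
$request = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $body

# Expected: PendingApproval when the role requires approval, otherwise Provisioned or PendingProvisioning.
# If the session lacks MFA or the justification is missing, the policy rejects the request instead;
# that rejection is itself evidence that the control is enforced.
"Activation request {0} for '{1}': status {2}" -f $request.Id, $roleName, $request.Status

# Step 2: confirm the activation landed in the audit log. Ingestion lags by a minute or two.
Start-Sleep -Seconds 90
$since  = (Get-Date).AddHours(-1).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$events = Get-MgAuditLogDirectoryAudit -Filter "loggedByService eq 'PIM' and activityDateTime ge $since" -All

$evidence = $events | ForEach-Object {
    [pscustomobject]@{
        Time     = $_.ActivityDateTime
        Activity = $_.ActivityDisplayName
        Result   = $_.Result
        Reason   = $_.ResultReason
        Actor    = $_.InitiatedBy.User.UserPrincipalName
        Targets  = ($_.TargetResources | ForEach-Object { $_.DisplayName }) -join '; '
    }
}
$evidence | Sort-Object Time | Format-Table -AutoSize

# The test activation should appear with our actor and the target role; PIM > Requests shows the same record.
$mine = $evidence | Where-Object { $_.Actor -eq $me.UserPrincipalName -and $_.Targets -like "*$roleName*" }
"{0} PIM audit event(s) for this test user on '{1}' in the last hour" -f @($mine).Count, $roleName
$evidence | Export-Csv -Path ".\pim-audit-evidence-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

I keep the request id from step 1 in the evidence notes so the PIM Requests screenshot, the audit-log CSV and the Sentinel export all point at the same activation. Running the same script with a role that requires approval lets me capture the "Pending approval" and "Approved" states for the approval screenshots.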
Common pitfalls (and what I do about them):
- Missing P2 licensing: PIM options don’t appear or don’t apply correctly. I re-check licensing before troubleshooting anything else.
- Role not governed by the policy you edited: I confirm I edited the policy for the correct role and saved it.
- Approval not triggering: I verify “Require approval” is enabled on the role policy and that the selected approvers are actually able to approve.
- Conditional Access conflicts: If CA blocks the Entra portal or requires a device state your admins can’t meet, activations fail. I tune CA to support admin work while still enforcing strong controls.
This is also where I connect identity controls back to the bigger picture, like Data Center Technology dependencies, Infrastructure Optimization in hybrid environments, and the reality that Digital Transformation projects fail when admins can’t safely administer systems.
Conclusion
When I set up Entra ID PIM for CMMC Level 2, I treat it like a security control and an evidence generator. Time-bound activation, approvals, access reviews, and exported logs give you a clear story that holds up under scrutiny. If you want help aligning PIM with your broader Cybersecurity Services program, including Managed IT for Small Business, Tailored Technology Services, and Office 365 Migration planning, I’m happy to act as your long-term Business Technology Partner for practical, accountable Innovative IT Solutions.
