Set Up Azure DevOps PIM Access with Just-In-Time Role Activation
Admin roles in Azure DevOps carry powerful permissions: editing pipelines, managing repositories, and creating or changing service connections. Leaving these roles permanently assigned means every holder is a standing target for credential theft, and a mistake or a compromised account has full administrative reach at any moment.
To reduce this risk, Microsoft recommends just-in-time (JIT) access through Azure AD Privileged Identity Management (PIM). Users are made eligible for a role such as Project Collection Administrator (PCA) and elevate only when needed, for a limited time, with every activation logged.
In this guide, you’ll learn how to configure PIM access for Azure DevOps following Microsoft’s documented setup: an Azure AD security group managed by PIM, with conditional role activation, mapped to the PCA group in Azure DevOps.
1. Pre-Requirements
Before you start, make sure:
- Your Azure DevOps organization is connected to Azure AD
- You have an Azure AD Premium P2 license
- You have admin rights to create groups, assign permissions, and enable PIM
- The users involved are internal Azure AD members (not guest accounts)
2. Create a Security Group in Azure AD
This group will be used to manage PIM-based access to Azure DevOps.
Steps:
- Go to the Azure Portal and open Azure Active Directory
- Navigate to Groups > + New Group
- Select Security as the group type
- Set a descriptive name like PIM-AzDO-Admins
- Keep Membership type as Assigned (PIM manages the membership itself; dynamic membership is not supported for PIM-managed groups)
- Click Create
3. Enable PIM on the Group
To manage the group with PIM, you must enable privileged access on it.
Steps:
- In Azure AD, open the group you just created and select Privileged Identity Management in its left-hand menu
- Click Enable PIM for this group and wait for confirmation
- Alternatively, go to Azure AD Privileged Identity Management > Groups, click Discover groups, locate your new group and enable it there
4. Assign Users as Eligible Members
Now assign users as eligible (not active) members of the group.
Steps:
- In the group’s PIM page, click Eligible assignments
- Choose Add assignments
- Select the Member role and the users to add
- Set the assignment type to Eligible and choose how long the eligibility itself lasts
- Click Assign
Eligibility alone grants nothing: these users hold no permissions until they activate, and only for the activation window.
5. Configure PIM Activation Settings
You can set additional rules for role activation.
Settings Options:
- Require approval: Choose a user (e.g., team lead) to approve requests
- Require justification: Ask users to provide a reason
- Enforce MFA: Require MFA at activation time
- Activation duration: Set the maximum length of one activation (e.g., 1 hour)
Configure these settings from the group’s PIM page > Settings > Member. The Owner role of the group has its own, separate policy; the Member policy is the one that matters here.
6. Add the Group to Azure DevOps Admin Role
Now link the group to the Project Collection Administrators role in Azure DevOps.
Steps:
- Go to https://dev.azure.com
- Click Organization Settings > Permissions
- Select Project Collection Administrators
- Click + Add
- Search for and select the Azure AD group you created in step 2 (PIM-AzDO-Admins)
- Save your changes
Now, only users who activate through PIM hold PCA permissions, provided you also remove the standing human members from Project Collection Administrators (keep one documented break-glass account). Group membership changes propagate from Azure AD to Azure DevOps with some delay, so a freshly activated user may need to sign out and back in before the new permissions apply.
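Steps 2 to 6 as one script, added here as an example; it is not part of the original guide and not Microsoft’s code. It assumes the az CLI is signed in as a user who can manage PIM and the organization, the azure-devops extension is installed, and `az devops configure --defaults organization=https://dev.azure.com/<org>` has been run. The Graph request bodies (eligibility schedule request, and the Expiration, Enablement and Approval rules of the group’s Member policy) are the documented v1.0 shapes; the group name, the 365-day eligibility, the one-hour activation cap and the single approver are example values. Two assumptions are marked in comments: that the first eligibility request through Graph onboards the group to PIM (otherwise do step 3 in the portal first), and the exact `az devops security group` flags, which you should confirm with `--help` before running.

```shell
#!/usr/bin/env bash
# Steps 2-6 of the guide as one script (example, not from the original page).
set -eu

GRAPH="https://graph.microsoft.com/v1.0"

now_utc() { date -u +%Y-%m-%dT%H:%M:%SZ; }

# ---- request bodies (pure functions, no network) -------------------------

# Step 4: make PRINCIPAL an *eligible* member of GROUP for DURATION (ISO 8601,
# e.g. P365D), starting at START. Arguments: group_id principal_id duration start
eligibility_body() {
  printf '{"accessId":"member","principalId":"%s","groupId":"%s","action":"adminAssign","justification":"Eligible for Azure DevOps PCA via PIM","scheduleInfo":{"startDateTime":"%s","expiration":{"type":"afterDuration","duration":"%s"}}}\n' \
    "$2" "$1" "$4" "$3"
}

# Common target for the end-user activation rules below.
TARGET='"target":{"caller":"EndUser","operations":["all"],"level":"Assignment","inheritableSettings":[],"enforcedSettings":[]}'

# Step 5 "Activation duration": cap a single activation at MAX (e.g. PT1H).
expiration_rule_body() {
  printf '{"@odata.type":"#microsoft.graph.unifiedRoleManagementPolicyExpirationRule","id":"Expiration_EndUser_Assignment","isExpirationRequired":true,"maximumDuration":"%s",%s}\n' "$1" "$TARGET"
}

# Step 5 "Enforce MFA" and "Require justification" at activation time.
enablement_rule_body() {
  printf '{"@odata.type":"#microsoft.graph.unifiedRoleManagementPolicyEnablementRule","id":"Enablement_EndUser_Assignment","enabledRules":["MultiFactorAuthentication","Justification"],%s}\n' "$TARGET"
}

# Step 5 "Require approval": one named approver, given by user object id.
approval_rule_body() {
  printf '{"@odata.type":"#microsoft.graph.unifiedRoleManagementPolicyApprovalRule","id":"Approval_EndUser_Assignment","setting":{"isApprovalRequired":true,"isApprovalRequiredForExtension":false,"isRequestorJustificationRequired":true,"approvalMode":"SingleStage","approvalStages":[{"approvalStageTimeOutInDays":1,"isApproverJustificationRequired":true,"escalationTimeInMinutes":0,"isEscalationEnabled":false,"primaryApprovers":[{"@odata.type":"#microsoft.graph.singleUser","userId":"%s"}],"escalationApprovers":[]}]},%s}\n' "$1" "$TARGET"
}

# The rule id inside a rule body is also the last segment of its PATCH URL.
rule_id_of() { printf '%s' "$1" | sed -n 's/.*"id":"\([^"]*\)".*/\1/p'; }

# ---- apply ---------------------------------------------------------------
main() {                         # group_name approver_upn eligible_upn...
  group_name="$1"; approver_upn="$2"; shift 2

  # Step 2: assigned-membership security group.
  group_id=$(az ad group create --display-name "$group_name" --mail-nickname "$group_name" --query id -o tsv)
  approver_id=$(az ad user show --id "$approver_upn" --query id -o tsv)

  # Steps 3-4: eligible (never active) members. Assumption: the first
  # eligibility request through Graph onboards the group to PIM; if your
  # tenant still shows "Enable PIM for this group", do that in the portal first.
  for upn in "$@"; do
    uid=$(az ad user show --id "$upn" --query id -o tsv)
    az rest --method POST --url "$GRAPH/identityGovernance/privilegedAccess/group/eligibilityScheduleRequests" \
      --body "$(eligibility_body "$group_id" "$uid" P365D "$(now_utc)")" -o none
  done

  # Step 5: find the policy bound to the group's Member role and patch its rules.
  policy_id=$(az rest --method GET \
    --url "$GRAPH/policies/roleManagementPolicyAssignments?\$filter=scopeId eq '$group_id' and scopeType eq 'Group' and roleDefinitionId eq 'member'" \
    --query "value[0].policyId" -o tsv)
  for body in "$(expiration_rule_body PT1H)" "$(enablement_rule_body)" "$(approval_rule_body "$approver_id")"; do
    az rest --method PATCH --url "$GRAPH/policies/roleManagementPolicies/$policy_id/rules/$(rule_id_of "$body")" \
      --body "$body" -o none
  done

  # Step 6: materialise the Azure AD group in Azure DevOps and join it to PCA.
  # Assumption: --origin-id / --groups flags as documented for the extension; confirm with --help.
  pca=$(az devops security group list --scope organization \
          --query "graphGroups[?displayName=='Project Collection Administrators'].descriptor" -o tsv)
  az devops security group create --scope organization --origin-id "$group_id" --groups "$pca" -o none
}

if [ "$#" -ge 3 ]; then main "$@"; fi
```

Run it as `./pim-azdo.sh PIM-AzDO-Admins lead@contoso.example alice@contoso.example bob@contoso.example`. The body builders are kept free of network calls so you can diff what will be sent before touching the tenant; the approval rule deliberately sets `isRequestorJustificationRequired`, so the approver sees a reason even when the Enablement rule is later relaxed.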
7. Test Activation Flow (User + Approver)
User Activation:
- User signs into Azure Portal
- Goes to Azure AD > PIM > My Roles
- Under Groups, clicks Activate
- Provides justification (if required) and clicks Activate
Approver Flow (if configured):
- Approver opens Azure AD > PIM > Approve Requests
- Reviews request and clicks Approve or Deny
Once approved, the user appears in the PCA role in Azure DevOps for the set time.
8. Validate Access in Azure DevOps
To confirm access was granted:
- Go to Organization Settings > Permissions
- Open Project Collection Administrators
- Ensure the user shows up only while the role is active
When the activation expires, PIM removes the user from the group and the PCA membership disappears with it; no manual cleanup is needed. The activation, the approval and the expiry all appear in the group’s PIM audit history, which is what you hand to an auditor.
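Steps 7 and 8 as a script, added here as an example that is not part of the original guide: a user self-activates through the Graph API instead of the portal, and an audit function checks two things the portal steps only let you eyeball: that Project Collection Administrators contains nothing but the PIM group and a documented break-glass account, and which principals are currently active in the PIM group. It assumes the same az CLI setup as the earlier example, and that the principal names Azure DevOps reports for PCA members are the same strings you put in the allow-list file (check once with `az devops security group membership list`). The sample lists in the usage note are constructed.

```shell
#!/usr/bin/env bash
# Steps 7-8 of the guide: self-activate, then audit (example, not from the original page).
set -eu

GRAPH="https://graph.microsoft.com/v1.0"
now_utc() { date -u +%Y-%m-%dT%H:%M:%SZ; }

# Step 7: body for a user's own activation. PIM enforces the policy from step 5
# (MFA, justification, approval, maximum duration) on the server side.
activation_body() {      # group_id principal_id duration start justification
  printf '{"accessId":"member","principalId":"%s","groupId":"%s","action":"selfActivate","justification":"%s","scheduleInfo":{"startDateTime":"%s","expiration":{"type":"afterDuration","duration":"%s"}}}\n' \
    "$2" "$1" "$5" "$4" "$3"
}

activate() {             # group_id duration justification
  me=$(az ad signed-in-user show --query id -o tsv)
  # Prints the request status: "Provisioned" when no approval is needed,
  # "PendingApproval" when the approver still has to act.
  az rest --method POST --url "$GRAPH/identityGovernance/privilegedAccess/group/assignmentScheduleRequests" \
    --body "$(activation_body "$1" "$me" "$2" "$(now_utc)" "$3")" --query status -o tsv
}

# Step 8, pure part: PCA members that are not on the allow-list are standing
# admin access and should be removed. Both arguments are newline-separated
# lists; comparison is case-insensitive and exact per line.
standing_members() {     # allowed members
  printf '%s\n' "$2" | while IFS= read -r m; do
    [ -n "$m" ] || continue
    printf '%s\n' "$1" | grep -qixF -- "$m" || printf '%s\n' "$m"
  done
}

# Step 8, live: current PCA members from Azure DevOps, active PIM assignments from Graph.
audit() {                # group_id allowlist_file
  pca=$(az devops security group list --scope organization \
          --query "graphGroups[?displayName=='Project Collection Administrators'].descriptor" -o tsv)
  members=$(az devops security group membership list --id "$pca" --query "*.principalName" -o tsv)
  echo "Standing PCA members outside the allow-list (should be empty):"
  standing_members "$(cat "$2")" "$members"
  echo "Principals currently active in the PIM group (non-empty only during an activation):"
  az rest --method GET \
    --url "$GRAPH/identityGovernance/privilegedAccess/group/assignmentScheduleInstances?\$filter=groupId eq '$1'" \
    --query "value[].principalId" -o tsv
}

case "${1:-}" in
  activate) activate "$2" "${3:-PT1H}" "${4:-Pipeline change for release}" ;;
  audit)    audit "$2" "$3" ;;
esac
```

Usage: `./pim-check.sh activate <group-object-id> PT1H "Fix release pipeline"` as the user, then `./pim-check.sh audit <group-object-id> allowlist.txt` as an admin, where `allowlist.txt` holds one line for the PIM group and one for the break-glass account. Given the constructed allow-list `PIM-AzDO-Admins` plus `breakglass@contoso.example` and PCA members `pim-azdo-admins`, `alice@contoso.example`, `breakglass@contoso.example`, `bob@contoso.example`, `standing_members` reports `alice@contoso.example` and `bob@contoso.example`: two standing admins that defeat the whole point of step 6 until they are removed.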
Conclusion
I hope this guide helped you follow Microsoft’s documented setup for managing Azure DevOps admin access through PIM. This method gives your team the flexibility to activate roles when needed, while keeping admin access time-bound, approved where you want it, and fully audit-ready.
Once set up, the same pattern scales to other sensitive Azure DevOps groups such as Build Administrators or Release Administrators: one PIM-managed Azure AD group per role. And the best part: it’s built into Microsoft’s own identity platform, so you’re relying on supported controls rather than custom scripts.
