PIM Access Review templates setup guide

  • Last update on June 9th, 2026

PIM Access Review templates allow you to configure recurring reviews for privileged access managed through Microsoft Entra Privileged Identity Management (PIM). These templates support the periodic validation of elevated access to help reduce excessive privilege and support internal governance or compliance requirements.

PIM Access Review templates can be used to review scenarios such as:

  • Permanent role assignments
  • Eligible role assignments, including Activated, Time-bound eligible and Permanent eligible role assignments.

Configure Microsoft Entra permissions for PIM access review templates

PIM access review templates require a dedicated Microsoft Entra app registration and specific Microsoft Graph application permissions before they can be used.

The configuration applies only to the following templates:

  • Admin roles with Permanent assignments
  • Admin roles with Eligible assignments

Without this setup, these two templates remain unavailable. Other access review templates are not affected.

Why this configuration is required

Microsoft Entra Privileged Identity Management for directory roles is exposed through Microsoft Graph role management and schedule APIs. To retrieve the data required for these reviews, the platform needs a tenant-approved application identity with access to the relevant role assignment and eligibility schedule data.

Prerequisites

The administrator performing the setup must have sufficient permissions in the tenant to create or manage app registrations and to grant admin consent for application permissions.

Configure the app in Microsoft Entra

Step 1: create an app registration

  1. Sign in to the Microsoft Entra admin center.
  2. Go to “Entra ID” > “App registrations”.
  3. Select “New registration”.
  4. Enter a meaningful name, for example “CoreView PIM Access Review”.
  5. Under “Supported account types”, select the option appropriate for the tenant. For a dedicated integration with a single tenant, the single-tenant option (“Accounts in this organizational directory only”) is the narrowest choice.
  6. Select “Register”.

After registration, the “Application (client) ID” is available on the app “Overview” page.

Step 2: add Microsoft Graph application permissions

  1. Open the new app registration.
  2. Go to “API permissions”.
  3. Select “Add a permission”.
  4. Choose “Microsoft Graph”.
  5. Choose “Application permissions”.
  6. Add the permissions required for these PIM templates.

The required permissions are:

  • RoleAssignmentSchedule.ReadWrite.Directory
  • RoleEligibilitySchedule.ReadWrite.Directory

These permissions are required to retrieve the PIM role assignment and eligibility data used by the two templates. Both are application (app-only) permissions with write scope: an identity holding them can create or change PIM assignment and eligibility schedules for directory roles, so the client secret created in Step 4 must be handled as a credential for a highly privileged identity.

Step 3: grant admin consent

  1. In “API permissions”, select “Grant admin consent for <tenant name>”.
  2. Confirm the action.
  3. Refresh the page.
  4. Verify that both permissions show the status “Granted”.

Step 4: create a client secret

  1. Go to “Certificates & secrets”.
  2. Under “Client secrets”, select “New client secret”.
  3. Enter a description.
  4. Choose the expiration period. Note the date: once the secret expires, the two PIM templates stop working until a new secret is created and registered in CoreView.
  5. Select “Add”.

Store client secret

Copy the secret value immediately and store it securely. The secret value is shown only once and is not available again after leaving the page.

Step 5: collect the app details

From the app registration, copy and store the following values:

  • Application (client) ID
  • Client secret value
  • Secret expiration date
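The same provisioning (Steps 1 to 5) done from PowerShell with the Microsoft Graph PowerShell SDK instead of the portal. This is an added example and not CoreView's or Microsoft's code; the display name, the secret lifetime and the retry loop are assumptions, and the signed-in administrator needs the rights listed under Prerequisites.

```powershell
# Added example (not CoreView's code): provision the app registration from
# Steps 1-5 with the Microsoft Graph PowerShell SDK.
# Assumptions: the Microsoft.Graph module is installed; the display name and
# secret lifetime below are placeholders you may change.

Import-Module Microsoft.Graph.Applications

$AppDisplayName      = 'CoreView PIM Access Review'   # placeholder name
$SecretLifetimeMonths = 6                            # placeholder lifetime
$RequiredGraphRoles  = @(
    'RoleAssignmentSchedule.ReadWrite.Directory',
    'RoleEligibilitySchedule.ReadWrite.Directory'
)

# Delegated scopes the admin session needs to create the app and record app-only consent.
Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All' -NoWelcome

# The Microsoft Graph service principal owns the app roles (application permissions).
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

# Resolve each permission name to its app role id; fail early on a typo.
$appRoles = foreach ($name in $RequiredGraphRoles) {
    $role = $graphSp.AppRoles |
        Where-Object { $_.Value -eq $name -and $_.AllowedMemberTypes -contains 'Application' }
    if (-not $role) { throw "App role '$name' not found on Microsoft Graph" }
    $role
}

# Step 1 + 2: single-tenant registration with the required resource access declared.
$app = New-MgApplication -DisplayName $AppDisplayName -SignInAudience 'AzureADMyOrg' `
    -RequiredResourceAccess @(
        @{
            ResourceAppId  = $graphSp.AppId
            ResourceAccess = @($appRoles | ForEach-Object { @{ Id = $_.Id; Type = 'Role' } })
        }
    )

# A service principal must exist before consent can be recorded. Directory
# replication can lag a few seconds after New-MgApplication, hence the retry.
$sp = $null
for ($i = 0; -not $sp -and $i -lt 6; $i++) {
    try   { $sp = New-MgServicePrincipal -AppId $app.AppId -ErrorAction Stop }
    catch { Start-Sleep -Seconds 5 }
}
if (-not $sp) { throw "Service principal creation failed for $($app.AppId)" }

# Step 3: admin consent for an application permission is an appRoleAssignment
# from the app's own service principal to the Graph app role.
foreach ($role in $appRoles) {
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id `
        -PrincipalId $sp.Id -ResourceId $graphSp.Id -AppRoleId $role.Id | Out-Null
}

# Step 4: client secret. SecretText is returned exactly once and cannot be read back.
$secret = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
    DisplayName = 'CoreView App management'
    EndDateTime = (Get-Date).AddMonths($SecretLifetimeMonths)
}

# Step 5: the three values the CoreView "Role assignment management" form asks for.
[pscustomobject]@{
    ApplicationId = $app.AppId
    Password      = $secret.SecretText
    Expiration    = $secret.EndDateTime
}
```

Run it interactively and paste the three output values straight into the CoreView form; do not keep a transcript or pipe the output to a file, since the password field is the only copy of the secret.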

Register the app in CoreView

Step 6: open app management

Go to “Settings” > “Organization settings” > “App management”.

This page can also be opened directly from “Access Reviews” > “Create review from template”. From there, a banner redirects to “App management” to provide consent.

In “App management”, a dedicated app entry named “Role assignment management” is available for the PIM access review capability.

Step 7: enter the app details

Populate the form with the following values:

  • Application ID = Application (client) ID
  • Password = Client secret value
  • Expiration date = Secret expiration date

Save the configuration.

After the configuration is saved, the platform validates whether the required permissions are present and granted.

The consent status in the “Role assignment management” tab may not show “Granted” until the next daily full import has run, even if the permissions were granted correctly in Microsoft Entra.

Step 8: verify the permission status

In the app management entry, verify that the permission status table shows the required permissions as granted.
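An independent check of the same status from outside CoreView, added here as an example (not CoreView's code): it acquires an app-only token with the client credentials collected in Step 5, confirms that the token's roles claim carries both permissions, and performs a read-only call against the two Graph schedule resources the templates depend on. The three placeholder values at the top are assumptions to be filled in; nothing is written to the tenant.

```powershell
# Added example (not CoreView's code): verify that the app holds both application
# permissions and can read PIM schedule data, without waiting for the daily import.
# Assumptions: fill in the three placeholders with the values from Step 5.

$TenantId     = '<tenant-id-or-verified-domain>'
$ClientId     = '<application-client-id>'
$ClientSecret = '<client-secret-value>'
$RequiredGraphRoles = @(
    'RoleAssignmentSchedule.ReadWrite.Directory',
    'RoleEligibilitySchedule.ReadWrite.Directory'
)

# Client credentials flow on the v2.0 endpoint. The .default scope requests every
# application permission that has been admin-consented for this app.
$token = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -ContentType 'application/x-www-form-urlencoded' `
    -Body @{
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://graph.microsoft.com/.default'
        grant_type    = 'client_credentials'
    }

# Decode the JWT payload (second segment, base64url) to inspect the "roles" claim.
$payload = $token.access_token.Split('.')[1].Replace('-', '+').Replace('_', '/')
switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
$claims = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) |
    ConvertFrom-Json

# Application permissions granted to the app appear here; a missing entry means
# Step 3 (admin consent) is not effective for that permission.
$missing = $RequiredGraphRoles | Where-Object { $claims.roles -notcontains $_ }
if ($missing) {
    throw "Admin consent not effective for: $($missing -join ', '). Re-check Step 3."
}
"roles claim OK: $($claims.roles -join ', ')"

# Read-only calls to the two resources behind the PIM templates.
$headers = @{ Authorization = "Bearer $($token.access_token)" }
foreach ($resource in 'roleAssignmentSchedules', 'roleEligibilitySchedules') {
    $uri  = "https://graph.microsoft.com/v1.0/roleManagement/directory/${resource}?`$top=5"
    $page = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
    '{0}: {1} entries in first page' -f $resource, @($page.value).Count
}
```

A 401 on the token request points at the client ID, secret or tenant; a token whose roles claim lacks one of the two permissions points at admin consent; a 403 on either Graph call with both roles present usually means consent was granted very recently and has not propagated yet. The bearer token grants write access to PIM schedules, so do not log it.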

Use the PIM Access Review templates

Step 9: create the access review

After the app is configured correctly, the following templates become available in Reviews > Access Reviews > Create review from a template:

  • Admin roles with Permanent assignments
  • Admin roles with Eligible assignments

Note: if the app is missing, incomplete, or the required permissions are not granted, these two templates remain disabled.