AZ-104 | Chapter 3 of 168 | Objective 1.1

Privileged Identity Management (PIM)

This chapter covers Azure AD Privileged Identity Management (PIM), a critical service for managing, controlling, and monitoring privileged access to Azure resources and Azure AD roles. For the AZ-104 exam, PIM is part of Domain 1.1 (Manage identities in Azure AD) and typically appears in 5-10% of questions. You will learn how PIM enables just-in-time access, approval workflows, and access reviews to reduce the attack surface of privileged accounts. Mastering PIM is essential for passing the exam and for implementing least-privilege security in real-world Azure environments.

25 min read
Intermediate
Updated May 31, 2026

The Janitor's Key Cabinet for Privileged Access

Imagine a large office building where only the building manager has keys to every room, including the server room, CEO's office, and janitor's closet. The manager carries these keys 24/7. If the keys are lost or stolen, a thief can access any room at any time. This is like permanent privileged access in Azure AD—risky and hard to revoke. Now consider a different system: a secure key cabinet that requires the manager to request access via a smartphone app, state a reason, and get approval from a supervisor. The manager can only open the cabinet during specific hours, and the key is automatically returned after 4 hours. The cabinet logs every access attempt, including who approved it and why. If the manager tries to take the server room key at 2 AM without approval, the cabinet denies access and alerts security. This is exactly how Privileged Identity Management (PIM) works: just-in-time (JIT) access, approval workflows, time-bound roles, and audit logs. PIM ensures that privileged roles are activated only when needed, for a limited duration, and with full accountability—eliminating the risk of standing admin privileges that can be exploited by attackers or insiders.

How It Actually Works

Privileged Identity Management (PIM) is a service in Azure Active Directory (Azure AD) that enables you to manage, control, and monitor access to important resources in your organization. PIM provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions. It is a key component of Identity Governance in Azure AD.

PIM supports two types of roles:
- Azure AD roles (e.g., Global Administrator, User Administrator) – these control access to Azure AD itself.
- Azure resource roles (e.g., Owner, Contributor on a subscription, resource group, or resource) – these control access to Azure resources like VMs, storage accounts, etc.

PIM is available in Azure AD Premium P2 licensing. Without P2, you cannot use PIM.

Why PIM Exists – The Problem of Standing Admin Access

In traditional environments, users are assigned permanent (standing) admin roles. This creates several security risks:

If an admin account is compromised, the attacker has unlimited access forever.

Admins may retain access after they no longer need it (e.g., after a project ends).

No audit trail of when and why privileged actions were performed.

PIM solves this by providing just-in-time (JIT) access: users are assigned eligibility for a role, but they must activate it for a limited time when needed. Activation can require approval, multi-factor authentication (MFA), and a business justification.

How PIM Works – The Activation Flow

1. Eligible Assignment: An administrator configures a user as eligible for a role (e.g., Contributor on a subscription). The user does not have active permissions until they activate.

2. Activation Request: When the user needs to perform privileged tasks, they navigate to the PIM portal (or use the Azure AD Roles and Administrators blade) and request activation. They must provide:
   - Duration (default max is 8 hours, configurable up to 24 hours)
   - Reason (justification)
   - Ticket number (optional)
   - MFA challenge (if required by policy)

3. Approval (if configured): If the role requires approval, the request is sent to designated approvers. Approvers can review the request details and approve or deny. If no approval is required, activation proceeds immediately after MFA.

4. Activation: Once approved (or if auto-approved), the user's role becomes active for the requested duration. Azure AD issues a temporary token with the role's permissions.

5. Deactivation: When the duration expires, the role is automatically deactivated. The user can also deactivate manually earlier.

6. Audit: All activation requests, approvals, and deactivations are logged in the Azure AD audit logs and PIM-specific audit history.

Key Components and Configuration

#### Assignment Types
- Eligible: User can activate the role when needed.
- Active: User is permanently assigned the role (like traditional assignment). PIM still tracks active assignments but they are not JIT.
- Time-bound: Assignments can have a start and end date (e.g., for temporary contractors).

#### Activation Settings (per role)
- Activation maximum duration: Default 8 hours, max 24 hours.
- Require approval: On/Off. If on, you must select approvers (up to 5 users/groups).
- Require MFA: On/Off. Recommended to be on for all privileged roles.
- Require justification: On/Off. Recommended on.
- Require ticket information: On/Off.
- Require approval to deactivate: Not common, but can be configured.

#### Notification Settings
- Notifications can be sent to approvers, requestors, and admins when a request is pending, approved, or denied.
- You can configure email notifications, but also use Azure Monitor alerts for advanced scenarios.

#### Access Reviews
- PIM can automatically review role assignments periodically (e.g., every 30, 60, 90 days).
- Reviewers can be members or guests, and they approve or deny continued access.
- Results are automatically applied: denied assignments are removed.
- Access reviews help enforce least-privilege and compliance requirements.

Azure AD Roles vs. Azure Resource Roles in PIM

Azure AD Roles:

Manage access to Azure AD itself.

Examples: Global Administrator, User Administrator, Exchange Administrator.

PIM for Azure AD roles is configured in the Azure AD portal under "Roles and administrators" > "Privileged Identity Management".

Activation is for the entire Azure AD tenant.

Azure Resource Roles:

Manage access to Azure resources (subscriptions, resource groups, resources).

Examples: Owner, Contributor, Reader, or custom roles.

PIM for Azure resources is configured per resource (e.g., subscription) in the Azure portal under "Privileged Identity Management".

Activation can be scoped to a specific resource.

Interaction with Other Azure AD Features

Conditional Access: PIM can be integrated with Conditional Access policies. For example, you can require that activation only be allowed from a compliant device or specific location.

Identity Protection: PIM can be used to elevate access for Identity Protection administrators.

Entitlement Management: PIM is part of Identity Governance; entitlement management handles access packages, while PIM handles JIT activation.

Azure AD Audit Logs: All PIM events are recorded in the Azure AD audit logs, which can be exported to Log Analytics or SIEM tools.

Default Values and Timers

Activation maximum duration: 8 hours (default), configurable up to 24 hours.

Approval timeout: If approver does not respond within a configurable time (default 24 hours), the request expires.

Access review recurrence: default 30 days, but can be 7, 14, 30, 60, 90 days, or quarterly.

MFA challenge: required every time activation is requested (not cached).

Verification and Commands

While the AZ-104 exam does not require PowerShell commands, knowing the following cmdlets can deepen understanding:

```powershell
# AzureADPreview module cmdlets; run Connect-AzureAD first. For aadRoles, ResourceId is the tenant ID.
# Get eligible assignments for a user
Get-AzureADMSPrivilegedRoleAssignment -ProviderId "aadRoles" -ResourceId "tenant-id" -Filter "subjectId eq 'user-object-id'" | Where-Object AssignmentState -eq "Eligible"

# Activate a role for 8 hours (the default maximum); the window is passed as a one-time schedule
$schedule = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedSchedule
$schedule.Type = "Once"
$schedule.StartDateTime = (Get-Date).ToUniversalTime().ToString("o")
$schedule.EndDateTime = (Get-Date).ToUniversalTime().AddHours(8).ToString("o")
Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId "aadRoles" -ResourceId "tenant-id" -RoleDefinitionId "role-id" -SubjectId "user-id" -Type "UserAdd" -AssignmentState "Active" -Schedule $schedule -Reason "Need to reset user password (ticket INC123)"
```

Licensing Requirements

PIM requires Azure AD Premium P2 licenses for all users who will activate roles (i.e., eligible users).

Users who are only approvers or reviewers do not need P2 licenses.

For Azure resource roles, P2 is also required for each user who activates.

If you have 100 users who might activate roles, you need 100 P2 licenses.

Common Misconfiguration Traps

Not enabling MFA: This is a common oversight. Without MFA, an attacker who steals credentials can activate roles.

Setting too long an activation duration: The default of 8 hours is already long; some organizations set 4 hours or less. The exam may test that the maximum is 24 hours.

Not configuring approval for highly privileged roles: Global Administrator should always require approval.

Using active assignment instead of eligible: This defeats the purpose of PIM. The exam may present a scenario where an admin sets active assignment thinking it's JIT.
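The traps above can be checked mechanically against each role's PIM settings. The following is an added example written for this page, not Microsoft tooling or code from the study guide; the RoleSettings shape, the role names other than Global Administrator, and the sample principals are constructed for illustration, not the PIM API schema.

```python
from dataclasses import dataclass, field

MAX_ACTIVATION_HOURS = 24      # activation can never exceed 24 hours
DEFAULT_ACTIVATION_HOURS = 8   # PIM default maximum activation duration
MAX_APPROVERS = 5              # up to 5 approver users/groups per role
# Roles that should always require approval; the page names Global Administrator
ALWAYS_APPROVE = {"Global Administrator"}

@dataclass
class RoleSettings:
    # Constructed stand-in for a role's PIM settings, not the Graph API schema
    role: str
    max_activation_hours: int = DEFAULT_ACTIVATION_HOURS
    require_mfa: bool = True
    require_justification: bool = True
    require_approval: bool = False
    approvers: list = field(default_factory=list)
    active_assignments: list = field(default_factory=list)    # permanent, not JIT
    eligible_assignments: list = field(default_factory=list)  # JIT, needs activation

def audit_role_settings(s: RoleSettings) -> list:
    """Return one finding per trap found; an empty list means the role is clean."""
    findings = []
    if s.max_activation_hours > MAX_ACTIVATION_HOURS:
        findings.append(f"{s.role}: max activation {s.max_activation_hours}h exceeds the 24-hour limit")
    elif s.max_activation_hours > DEFAULT_ACTIVATION_HOURS:
        findings.append(f"{s.role}: max activation {s.max_activation_hours}h is above the 8-hour default")
    if not s.require_mfa:
        findings.append(f"{s.role}: MFA not required at activation; stolen credentials alone suffice")
    if not s.require_justification:
        findings.append(f"{s.role}: justification not required; the audit trail will lack the reason")
    if s.role in ALWAYS_APPROVE and not s.require_approval:
        findings.append(f"{s.role}: highly privileged role activates without approval")
    if len(s.approvers) > MAX_APPROVERS:
        findings.append(f"{s.role}: {len(s.approvers)} approvers configured, the limit is {MAX_APPROVERS}")
    for principal in s.active_assignments:
        findings.append(f"{s.role}: {principal} holds a permanent active assignment; make it eligible")
    return findings

def audit_tenant(roles: list) -> dict:
    """Audit every role and return {role: findings} for the roles with problems."""
    return {r.role: f for r in roles if (f := audit_role_settings(r))}

if __name__ == "__main__":
    # Constructed sample: one role with several traps at once, one configured well
    sample = [
        RoleSettings("Global Administrator", max_activation_hours=24, require_mfa=False,
                     active_assignments=["alice@contoso.example"]),
        RoleSettings("User Administrator", max_activation_hours=4, require_approval=True,
                     approvers=["sec-ops@contoso.example"], eligible_assignments=["helpdesk"]),
    ]
    for role, findings in audit_tenant(sample).items():
        print(role)
        for f in findings:
            print("  -", f)
```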

Exam-Relevant Numbers

Maximum activation duration: 24 hours (default 8 hours).

Maximum number of approvers per role: 5.

Access review recurrence options: 7, 14, 30, 60, 90 days, or quarterly.

PIM requires Azure AD Premium P2.

PIM supports Azure AD roles and Azure resource roles (not Azure AD joined devices).

Walk-Through

1. Configure PIM for Azure AD Roles

Navigate to Azure AD > Roles and administrators > Privileged Identity Management. Select a role (e.g., Global Administrator). Under Settings, configure activation settings: set maximum duration (e.g., 4 hours), require MFA, require justification, and optionally require approval. Add approvers (up to 5). Then assign users as eligible for the role. This step prepares the role for JIT activation.

2. User Requests Activation

The eligible user signs into the Azure portal, goes to Azure AD > Roles and administrators > My roles, or directly to the PIM portal. They select the eligible role and click Activate. They must provide a duration (within the allowed maximum), a reason, and optionally a ticket number. If MFA is required, they must complete the MFA challenge. The request is then submitted.

3. Approval Process (if configured)

If the role requires approval, the request appears in the approver's PIM portal under Approve requests. Approvers review the request details (user, reason, duration, ticket). They can approve or deny. If approved, the user is notified. If no approval is configured, the request is auto-approved after MFA.

4. Role Activation and Usage

Once approved, the user's role becomes active for the specified duration. Azure AD issues a token with the role's permissions. The user can now perform privileged actions (e.g., reset passwords, manage subscriptions). The activation is logged in audit logs.

5. Automatic Deactivation or Manual Deactivation

When the activation duration expires, the role is automatically deactivated. The user can also manually deactivate earlier via the PIM portal. After deactivation, the user no longer has the role's permissions. Any cached tokens may persist for up to the token lifetime (typically 1 hour), so permissions are not revoked instantly.
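The activation flow described earlier (steps 1 to 6) and this walk-through, modelled as a small state machine that a practitioner can step through: request, approval or timeout, activation window, manual or automatic deactivation, and the cached-token caveat. This is an added example written for this page, not Microsoft code; the 8-hour default, 24-hour maximum, 24-hour approval timeout and 1-hour token lifetime are the page's figures used as constants, and it models PIM behaviour without calling Azure.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MAX_ACTIVATION = timedelta(hours=24)     # hard maximum activation duration
APPROVAL_TIMEOUT = timedelta(hours=24)   # default approval timeout
TOKEN_LIFETIME = timedelta(hours=1)      # typical access-token lifetime (caveat in step 5)

@dataclass
class RolePolicy:
    max_duration: timedelta = timedelta(hours=8)   # PIM default maximum
    require_mfa: bool = True
    require_approval: bool = False

@dataclass
class Activation:
    requested_at: datetime
    duration: timedelta
    state: str = "pending"          # pending | active | denied | expired
    active_from: datetime = None
    active_until: datetime = None
    audit: list = field(default_factory=list)   # (time, event) pairs, step 6

def _activate(act, now):
    act.state, act.active_from, act.active_until = "active", now, now + act.duration
    act.audit.append((now, f"activated until {act.active_until.isoformat()}"))

def request_activation(policy, now, duration, mfa_passed, reason):
    # Steps 2-4: validate the request; without approval it activates at once
    act = Activation(now, duration)
    act.audit.append((now, f"requested {duration} for '{reason}'"))
    if duration > min(policy.max_duration, MAX_ACTIVATION):
        act.state, why = "denied", "duration exceeds the role maximum"
    elif policy.require_mfa and not mfa_passed:
        act.state, why = "denied", "MFA challenge not completed"
    elif not policy.require_approval:
        _activate(act, now)
    if act.state == "denied":
        act.audit.append((now, f"denied: {why}"))
    return act

def approve(act, approver, now):
    # Step 3: past the timeout the request expires; it never auto-approves
    if act.state != "pending":
        return act
    if now - act.requested_at > APPROVAL_TIMEOUT:
        act.state = "expired"
        act.audit.append((now, "expired: no approval within timeout"))
        return act
    act.audit.append((now, f"approved by {approver}"))
    _activate(act, now)
    return act

def deactivate(act, now):
    # Step 5 (manual): close the window now; PIM removes the permission at once
    if act.state == "active" and now < act.active_until:
        act.active_until = now
        act.audit.append((now, "deactivated manually"))
    return act

def has_role(act, now, cached_token=False):
    # Step 5: role only inside the window; cached_token=True adds the lifetime of a token issued before it closed
    if act.state != "active":
        return False
    end = act.active_until + (TOKEN_LIFETIME if cached_token else timedelta(0))
    return act.active_from <= now < end
```

The audit list on each Activation is the trail step 6 describes; printing it after a run shows request, approval, activation and deactivation with their timestamps.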

What This Looks Like on the Job

Enterprise Scenario 1: Help Desk with Temporary Admin Access

A large enterprise has a help desk team that occasionally needs to reset user passwords or manage group memberships. Instead of giving them permanent User Administrator access, the company uses PIM. Help desk agents are made eligible for the User Administrator role with a 4-hour activation window, requiring MFA and a ticket number. When an agent needs to reset a password, they activate the role, perform the task, and deactivate. This reduces the risk of rogue password resets and provides an audit trail. Misconfiguration: if the activation duration is set too long (e.g., 24 hours), an agent might forget to deactivate, leaving a window of vulnerability. The solution is to enforce a shorter duration and require approval for critical roles.

Scenario 2: Global Administrator Access for Emergency Break Glass

An organization has break-glass accounts for emergency Global Administrator access. These accounts are stored in a secure vault and are used only when primary admins are unavailable. Using PIM, the break-glass accounts are assigned as eligible for Global Administrator with a 1-hour activation duration, requiring approval from two designated security officers. When an emergency occurs, the user activates the role, gets dual approval, and performs the necessary recovery actions. After 1 hour, access is automatically removed. This ensures that even break-glass accounts do not have standing privileges. Common pitfall: not configuring MFA for break-glass accounts because they are considered emergency-only. However, PIM can require MFA even for emergency accounts (using a hardware token or phone call).

Scenario 3: Contractor Access to Azure Resources

A software vendor needs temporary Contributor access to a specific resource group for a 3-month project. The vendor's lead developer is made eligible for the Contributor role on that resource group, with an 8-hour activation duration, requiring approval from the project manager and a justification. Access reviews are configured every 30 days to ensure the contractor still requires access. After the project ends, the eligible assignment is removed. This prevents lingering access. Performance considerations: PIM adds a slight delay (seconds) for activation, but this is acceptable for non-emergency access. Misconfiguration: if the resource scope is too broad (e.g., the entire subscription), the contractor could accidentally modify other resources. Always scope to the minimum necessary resource.

How AZ-104 Actually Tests This

AZ-104 Exam Focus on PIM

Objective Code: Domain 1.1 – Manage identities in Azure AD. Specifically, the exam tests your ability to "configure and manage Azure AD Privileged Identity Management" including assignment types, activation settings, approval workflows, and access reviews.

Common Wrong Answers and Why Candidates Choose Them:

1. "PIM is available with Azure AD Premium P1" – Wrong. Candidates confuse PIM with basic role-based access control (RBAC). PIM requires P2. The exam tests licensing requirements.
2. "Active assignment is the same as eligible assignment" – Wrong. Active assignment gives permanent access; eligible requires activation. The exam may describe a scenario where an admin assigns a user as "active" thinking it's JIT – this is incorrect.
3. "You can set activation duration to 48 hours" – Wrong. Maximum is 24 hours. Candidates may think longer durations are allowed for convenience.
4. "PIM only supports Azure AD roles, not Azure resource roles" – Wrong. PIM supports both. The exam may ask which roles can be managed by PIM; the answer is both.

Specific Numbers and Terms:

Activation max duration: 24 hours (default 8 hours)

Number of approvers per role: up to 5

Access review recurrence: 7, 14, 30, 60, 90 days, quarterly

Licensing: Azure AD Premium P2 for eligible users

Terms: "Eligible assignment", "Active assignment", "Just-in-time", "Access review"

Edge Cases and Exceptions:

PIM for Azure resources: You can configure PIM at subscription, resource group, or resource level. The exam may ask about scope.

PIM and MFA: MFA is required at activation, not at initial login. So a user may log in without MFA but must do MFA to activate a role.

Approval notifications: If an approver does not respond within the timeout (default 24 hours), the request expires. Candidates may think it auto-approves.

Guest users: Guest users can be assigned eligible roles in PIM, but they must have an Azure AD P2 license or be covered by the organization's P2 licenses.

How to Eliminate Wrong Answers:

If a question asks about reducing standing admin access, the answer is always PIM with eligible assignments, not active assignments.

If licensing is mentioned, remember P2 is required for users who activate.

If duration is mentioned, remember max 24 hours.

If approval is mentioned, remember that approval is per role setting, not per user.

Always look for keywords: "just-in-time", "eligible", "activate", "time-bound".

Key Takeaways

PIM requires Azure AD Premium P2 licenses for users who activate roles.

Eligible assignments require activation; active assignments are permanent.

Activation maximum duration is 24 hours (default 8 hours).

Up to 5 approvers can be configured per role for approval workflows.

MFA is required at activation time, even if user already signed in with MFA.

Access reviews can recur every 7, 14, 30, 60, 90 days, or quarterly.

PIM supports both Azure AD roles and Azure resource roles.

All activation events are logged in Azure AD audit logs.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

PIM with Eligible Assignment

Requires activation to gain permissions

Time-bound activation (max 24 hours)

Supports approval workflows

Supports just-in-time access

Reduces standing admin access risk

PIM with Active Assignment

Provides permanent access without activation

No time limit (unless set with start/end date)

Does not require approval for activation

Not just-in-time; access is always on

Increases risk of privilege abuse

Watch Out for These

Mistake

PIM is available with Azure AD Premium P1 licensing.

Correct

PIM requires Azure AD Premium P2 licenses for all users who will activate roles. P1 only provides basic RBAC and conditional access, not PIM.

Mistake

An active assignment in PIM is the same as an eligible assignment because both can be tracked.

Correct

An active assignment grants permanent access without activation, similar to traditional RBAC. An eligible assignment requires the user to activate the role for a limited time. Only eligible assignments provide just-in-time access.

Mistake

PIM only works for Azure AD roles, not for Azure resource roles.

Correct

PIM supports both Azure AD roles (e.g., Global Administrator) and Azure resource roles (e.g., Contributor on a subscription). You can configure PIM for any Azure resource that supports RBAC.

Mistake

Once a role is activated, it remains active until the user manually deactivates it.

Correct

The role is automatically deactivated after the activation duration expires. Users can also deactivate manually, but automatic deactivation ensures no indefinite access.

Mistake

MFA is only required at initial sign-in, not at role activation.

Correct

MFA for PIM is enforced at the time of activation, not at sign-in. Even if the user already signed in with MFA, they must complete MFA again when activating a privileged role.


Frequently Asked Questions

What is the difference between eligible and active assignment in PIM?

An eligible assignment means the user has the right to activate the role when needed, but does not have active permissions until they do. An active assignment grants the role permanently without any activation step. For just-in-time access, use eligible assignments.

Can I use PIM without Azure AD Premium P2?

No. PIM requires Azure AD Premium P2 licenses for all users who will activate roles. Users who are only approvers or reviewers do not need P2 licenses. Without P2, you cannot configure or use PIM.

What is the maximum activation duration for a role in PIM?

The maximum activation duration is 24 hours. The default is 8 hours. You can configure any value up to 24 hours per role in the activation settings.

Does PIM support Azure resource roles like Contributor?

Yes. PIM supports Azure resource roles at the subscription, resource group, or resource level. You can configure PIM for any Azure resource that has RBAC roles.

How do access reviews work in PIM?

Access reviews allow administrators to periodically review role assignments. You can configure reviews to recur every 7, 14, 30, 60, 90 days, or quarterly. Reviewers approve or deny each assignment. Denied assignments are automatically removed.

What happens if an approver does not respond to an activation request?

The request expires after a configurable timeout (default 24 hours). The user must submit a new request. It does not auto-approve.

Can guest users be assigned eligible roles in PIM?

Yes, guest users can be made eligible for roles in PIM, provided they have an Azure AD P2 license or are covered by the organization's P2 licensing. They can activate roles just like internal users.
