AZ-305 | Chapter 59 of 103 | Objective 1.1

Privileged Identity Management Design

This chapter covers Privileged Identity Management (PIM) in Azure AD, a critical component of identity governance that enables just-in-time privileged access, time-bound role assignments, and approval workflows. For the AZ-305 exam, PIM is a key topic under domain 'Identity Governance' (objective 1.1), and questions frequently appear on its capabilities, configuration, and how it differs from other Azure AD features. Expect roughly 10-15% of exam questions to touch on PIM or related identity governance concepts, often integrated with Azure AD roles, Azure resource roles, and conditional access policies.

25 min read
Intermediate
Updated May 31, 2026

The VIP Club with Timed Guest Passes

Imagine a high-security corporate headquarters. Every employee has a permanent badge that grants access to their usual floor. But the server room, executive wing, and data center require special clearance. Instead of giving a permanent key to everyone who might occasionally need access, the security office uses a 'Privileged Access Manager.' When a network engineer needs to enter the server room, they request a guest pass through an app. The manager checks if the request is approved (by their supervisor or automatically based on rules). If approved, the engineer gets a temporary badge that works only for a specific door, for a set time (e.g., 4 hours). The badge is activated immediately upon approval, and the engineer must use it within a window. After the time expires, the badge deactivates automatically. The manager also requires the engineer to provide a reason for entry (justification) and may require a second form of ID (multi-factor authentication). Crucially, the engineer cannot give their badge to someone else; it's tied to their identity. The manager keeps a log of every access request, approval, and usage. If the engineer tries to access a different restricted area with the same badge, the door rejects it. This mirrors Azure AD Privileged Identity Management (PIM): just-in-time activation, time-bound roles, approval workflows, multi-factor authentication, and audit logs. Permanent privileged access is like giving everyone a master key – dangerous and unnecessary. PIM replaces standing admin access with temporary, auditable permissions.

How It Actually Works

What is Privileged Identity Management (PIM)?

Privileged Identity Management (PIM) is a service in Azure Active Directory (Azure AD) that enables you to manage, control, and monitor access to important resources in your organization. This includes access to Azure AD roles, Azure resources (such as subscriptions, resource groups, and individual resources), and other Microsoft online services like Exchange Online or SharePoint Online. PIM provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions.

PIM addresses the problem of 'standing privileges' – where users have permanent, always-on admin roles. If an attacker compromises such a user, they immediately gain full access. PIM replaces standing admin roles with just-in-time (JIT) activation: users are eligible for a role but must activate it only when needed, for a limited duration, and often with approval and multi-factor authentication (MFA).

How PIM Works Internally

PIM operates on top of Azure AD's directory service. When a user is assigned as 'eligible' for a role, that assignment is stored in Azure AD as an entitlement. However, the user does not have the role's permissions until they activate it. Activation involves the following:

1. The user navigates to the PIM portal (or uses the Azure AD PowerShell/Graph API) and requests activation for a specific role.

2. The activation request includes a reason (justification), and optionally a custom start time and duration (subject to administrator-defined maximums).

3. If MFA is required (strongly recommended), the user must authenticate via Azure AD MFA before the request proceeds.

4. If an approval workflow is configured, the request is sent to designated approvers (usually members of the Privileged Role Administrator role). The request waits in a pending state until approved or denied.

5. Once approved (or if no approval is needed), Azure AD activates the role by adding the user to the role's membership for a specific time window. The user's token is updated to include the role's permissions. The activation is logged in the Azure AD audit logs.

6. The role automatically expires after the defined duration (default is 8 hours for Azure AD roles, configurable up to 24 hours). No manual deactivation is required.

Key Components, Values, and Defaults

- Role Types: PIM supports two types of roles:
  - Azure AD roles: directory-level roles such as Global Administrator and User Administrator.
  - Azure resource roles: built-in roles such as Owner, Contributor and Reader, or custom roles, at subscription, resource group or resource scope.
- Assignment Types:
  - Eligible: the user can activate the role when needed.
  - Active: the user has permanent, always-on access (not recommended).
  - Time-bound: an active assignment with a specific end date (e.g., for temporary elevated access).
- Activation Settings:
  - Maximum activation duration (in hours): default 8 hours for Azure AD roles and 1 hour for Azure resource roles; configurable between 1 and 24 hours.
  - Require MFA on activation: enabled by default for Azure AD roles.
  - Require approval: optional; if enabled, one or two approvers can be configured.
  - Require justification: always required.
  - Require ticket information: optional; can require a ticket number.
- Approval Workflow: approvers are users who are themselves eligible or active for the Privileged Role Administrator role (or custom approver groups). Approvals can be delegated.
- Audit History: PIM retains a log of all activations, approvals and role changes for up to 30 days in the Azure portal.
- PIM for Groups: PIM can also manage eligibility for Azure AD security groups that are assigned to roles (role-assignable groups).
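The activation steps and the settings above combine into a small decision procedure: justification always, ticket if the role demands it, duration within the role's maximum, MFA before the request proceeds, then either immediate activation or a pending request that every configured approver must approve before it expires. The following Python model is an added example written for this chapter, not code from the chapter or from Microsoft; it encodes the chapter's stated defaults (8 h / 1 h, MFA on by default only for Azure AD roles, 1-24 h bounds, request expiry after the maximum activation duration) and uses constructed role settings and principals (`alice`, `bob`, `mgr1`, `mgr2`) purely for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

# Defaults as the chapter states them: 8 h for Azure AD roles, 1 h for Azure
# resource roles, MFA on by default only for Azure AD roles, 1-24 h bounds.
DEFAULT_MAX_HOURS = {"aadRole": 8, "azureResource": 1}
ABSOLUTE_MAX_HOURS = 24


@dataclass(frozen=True)
class RoleSettings:
    role_type: str                               # "aadRole" or "azureResource"
    max_activation_hours: Optional[int] = None   # None -> chapter default
    require_mfa: Optional[bool] = None           # None -> chapter default
    require_approval: bool = False
    approvers: Tuple[str, ...] = ()
    require_ticket: bool = False

    def max_hours(self) -> int:
        hours = self.max_activation_hours or DEFAULT_MAX_HOURS[self.role_type]
        if not 1 <= hours <= ABSOLUTE_MAX_HOURS:
            raise ValueError("maximum activation duration must be between 1 and 24 hours")
        return hours

    def mfa_required(self) -> bool:
        return self.require_mfa if self.require_mfa is not None else self.role_type == "aadRole"


@dataclass(frozen=True)
class ActivationRequest:
    principal: str
    duration_hours: float
    submitted_at: datetime
    justification: str = ""
    ticket: str = ""
    mfa_completed: bool = False


@dataclass(frozen=True)
class Outcome:
    state: str            # Rejected | PendingApproval | Active | Denied | Expired
    detail: str
    expires_at: Optional[datetime] = None   # only set once the role is actually active


def evaluate_activation(settings: RoleSettings, req: ActivationRequest) -> Outcome:
    """Apply the role's activation settings to a request, in the order the chapter describes."""
    if not req.justification.strip():
        return Outcome("Rejected", "justification is always required")
    if settings.require_ticket and not req.ticket.strip():
        return Outcome("Rejected", "this role requires ticket information")
    if not 0 < req.duration_hours <= settings.max_hours():
        return Outcome("Rejected", f"duration must be between 0 and {settings.max_hours()} hours")
    if settings.mfa_required() and not req.mfa_completed:
        return Outcome("Rejected", "MFA must be completed before the request proceeds")
    if settings.require_approval:
        # The duration clock starts at activation, so nothing expires while pending.
        return Outcome("PendingApproval", f"waiting for {len(settings.approvers)} approver(s)")
    return Outcome("Active", "activated", req.submitted_at + timedelta(hours=req.duration_hours))


def decide(settings: RoleSettings, req: ActivationRequest, pending: Outcome,
           decisions: Dict[str, bool], decided_at: datetime) -> Outcome:
    """Resolve a pending request: all approvers must approve, and the request expires
    if it sits longer than the role's maximum activation duration."""
    if pending.state != "PendingApproval":
        return pending
    if decided_at > req.submitted_at + timedelta(hours=settings.max_hours()):
        return Outcome("Expired", "not acted upon within the maximum activation duration")
    if any(decisions.get(a) is False for a in settings.approvers):
        return Outcome("Denied", "an approver denied the request")
    if all(decisions.get(a) for a in settings.approvers):
        return Outcome("Active", "approved", decided_at + timedelta(hours=req.duration_hours))
    return pending   # still waiting on at least one approver


SAMPLE_START = datetime(2024, 5, 6, 9, 0, tzinfo=timezone.utc)   # constructed timestamp


def demo() -> Dict[str, Outcome]:
    """Constructed scenarios: a tightly governed Global Administrator role and a
    Contributor role left at the chapter's Azure resource defaults."""
    ga = RoleSettings("aadRole", max_activation_hours=4, require_approval=True,
                      approvers=("mgr1", "mgr2"), require_ticket=True)
    contributor = RoleSettings("azureResource")
    req = ActivationRequest("alice", 4, SAMPLE_START, "Incident response", "INC-1", True)
    pending = evaluate_activation(ga, req)
    five_min = SAMPLE_START + timedelta(minutes=5)
    return {
        "too_long": evaluate_activation(ga, ActivationRequest("alice", 8, SAMPLE_START, "INC-1", "INC-1", True)),
        "no_mfa": evaluate_activation(ga, ActivationRequest("alice", 2, SAMPLE_START, "INC-1", "INC-1", False)),
        "pending": pending,
        "one_approver": decide(ga, req, pending, {"mgr1": True}, five_min),
        "approved": decide(ga, req, pending, {"mgr1": True, "mgr2": True}, five_min),
        "expired": decide(ga, req, pending, {"mgr1": True, "mgr2": True}, SAMPLE_START + timedelta(hours=5)),
        "resource": evaluate_activation(contributor, ActivationRequest("bob", 1, SAMPLE_START, "Build 42")),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:12} {outcome.state:16} {outcome.detail} expires={outcome.expires_at}")
```

Note the two clocks: the approval request expires relative to when it was submitted (the maximum activation duration), while the activated role expires relative to when it actually became active, which is why the `approved` case ends at 13:05 rather than 13:00.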

Configuration and Verification Commands

PIM is primarily managed through the Azure portal (Azure AD > Privileged Identity Management) or via Microsoft Graph API and Azure AD PowerShell. Key PowerShell cmdlets:

# AzureADPreview module cmdlets (retired in favour of Microsoft Graph PowerShell, but still what this chapter shows).
# For the 'aadRoles' provider, -ResourceId is the tenant ID and subjects are filtered by object ID, not UPN.
# Get eligible assignments for a user
Get-AzureADMSPrivilegedRoleAssignment -ProviderId 'aadRoles' -ResourceId '<tenantId>' -Filter "subjectId eq '<userObjectId>'"

# Activate a role: the duration is carried by a schedule object (there is no -Duration parameter)
$schedule = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedSchedule
$schedule.Type = 'Once'
$schedule.StartDateTime = (Get-Date).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss.fffZ')
$schedule.Duration = 'PT8H'
Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId 'aadRoles' -ResourceId '<tenantId>' -RoleDefinitionId '<roleDefinitionId>' -SubjectId '<userObjectId>' -Type 'UserAdd' -AssignmentState 'Active' -Schedule $schedule -Reason 'Need for incident'

# Approve (or deny with -Decision 'AdminDenied') a pending request as an approver
Set-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId 'aadRoles' -Id '<requestId>' -Decision 'AdminApproved' -Reason 'Approved'

For Azure resources, use:

# List the Azure subscriptions onboarded to PIM; the filter value is the subscription's ARM resource ID
Get-AzureADMSPrivilegedResource -ProviderId 'azureResources' -Filter "externalId eq '/subscriptions/...'"
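The same three operations (list what you are eligible for, request activation, record an approval decision) are available through the Microsoft Graph roleManagement API, which is what the chapter's "Graph API" references point at. The Python below is an added example for this chapter, not Microsoft's code: it builds and validates the request bodies offline, applies the chapter's rules (justification mandatory, duration at most 24 hours, optional ticket) before anything is sent, and wraps the HTTP call with the standard library. The Global Administrator role ID is the well-known template ID of that built-in role; the principal and ticket values, the token and the `max_hours` cap are constructed placeholders.

```python
import json
import re
from datetime import datetime, timezone
from typing import Dict, Optional
from urllib import request

GRAPH = "https://graph.microsoft.com/v1.0"
GLOBAL_ADMIN_ROLE_ID = "62e90394-69f5-4237-9190-012177145e10"   # built-in Global Administrator template ID

# Graph roleManagement paths used by this example.
ELIGIBLE_PATH = "/roleManagement/directory/roleEligibilitySchedules/filterByCurrentUser(on='principal')"
ACTIVATE_PATH = "/roleManagement/directory/roleAssignmentScheduleRequests"
APPROVAL_STEP_PATH = "/roleManagement/directory/roleAssignmentApprovals/{approval_id}/steps/{step_id}"


def duration_hours(iso_duration: str) -> float:
    """Parse the PT..H / PT..M durations PIM accepts; anything else is rejected."""
    m = re.fullmatch(r"PT(?:(\d+)H)?(?:(\d+)M)?", iso_duration)
    if not m or iso_duration == "PT":
        raise ValueError(f"unsupported ISO 8601 duration {iso_duration!r}")
    return int(m.group(1) or 0) + int(m.group(2) or 0) / 60


def build_self_activate(principal_id: str, role_definition_id: str, justification: str,
                        duration: str = "PT8H", ticket_number: Optional[str] = None,
                        ticket_system: Optional[str] = None, start: Optional[datetime] = None,
                        max_hours: float = 24) -> Dict:
    """Body for POST /roleManagement/directory/roleAssignmentScheduleRequests (self-activation)."""
    if not justification.strip():
        raise ValueError("justification is always required")
    if not 0 < duration_hours(duration) <= max_hours:
        raise ValueError(f"duration {duration} exceeds the {max_hours} h maximum for this role")
    start = start or datetime.now(timezone.utc)
    body = {
        "action": "selfActivate",
        "principalId": principal_id,
        "roleDefinitionId": role_definition_id,
        "directoryScopeId": "/",                 # directory-wide, as Azure AD roles are
        "justification": justification,
        "scheduleInfo": {
            "startDateTime": start.isoformat(timespec="seconds").replace("+00:00", "Z"),
            "expiration": {"type": "afterDuration", "duration": duration},
        },
    }
    if ticket_number:   # only when the role's settings ask for ticket information
        body["ticketInfo"] = {"ticketNumber": ticket_number, "ticketSystem": ticket_system or "unspecified"}
    return body


def build_approval_decision(approve: bool, justification: str) -> Dict:
    """Body for PATCH on an approval step; the approver's reason is logged alongside the decision."""
    if not justification.strip():
        raise ValueError("record a reason with every approval decision")
    return {"reviewResult": "Approve" if approve else "Deny", "justification": justification}


def graph_call(token: str, method: str, path: str, body: Optional[Dict] = None) -> Dict:
    """Minimal Graph transport; the caller supplies a bearer token obtained elsewhere."""
    data = json.dumps(body).encode() if body is not None else None
    req = request.Request(GRAPH + path, method=method, data=data,
                          headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else {}


if __name__ == "__main__":
    # Offline: show the activation body an incident responder would submit (placeholder IDs).
    print(json.dumps(build_self_activate("<user-object-id>", GLOBAL_ADMIN_ROLE_ID,
                                         "Incident response", "PT4H", "INC-1234", "ServiceNow"), indent=2))
    # Online (needs a real token): graph_call(token, "GET", ELIGIBLE_PATH)["value"] lists eligible roles,
    # graph_call(token, "POST", ACTIVATE_PATH, body) submits the request, and an approver sends
    # graph_call(token, "PATCH", APPROVAL_STEP_PATH.format(...), build_approval_decision(True, "reason")).
```

Validating the body before the POST is deliberate: a request that violates the role's settings is rejected by PIM anyway, but checking locally keeps a pipeline from burning an approver's attention on a request that can never be granted.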

Interaction with Related Technologies

Azure AD Conditional Access: PIM activation can be subject to Conditional Access policies, e.g., requiring a compliant device or specific location. However, PIM's own MFA requirement is separate from Conditional Access.

Azure AD Identity Protection: PIM can be integrated with Identity Protection to detect risky sign-ins during activation.

Azure AD Privileged Access Groups: PIM can manage eligibility for groups, which in turn have Azure AD roles or Azure resource roles assigned.

Azure Policy: PIM can be used to enforce just-in-time access for Azure resources, complementing Azure Policy's governance.

Microsoft 365 Defender: PIM alerts can be sent to Defender for Cloud for security monitoring.

Activation Process Flow

1. The user initiates activation in the PIM portal.

2. PIM checks whether MFA is required; if so, the user completes MFA.

3. The user provides a justification (and optionally a ticket number).

4. If approval is configured, the request is sent to the approvers, who receive an email notification.

5. An approver reviews the request and approves or denies it. If multiple approvers are configured, all must approve (depending on settings).

6. Once approved (or if no approval is needed), Azure AD activates the role: the user's token is refreshed to include the role.

7. The role remains active for the configured duration. The user can deactivate early if needed.

8. Upon expiration, the role is automatically deactivated. No further action is required.

Important Timers and Defaults

Maximum activation duration: For Azure AD roles, default 8 hours, max 24 hours. For Azure resource roles, default 1 hour, max 24 hours.

Approval request expiry: If not acted upon, the request expires after the configured maximum activation duration (the approver cannot approve after that time).

Audit log retention: 30 days in the Azure portal; can be exported to storage for longer retention.

MFA session: After MFA, the session is valid for the activation duration; re-MFA is not required for same role activation within that session.

PIM vs. Other Azure AD Features

Azure AD Roles vs. PIM: Azure AD roles provide permanent assignment; PIM adds eligibility and activation.

Azure AD Privileged Access Groups: These are groups that can be assigned to roles; PIM can manage eligibility for these groups.

Azure AD Access Reviews: Access reviews can periodically review active assignments, complementing PIM's JIT approach.

Azure AD Identity Governance: PIM is a core component of Azure AD's identity governance suite, along with entitlement management and access reviews.

Security Considerations

Emergency Access Accounts: Microsoft recommends maintaining two emergency access accounts with permanent Global Administrator role (break-glass accounts) that are not managed by PIM (to avoid lockout).

Least Privilege: PIM enables the principle of least privilege by granting temporary access only when needed.

Audit: All activations are logged; use alerts for suspicious activations.

Exam Traps

Trap: PIM can manage all Azure AD roles. Reality: PIM can manage all built-in and custom Azure AD roles, but only those that are directory roles. It does not manage application roles or roles in other Microsoft services directly.

Trap: PIM requires Azure AD Premium P2. Reality: PIM requires an Azure AD Premium P2 license for users who are eligible or active for roles. Azure AD Premium P1 is insufficient.

Trap: PIM automatically enforces MFA for all role activations. Reality: MFA is optional but highly recommended. It is enabled by default for Azure AD roles but can be disabled.

Trap: PIM activation provides permanent access. Reality: Activation is time-bound; after expiry, access is revoked.

Trap: PIM works for Azure resource roles without any extra configuration. Reality: PIM for Azure resources must be onboarded (discovery) before roles can be managed.

Summary of PIM Capabilities

Just-in-time privileged access.

Time-bound role assignments.

Approval workflows.

Multi-factor authentication enforcement.

Justification and audit trail.

Notifications and alerts.

Role activation with custom duration.

Support for Azure AD roles and Azure resource roles.

Integration with Azure AD Identity Protection and Conditional Access.

PIM is a foundational service for identity governance in Azure AD, and its proper design is critical for securing privileged access in any organization.

Walk-Through

1. Configure PIM for Azure AD roles

Navigate to Azure AD > Privileged Identity Management > Azure AD roles. Select a role (e.g., Global Administrator). In the 'Settings' tab, configure activation parameters: set maximum activation duration (default 8 hours), require MFA, require approval, and justification. Assign users as 'Eligible' via the 'Assignments' tab. This step defines the policy for how users can activate the role. The activation duration must be between 1 and 24 hours. If approval is enabled, you must select approvers (users who are Privileged Role Administrators or custom approvers). MFA is enforced at the time of activation, not at sign-in.

2. User requests activation

The eligible user signs into the Azure portal and navigates to PIM > My roles > Azure AD roles. They click 'Activate' for the role. A pane appears requiring justification (mandatory) and optionally a ticket number and custom start time. The user must also pass MFA if configured. The request is then submitted. The user sees the status as 'Activating' or 'Pending approval'. If no approval is required, the role is activated immediately. The user's token is refreshed to include the role's permissions. The activation duration starts from the moment of activation (or custom start time).

3. Approval workflow

If approval is required, the request enters a pending state. Approvers receive an email notification. They navigate to PIM > Approve requests. They review the request details: user, role, justification, and activation duration. They can approve or deny. If multiple approvers are configured, all must approve (depending on settings). The request expires if not acted upon within the maximum activation duration. Once approved, the role is activated. The approver can also add a reason for their decision. All actions are logged in the audit log.

4. Role activation and usage

Once activated, the user has the role's permissions for the specified duration. The user can perform privileged tasks. The activation is recorded in the Azure AD audit logs and PIM audit history. The user can view their active roles in PIM and can deactivate early if desired. The role's permissions are effective immediately; no sign-out required. The user's existing sessions may need to refresh tokens to acquire new permissions. The activation is scoped to the specific role and resource (e.g., directory-wide for Azure AD roles).

5. Automatic deactivation

When the activation duration expires, the role is automatically deactivated. The user loses the permissions. No manual action is needed. The deactivation is logged. If the user needs the role again, they must reactivate (subject to the same policies). The system ensures that no standing privileged access remains. The deactivation is handled by Azure AD's internal timer. If the user's token is still valid, the permissions may persist until token refresh, but Azure AD services enforce the role membership change promptly.

What This Looks Like on the Job

Enterprise Scenario 1: Global Admin Access for Incident Response

A large financial services company has a team of 10 IT administrators who occasionally need Global Administrator access to respond to critical security incidents. Previously, all 10 had permanent Global Admin roles, creating a high-risk standing privilege. The company deploys PIM for Azure AD roles. They create a custom role 'Incident Responder' with only necessary permissions (via custom roles) but also use Global Admin as a last resort. They configure PIM to require MFA, approval from two designated security managers, and a maximum activation duration of 4 hours. The justification must include an incident ticket number. In production, when an incident occurs, the admin requests activation via the PIM portal. The request triggers an email to the security managers, who approve within minutes. The admin then has Global Admin for 4 hours. After the incident, the role expires automatically. This reduces the attack surface significantly. The company also uses PIM alerts to notify the SOC of any activation outside business hours. A common issue is that admins forget to deactivate early, but the automatic expiry handles it. Performance is not an issue as PIM is a control plane service with minimal latency.
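The SOC alert in this scenario (an activation outside business hours) and the earlier advice to alert on suspicious activations both reduce to a review over the audit trail PIM writes. The Python below is an added example for this chapter, not Microsoft's code or a real detection rule: it runs over constructed records shaped like Azure AD audit log entries (the PIM activation operation name is the one Azure AD logs; the `Justification` and `TicketNumber` keys inside `additionalDetails` and the deactivation entry's wording are assumptions made for this example) and flags activations that fall outside business hours, land on a weekend, or carry no ticket number. The business-hours window and the UTC offset are parameters, since a global team's "outside business hours" depends on the office the role belongs to.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List

PIM_ACTIVATION = "Add member to role completed (PIM activation)"

# Constructed sample records in the shape of Azure AD audit log entries.
# 2024-05-06 is a Monday; 2024-05-04 is a Saturday.
SAMPLE_AUDIT: List[Dict] = [
    {"activityDisplayName": PIM_ACTIVATION, "activityDateTime": "2024-05-06T03:12:41Z",
     "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}},
     "targetResources": [{"displayName": "Global Administrator", "type": "Role"}],
     "additionalDetails": [{"key": "Justification", "value": "Emergency patch"}]},
    {"activityDisplayName": PIM_ACTIVATION, "activityDateTime": "2024-05-06T14:00:05Z",
     "initiatedBy": {"user": {"userPrincipalName": "bob@contoso.example"}},
     "targetResources": [{"displayName": "Global Administrator", "type": "Role"}],
     "additionalDetails": [{"key": "Justification", "value": "INC-1042 mailbox restore"},
                           {"key": "TicketNumber", "value": "INC-1042"}]},
    {"activityDisplayName": PIM_ACTIVATION, "activityDateTime": "2024-05-06T16:30:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "carol@contoso.example"}},
     "targetResources": [{"displayName": "User Administrator", "type": "Role"}],
     "additionalDetails": [{"key": "Justification", "value": "Onboarding batch"}]},
    {"activityDisplayName": PIM_ACTIVATION, "activityDateTime": "2024-05-04T10:00:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "dave@contoso.example"}},
     "targetResources": [{"displayName": "Global Administrator", "type": "Role"}],
     "additionalDetails": [{"key": "Justification", "value": "INC-1040"},
                           {"key": "TicketNumber", "value": "INC-1040"}]},
    # A deactivation entry (constructed wording) that the review must ignore.
    {"activityDisplayName": "Remove member from role completed (PIM deactivate)",
     "activityDateTime": "2024-05-06T18:00:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "bob@contoso.example"}},
     "targetResources": [{"displayName": "Global Administrator", "type": "Role"}],
     "additionalDetails": []},
]


def _detail(entry: Dict, key: str) -> str:
    """Pull one key/value pair out of the entry's additionalDetails list."""
    return next((d["value"] for d in entry.get("additionalDetails", []) if d.get("key") == key), "")


def review_activations(entries: List[Dict], business_hours=(8, 18), tz_offset_hours: int = 0,
                       require_ticket: bool = True,
                       watch_roles=("Global Administrator",)) -> List[Dict]:
    """Flag PIM activations outside business hours, on weekends, or without a ticket number.
    Times are converted to the office's local zone before the window is applied."""
    local_tz = timezone(timedelta(hours=tz_offset_hours))
    start, end = business_hours
    findings = []
    for e in entries:
        if e.get("activityDisplayName") != PIM_ACTIVATION:
            continue   # deactivations and other role events are out of scope here
        when = datetime.fromisoformat(e["activityDateTime"].replace("Z", "+00:00")).astimezone(local_tz)
        role = e["targetResources"][0]["displayName"]
        reasons = []
        if when.weekday() >= 5:
            reasons.append("weekend activation")
        elif not start <= when.hour < end:
            reasons.append("outside business hours")
        if require_ticket and not _detail(e, "TicketNumber"):
            reasons.append("no ticket number recorded")
        if reasons:
            findings.append({
                "actor": e["initiatedBy"]["user"]["userPrincipalName"],
                "role": role,
                "at_local": when.isoformat(),
                "justification": _detail(e, "Justification"),
                "severity": "high" if role in watch_roles else "medium",
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in review_activations(SAMPLE_AUDIT):
        print(f"[{f['severity']}] {f['actor']} activated {f['role']} at {f['at_local']}: {', '.join(f['reasons'])}")
```

Because the Azure portal keeps only 30 days of PIM history, a review like this is normally run against the audit logs after they have been exported to Log Analytics or a storage account, where the same fields are available and retention is under your control.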

Scenario 2: Azure Resource Role Management for DevOps

A SaaS company uses Azure resources across multiple subscriptions. Developers need Contributor access to specific resource groups for deployment, but only during deployment windows. The company uses PIM for Azure resources. They onboard each subscription into PIM and configure roles like 'Contributor' at the resource group scope. Developers are made eligible for these roles. Activation requires MFA and justification with a build number. Maximum duration is set to 2 hours. The deployment pipeline (Azure DevOps) uses the PIM REST API to activate the role programmatically before deployment and deactivate after. This eliminates standing Contributor access. In production, the pipeline calls the Graph API to activate the role, waits for activation (which may require approval), then runs deployment. After deployment, it deactivates. A misconfiguration could occur if the pipeline does not deactivate, but the timer handles it. The company also uses PIM to manage access to production subscriptions with stricter approval.
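For Azure resource roles the pipeline in this scenario talks to Azure Resource Manager rather than the Graph directory endpoints: it creates a `roleAssignmentScheduleRequest` of type `SelfActivate` under the resource group's scope, polls that request until its status is `Provisioned` (an approval-gated role sits at `PendingApproval` in between), runs the deployment, and then submits a `SelfDeactivate` request so the role is handed back without waiting for the timer. The Python below is an added example written for this chapter, not the company's pipeline or Microsoft's SDK; the ARM path, API version, request types and status values are the public roleAssignmentScheduleRequests API, while the `fake_sender` stand-in, the scope, principal and role definition IDs and the `AzureDevOps` ticket system label are constructed so the control flow can be exercised offline.

```python
import json
import time
import uuid
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional, Tuple
from urllib import request

ARM = "https://management.azure.com"
API_VERSION = "2020-10-01"
# Statuses after which polling is pointless (from the ARM roleAssignmentScheduleRequest status set).
TERMINAL_FAILURE = {"Denied", "AdminDenied", "Failed", "Canceled", "TimedOut", "Revoked", "Expired"}


def schedule_request_url(scope: str, name: str) -> str:
    return (f"{ARM}{scope}/providers/Microsoft.Authorization/"
            f"roleAssignmentScheduleRequests/{name}?api-version={API_VERSION}")


def build_request(principal_id: str, role_definition_id: str, request_type: str, justification: str,
                  duration: str = "PT2H", ticket: Optional[str] = None) -> Dict:
    """Body for a PIM-for-Azure-resources schedule request (SelfActivate or SelfDeactivate)."""
    if not justification.strip():
        raise ValueError("justification is always required")
    props = {"principalId": principal_id, "roleDefinitionId": role_definition_id,
             "requestType": request_type, "justification": justification}
    if request_type == "SelfActivate":
        props["scheduleInfo"] = {
            "startDateTime": datetime.now(timezone.utc).isoformat(timespec="seconds").replace("+00:00", "Z"),
            "expiration": {"type": "AfterDuration", "duration": duration}}
        if ticket:
            props["ticketInfo"] = {"ticketNumber": ticket, "ticketSystem": "AzureDevOps"}
    return {"properties": props}


def arm_sender(token: str) -> Callable:
    """Real transport: send(method, url, body) against ARM with a bearer token obtained elsewhere."""
    def send(method: str, url: str, body: Optional[Dict] = None) -> Dict:
        data = json.dumps(body).encode() if body is not None else None
        req = request.Request(url, method=method, data=data,
                              headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
        with request.urlopen(req) as resp:
            return json.loads(resp.read() or b"{}")
    return send


def fake_sender(statuses: List[str]) -> Tuple[Callable, List]:
    """Constructed offline stand-in: the PUT returns statuses[0] and each GET advances one step."""
    log, pos = [], {"i": 0}
    def send(method: str, url: str, body: Optional[Dict] = None) -> Dict:
        log.append((method, url, body))
        if method == "GET":
            pos["i"] = min(pos["i"] + 1, len(statuses) - 1)
        return {"properties": {"status": statuses[pos["i"]]}}
    return send, log


def activate_and_run(send: Callable, scope: str, principal_id: str, role_definition_id: str,
                     justification: str, deploy: Callable[[], None], duration: str = "PT2H",
                     ticket: Optional[str] = None, timeout_s: int = 600, poll_s: int = 15,
                     sleep: Callable[[float], None] = time.sleep) -> Dict:
    """Activate, wait until Provisioned (approval may be pending), run the job, then deactivate."""
    name = str(uuid.uuid4())
    url = schedule_request_url(scope, name)
    status = send("PUT", url, build_request(principal_id, role_definition_id, "SelfActivate",
                                            justification, duration, ticket))["properties"]["status"]
    waited = 0
    while status != "Provisioned":
        if status in TERMINAL_FAILURE:
            return {"activated": False, "status": status, "request": name}
        if waited >= timeout_s:
            return {"activated": False, "status": f"timeout while {status}", "request": name}
        sleep(poll_s)
        waited += poll_s
        status = send("GET", url)["properties"]["status"]
    try:
        deploy()
    finally:
        # Always hand the role back, even if the deployment failed; PIM's timer is only the backstop.
        send("PUT", schedule_request_url(scope, str(uuid.uuid4())),
             build_request(principal_id, role_definition_id, "SelfDeactivate", "deployment finished"))
    return {"activated": True, "status": "Provisioned", "request": name}


if __name__ == "__main__":
    # Offline run with constructed IDs: approval arrives on the second poll, deployment runs, role is released.
    send, log = fake_sender(["PendingApproval", "PendingApproval", "Provisioned"])
    result = activate_and_run(send, "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app",
                              "<pipeline-sp-object-id>", "<contributor-role-definition-id>",
                              "Build 42", lambda: print("deploying..."), ticket="42", sleep=lambda s: None)
    print(result, [m for m, _, _ in log])
```

The deactivation sits in a `finally` block on purpose: the scenario notes that a pipeline which forgets to deactivate is rescued by the expiry timer, but a deployment that fails halfway should not leave a Contributor activation lingering for the rest of its window.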

Common Pitfalls

Not onboarding Azure resources: PIM for Azure resources requires explicit onboarding per subscription or management group. Failure to do so results in roles not appearing.

Overly long activation durations: Setting maximum duration to 24 hours for all roles reduces security benefit.

Ignoring MFA: Disabling MFA on activation weakens security. Attackers can activate roles if they compromise credentials.

Approval bottlenecks: If approvers are not available, critical activations are delayed. Use multiple approvers and consider emergency escalation.

Not using break-glass accounts: Organizations that rely solely on PIM may get locked out if the last eligible admin cannot activate. Maintain two permanent Global Admin accounts (with strong authentication) as break-glass.

Scale and Performance

PIM scales to tens of thousands of users and roles. Activation requests are processed in seconds. The audit log retains 30 days of history; for longer retention, export to Log Analytics or storage account. PIM is a global service with no regional constraints.

How AZ-305 Actually Tests This

What AZ-305 Tests on PIM

The AZ-305 exam (designing identity governance solutions) includes questions on PIM under objective 1.1: 'Design a solution for identity governance'. Specifically, you must be able to:

Recommend when to use PIM vs. other Azure AD features.

Design PIM configuration for Azure AD roles and Azure resource roles.

Determine licensing requirements (Azure AD Premium P2).

Understand activation settings: duration, MFA, approval, justification.

Differentiate between eligible and active assignments.

Know PIM's role in just-in-time (JIT) access and privileged access management.

Common Wrong Answers and Why Candidates Choose Them

1. 'PIM requires Azure AD Premium P1' – Many candidates confuse P1 and P2. PIM is a P2 feature. P1 includes Conditional Access but not PIM.

2. 'PIM can be used to assign permanent roles' – While you can assign 'active' roles via PIM, the primary purpose is eligibility and JIT. The exam expects you to recommend PIM for temporary access, not permanent.

3. 'PIM replaces Azure AD roles' – PIM is an overlay; it does not replace Azure AD role assignments. It adds activation logic.

4. 'PIM automatically requires approval for all roles' – Approval is optional and must be configured per role. Default is no approval.

5. 'PIM activation provides access to all Azure resources' – PIM for Azure resources is scoped to specific resources/subscriptions. Not all resources are covered unless onboarded.

Specific Numbers and Terms That Appear Verbatim

Default activation duration: 8 hours for Azure AD roles, 1 hour for Azure resources.

Maximum activation duration: 24 hours (configurable).

License: Azure AD Premium P2.

MFA: Required by default for Azure AD roles.

Approval: Can require 1 or 2 approvers.

Break-glass accounts: Two permanent Global Admin accounts.

Edge Cases and Exceptions

Guest users: PIM does support Azure AD B2B guest users for role activation, provided they are made eligible and hold the appropriate license.

Tenant scope: PIM for Azure resources only manages subscriptions that are associated with the Azure AD tenant in which PIM runs; every Azure subscription trusts exactly one tenant.

Classic administrators: classic subscription administrators (Service Administrator, Co-Administrator) are not managed by PIM; they must be migrated to Azure RBAC role assignments.

Propagation: activation of Azure resource roles is typically immediate, but some services may take a few minutes to reflect the new role membership.

How to Eliminate Wrong Answers

If a question asks for 'just-in-time access', immediately think PIM.

If licensing is mentioned, remember PIM requires P2.

If the scenario requires 'approval workflow' or 'time-bound access', PIM is the answer.

If the question says 'permanent assignment', the answer is not PIM but regular RBAC.

If the question involves 'access reviews', that's a separate feature (Azure AD Access Reviews), not PIM.

Exam Tips

Read the question carefully: Is it asking for a design to reduce standing privileges? Then PIM.

Pay attention to license requirements: P1 vs P2 is a common distractor.

Remember that PIM can be used for Azure AD roles AND Azure resource roles.

Know that PIM activation can be automated via API for DevOps scenarios.

Understand that PIM does not replace the need for emergency access accounts.

Key Takeaways

PIM enables just-in-time privileged access for Azure AD roles and Azure resource roles.

PIM requires Azure AD Premium P2 licenses for all users who are eligible or active for PIM-managed roles.

Default activation duration is 8 hours for Azure AD roles and 1 hour for Azure resource roles, configurable up to 24 hours.

Activation can require MFA, approval (1 or 2 approvers), and justification.

PIM does not replace the need for emergency break-glass accounts (two permanent Global Admins).

PIM for Azure resources requires onboarding each subscription or management group.

Audit logs are retained for 30 days in the Azure portal; export for longer retention.

PIM supports role activation via Microsoft Graph API for automation.

PIM is part of Azure AD Identity Governance along with Access Reviews and Entitlement Management.

PIM can manage eligibility for Azure AD security groups that are assigned to roles (role-assignable groups).

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Privileged Identity Management (PIM)

Users are eligible and must activate roles just-in-time.

Supports approval workflows and MFA on activation.

Time-bound activation with automatic expiry.

Requires Azure AD Premium P2 license.

Provides audit logs for all activations.

Azure AD Roles (permanent assignment)

Users have permanent, always-on role assignments.

No activation step; permissions are always present.

No automatic expiry; manual removal required.

Available in Azure AD Free and Premium P1; permanent assignment needs no P2 license, but brings none of PIM's activation controls.

Audit logs only for assignment changes, not usage.

Watch Out for These

Mistake

PIM can manage all Azure AD roles, including custom roles.

Correct

PIM can manage all built-in and custom Azure AD roles, as long as they are directory roles. There is no limitation on custom roles. However, PIM does not manage roles in other Microsoft services like Exchange Online admin roles directly; those are managed via Azure AD roles that grant access to those services.

Mistake

PIM requires Azure AD Premium P1 license.

Correct

PIM requires Azure AD Premium P2 license for users who are eligible or active for PIM-managed roles. P1 does not include PIM. This is a common exam trap.

Mistake

PIM automatically enforces MFA for all role activations.

Correct

MFA is optional and can be configured per role. It is enabled by default for Azure AD roles but can be disabled. For Azure resource roles, MFA is not enabled by default. Administrators should explicitly enable it for security.

Mistake

PIM activation provides permanent access until manually deactivated.

Correct

PIM activation is time-bound with a configurable maximum duration (default 8 hours for Azure AD roles, 1 hour for Azure resources). After the duration expires, the role is automatically deactivated. Users can also deactivate early, but automatic expiry ensures no standing privileges.

Mistake

PIM for Azure resources works automatically for all subscriptions.

Correct

PIM for Azure resources must be explicitly onboarded per subscription or management group. Until discovered, roles in those resources are not visible in PIM. This is a common oversight in deployments.


Frequently Asked Questions

What licensing is required for Azure AD Privileged Identity Management?

PIM requires Azure AD Premium P2 licenses. Each user who will be eligible for or have active assignments managed by PIM must have a P2 license. This includes both the users who activate roles and the approvers (if they are also eligible). Azure AD Premium P1 does not include PIM. For Azure resource roles, the same P2 license requirement applies. Organizations can purchase P2 licenses for a subset of users (e.g., only administrators).

Can PIM be used to grant access to Azure resources like virtual machines?

Yes, PIM supports Azure resource roles. You can manage eligibility for built-in roles like Owner, Contributor, Reader, or custom roles at the subscription, resource group, or resource level. To use PIM for Azure resources, you must first onboard the subscription or management group into PIM. After onboarding, you can configure eligibility and activation settings for those roles. This allows just-in-time access to Azure resources.

How does PIM handle multi-factor authentication during role activation?

PIM can require MFA when a user activates a role. This is separate from MFA at sign-in. When MFA is required, the user must complete MFA (e.g., via Microsoft Authenticator, phone call, or SMS) during the activation process in the PIM portal. The MFA session is typically valid for the duration of the activation. This ensures that even if a user's primary credentials are compromised, an attacker cannot activate a role without also passing MFA.

What is the difference between 'eligible' and 'active' assignment in PIM?

An 'eligible' assignment means the user has the potential to use the role but must activate it to gain permissions. An 'active' assignment means the user has permanent, always-on access to the role without needing activation. PIM's primary benefit is using eligible assignments to reduce standing privileges. Active assignments are sometimes used for short-term temporary access (e.g., for a specific project) with an end date. The exam expects you to recommend eligible assignments for just-in-time access.

Can PIM be used with Azure AD B2B guest users?

Yes, PIM supports guest users (B2B collaboration users) as eligible for roles, provided they have the appropriate Azure AD Premium P2 license assigned (either via their home tenant or via the resource tenant's licensing). Guest users can activate roles just like internal users, subject to the same policies (MFA, approval, etc.). This is useful for granting external consultants temporary admin access.

How does PIM integrate with Azure AD Conditional Access?

PIM activation can be subject to Conditional Access policies. For example, you can create a policy that requires a compliant device or a specific location when a user activates a role. However, PIM's own MFA requirement is separate from Conditional Access. Conditional Access policies apply to the user's sign-in, while PIM MFA is enforced at activation time. Both can be used together for defense in depth. Note that PIM activation itself is not a Conditional Access signal; the policy applies to the user's session.

What happens if an approver does not respond to an activation request?

If the approval request is not acted upon within the maximum activation duration (configurable, default 8 hours for Azure AD roles), the request expires automatically. The user will need to submit a new request. There is no manual escalation; administrators can configure multiple approvers to reduce delays. For critical roles, consider using a shorter activation duration and ensuring approvers are on-call.
