This chapter covers Azure AD Privileged Identity Management (PIM), a critical service for managing, controlling, and monitoring privileged access in Azure. PIM is a core component of the Identity and Access Management domain in the AZ-500 exam, representing approximately 15-20% of exam questions related to identity security. You will learn how PIM provides just-in-time (JIT) privileged access, time-bound role activation, and comprehensive auditing to mitigate the risks of standing admin privileges. Mastering PIM is essential for passing the AZ-500 and for securing enterprise Azure environments.
Imagine a secure office building where employees need access to sensitive areas like the server room. Instead of giving everyone a permanent keycard that works 24/7, the building uses a badge check-out system. An employee who needs to enter the server room must request a special badge from a security kiosk. The request is approved by their manager (or automatically, if the policy for that door does not require approval). The badge is only valid for a specific time window, say 2 hours. During that time the employee can enter the server room; after 2 hours the badge deactivates, and holding on to it does no good because it simply stops working. The system logs every check-out, use, and check-in, so an auditor can later review who accessed the server room and when. This mirrors Azure AD Privileged Identity Management (PIM): users request just-in-time (JIT) elevation for a role, get approved if the role's policy demands it, receive a time-bound activation, and every step is audited. Permanent role assignments are like giving everyone a permanent keycard: risky and hard to revoke. PIM lets you remove standing admin access, shrinking what an attacker inherits when an admin account is compromised.
What is Privileged Identity Management (PIM)?
Azure AD Privileged Identity Management (PIM) is a service that enables you to manage, control, and monitor access to important resources in your organization. It provides time-bound and approval-based role activation to minimize the risk of excessive, unnecessary, or misused access permissions. PIM covers three kinds of assignment: Azure AD roles (e.g., Global Administrator, User Administrator, and the Microsoft 365 service admin roles such as Exchange Administrator and SharePoint Administrator, which are Azure AD roles too), Azure resource roles (Azure RBAC roles such as Owner or Contributor at management group, subscription, resource group, or resource scope), and membership of groups (PIM for groups, formerly Privileged Access Groups), where the group itself carries the role or resource permissions.
Why PIM Exists
Traditional role assignment in Azure AD is often permanent (standing admin). If a Global Administrator is compromised, the attacker has unrestricted access. PIM reduces this risk by:
Just-in-time (JIT) activation: Users request elevation only when needed.
Time-bound activation: Elevation lasts for a configurable duration. The activation maximum is set per role in its settings; it defaults to 8 hours and can be set anywhere from 0.5 to 24 hours, for Azure AD roles and Azure resource roles alike. Users choose any duration up to that maximum when they activate.
Approval workflows: Require one or more approvers to approve activation.
Multi-factor authentication (MFA): Enforce MFA during activation.
Conditional Access: Integration with Azure AD Conditional Access to enforce policies like location or device compliance.
Auditing: Detailed logs of all activation and assignment events.
How PIM Works Internally
PIM uses Azure AD's role management infrastructure. When a user activates a role:
1. The user opens Privileged Identity Management in the Microsoft Entra admin center (or submits a roleAssignmentScheduleRequest through Microsoft Graph).
2. They select the role and provide a justification and a duration within the limits of the role's policy.
3. If the policy requires approval, the request goes to the designated approvers, who approve or deny from the email notification or the PIM portal.
4. Once approved (or immediately, if no approval is needed), Azure AD creates an active role assignment with a start time and an end time. The assignment is stored in the directory like any other role assignment, just with a schedule attached.
5. The user must obtain a new token to use the role: PIM does not rewrite tokens that were already issued. For Azure AD roles the role's template ID appears in the wids claim of tokens issued after activation; for Azure resource roles the assignment is evaluated by Azure Resource Manager on each request, so a fresh sign-in or token refresh picks it up. Propagation can take a few minutes.
6. When the end time is reached, Azure AD removes the active assignment. For Azure AD roles, tokens issued before expiry remain valid for their own lifetime and still carry the role claim; for Azure resource roles, access stops once the removal has propagated. This is why short activation windows and short token lifetimes matter together.
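Steps 5 and 6 are where activation most often surprises people, so here is an added example (not code from the original page) that makes the token behaviour visible. It decodes the unverified payload of an Azure AD access token and reports which directory roles its wids claim carries and how long the token stays valid, which is what you want to check when an activated role "does not work" or when an expired activation still seems to. The role template IDs are Microsoft's well-known values; the sample token at the bottom is constructed and unsigned so the script runs offline, and piping in the output of az account get-access-token is an assumed usage pattern.

```python
"""Inspect an Azure AD access token for directory-role claims (added example).

PIM activation does not rewrite tokens the user already holds: a token minted
before activation lacks the role, and one minted before expiry or deactivation
keeps it until its 'exp'. This decodes the unverified payload of a JWT and shows
what the client is presenting. Signature verification is deliberately skipped;
that is the resource server's job, not this diagnostic's. Use the same approach
after deactivation to see how long a pre-expiry token stays usable.
"""
import base64
import json
import time

# Directory role template IDs exactly as they appear in the 'wids' claim.
ROLE_TEMPLATES = {
    "62e90394-69f5-4237-9190-012177145e10": "Global Administrator",
    "fe930be7-5e62-47db-91af-98c3a49a38b1": "User Administrator",
    "e8611ab8-c189-46e8-94e1-60213ab1f814": "Privileged Role Administrator",
}


def _b64url_decode(segment: str) -> bytes:
    segment += "=" * (-len(segment) % 4)  # JWTs strip base64 padding; restore it
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_payload(token: str) -> dict:
    """Second segment of a compact JWT, parsed without checking the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def directory_roles(payload: dict) -> list:
    """Role names for the template IDs in 'wids'; unknown IDs are kept as raw GUIDs."""
    return [ROLE_TEMPLATES.get(w, w) for w in payload.get("wids", [])]


def seconds_remaining(payload: dict, now: float) -> int:
    return max(0, int(payload.get("exp", 0) - now))


def assess(token: str, required_role: str, now: float = None) -> dict:
    """Does this token carry required_role, and for how much longer is it usable?"""
    now = time.time() if now is None else now
    payload = decode_payload(token)
    roles = directory_roles(payload)
    return {
        "upn": payload.get("upn") or payload.get("preferred_username"),
        "roles": roles,
        "has_role": required_role in roles,
        "seconds_remaining": seconds_remaining(payload, now),
    }


def build_unsigned_token(payload: dict) -> str:
    """Constructed test token (alg 'none', empty signature); real tokens are signed by Azure AD."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}."


if __name__ == "__main__":
    import sys
    # Assumed usage: az account get-access-token --resource-type ms-graph --query accessToken -o tsv | python pim_token_check.py
    if sys.stdin.isatty():
        token = build_unsigned_token({"upn": "alice@contoso.example", "exp": int(time.time()) + 3600,
                                      "wids": ["62e90394-69f5-4237-9190-012177145e10"]})
    else:
        token = sys.stdin.read().strip()
    print(json.dumps(assess(token, "Global Administrator"), indent=2))
```

If has_role is false right after activation, you are holding a pre-activation token: sign out and in, or force a refresh. If it is true after deactivation, that token keeps working until seconds_remaining reaches zero, which is the window step 6 warns about.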
Key Components, Values, Defaults, and Timers
Activation maximum duration: The longest a single activation may last, configurable per role from 0.5 to 24 hours. The default is 8 hours for both Azure AD roles and Azure resource roles; users pick any duration up to the maximum when they activate.
Maximum activation duration: 24 hours for Azure AD roles and 24 hours for Azure resource roles. Older study material quotes a lower cap for Azure AD roles; the current service allows up to 24 hours for both.
Approval required: Can be enabled per role. Approvers are any users or groups you choose; they do not need to hold the role themselves. If you enable approval for an Azure AD role without naming approvers, Privileged Role Administrators and Global Administrators act as default approvers. A request needs only one approval.
MFA on activation: Enforce Azure AD MFA at activation time. Users must be registered for MFA before they can activate. A user whose current sign-in already satisfied MFA may not be prompted again; to demand a fresh or stronger check at activation, use the alternative setting that requires a Conditional Access authentication context instead.
Justification: Users must provide a reason for activation (free text or from a list).
Ticket information: Optionally require a support ticket number.
Require approval to activate: If enabled, one or more approvers must approve.
Deactivation: The user can deactivate early from 'My roles'; otherwise the assignment ends automatically at its end time. No approval is involved in deactivation.
Eligible vs active assignment: Eligible means the user can activate the role when needed; active means the user holds the role right now without activating (standing admin). Either kind can be permanent or given an end date. PIM's recommendation is to keep privileged users eligible and reserve active assignments for documented exceptions.
Assignment expiration: Separate from the activation duration, the eligible or active assignment itself can be permanent or have an end date (e.g., 30 days), for both Azure AD roles and Azure resource roles. The role settings control whether permanent assignments of each kind are allowed at all.
Audit history: Shown for up to 30 days in the PIM audit views; for longer retention, send the Azure AD audit logs to Azure Monitor or a Log Analytics workspace through diagnostic settings.
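The settings above map onto a Microsoft Graph policy object, and it is worth seeing a weak configuration next to its hardened form. The following is an added example, not the page's or Microsoft's code. It parses a constructed roleManagementPolicy document shaped like the response of GET /v1.0/policies/roleManagementPolicies/{id}?$expand=rules, lists the gaps against a chosen baseline (activation at most 2 hours, MFA and justification on activation, approval required, no permanent active assignments), and produces the rule bodies you would PATCH to /policies/roleManagementPolicies/{id}/rules/{ruleId} to close them. The rule IDs and field names are Graph's; the baseline thresholds, the sample document, and the approver object IDs are this example's assumptions.

```python
"""Audit PIM role settings via their Graph policy rules and build the hardening patches.

Added example, not from the original page. WEAK_POLICY is a constructed document
shaped like GET /v1.0/policies/roleManagementPolicies/{id}?$expand=rules for a
role left at permissive settings. audit_rules() compares it with a baseline and
hardened_rules() returns bodies for PATCH .../rules/{ruleId}. Rule IDs and field
names are Graph's; the baseline and approver IDs are this example's assumptions.
"""
import re
from datetime import timedelta

EXPIRATION = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"
ENABLEMENT = "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule"
APPROVAL = "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule"

WEAK_POLICY = {  # constructed: 8 h activations, no MFA, no approval, permanent active allowed
    "id": "DirectoryRole_constructed-tenant_constructed-policy",
    "rules": [
        {"@odata.type": EXPIRATION, "id": "Expiration_EndUser_Assignment",
         "isExpirationRequired": True, "maximumDuration": "PT8H"},
        {"@odata.type": ENABLEMENT, "id": "Enablement_EndUser_Assignment",
         "enabledRules": ["Justification"]},
        {"@odata.type": APPROVAL, "id": "Approval_EndUser_Assignment",
         "setting": {"isApprovalRequired": False, "approvalStages": []}},
        {"@odata.type": EXPIRATION, "id": "Expiration_Admin_Assignment",
         "isExpirationRequired": False, "maximumDuration": "P180D"},
    ],
}

_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?)?$")


def parse_duration(iso: str) -> timedelta:
    """ISO 8601 duration as Graph emits it (P180D, PT8H, PT1H30M) -> timedelta."""
    m = _DURATION.match(iso)
    if not m:
        raise ValueError(f"unsupported duration: {iso}")
    days, hours, minutes = (int(x) if x else 0 for x in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes)


def rule(policy: dict, rule_id: str) -> dict:
    return next(r for r in policy["rules"] if r["id"] == rule_id)


def audit_rules(policy: dict, max_activation: timedelta = timedelta(hours=2)) -> list:
    """Gaps between the role's settings and the baseline; an empty list means compliant."""
    findings = []
    activation = rule(policy, "Expiration_EndUser_Assignment")
    if parse_duration(activation["maximumDuration"]) > max_activation:
        findings.append(f"activation maximum {activation['maximumDuration']} exceeds {max_activation}")
    enabled = set(rule(policy, "Enablement_EndUser_Assignment")["enabledRules"])
    for required in ("MultiFactorAuthentication", "Justification"):
        if required not in enabled:
            findings.append(f"{required} not required on activation")
    if not rule(policy, "Approval_EndUser_Assignment")["setting"]["isApprovalRequired"]:
        findings.append("activation does not require approval")
    if not rule(policy, "Expiration_Admin_Assignment")["isExpirationRequired"]:
        findings.append("permanent active (standing) assignments allowed")
    return findings


def hardened_rules(approver_ids: list, max_activation: str = "PT2H") -> dict:
    """Rule bodies keyed by ruleId for PATCH /policies/roleManagementPolicies/{id}/rules/{ruleId}."""
    return {
        "Expiration_EndUser_Assignment": {"@odata.type": EXPIRATION, "id": "Expiration_EndUser_Assignment",
                                          "isExpirationRequired": True, "maximumDuration": max_activation},
        "Enablement_EndUser_Assignment": {"@odata.type": ENABLEMENT, "id": "Enablement_EndUser_Assignment",
                                          "enabledRules": ["MultiFactorAuthentication", "Justification", "Ticketing"]},
        "Approval_EndUser_Assignment": {"@odata.type": APPROVAL, "id": "Approval_EndUser_Assignment",
            "setting": {"isApprovalRequired": True, "isApprovalRequiredForExtension": False,
                        "isRequestorJustificationRequired": True, "approvalMode": "SingleStage",
                        "approvalStages": [{"approvalStageTimeOutInDays": 1, "isApproverJustificationRequired": True,
                                            "escalationTimeInMinutes": 0, "isEscalationEnabled": False,
                                            "escalationApprovers": [],
                                            "primaryApprovers": [{"@odata.type": "#microsoft.graph.singleUser",
                                                                  "userId": uid} for uid in approver_ids]}]}},
        # Active (standing) assignments must expire; P180D corresponds to the 6-month option.
        "Expiration_Admin_Assignment": {"@odata.type": EXPIRATION, "id": "Expiration_Admin_Assignment",
                                        "isExpirationRequired": True, "maximumDuration": "P180D"},
    }


def apply_patches(policy: dict, patches: dict) -> dict:
    """Local stand-in for the PATCH calls: swap each rule body by id and return the new policy."""
    return {**policy, "rules": [patches.get(r["id"], r) for r in policy["rules"]]}


if __name__ == "__main__":
    print("before:", audit_rules(WEAK_POLICY))
    print("after: ", audit_rules(apply_patches(WEAK_POLICY, hardened_rules(["<approver-object-id>"]))))
```

Run audit_rules over every role's policy (one policy per role per scope) as a drift check; anything it reports is a role whose activation path is weaker than the baseline you wrote down.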
Configuration and Verification Commands
PIM is configured via the Microsoft Entra admin center (portal) or via PowerShell/Graph API.
PowerShell (AzureAD module)
# The AzureAD module is deprecated and Microsoft Graph PowerShell is its replacement, but these cmdlets
# still show the shape of the objects. For ProviderId aadRoles the -ResourceId is the tenant ID.
# Connect to Azure AD
Connect-AzureAD
# List PIM role definitions
Get-AzureADMSPrivilegedRoleDefinition -ProviderId aadRoles -ResourceId <tenantId>
# Get PIM role assignments
Get-AzureADMSPrivilegedRoleAssignment -ProviderId aadRoles -ResourceId <tenantId>
# Activate a role (requires a PIM license); the duration is expressed as a schedule with start and end
$schedule = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedSchedule
$schedule.Type = "Once"
$schedule.StartDateTime = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ")
$schedule.EndDateTime = (Get-Date).ToUniversalTime().AddHours(1).ToString("yyyy-MM-ddTHH:mm:ss.fffZ")
Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId aadRoles -ResourceId <tenantId> -RoleDefinitionId <roleId> -SubjectId <userId> -Type UserAdd -AssignmentState Active -Schedule $schedule -Reason "Need access for incident"

Microsoft Graph API (for programmatic access)
The principalId is the user's object ID and roleDefinitionId is the role's template ID; directoryScopeId "/" means tenant-wide. The status in the response (PendingApproval, Provisioned) tells you whether an approver still has to act.
POST https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignmentScheduleRequests
{
  "action": "selfActivate",
  "principalId": "user-id",
  "roleDefinitionId": "role-id",
  "directoryScopeId": "/",
  "justification": "Need to reset user password",
  "scheduleInfo": {
    "startDateTime": "2024-01-01T00:00:00Z",
    "expiration": {
      "type": "afterDuration",
      "duration": "PT1H"
    }
  }
}

Azure CLI (limited PIM support)
# List eligible role assignments
az rest --method get --uri "https://graph.microsoft.com/v1.0/roleManagement/directory/roleEligibilityScheduleInstances"

How PIM Interacts with Related Technologies
Azure AD Conditional Access: Can enforce MFA, compliant device, or location during role activation. For example, require activation only from corporate network.
Azure AD Identity Protection: Does not change PIM's approval settings. Its user-risk and sign-in-risk signals act through Conditional Access: a risk-based policy can block the sign-in or force a password change, so a risky user never reaches the activation step.
Azure Monitor / Log Analytics: PIM audit logs can be streamed to Azure Monitor for alerting and long-term retention.
PIM for groups (formerly Privileged Access Groups): PIM can manage membership of Azure AD security groups and Microsoft 365 groups that are assigned Azure AD roles or Azure resource roles (e.g., Owner of a subscription). Activating the membership grants the role just in time, and one group can front several roles.
PIM security alerts: PIM raises its own alerts, for example roles being assigned outside PIM, roles being activated too frequently, or too many Global Administrators. Review them alongside the audit log.
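Streaming the audit log out is only useful if something reads it, so here is an added example (not code from the original page) of the checks a weekly review or a Log Analytics alert would run. It works over a constructed set of records shaped like the Azure AD directoryAudits entries PIM writes (category RoleManagement, loggedByService PIM) and flags three things: activations outside a business-hours window, a user activating more often than a threshold within 24 hours, and a directory role granted outside PIM, which is a standing assignment that bypasses activation. The last two mirror PIM's own "roles activated too frequently" and "roles assigned outside PIM" alerts. The window, thresholds, and sample records are this example's assumptions.

```python
"""Review Azure AD audit records for risky privileged-role activity (added example).

Not code from the original page. SAMPLE_RECORDS is constructed to approximate
the directoryAudits entries PIM writes (category RoleManagement, loggedByService
PIM) plus one role assignment made outside PIM. Three checks: activations
outside business hours, a user activating more often than a threshold within a
window, and directory roles granted outside PIM (a standing assignment).
The window, thresholds and sample data are this example's assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

PIM_ACTIVATION = "Add member to role completed (PIM activation)"
ROLE_ASSIGNMENT = "Add member to role"


def _rec(when, activity, service, actor, role, details=None):
    """Build one constructed record with only the directoryAudits fields the checks use."""
    return {
        "activityDateTime": when, "activityDisplayName": activity, "category": "RoleManagement",
        "loggedByService": service, "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": actor}},
        "targetResources": [{"displayName": role, "type": "Role"}],
        "additionalDetails": [{"key": k, "value": v} for k, v in (details or {}).items()],
    }


SAMPLE_RECORDS = [  # constructed sample data, not from a real tenant
    _rec("2024-03-04T09:12:00Z", PIM_ACTIVATION, "PIM", "alice@contoso.example", "Global Administrator",
         {"Justification": "INC0001 reset admin password"}),
    _rec("2024-03-05T03:07:00Z", PIM_ACTIVATION, "PIM", "bob@contoso.example", "Global Administrator",
         {"Justification": "checking something"}),
    _rec("2024-03-05T08:00:00Z", PIM_ACTIVATION, "PIM", "carol@contoso.example", "Exchange Administrator"),
    _rec("2024-03-05T11:30:00Z", PIM_ACTIVATION, "PIM", "carol@contoso.example", "Exchange Administrator"),
    _rec("2024-03-05T16:45:00Z", PIM_ACTIVATION, "PIM", "carol@contoso.example", "Exchange Administrator"),
    # Granted directly under Roles and administrators, so logged by Core Directory rather than PIM.
    _rec("2024-03-06T10:00:00Z", ROLE_ASSIGNMENT, "Core Directory", "dave@contoso.example", "User Administrator"),
]


def _when(record):
    return datetime.strptime(record["activityDateTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _actor(record):
    return (record.get("initiatedBy", {}).get("user") or {}).get("userPrincipalName", "unknown")


def _role(record):
    return next((t["displayName"] for t in record.get("targetResources", []) if t.get("type") == "Role"), "unknown")


def _activations(records):
    return [r for r in records if r["activityDisplayName"] == PIM_ACTIVATION and r.get("result") == "success"]


def off_hours_activations(records, start_hour=7, end_hour=19):
    """Successful activations whose UTC hour falls outside [start_hour, end_hour)."""
    return [{"rule": "off-hours-activation", "actor": _actor(r), "role": _role(r), "time": r["activityDateTime"]}
            for r in _activations(records) if not start_hour <= _when(r).hour < end_hour]


def frequent_activators(records, max_per_window=2, window=timedelta(hours=24)):
    """Users with more than max_per_window activations inside any sliding window."""
    per_user = defaultdict(list)
    for r in _activations(records):
        per_user[_actor(r)].append(_when(r))
    findings = []
    for actor, times in per_user.items():
        times.sort()
        for start in times:
            count = sum(1 for t in times if start <= t < start + window)
            if count > max_per_window:
                findings.append({"rule": "frequent-activation", "actor": actor, "count": count,
                                 "window_start": start.isoformat()})
                break  # one finding per user is enough for the review
    return findings


def assignments_outside_pim(records):
    """Directory role memberships added by something other than PIM: standing access to revisit."""
    return [{"rule": "assignment-outside-pim", "actor": _actor(r), "role": _role(r), "time": r["activityDateTime"]}
            for r in records if r["activityDisplayName"] == ROLE_ASSIGNMENT and r.get("loggedByService") != "PIM"]


def review(records):
    return off_hours_activations(records) + frequent_activators(records) + assignments_outside_pim(records)


if __name__ == "__main__":
    for finding in review(SAMPLE_RECORDS):
        print(finding)
```

Against a real export, feed the script the records from a Log Analytics query on AuditLogs where Category == "RoleManagement", and tune the hours to the team's time zone before trusting the off-hours rule.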
Licensing Requirements
PIM is licensed through Azure AD Premium P2 (Microsoft Entra ID P2) or Microsoft Entra ID Governance. The license must cover every user who uses PIM features: anyone eligible for a role, anyone who approves requests or performs access reviews, and the administrators who configure it. For Azure resource roles the same rule applies to the users; the subscription or resource itself needs no license. Without P2 you can view PIM settings but cannot create eligible assignments or activate roles.
Common Exam Scenarios
JIT vs Standing Access: PIM eliminates standing admin by making users eligible rather than active.
Approval Workflow: Know how to configure approvers (users or groups; any one of them can approve, and default approvers apply if none are named).
MFA Requirement: MFA on activation is separate from MFA on sign-in; it's enforced at the time of role activation.
Audit: PIM logs show who activated what role, when, and for how long. Useful for compliance.
PIM for Groups: You can enable PIM for Azure AD security groups, then assign the group to an Azure role. This allows JIT membership in the group, thus JIT access to the role.
Trap Patterns
Wrong duration limits: The activation maximum is 24 hours for Azure AD roles and for Azure resource roles, with a default of 8 hours. Older study material lists a lower cap for Azure AD roles; if a question's figures conflict, reason from what the role settings allow (0.5 to 24 hours) rather than assuming the two role types differ.
Permanent assignment vs eligible: An active assignment, permanent or time-bound, grants the role without any activation step and so bypasses approval and MFA-on-activation. Activation, and everything PIM enforces at activation, applies only to eligible assignments.
PIM does not replace MFA: PIM can require MFA during activation, but it does not enforce MFA for regular sign-in.
PIM does not apply to classic subscription admins: Classic subscription co-administrators and service administrators are not managed by PIM; you must convert to RBAC.
Enable PIM for a role
In the Microsoft Entra admin center, navigate to Identity Governance > Privileged Identity Management > Azure AD roles > Roles. Select a role (e.g., Global Administrator) and open 'Settings'. There you configure the activation maximum duration, what is required on activation (MFA or a Conditional Access authentication context, justification, ticket information, approval and the approvers), and whether permanent eligible and permanent active assignments are allowed or must expire. For Azure resource roles, go to PIM > Azure resources > select the resource > Roles > select the role > Settings. This defines the policy for how users can activate that role; settings are per role and, for Azure resources, per scope. PIM for groups is configured under PIM > Groups > select the group > Settings.
Assign eligible members
In PIM, under the same role, go to 'Eligible assignments' and click 'Add assignments'. Select a user or group and set a duration for the assignment (permanent or time-bound). This makes the user eligible to activate the role; they hold none of its permissions until they activate. For Azure resource roles, you can assign eligibility at different scopes (management group, subscription, resource group, resource). The assignment is stored in Azure AD as an eligible assignment. If you assign a group, every member of that group can activate the role; for Azure AD roles the group must be role-assignable, which is a setting chosen when the group is created.
User requests activation
The eligible user signs in to the Microsoft Entra admin center, navigates to PIM > My roles > Azure AD roles (or Azure resources). They select the role they want to activate, specify the duration (within policy limits), provide a justification, and optionally a ticket number. If MFA is required, they must authenticate with MFA. If approval is required, the request is submitted to approvers. The user sees a pending status. If no approval is needed, the activation is immediate. The system checks the user's eligibility and whether the activation is within policy (e.g., not exceeding max duration).
Approval process (if enabled)
Approvers receive an email notification and can see pending requests in the PIM portal under 'Approve requests'. They review the user's justification, the role, and the requested duration, and approve or deny, optionally with a reason. Any one of the configured approvers can approve; PIM does not require several approvers to agree. A request that no approver acts on expires, and the user must resubmit. Both the decision and the approver's reason are logged, and the requester is notified either way. Escalation chains are not part of PIM approval, so keep the approver list small and current.
Activation and time-bound access
Upon approval (or immediately if no approval is needed), Azure AD creates a time-bound active assignment for the user. Tokens the user already holds are not updated; the role appears only in tokens issued after activation, so a sign-out and sign-in (or a token refresh) is usually needed before privileged operations succeed. The activation clock starts at the scheduled start time, which is the time of the request unless a later start was chosen. The user can deactivate early from 'My roles' when finished. When the duration expires, the active assignment is removed automatically and tokens issued afterwards no longer carry the role; tokens issued before expiry remain valid for their own lifetime. The activation is logged in the PIM audit history with the user, role, duration, justification, and approver.
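The steps above, as an added example that is not part of the original page: a script that self-activates an eligible Azure AD role through Microsoft Graph, which is what the portal does behind the 'Activate' button. It assumes the Azure CLI is signed in as the eligible user and is used only to mint a Graph token, that the role is addressed by its template ID, and that tenant-wide scope ('/') is wanted. Building the request and interpreting the response status are pure functions so they can be tested without a tenant: Provisioned means the role is active, PendingApproval means an approver still has to act, and a policy violation such as a duration above the role's maximum comes back as a Graph error body rather than a status.

```python
"""Self-activate an eligible Azure AD role through Microsoft Graph (added example).

Not code from the original page. Assumptions: the Azure CLI is logged in as the
eligible user and only supplies the Graph token; the role is identified by its
template ID; tenant-wide scope "/" is wanted. The request body and the status
handling are pure functions so they can be unit-tested offline.
"""
import json
import subprocess
import urllib.error
import urllib.request
from datetime import datetime, timezone

GRAPH = "https://graph.microsoft.com/v1.0"
# Directory role template IDs, which is what roleDefinitionId expects.
ROLE_TEMPLATE_IDS = {
    "Global Administrator": "62e90394-69f5-4237-9190-012177145e10",
    "User Administrator": "fe930be7-5e62-47db-91af-98c3a49a38b1",
}


def iso_duration(hours: float) -> str:
    """Hours -> ISO 8601 duration as Graph expects it (1.5 -> PT1H30M, 0.5 -> PT30M)."""
    h, m = divmod(round(hours * 60), 60)
    return "PT" + (f"{h}H" if h else "") + (f"{m}M" if m else "")


def build_self_activation(principal_id, role_definition_id, justification, hours,
                          ticket=None, ticket_system="ServiceNow", start=None):
    """Body for POST /roleManagement/directory/roleAssignmentScheduleRequests."""
    # Client-side copies of two checks PIM's policy engine applies server-side. Graph
    # rejects violations with RoleAssignmentRequestPolicyValidationFailed; failing
    # early gives the operator a clearer message.
    if not justification or not justification.strip():
        raise ValueError("justification is required")
    if not 0.5 <= hours <= 24:
        raise ValueError("activation must be between 0.5 and 24 hours")
    body = {
        "action": "selfActivate",
        "principalId": principal_id,
        "roleDefinitionId": role_definition_id,
        "directoryScopeId": "/",
        "justification": justification,
        "scheduleInfo": {
            "startDateTime": (start or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "expiration": {"type": "afterDuration", "duration": iso_duration(hours)},
        },
    }
    if ticket:
        body["ticketInfo"] = {"ticketNumber": ticket, "ticketSystem": ticket_system}
    return body


def classify(response: dict) -> str:
    """Map Graph's request status to what the operator needs to do next."""
    status = response.get("status")
    if status == "Provisioned":
        return "active"          # get a new token, then use the role
    if status in ("PendingApproval", "PendingAdminDecision"):
        return "pending"         # an approver has to act; poll the request id
    if status in ("PendingProvisioning", "PendingScheduleCreation", "ScheduleCreated"):
        return "provisioning"    # accepted; assignment is being written
    if "error" in response:
        return "error:" + response["error"].get("code", "unknown")
    return "unexpected:" + str(status)


def graph_token() -> str:
    out = subprocess.run(["az", "account", "get-access-token", "--resource-type", "ms-graph",
                          "--query", "accessToken", "-o", "tsv"],
                         check=True, capture_output=True, text=True)
    return out.stdout.strip()


def graph_post(path: str, body: dict, token: str) -> dict:
    req = urllib.request.Request(GRAPH + path, data=json.dumps(body).encode(), method="POST",
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as e:
        try:
            return json.load(e)  # Graph returns a JSON error body; surface it to classify()
        except ValueError:
            return {"error": {"code": f"HTTP {e.code}"}}


if __name__ == "__main__":
    import sys
    principal_id, role_name, justification = sys.argv[1], sys.argv[2], sys.argv[3]
    body = build_self_activation(principal_id, ROLE_TEMPLATE_IDS[role_name], justification, hours=1)
    result = graph_post("/roleManagement/directory/roleAssignmentScheduleRequests", body, graph_token())
    print(classify(result))
    print(json.dumps(result, indent=2))
```

Invoke it with the user's object ID (az ad signed-in-user show --query id -o tsv), the role name, and a justification. After a "pending" result, poll GET /roleManagement/directory/roleAssignmentScheduleRequests/{id} until the status changes, then obtain a new token before using the role.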
Enterprise Scenario 1: Global Administrator Just-in-Time Access
A large enterprise with 50,000 users has three Global Administrators who perform critical tasks like resetting passwords for other admins or configuring federation. Previously, these admins had permanent Global Admin rights, which posed a huge security risk if their accounts were compromised. The company deployed PIM for the Global Administrator role. Now the three admins are eligible, not active. When they need to perform a task, they activate the role for up to 2 hours (the maximum allowed by policy) after providing a ticket number from their IT service management system. Activation requires MFA and approval from a senior admin, who receives an email and can approve from a mobile device. All activations are logged and audited monthly. This reduced the exposure from three standing Global Admins to occasional, short JIT windows. The initial misconfiguration was leaving the activation maximum at the 8-hour default; the policy was later tightened to 2 hours to align with the principle of least privilege. Performance consideration: PIM activation itself is near-instant, but the new role only shows up in tokens issued afterwards and propagation can take a few minutes, so admins are advised to sign out and back in before attempting privileged operations. Audit logs are retained for 30 days by default, but they are exported to Azure Log Analytics for 1-year retention to meet compliance requirements.
Enterprise Scenario 2: Azure Resource Role Activation for DevOps
A DevOps team manages a production subscription with 100 VMs and several databases. They need Contributor access to deploy updates but should not have permanent Contributor rights. The subscription is added to PIM as an Azure resource. The DevOps team members are made eligible for the Contributor role at the subscription scope. Activation requires MFA and a justification (e.g., 'Deploying hotfix for bug #1234'). The activation duration is set to 4 hours (max allowed for Azure resources is 24 hours). The team uses PIM for groups: they created an Azure AD group 'DevOps-Contributors' and made it eligible for the Contributor role. Then they added users to the group. When a user activates the group membership in PIM, they become a member of the group, which gives them Contributor access. This simplifies management. Common problem: users forget to deactivate, but auto-expiry handles it. Another issue: users sometimes activate the role but then their session token does not have the new role because they didn't refresh. The team now instructs users to sign out and sign back in after activation. Scale: with 20 users activating 2-3 times per week, PIM handles it without performance degradation. Audit logs are reviewed weekly to detect any unusual activation patterns (e.g., activation at 3 AM).
Exactly What AZ-500 Tests on PIM (Objective 1.2)
The AZ-500 exam covers PIM under 'Configure and manage Azure AD identity protection and governance'. Specifically:
- 1.2.1 Implement Privileged Identity Management (PIM) for Azure AD roles
- 1.2.2 Implement PIM for Azure resource roles
- 1.2.3 Configure PIM settings (activation duration, approval, MFA, justification)
- 1.2.4 Manage PIM assignments (eligible vs active, permanent vs time-bound)
- 1.2.5 Configure PIM alerts and audit
Common Wrong Answers and Why Candidates Choose Them
'PIM requires Azure AD Premium P1' – Wrong. PIM requires P2. Candidates confuse P1 (which includes Conditional Access) with P2.
'PIM can be used to manage classic subscription admins' – Wrong. Classic subscription admins (Service Admin, Co-Admin) are not managed by PIM; they must be converted to RBAC roles first.
'Azure AD roles cannot be activated for more than 8 hours' – Wrong in the current service: both Azure AD roles and Azure resource roles allow an activation maximum of up to 24 hours (default 8). Older material lists different caps for the two, which is where the confusion comes from.
'PIM eliminates the need for MFA' – Wrong. PIM can enforce MFA on activation, but it does not replace MFA for regular sign-in.
'PIM assignments are permanent by default' – Wrong. Eligible assignments are time-bound by default (can be permanent, but best practice is time-bound).
Specific Numbers, Values, and Terms Appearing on Exam
Default activation maximum: 8 hours (a user may choose a shorter duration at activation)
Maximum activation duration for Azure AD roles: 24 hours
Maximum activation duration for Azure resource roles: 24 hours
Approval required: Yes/No
MFA on activation: Yes/No
Justification: Required/Not required
Ticket information: Optional
Eligible vs Active assignment
Permanent vs Time-bound assignment
PIM audit log retention: 30 days (can be exported)
Licensing: Azure AD Premium P2
Edge Cases and Exceptions
PIM for groups: Works with Azure AD security groups and Microsoft 365 groups, but not with dynamic groups or groups synchronized from on-premises Active Directory.
PIM for external users: Guest (B2B) users can be made eligible for roles. Their use of P2 features is licensed by the tenant that hosts the role under its external identities licensing, not by a license carried over from their home tenant.
PIM and Conditional Access: Conditional Access policies that apply to the user during activation can block activation if conditions are not met (e.g., not on compliant device).
PIM and Privileged Access Groups: PIM can manage group membership, and the group can be assigned to Azure roles. This allows JIT access to Azure resources via group membership.
PIM and custom roles: Both built-in and custom Azure AD roles can be managed in PIM, as can built-in and custom Azure RBAC roles. Custom Azure AD roles are limited to the permission set Azure AD allows in custom roles, so the most sensitive directory operations still require built-in roles.
How to Eliminate Wrong Answers Using Underlying Mechanism
Understand that PIM is about time-bound activation of eligible assignments. If an answer suggests that PIM provides permanent access or that it doesn't require activation, it's wrong. If an answer mentions an activation longer than 24 hours, it's wrong; if it claims Azure AD roles and Azure resource roles have different maximums, check the figures against the current 24-hour limit for both. If an answer says PIM works for classic admins, it's wrong because PIM works only with Azure AD roles, Azure RBAC roles, and groups. If an answer says PIM requires a separate license for each resource, it's wrong; only the users need P2.
PIM provides just-in-time privileged access, reducing standing admin risk.
PIM requires Azure AD Premium P2 licensing for users activating roles.
The default activation maximum is 8 hours and the configurable maximum is 24 hours, for Azure AD roles and Azure resource roles alike; users can pick any shorter duration when they activate.
PIM can enforce MFA and require approval during role activation.
Eligible assignments allow users to activate roles; active assignments grant the role without activation (standing admin, whether permanent or time-bound) and are not recommended.
PIM audit logs are retained for 30 days; can be exported to Azure Monitor.
PIM supports both Azure AD roles and Azure resource roles, as well as groups (Privileged Access Groups).
PIM does not manage classic subscription administrators; they must be converted to RBAC.
Activation is time-bound; users must request elevation each time they need privileged access.
PIM integrates with Conditional Access to enforce additional policies during activation.
These come up on the exam all the time. Here's how to tell them apart.
PIM for Azure AD Roles
Manages built-in Azure AD roles like Global Administrator, User Administrator.
Maximum activation duration is 24 hours (default 8 hours).
Supports approval workflows; approvers are any users or groups, a single approval suffices, and Privileged Role Administrators/Global Administrators are the default approvers if none are named.
Assignments can be scoped to the entire tenant, or narrowed to an administrative unit or an application where the role supports it.
Requires Azure AD Premium P2 for the user.
PIM for Azure Resource Roles
Manages Azure RBAC roles like Owner, Contributor at management group, subscription, resource group, or resource scope.
Maximum activation duration is 24 hours (default 8 hours).
Supports approval workflows with the same single-approval semantics; approvers are chosen per role and per scope.
Assignments are scoped to a specific Azure scope (management group, subscription, resource group, or resource) and inherit downward like any Azure RBAC assignment.
Requires Azure AD Premium P2 for the user; the resource does not need a license.
Mistake
PIM can permanently assign roles to users.
Correct
PIM is designed for just-in-time access. Eligible assignments can be permanent, meaning the eligibility never expires, but the role is still only held while activated; best practice is to give eligibility an end date too. Active assignments, whether permanent or time-bound, hand out standing privileges without activation and are not what PIM is for.
Mistake
PIM activation duration is capped at 8 hours for Azure AD roles and 24 hours for Azure resource roles.
Correct
The activation maximum is configurable per role from 0.5 to 24 hours for both Azure AD roles and Azure resource roles, and defaults to 8 hours for both. The user can pick any duration up to that maximum when activating.
Mistake
PIM requires Azure AD Premium P1 license.
Correct
PIM requires Azure AD Premium P2. P1 does not include PIM. This is a common exam trap.
Mistake
PIM can manage classic subscription administrators.
Correct
Classic subscription administrators (Service Administrator and Co-Administrators) are not managed by PIM. You must convert to Azure RBAC roles first.
Mistake
PIM eliminates the need for multi-factor authentication.
Correct
PIM can enforce MFA during role activation, but it does not replace MFA for regular sign-in. MFA on activation is an additional security layer.
An eligible assignment means the user can activate the role but does not have its permissions until they do. An active assignment means the user has the role's permissions right now without activating (standing admin), whether the assignment is permanent or has an end date. PIM is designed around eligible assignments to enforce just-in-time access; active assignments bypass activation and are not recommended. On the exam, remember that PIM is about making roles eligible, not active.
Yes, PIM supports Azure resource roles at management group, subscription, resource group, and resource scope. You add the resource in PIM under 'Azure resources', then configure role settings and assign eligible users. Activation duration for resource roles can be up to 24 hours. This is a key exam point: PIM works for both Azure AD roles and Azure resource roles.
PIM requires Azure AD Premium P2 licenses for users who will activate roles. For Azure resource roles, the user needs P2, but the resource itself does not need a license. For Azure AD roles, the user also needs P2. Without P2, you can view PIM settings but cannot activate. This is a common exam trap: P1 is not enough.
PIM can integrate with Conditional Access to enforce policies during role activation. In the role settings, 'On activation, require' offers two options: Azure AD MFA, or a Conditional Access authentication context. With the second option you tag the role with an authentication context, then build a Conditional Access policy targeting that context that demands, for example, a compliant device, a specific location, or phishing-resistant MFA. That policy is evaluated when the user activates, not only at sign-in, so it adds a security layer on top of the regular sign-in policies.
The default activation maximum for both Azure AD roles and Azure resource roles is 8 hours, configurable between 0.5 and 24 hours for either type. The user chooses a duration up to that maximum at activation time.
Yes, PIM can manage membership in Azure AD security groups (Privileged Access Groups). You can enable PIM for a group, then assign the group to an Azure role (e.g., Contributor). Users can then activate group membership in PIM, gaining the role's permissions. This allows JIT access to Azure resources via group membership. This is a newer feature that may appear on the exam.
PIM audit logs are retained for 30 days in the Azure portal. For longer retention, you can export the logs to Azure Monitor or Log Analytics. The exam may ask about the default retention period. Remember: 30 days.