AZ-500 | Chapter 2 of 103 | Objective 1.2

Privileged Identity Management (PIM)

This chapter covers Azure AD Privileged Identity Management (PIM), a critical service for managing, controlling, and monitoring access to privileged roles in Azure AD and Azure resources. For the AZ-500 exam, PIM is a high-yield topic appearing in 10-15% of questions, particularly around role activation, approval workflows, and just-in-time access. Understanding PIM's mechanisms, configuration options, and integration with other Azure AD security features is essential for the Identity and Access domain.

25 min read
Intermediate
Updated May 31, 2026

The Key Cabinet with Time-Locks

Imagine a secure office building with a central key cabinet. Every employee has a badge that can open the cabinet, but the keys inside are for sensitive areas like the server room or executive suite. The cabinet has a rule: whenever someone removes a key, they must first specify a reason and a duration (e.g., 'I need the server room key for 2 hours'). The cabinet automatically logs who took which key, when, and why. Crucially, the key is not a physical metal key but a digital code that expires after the set time. Once expired, the code no longer works, even if the employee tries to use it. The cabinet also has an approval workflow: for the most sensitive keys, taking the key requires a second person to approve the request via a separate system. An auditor can later review the entire log to see exactly who accessed what and when. This is exactly how Azure AD Privileged Identity Management (PIM) works: roles are activated on-demand for a limited time, with approval and auditing, rather than users holding permanent privileged access.

How It Actually Works

What is Privileged Identity Management (PIM)?

Privileged Identity Management (PIM) is an Azure AD service that enables you to manage, control, and monitor access within Azure AD and Azure resources. PIM provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions. The core principle is Just-In-Time (JIT) access: instead of users having permanent privileged roles, they can activate those roles on-demand for a limited period.

Why PIM Exists

Permanent privileged role assignments are a significant security risk. If a user's credentials are compromised, the attacker gains persistent high-level access. PIM reduces the attack surface by ensuring that privileged roles are only active when needed. It also provides auditing capabilities to track who used what role and when, which is essential for compliance.

How PIM Works Internally

PIM operates through a combination of Azure AD roles, role assignments, activation requests, and policies. When a user is eligible for a role (i.e., assigned as eligible in PIM), they are not active in that role by default. To use the role, they must activate it by going through a workflow that may require:

Multi-factor authentication (MFA)

Azure AD Conditional Access authentication context

Approval from designated approvers

Justification (reason for activation)

Ticketing system integration (ticket number)

Once activated, the user gets a temporary role assignment that lasts for a specified maximum duration (default 1 hour, configurable up to 24 hours). The user can then perform privileged operations. The role automatically deactivates when the duration expires.

Key Components and Defaults

Eligible assignment: A user is assigned to a role but must activate it before using it.

Active assignment: A user is permanently assigned to a role (not recommended for privileged roles).

Activation duration: The maximum time a role can be active. The default is 1 hour; it can be set between 1 and 24 hours.

Approval workflow: Requires one or more approvers to approve activation requests.

MFA on activation: Forces the user to perform MFA when activating a role.

Justification: User must provide a reason for activation.

Ticket information: Optional integration with a ticketing system (e.g., ServiceNow).

Notification: Email notifications to approvers and users upon activation.

Configuration Steps

1. Enable PIM: PIM requires Azure AD Premium P2 licensing. Navigate to Azure AD > Identity Governance > Privileged Identity Management.

2. Discover and manage roles: In PIM, go to Azure AD roles > Roles to see all roles. Select a role (e.g., Global Administrator) and manage its settings.

3. Configure role settings: For each role, you can set:

- Activation maximum duration (hours)
- Require MFA on activation
- Require approval (add approvers)
- Require justification
- Require ticket information
- Require Azure AD Conditional Access authentication context

4. Assign members: Add users or groups as eligible or active for the role.

5. Approve requests: Approvers can review and approve/deny activation requests in the PIM portal or via email.

Verification Commands and Portal

You can manage PIM via the Azure portal, Microsoft Graph API, or PowerShell. Key PowerShell commands:

# Connect to Azure AD (AzureAD module; Microsoft has deprecated it in favour of Microsoft Graph PowerShell)
Connect-AzureAD

# Get a list of role definitions (for the aadRoles provider, ResourceId is the tenant ID)
Get-AzureADMSPrivilegedRoleDefinition -ProviderId aadRoles -ResourceId <tenantId>

# Get role assignments
Get-AzureADMSPrivilegedRoleAssignment -ProviderId aadRoles -ResourceId <tenantId>

# Activate a role (requires user interaction). The duration is carried in a schedule
# object as an ISO 8601 duration: PT1H = 1 hour, the page's default.
$schedule = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedSchedule
$schedule.Type = "Once"
$schedule.StartDateTime = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ")
$schedule.Duration = "PT1H"
Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId aadRoles -ResourceId <tenantId> -RoleDefinitionId <roleId> -SubjectId <userId> -Type UserAdd -AssignmentState Active -Schedule $schedule -Reason "<justification>"

Integration with Related Technologies

PIM integrates with:

Azure AD Conditional Access: You can require a specific authentication context (e.g., 'Require compliant device') during activation.

Azure AD Identity Protection: PIM can use risk-based policies, e.g., require MFA if sign-in risk is medium or high.

Azure AD Privileged Access Groups: You can manage access to Azure AD roles using groups (groups assigned to roles).

Azure Resource PIM: Similar mechanism but for Azure RBAC roles (e.g., Contributor, Owner) at subscription, resource group, or resource level.

Azure Resource PIM vs. Azure AD Role PIM

Azure AD PIM manages roles like Global Administrator, User Administrator, etc. Azure Resource PIM manages Azure RBAC roles like Owner, Contributor, etc. Both follow the same principles but are configured separately.

Approval Workflow Details

When a user requests activation, approvers receive an email notification. They can approve or deny in the PIM portal or via email reply. If no approver acts within the configured approval timeout (default 24 hours), the request expires. The user can see the status of their request.
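The activation guardrails listed under How PIM Works Internally and the approval lifecycle described above, modelled in Python as an added example (not code from the page or from Microsoft). It validates a request against the role settings, emits the Microsoft Graph roleAssignmentScheduleRequests body a compliant self-activation would carry (nothing is sent; the principal and role IDs are placeholders), and tracks a pending request through approval, denial or the 24-hour timeout.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
DEFAULT_MAX_HOURS, APPROVAL_TIMEOUT_HOURS = 1, 24  # page defaults: 1 h activation, 24 h approval timeout

@dataclass
class RoleSettings:
    max_hours: int = DEFAULT_MAX_HOURS
    require_mfa: bool = True
    require_justification: bool = True
    require_ticket: bool = False
    require_approval: bool = False

def check_activation(settings, hours, justification="", ticket=None, mfa_done=False):
    """Return the guardrails an activation request violates (empty list = compliant)."""
    problems = []
    if hours < 1 or hours > min(settings.max_hours, 24):  # page: 1 to 24 hours, capped per role
        problems.append(f"requested {hours}h exceeds role maximum {settings.max_hours}h")
    if settings.require_mfa and not mfa_done:
        problems.append("MFA required on activation")
    if settings.require_justification and not justification.strip():
        problems.append("justification required")
    if settings.require_ticket and not ticket:
        problems.append("ticket information required")
    return problems

def build_activation_request(settings, principal_id, role_definition_id, hours,
                             justification="", ticket=None, mfa_done=False):
    """Return the Graph roleAssignmentScheduleRequests body for a compliant
    self-activation, or raise ValueError. IDs are placeholders; nothing is sent."""
    problems = check_activation(settings, hours, justification, ticket, mfa_done)
    if problems:
        raise ValueError("; ".join(problems))
    body = {
        "action": "selfActivate",
        "principalId": principal_id,
        "roleDefinitionId": role_definition_id,
        "directoryScopeId": "/",
        "justification": justification,
        "scheduleInfo": {
            "startDateTime": datetime.now(timezone.utc).isoformat(),
            "expiration": {"type": "AfterDuration", "duration": f"PT{hours}H"},
        },
    }
    if ticket:  # optional ticketing-system integration
        body["ticketInfo"] = {"ticketNumber": ticket, "ticketSystem": "constructed-ITSM"}
    return body

def request_state(settings, hours_since_submit, decision=None, decided_after_hours=None):
    """Lifecycle of a submitted request: active, pending, denied or expired."""
    if not settings.require_approval:
        return "active"
    if decision == "deny":
        return "denied"
    if decision == "approve" and decided_after_hours is not None and decided_after_hours <= APPROVAL_TIMEOUT_HOURS:
        return "active"
    if hours_since_submit > APPROVAL_TIMEOUT_HOURS:
        return "expired"
    return "pending"
```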

Auditing

PIM provides a rich audit history:

Role activation history: Who activated what role, when, for how long, and with what justification.

Role assignment changes: Who assigned or removed eligible/active assignments.

Approval activity: Who approved or denied requests.

Audit logs can be exported to Azure Monitor for long-term retention and advanced analysis.
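As an added example of the monitoring the page recommends (not code from the page or from Microsoft), the checks below run over a few constructed PIM activation records exported in a simplified audit-log shape; the field names are an assumption, not the exact Azure AD audit log schema. They flag activations that exceed a role's configured maximum, lack a justification, or, for roles that should need approval, have no approval recorded in the preceding 24-hour window.

```python
from datetime import datetime

ISO = "%Y-%m-%dT%H:%M:%SZ"
# Guardrails from the page: approval for highly privileged roles, minimum necessary
# duration (constructed per-role maxima from the scenarios), justification on activation.
APPROVAL_REQUIRED = {"Global Administrator"}
MAX_HOURS = {"Global Administrator": 2, "Contributor": 4}

# Constructed sample records in a simplified audit-log shape (field names are an
# assumption, not the exact Azure AD audit log schema).
RECORDS = [
    {"time": "2026-05-31T08:00:00Z", "actor": "ciso@contoso.example",
     "activity": "Add member to role approval request approved (PIM activation)",
     "role": "Global Administrator", "target": "alice@contoso.example"},
    {"time": "2026-05-31T08:01:00Z", "actor": "alice@contoso.example",
     "activity": "Add member to role completed (PIM activation)",
     "role": "Global Administrator", "target": "alice@contoso.example",
     "justification": "Change CR-1042", "start": "2026-05-31T08:01:00Z",
     "end": "2026-05-31T10:01:00Z"},
    {"time": "2026-05-31T23:30:00Z", "actor": "bob@contoso.example",
     "activity": "Add member to role completed (PIM activation)",
     "role": "Global Administrator", "target": "bob@contoso.example",
     "justification": "", "start": "2026-05-31T23:30:00Z",
     "end": "2026-06-01T23:30:00Z"},
]

def hours_between(earlier, later):
    """Elapsed hours between two ISO-8601 UTC timestamps."""
    return (datetime.strptime(later, ISO) - datetime.strptime(earlier, ISO)).total_seconds() / 3600

def detect(records):
    """Return (actor, role, reason) findings for activations that break the guardrails."""
    approvals = {}  # (target user, role) -> approval times
    for r in records:
        if "approval request approved" in r["activity"]:
            approvals.setdefault((r["target"], r["role"]), []).append(r["time"])
    findings = []
    for r in records:
        if "completed (PIM activation)" not in r["activity"]:
            continue
        who, role = r["actor"], r["role"]
        duration = hours_between(r["start"], r["end"])
        if duration > MAX_HOURS.get(role, 1):
            findings.append((who, role, f"duration {duration:g}h exceeds policy maximum"))
        if not r.get("justification", "").strip():
            findings.append((who, role, "missing justification"))
        # An approval must precede the activation and fall inside the 24-hour approval window.
        approved = any(0 <= hours_between(t, r["time"]) <= 24
                       for t in approvals.get((r["target"], role), []))
        if role in APPROVAL_REQUIRED and not approved:
            findings.append((who, role, "activation without recorded approval"))
    return findings
```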

PIM for Groups

Azure AD allows you to use groups to manage role assignments. You can assign a group as eligible for a role, and then manage group membership via PIM. This simplifies role management at scale.

Security Best Practices

Use eligible assignments instead of active for all privileged roles.

Require MFA on activation.

Set activation duration to the minimum necessary (e.g., 1 hour).

Require approval for highly privileged roles (e.g., Global Administrator).

Regularly review privileged role assignments using PIM access reviews.

Monitor PIM audit logs for suspicious activity.

Common Configuration Mistakes

Making roles permanently active instead of eligible.

Not requiring MFA on activation.

Setting activation duration too long (e.g., 24 hours for a sensitive role).

Not configuring approval for critical roles.

Forgetting to assign approvers, causing activation requests to remain pending.

Walk-Through

1. Configure PIM Settings for a Role

Navigate to Azure AD > Identity Governance > Privileged Identity Management > Azure AD roles > Roles. Select a role (e.g., Global Administrator) and click 'Settings'. On the 'Activation' tab, set the maximum activation duration (default 1 hour, max 24 hours). Check 'Require Multi-Factor Authentication' and 'Require justification'. Optionally, require approval by adding one or more approvers. Click 'Update' to save. This step defines the guardrails for how the role can be activated.

2. Assign Eligible Members to the Role

In the role settings page, go to 'Assignments' and click 'Add assignments'. Select 'Eligible' as the assignment type. Choose a user or group to be eligible for the role. Optionally set a start and end date for the eligibility (permanent if left blank). Click 'Assign'. The user is now eligible but not active. They will need to activate the role when needed.

3. User Requests Role Activation

The eligible user signs into the Azure portal and navigates to PIM > My roles > Azure AD roles. They see the role they are eligible for and click 'Activate'. They must complete MFA if required, enter a justification, optionally a ticket number, and specify the activation duration (cannot exceed the maximum set in settings). They submit the request. The request is now pending approval if configured.

4. Approver Reviews and Approves Request

Approvers receive an email notification. They go to PIM > Approve requests. They review the user's justification and other details. They can approve or deny. If approved, the user's role becomes active for the specified duration. If denied, the user is notified. If no action is taken within the approval timeout (default 24 hours), the request expires.

5. User Performs Privileged Operations

Once activated, the user has the permissions of the role for the duration. They can perform operations like managing other users, resetting passwords, or assigning roles. The user can see their active role in PIM and can deactivate early if desired. The role automatically deactivates after the duration expires. All activity is logged in the PIM audit history.

What This Looks Like on the Job

Enterprise Scenario 1: Global Administrator Access Control

A large enterprise with 50,000 users has 10 Global Administrators. Previously, all had permanent access. A security audit revealed that one admin's credentials were compromised, leading to a breach. The company implements PIM for the Global Administrator role. They configure: activation duration of 2 hours, require MFA and approval from two designated approvers (CISO and IT Director). All Global Administrators are made eligible. Now, to perform sensitive tasks, an admin must request activation, get approved, and use MFA. This reduces the risk of standing privileges. The activation logs are exported to Azure Monitor for SIEM integration. Performance is not an issue as PIM is a control plane service with minimal latency.

Enterprise Scenario 2: Just-in-Time Access for Azure Resources

A DevOps team manages 200 Azure subscriptions. They have Contributor access to many resources. To reduce risk, they use Azure Resource PIM for the Contributor role at the subscription level. Team members are made eligible for Contributor. They activate the role for 4 hours when deploying changes. Approval is required for production subscriptions. This ensures that no one has permanent write access to production. The team uses PIM's API to automate activation during CI/CD pipelines. Common misconfiguration: forgetting to set an expiration for eligible assignments, which can lead to indefinite eligibility. Regular access reviews are scheduled quarterly to clean up stale eligibilities.

What Goes Wrong When Misconfigured

Too long activation duration: Setting max duration to 24 hours for a sensitive role defeats the purpose of JIT. An attacker who compromises an admin could have 24 hours of access.

No MFA: Without MFA, a stolen password is enough to activate a role.

No approval: For high-risk roles, lack of approval means a single user can self-activate without oversight.

Incorrect approver assignment: If no approvers are configured, requests never get approved, causing operational delays. Conversely, if too many approvers are added, approval can be delayed.

Not using groups: Managing individual users as eligible becomes unmanageable at scale. Using groups with PIM simplifies administration.

How AZ-500 Actually Tests This

What AZ-500 Tests on PIM

AZ-500 measures your ability to configure and manage PIM for Azure AD roles and Azure resources. Key objectives under Identity and Access (1.2):

Configure PIM for Azure AD roles and Azure RBAC roles.

Manage role activation settings: duration, MFA, approval, justification.

Configure PIM for groups.

Perform access reviews.

Analyze PIM audit logs.

Common Wrong Answers and Why Candidates Choose Them

1. 'PIM requires Azure AD Premium P1 licenses' – Wrong. PIM requires Azure AD Premium P2 (or EMS E5). P1 does not include PIM.

2. 'PIM can be used to manage Azure RBAC roles only' – Wrong. PIM manages both Azure AD roles and Azure RBAC roles (via Azure Resource PIM).

3. 'Activation duration can be set to any value up to 8 hours' – Wrong. Maximum is 24 hours, default is 1 hour. The exam may test the exact default.

4. 'PIM approvals are required by default' – Wrong. Approval is optional and must be configured per role.

5. 'PIM automatically revokes access after activation' – Partially true but misleading. The role deactivates after the duration, but the user remains eligible. The exam expects understanding of eligible vs. active.

Specific Numbers and Terms

Default activation duration: 1 hour.

Maximum activation duration: 24 hours.

Approval timeout: 24 hours (if no approver acts).

License: Azure AD Premium P2.

Two types of PIM: Azure AD Roles PIM and Azure Resource PIM.

Assignment types: Eligible and Active.

Edge Cases and Exceptions

PIM for groups: You can assign a group as eligible for a role, and then manage group membership via PIM. The exam may ask about this.

PIM with Conditional Access: You can require an authentication context (e.g., 'Require compliant device') during activation. This is a newer feature.

PIM for external users: External guests can be eligible for roles, but they need to activate using their home directory credentials.

How to Eliminate Wrong Answers

If a question says 'PIM is used for...' and lists only Azure RBAC, look for the option that includes both Azure AD and Azure RBAC.

If a question mentions license requirements, remember P2.

If a question asks about default activation duration, remember 1 hour.

If a question asks about approval, remember it must be explicitly configured.

Key Takeaways

PIM provides just-in-time privileged access to Azure AD and Azure resources.

PIM requires Azure AD Premium P2 licenses.

Default activation duration is 1 hour; maximum is 24 hours.

Eligible assignments require activation; active assignments are permanent.

PIM supports approval workflows, MFA, and justification for activation.

PIM can be used for Azure AD roles and Azure RBAC roles (Azure Resource PIM).

PIM integrates with Conditional Access via authentication context.

Access reviews can be scheduled to review privileged role assignments.

PIM audit logs track all activation and assignment changes.

Groups can be assigned as eligible for roles to simplify management.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Eligible Assignment

User must activate the role before using permissions.

No standing access; reduces risk of credential theft.

Activation may require MFA, approval, and justification.

Role is temporary and expires after a set duration.

Recommended for all privileged roles.

Active Assignment

User has permanent access to the role permissions.

Standing access increases risk if credentials are compromised.

No activation step required; user can use role immediately.

Role never expires unless manually removed.

Not recommended for privileged roles; use only for service accounts or emergencies.

Watch Out for These

Mistake

PIM is only available for Azure AD roles, not Azure resources.

Correct

PIM supports both Azure AD roles (e.g., Global Administrator) and Azure resource roles (e.g., Contributor) via Azure Resource PIM. Both are configured separately.

Mistake

PIM requires Azure AD Premium P1 license.

Correct

PIM requires Azure AD Premium P2 or EMS E5 licenses. P1 does not include PIM functionality.

Mistake

Once a role is activated, it remains active until the user manually deactivates it.

Correct

The role automatically deactivates after the configured activation duration (default 1 hour, max 24 hours). Users can deactivate early, but it is not required.

Mistake

Approval is required for all PIM activations by default.

Correct

Approval is optional and must be explicitly configured in the role settings. By default, no approval is required.

Mistake

PIM can only be used for individual users, not groups.

Correct

PIM supports assigning groups as eligible for roles. Group membership can be managed via PIM as well.

Frequently Asked Questions

What is the difference between PIM and Privileged Access Management (PAM)?

PIM is Azure's specific implementation of PAM. PAM is a broader category of solutions that manage privileged access. PIM provides just-in-time access, approval workflows, and auditing for Azure AD and Azure resources. Other PAM solutions may cover on-premises systems.

Can I use PIM without Azure AD Premium P2?

No, PIM is a feature of Azure AD Premium P2. You need P2 licenses for all users who will be eligible for roles or who will approve requests. However, you only need licenses for users who use PIM features, not all users in the tenant.

How do I configure PIM for Azure resources?

Navigate to Azure AD > Identity Governance > Privileged Identity Management > Azure resources. Select a subscription or resource, then manage roles like Contributor or Owner. Configure settings and assign eligible members similar to Azure AD roles.

What happens if an approver does not respond to an activation request?

The request will expire after the approval timeout (default 24 hours). The user can submit a new request or contact the approver directly.

Can I require Conditional Access policies during role activation?

Yes, in the role settings you can require an Azure AD Conditional Access authentication context. This allows you to enforce policies like 'Require compliant device' or 'Require approved client app' during activation.

How do I audit PIM activations?

Go to PIM > Azure AD roles > Audit history. You can view role activation requests, approvals, and assignments. You can also export logs to Azure Monitor for longer retention.

Can external users (B2B guests) use PIM?

Yes, external users can be made eligible for roles. They must activate the role using their home directory credentials and may need to satisfy MFA requirements.
