AZ-900 | Chapter 101 of 127 | Objective 2.5

Privileged Identity Management (PIM)

This chapter covers Azure Privileged Identity Management (PIM), a key service for managing, controlling, and monitoring privileged access to Azure resources. PIM is part of the Microsoft Entra (formerly Azure AD) family and is a critical tool for identity security. On the AZ-900 exam, this topic falls under Objective 2.5: Describe identity, governance, privacy, and compliance features. Identity and access management topics typically account for 10-15% of the exam questions. Understanding PIM is essential because it addresses the principle of least privilege and helps organizations reduce the risk of privilege escalation attacks. This chapter will explain what PIM is, how it works, its key features, and how it compares to other Azure identity services.

25 min read
Intermediate
Updated May 31, 2026

The Bank Vault Time-Lock Mechanism

Imagine a bank vault that stores the most sensitive assets—like the master keys to every safety deposit box. Normally, no one has access to these keys; they sit in a time-locked compartment. Only when an authorized employee (the ‘privileged user’) requests access does the vault initiate a multi-step verification: the employee must justify why they need the keys, the request is logged, and a manager must approve it. Once approved, the vault grants access for a limited time—say, 30 minutes—after which the keys automatically return to the locked compartment. The employee cannot extend access without repeating the process. Crucially, the vault also requires periodic ‘certification’—every quarter, managers must review and confirm who still needs keys. If an employee leaves or changes roles, their access is revoked automatically. This time-lock mechanism prevents standing access, reduces the risk of key misuse, and provides a full audit trail. Azure Privileged Identity Management (PIM) works exactly like this: it provides just-in-time privileged access to Azure AD roles and Azure resources, with approval workflows, time-bound activation, and regular access reviews.

How It Actually Works

What is Privileged Identity Management (PIM)?

Privileged Identity Management (PIM) is a service in Microsoft Entra ID (formerly Azure Active Directory) that enables you to manage, control, and monitor access to important resources in your organization. These resources include Azure AD roles (like Global Administrator, User Administrator) and Azure resources (like subscriptions, resource groups, and individual resources like virtual machines). The core problem PIM solves is the over-assignment of permanent, standing privileged roles. In traditional on-premises environments, administrators often had permanent access to high-privilege accounts, creating a significant security risk if those accounts were compromised. PIM introduces just-in-time (JIT) privileged access, meaning users get the rights they need only when they need them, for a limited time, and with approval if required.

How PIM Works: Step by Step

PIM operates on several key mechanisms:

1. Activation: A user who is eligible for a role must activate it when they need to perform privileged tasks. Activation typically requires multi-factor authentication (MFA), a business justification, and possibly approval from designated approvers.

2. Time-bound access: Once activated, the role is granted for a configurable duration (e.g., 1 hour). After that, the role assignment expires automatically.

3. Approval workflows: For highly sensitive roles, organizations can require that an activation request be approved by one or more approvers before access is granted.

4. Audit and monitoring: All activations and assignments are logged, providing a complete audit trail. PIM also generates alerts for suspicious activities.

5. Access reviews: Administrators can schedule periodic reviews of who still needs privileged access. Reviewers confirm or deny continued eligibility, and stale assignments are removed.

Key Components of PIM

Eligible vs. Active assignments: A user can be made eligible for a role (meaning they can activate it when needed) or active (permanently assigned). Best practice is to use eligible assignments for all privileged roles.

Role settings: Each role has configurable settings, including activation duration, maximum duration, whether MFA is required, whether approval is required, and who the approvers are.

Privileged access groups: PIM can also manage access to Azure AD security groups that are used for privileged access, allowing just-in-time membership.

Azure resource roles: PIM supports not only Azure AD roles but also Azure RBAC roles for managing Azure resources like subscriptions, resource groups, and individual resources.

PIM Tiers and Licensing

PIM is available with Microsoft Entra ID P2 licenses, which are part of Enterprise Mobility + Security E5 and Microsoft 365 E5. Without P2 licenses, PIM features are limited. Specifically:

Microsoft Entra ID Free: No PIM features.

Microsoft Entra ID P1: Limited PIM features (e.g., no approval workflows, no access reviews).

Microsoft Entra ID P2: Full PIM capabilities including JIT activation, approval workflows, access reviews, and alerts.

Comparison to On-Premises Equivalent

In on-premises Active Directory, privileged access management was often handled by manually assigning permanent group memberships (e.g., Domain Admins). There was no built-in JIT activation or approval workflow. Additional third-party tools (like CyberArk) were needed to achieve similar functionality. PIM brings this capability natively to the cloud, integrating with Azure AD and Azure resources.

Azure Portal and CLI Touchpoints

To use PIM, you navigate to the Microsoft Entra admin center (https://entra.microsoft.com) > Identity > Governance > Privileged Identity Management. From there, you can manage Azure AD roles, Azure resources, and privileged access groups. For automation, you can use Microsoft Graph API or PowerShell cmdlets. For example, to activate a role via PowerShell:

# Example: Activate an Azure AD role using PIM (legacy AzureADPreview module). The cmdlet takes a schedule object, not a -Duration parameter; Type 'Once' with an ISO 8601 Duration gives a single time-bound activation window.
$schedule = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedSchedule -Property @{ Type = 'Once'; StartDateTime = (Get-Date).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss.fffZ'); Duration = 'PT1H' }
Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId 'aadRoles' -ResourceId 'yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy' -RoleDefinitionId 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' -SubjectId 'zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz' -Type 'UserAdd' -AssignmentState 'Active' -Schedule $schedule -Reason 'Need access for incident response'

For Azure CLI, you can use az rest with Microsoft Graph endpoints:

# Example: Activate a role using Azure CLI with Microsoft Graph. "selfActivate" must be called by the eligible user themselves; startDateTime should be the current UTC time, and the expiration block is what makes the activation time-bound (PT1H = one hour).
az rest --method post \
  --url "https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignmentScheduleRequests" \
  --body '{"action":"selfActivate","principalId":"user-id","roleDefinitionId":"role-id","directoryScopeId":"/","justification":"Need for troubleshooting","scheduleInfo":{"startDateTime":"2024-01-01T00:00:00Z","expiration":{"type":"AfterDuration","duration":"PT1H"}}}'

Business Scenario Example

Consider a large enterprise with 50,000 employees. The Global Administrator role is extremely powerful — it has full access to all Azure AD settings and can reset passwords, change policies, and more. Without PIM, if an attacker compromises a Global Admin account, they have unlimited access. With PIM, the Global Admin role is assigned as eligible to only 5 IT staff. When they need to perform a task, they must activate the role via PIM, which requires MFA and approval from a senior security officer. The activation lasts only 2 hours, after which the role is deactivated. This drastically reduces the attack surface and provides a detailed audit log of who did what and when.

Summary of PIM Benefits

Least privilege: Users only have access when needed.

Just-in-time: Access is time-bound and automatically expires.

Approval workflows: Adds an extra layer of security for sensitive roles.

Audit trail: All activations are logged for compliance.

Access reviews: Periodic recertification ensures only authorized users retain eligibility.

Alerts: Suspicious activities trigger notifications.

Walk-Through

1. Enable PIM for your tenant

To start using PIM, you need Microsoft Entra ID P2 licenses assigned to all users who will be eligible for privileged roles. Navigate to the Microsoft Entra admin center, go to Identity > Governance > Privileged Identity Management, and select 'Azure AD roles' or 'Azure resources'. The first time you access PIM, it will automatically set up the service. You may need to assign the 'Privileged Role Administrator' role to users who will manage PIM settings. Behind the scenes, Azure creates a service principal for PIM and configures the necessary policies.

2. Configure role settings

For each Azure AD role (e.g., Global Administrator), you can define settings such as activation maximum duration (default 1 hour, max 8 hours), whether MFA is required on activation, whether approval is required, and who the approvers are. You can also set whether to require a ticket number or justification. These settings are stored in the PIM policy for that role. It's important to set a reasonable duration—too short may interrupt work, too long increases risk. Default settings are a good starting point, but organizations should tailor them to their security needs.

3. Make users eligible for roles

Instead of permanently assigning a role, you assign a user as 'eligible' for the role. This means they don't have the role active until they request activation. To do this, go to PIM > Azure AD roles > Assignments > Add assignments. Select the role, choose the user, and set assignment type to 'Eligible'. You can also set a start and end date for the eligibility (e.g., 90 days). This ensures that even eligibility is time-bound. The user will see the role in their 'My roles' portal and can activate it when needed.

4. Activate a role as a user

When a user needs to perform a privileged task, they go to the PIM portal (or use the Azure portal) and navigate to 'My roles'. They select the eligible role and click 'Activate'. The system may prompt for MFA (if configured), then ask for a reason and optionally a ticket number. If approval is required, the request is sent to the designated approvers. The user sees the status as 'Pending approval'. Once approved, the role becomes active for the configured duration. The user can now perform administrative tasks. The activation is logged with a timestamp, duration, and reason.

5. Review and approve activation requests

Approvers receive notifications (email or in-portal) when a request is pending. They go to PIM > Approve requests and review the details: user, role, justification, and time. They can approve or deny. If approved, the role is activated immediately. If denied, the user is notified. Approvers should verify the request is legitimate—e.g., check if the user has a valid ticket. This step ensures that even if a user's account is compromised, the attacker cannot activate a role without approval. The approval history is also logged for auditing.

6. Set up access reviews

To maintain least privilege, schedule periodic access reviews for privileged roles. In PIM, go to 'Access reviews' and create a new review. Select the role(s) to review, choose reviewers (e.g., the user's manager or a security team), set the frequency (e.g., monthly, quarterly), and the duration. When the review starts, reviewers receive a notification. They review each user and mark 'Approve' or 'Deny'. If denied, the user's eligibility is removed automatically. Access reviews are critical for compliance (e.g., SOX, GDPR) and prevent privilege creep.

What This Looks Like on the Job

Scenario 1: Global Admin Access in a Large Enterprise

A multinational corporation with 10,000 employees has five Global Administrators who manage the entire Azure AD tenant. Previously, these admins had permanent Global Admin rights. After a security audit, the company implemented PIM. Now, the admins are made eligible for Global Admin. When they need to perform tasks like resetting a password or changing a policy, they must activate the role via PIM, which requires MFA and approval from the IT security director. The activation lasts for 2 hours. This change reduced the attack surface significantly: if an admin's credentials are stolen, the attacker cannot activate the role without approval. The company also set up quarterly access reviews to ensure only current employees remain eligible. The cost is the Microsoft Entra ID P2 licenses for the five admins (approx. $9 per user/month). A common mistake is not configuring approval for Global Admin—some organizations skip this to avoid friction, but this defeats the purpose of PIM. When set up incorrectly (e.g., no MFA required), a compromised account could still activate the role, leading to a breach.

Scenario 2: Managing Azure Resource Permissions for Developers

A software company uses Azure resources (virtual machines, databases, storage accounts) for development. Developers need Contributor access to specific resource groups, but only during active development sprints. Previously, they were permanently assigned Contributor, which meant they could accidentally delete resources. The company used PIM for Azure resources to grant eligible Contributor access. Developers activate the role when they start work each day, and it expires after 8 hours. This ensures that after hours, no one has persistent write access. The team also set up approval for high-risk actions like deleting resource groups. The result: fewer accidental deletions and better security. The cost is P2 licenses for the developers (approx. $9/user/month). A common misconfiguration is setting the activation duration too long (e.g., 8 hours) without approval, which still leaves a window for misuse. Best practice is to set the shortest practical duration and require approval for destructive actions.

Scenario 3: Third-Party Vendor Access

A financial services firm hires external auditors who need temporary read-only access to Azure AD audit logs and Azure resource configurations. Without PIM, the firm would have to create permanent guest accounts with permanent roles, which is a security risk. Using PIM, the auditors are invited as guest users and made eligible for the 'Security Reader' role. They activate the role only when performing the audit, with a 4-hour duration and approval from the compliance officer. After the audit, their eligibility expires automatically based on a set end date. This provides a clean audit trail and ensures access is revoked when no longer needed. The firm saves time on manual cleanup and reduces the risk of lingering access. A pitfall is not setting an expiration on eligibility, which could allow the auditor to reactivate later. Proper configuration includes a definite end date for the eligibility assignment.

How AZ-900 Actually Tests This

AZ-900 Objective 2.5: Describe identity, governance, privacy, and compliance features

On the AZ-900 exam, you will be tested on the high-level capabilities and benefits of PIM, not on how to configure it step by step. The exam expects you to know:

What PIM is: A service that provides just-in-time privileged access to Azure AD and Azure resources.

Key features: Time-bound access, approval workflows, MFA on activation, access reviews, and audit logs.

Licensing: Requires Microsoft Entra ID P2 licenses.

Common use cases: Reducing standing admin access, meeting compliance requirements, monitoring privileged actions.

Common Wrong Answers and Why Candidates Choose Them

1. "PIM is the same as Azure AD Privileged Identity Management (PIM) for Azure resources." – This is actually true, but candidates often confuse it with Azure RBAC. PIM manages Azure RBAC roles, but it is not the same as RBAC itself. The exam may ask: "Which service provides just-in-time access to Azure resources?" Some candidates answer "Azure RBAC" instead of "PIM." Remember: RBAC defines roles, PIM manages activation of those roles.

2. "PIM requires Azure AD Premium P1 licenses." – Many candidates think P1 is enough, but full PIM features (approval workflows, access reviews) require P2. P1 only provides limited PIM (e.g., no approvals). The exam may list P1 as a distractor.

3. "PIM eliminates the need for MFA." – Wrong. PIM actually enforces MFA on activation for better security. Candidates may think PIM replaces MFA, but it adds an extra layer.

4. "PIM is only for Azure AD roles, not Azure resources." – This is false. PIM supports both Azure AD roles and Azure resource roles (subscription, resource group, resource level). The exam may test this distinction.

Specific Terms and Values That Appear on the Exam

Just-in-time (JIT) access: The core concept.

Eligible vs. Active assignment: Know the difference.

Activation duration: Default 1 hour, maximum 8 hours.

Access reviews: Periodic recertification of privileged access.

Approval workflow: Required for some roles.

License: Microsoft Entra ID P2 (or Azure AD Premium P2).

Edge Cases and Tricky Distinctions

PIM vs. Identity Governance: PIM is a subset of Microsoft Entra Identity Governance. The exam may ask which service provides access reviews – that's PIM (or Identity Governance, but PIM is the specific tool).

PIM vs. Privileged Access Workstations (PAW): PAW is a separate security concept (dedicated devices for admin tasks). PIM is about time-bound roles.

PIM for groups: PIM can manage membership in Azure AD security groups, not just roles. This is a newer feature that may appear.

Memory Trick

Think "PIM = Pass In Minutes" – privileged access is temporary (passes in minutes). Remember the key features: JIT, MFA, Approval, Time-bound, Reviews. Acronym: JAM-TR (Just-in-time, Approval, MFA, Time-bound, Reviews).

Key Takeaways

PIM provides just-in-time privileged access to Azure AD roles and Azure resources.

PIM requires Microsoft Entra ID P2 licenses (formerly Azure AD Premium P2).

Key features: time-bound activation, MFA enforcement, approval workflows, access reviews, and audit logs.

PIM reduces the risk of standing admin access and helps meet compliance requirements.

Eligible assignments mean users can activate roles only when needed.

Activation duration defaults to 1 hour, maximum 8 hours.

PIM is part of Microsoft Entra Identity Governance.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Privileged Identity Management (PIM)

Provides just-in-time access to roles

Requires Microsoft Entra ID P2 license

Includes approval workflows and access reviews

Manages activation of privileged roles

Supports both Azure AD and Azure resource roles

Azure Role-Based Access Control (RBAC)

Defines roles and permissions permanently

Available with all Azure subscriptions (free)

No built-in approval or review workflows

Assigns roles directly to users/groups

Only for Azure resources (not Azure AD roles)

Watch Out for These

Mistake: PIM is a separate Azure service that requires additional licensing beyond Azure AD.

Correct: PIM is a feature of Microsoft Entra ID P2. You do not need a separate subscription; you just need P2 licenses for users who will use PIM.

Mistake: PIM only works for Azure AD roles, not for Azure resource roles like Contributor or Owner.

Correct: PIM supports both Azure AD roles and Azure resource roles (via Azure RBAC). You can manage just-in-time access to subscriptions, resource groups, and individual resources.

Mistake: Once a user activates a role via PIM, they have that role permanently until deactivated manually.

Correct: PIM activation is time-bound. After the configured duration (e.g., 1 hour), the role automatically deactivates. No manual deactivation is needed.

Mistake: PIM eliminates the need for multi-factor authentication (MFA) because it already provides secure access.

Correct: PIM actually enforces MFA during activation. It does not replace MFA; it adds an additional security layer.

Mistake: PIM is only useful for large enterprises; small businesses don't need it.

Correct: Any organization with Azure AD and privileged roles can benefit from PIM. Even small businesses should avoid permanent admin accounts to reduce risk.

Frequently Asked Questions

What is the difference between PIM and Azure AD roles?

Azure AD roles are built-in or custom roles that define permissions (e.g., Global Administrator). PIM is a service that manages the activation of those roles on a just-in-time basis. Without PIM, roles are permanently assigned. With PIM, users are made eligible and must activate the role when needed, with optional approval and time limits.

Does PIM require additional cost beyond Azure AD?

Yes, PIM requires Microsoft Entra ID P2 licenses for all users who will be eligible for privileged roles. These licenses are part of Enterprise Mobility + Security E5 or Microsoft 365 E5. There is no separate PIM service cost.

Can PIM be used for Azure resources like virtual machines?

Yes, PIM supports Azure resource roles. You can manage just-in-time access to Azure resources at the subscription, resource group, or resource level using Azure RBAC roles. For example, you can make a user eligible for Contributor on a specific resource group.

What happens when a PIM activation request is denied?

If an activation request is denied by the approver, the user is notified via email and in the PIM portal. The user does not receive the role. The denied request is logged for auditing. Users can resubmit with additional justification if needed.

How do access reviews work in PIM?

Access reviews are scheduled periodic reviews of users who are eligible for privileged roles. Reviewers (e.g., managers) review each user and approve or deny their continued eligibility. If denied, the user's eligibility is removed automatically. This ensures only authorized users retain access.

Is PIM available for guest users?

Yes, PIM can be used for guest users in Azure AD. Guest users can be made eligible for Azure AD roles just like internal users. This is useful for external auditors or partners who need temporary privileged access.

Can I use PIM without MFA?

You can configure PIM to not require MFA on activation, but this is not recommended. The exam expects you to know that MFA is a key security feature of PIM. Best practice is to always require MFA for activation.
