This chapter covers Privileged Identity Management (PIM) for administrators, a critical component of identity governance in Microsoft 365. PIM enables just-in-time (JIT) privileged access, removing the need for standing admin privileges. For the MS-102 exam, PIM is a recurring topic in the identity and access domain, covering activation policies, approval workflows, and how PIM integrates with Azure AD (now Microsoft Entra ID) roles and Azure resources. Mastering this topic is essential for securing privileged identities in a hybrid environment.
Imagine a high-security building where only a few trusted managers have keys to the vault. However, instead of carrying the vault key at all times, they must request it from a secure key locker when needed. The key locker is automated: when a manager submits a request, it checks their identity, confirms they are authorized, and then dispenses the key for a limited time—say, one hour. After that hour, the key is automatically returned and cannot be reused. The locker also logs every request: who asked, when, for how long, and what they accessed. If a manager tries to keep the key past the allotted time, an alarm triggers and the key is revoked. This system prevents keys from being lost, stolen, or misused. In the same way, Privileged Identity Management (PIM) in Azure AD provides just-in-time (JIT) privileged access to Azure AD roles and Azure resources. Administrators do not have permanent privileged roles; instead, they activate eligible roles only when needed, for a predefined duration, with approval workflows and auditing. This minimizes the attack surface and ensures that privileged operations are always monitored and time-bound.
What is Privileged Identity Management (PIM)?
Privileged Identity Management (PIM) is a service in Azure Active Directory (Azure AD, now Microsoft Entra ID) that helps you manage, control, and monitor access to important resources in your organization. It provides time-bound and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions. PIM covers Azure AD roles (e.g., Global Administrator, Exchange Administrator), Azure resource roles (e.g., Owner, Contributor on a management group, subscription, resource group, or individual resource) and, through PIM for Groups, membership and ownership of groups.
Why PIM Exists
Traditionally, administrators were assigned permanent privileged roles. This created a security risk: if an admin's credentials were compromised, an attacker would have persistent elevated access. PIM addresses this by requiring users to activate their role assignment only when needed, for a limited time, often with approval from another admin. This aligns with the principle of least privilege and Zero Trust security models.
How PIM Works Internally
PIM is built on the role management and identity governance services of Azure AD. The core flow is:
1. Eligible assignment: An administrator assigns a user (or a role-assignable group) to a role as 'eligible' rather than 'active'. The user does not hold the role's permissions until they activate it.
2. Activation request: The user requests activation from the Microsoft Entra admin center or Azure portal, or programmatically through Microsoft Graph. The request carries a justification and, if the role settings require it, a ticket number and ticket system.
3. Policy evaluation: PIM checks the activation rules in the role's settings (its role management policy). These define:
- Activation maximum duration (default 8 hours, configurable from 1 to 24 hours for both Azure AD roles and Azure resource roles; the user may choose any shorter duration at activation time).
- Require approval (off by default).
- Require multifactor authentication (MFA) on activation.
- Require a Conditional Access authentication context on activation (an alternative to the plain MFA requirement that lets a Conditional Access policy impose stronger controls such as phishing-resistant MFA or a compliant device).
- Require justification, and optionally ticket information.
4. Approval (if required): The request goes to the designated approvers, who receive an email with a link to the Approve requests page and decide there or through Microsoft Graph. A request that nobody acts on expires after 24 hours.
5. Activation: Once approved (or immediately, if no approval is needed), the role assignment becomes active for the requested duration: Azure AD adds the user to the role's active members for that window.
6. Audit logging: Every request, approval, denial, activation and deactivation is written to the PIM audit history and to the Azure AD audit logs (category RoleManagement).
7. Deactivation: When the duration expires, PIM removes the active assignment automatically. The user can deactivate early from My roles, and an administrator can end an activation early by removing the active assignment (or the underlying eligible assignment).
Key Components, Values, Defaults, and Timers
Eligible vs Active Assignment: Eligible means the user can activate the role; active means the user holds the role's permissions without any activation step. An active assignment can be permanent or time-bound (start and end dates), but in both cases the permissions are standing for that period, which is why active assignments are not recommended for privileged roles.
Activation Maximum Duration: For Azure AD roles, default is 8 hours, configurable between 1 and 24 hours. For Azure resource roles, default is 8 hours, max 24 hours. The requester may pick any shorter duration when activating.
Approval Required: Default is 'No' for both Azure AD roles and Azure resource roles; it must be enabled per role in the role settings and one or more approvers (users or groups) named. For Azure AD roles, if no approver is specified, Privileged Role Administrators and Global Administrators become the default approvers.
MFA on Activation: Enabled by default for most Azure AD roles; an opt-in setting for Azure resource roles. Users must have registered an MFA method before they can activate. PIM accepts an MFA claim already present in the session (for example MFA performed at sign-in), so it does not necessarily re-prompt; to force a fresh or stronger challenge at activation time, use the Conditional Access authentication context option instead.
Justification: 'Require justification on activation' is enabled by default and can be switched off per role (leave it on). A separate setting requires a ticket number and ticket system.
Approval Timeout: A pending request expires if no approver acts within 24 hours; the role settings page exposes no setting to shorten this. The requester can cancel a pending request.
One Activation at a Time: An eligible assignment is activated once, for a chosen duration up to the role's maximum. While it is active the user cannot stack a second activation of the same assignment; to keep working past the end time they must submit a new activation request.
Role Settings: Each role has its own settings (a role management policy) that apply to every eligible assignment of that role. There is no single 'apply to all roles' switch in the portal; to standardize settings across many roles, script the policy rules through Microsoft Graph.
Configuration and Verification Commands
PIM is configured primarily through the Microsoft Entra admin center or the Microsoft Graph API. The AzureADPreview module that older guides reference (cmdlets such as Get-AzureADMSPrivilegedRoleDefinition and Get-AzureADMSPrivilegedRoleAssignment) has been retired along with the rest of the Azure AD PowerShell modules, so scripts must use the Microsoft Graph PowerShell SDK against the v1.0 roleManagement endpoints. The equivalents of those cmdlets, plus the activation itself:
# Install the Microsoft Graph PowerShell SDK (if not already installed) and sign in with a PIM scope
Install-Module -Name Microsoft.Graph -Scope CurrentUser
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory"
# List role definitions (built-in and custom) with the IDs the activation request needs
Get-MgRoleManagementDirectoryRoleDefinition -All | Select-Object DisplayName, Id
# Get eligible assignments for a user
Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter "principalId eq 'user-object-id'"
# Activate an eligible role: a self-activation request for 8 hours with a justification
New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter @{
    action           = "selfActivate"
    principalId      = "user-object-id"
    roleDefinitionId = "role-definition-id"
    directoryScopeId = "/"
    justification    = "Need to reset user password"
    scheduleInfo     = @{
        startDateTime = "2025-04-07T12:00:00Z"
        expiration    = @{ type = "AfterDuration"; duration = "PT8H" }
    }
}
The same activation as a raw Microsoft Graph call (the older privilegedRoleAssignmentRequests and privilegedAccess endpoints, with their roleId/assignmentState request shape, are deprecated and should not be used for new automation):
POST https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignmentScheduleRequests
Content-Type: application/json
{
  "action": "selfActivate",
  "principalId": "user-object-id",
  "roleDefinitionId": "role-definition-id",
  "directoryScopeId": "/",
  "justification": "Need to reset user password",
  "scheduleInfo": {
    "startDateTime": "2025-04-07T12:00:00Z",
    "expiration": { "type": "AfterDuration", "duration": "PT8H" }
  }
}
Interaction with Related Technologies
Azure AD Identity Protection: User and sign-in risk feed Conditional Access. With a Conditional Access policy scoped to the authentication context that a role's settings require on activation, a risky user can be blocked from activating (or forced through a password change) even though they hold an eligible assignment.
Conditional Access: A role's settings can require a Conditional Access authentication context on activation. The Conditional Access policy attached to that context then enforces its grant controls (for example MFA, a specific authentication strength such as phishing-resistant MFA, or a compliant device) at activation time, instead of relying on whatever MFA happened at the original sign-in.
Privileged Access Groups (PAG), now called PIM for Groups: PIM can manage eligible membership and ownership of security groups and Microsoft 365 groups, so a single activation delivers every role and resource access the group carries.
Azure AD Roles: PIM manages eligibility for built-in and custom Azure AD roles.
Azure Resource Roles: PIM manages just-in-time access to Azure resources (subscriptions, resource groups, etc.) using similar activation workflows.
Entitlement Management: PIM works with entitlement management for access packages that include role assignments.
Step-by-Step Activation Process (Detailed)
User navigates to 'My Roles' in the PIM portal.
They select the eligible role and click 'Activate'.
They provide a reason and optionally a ticket number.
If MFA is required, they are prompted to authenticate.
If approval is required, the request is sent to approvers. The user sees a pending status.
Approver receives an email with a link to approve/deny. They can also approve via the portal.
Once approved, the user's role is activated for the configured duration.
The user can now perform privileged actions.
After the duration expires, the role is deactivated automatically.
Audit and Monitoring
All PIM activities are recorded in:
- Azure AD audit logs: in the Microsoft Entra admin center under Identity Governance > Privileged Identity Management > Audit history (the role-centric view), and in the tenant-wide audit log (Identity > Monitoring & health > Audit logs), where PIM events carry the category 'RoleManagement' and the service 'PIM'.
- Azure Monitor: a diagnostic setting on the tenant can stream AuditLogs to a Log Analytics workspace for KQL queries, workbooks and alert rules.
- Microsoft Sentinel and Microsoft 365 Defender: the same audit stream can feed analytics rules, so unusual activations raise alerts instead of waiting for a manual log review.
Best Practices
Assign roles as eligible, not active.
Require MFA on activation for all privileged roles.
Set activation duration to the minimum necessary (e.g., 2-4 hours).
Enable approval workflows for highly privileged roles like Global Administrator.
Regularly review PIM audit logs for unusual activation patterns.
Use Privileged Access Groups to manage access to multiple roles at once.
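The audit-review practice above (and the Audit and Monitoring section) is easier to apply with a concrete script. The following is an added example, not code from the original page: it runs a few review rules over PIM events exported from the Azure AD audit log (category RoleManagement). The $events records are constructed for the example and use the activity names PIM writes (check them against your own export); the business-hours window, the high-privilege role list and the per-day threshold are assumptions to tune per tenant.

```powershell
# Added example: review PIM audit events for patterns worth a closer look.
$highPrivilegeRoles   = @("Global Administrator", "Privileged Role Administrator", "Security Administrator")
$businessHoursUtc     = 7..18   # assumption: 07:00-18:59 UTC counts as business hours
$maxActivationsPerDay = 3       # assumption: more than this per principal and role per day is unusual

# Constructed sample: the subset of AuditLogs fields the rules need. For approval events the actor is
# the approver and 'target' is the requester; for everything else 'target' is the affected principal.
$events = @(
  [pscustomobject]@{ time="2025-04-07T09:02:10Z"; activity="Add member to role requested (PIM activation)";        actor="alice@contoso.com"; target="alice@contoso.com"; role="Exchange Administrator" }
  [pscustomobject]@{ time="2025-04-07T09:02:11Z"; activity="Add member to role completed (PIM activation)";        actor="alice@contoso.com"; target="alice@contoso.com"; role="Exchange Administrator" }
  [pscustomobject]@{ time="2025-04-07T10:15:00Z"; activity="Add member to role requested (PIM activation)";        actor="bob@contoso.com";   target="bob@contoso.com";   role="Global Administrator" }
  [pscustomobject]@{ time="2025-04-07T10:20:30Z"; activity="Add member to role request approved (PIM activation)"; actor="carol@contoso.com"; target="bob@contoso.com";   role="Global Administrator" }
  [pscustomobject]@{ time="2025-04-07T10:20:31Z"; activity="Add member to role completed (PIM activation)";        actor="bob@contoso.com";   target="bob@contoso.com";   role="Global Administrator" }
  [pscustomobject]@{ time="2025-04-08T02:41:05Z"; activity="Add member to role completed (PIM activation)";        actor="dave@contoso.com";  target="dave@contoso.com";  role="Global Administrator" }
  [pscustomobject]@{ time="2025-04-08T11:00:00Z"; activity="Add member to role completed (PIM activation)";        actor="erin@contoso.com";  target="erin@contoso.com";  role="Security Administrator" }
  [pscustomobject]@{ time="2025-04-08T12:00:00Z"; activity="Add member to role completed (PIM activation)";        actor="erin@contoso.com";  target="erin@contoso.com";  role="Security Administrator" }
  [pscustomobject]@{ time="2025-04-08T13:00:00Z"; activity="Add member to role completed (PIM activation)";        actor="erin@contoso.com";  target="erin@contoso.com";  role="Security Administrator" }
  [pscustomobject]@{ time="2025-04-08T14:00:00Z"; activity="Add member to role completed (PIM activation)";        actor="erin@contoso.com";  target="erin@contoso.com";  role="Security Administrator" }
  [pscustomobject]@{ time="2025-04-08T14:30:00Z"; activity="Add member to role outside of PIM (permanent)";        actor="frank@contoso.com"; target="grace@contoso.com"; role="Global Administrator" }
)

function Find-PimAnomalies {
  param([object[]]$Events)
  $findings = @()
  # Parse timestamps once; DateTimeOffset honours the trailing Z, so .UtcDateTime is unambiguous.
  $ev = $Events | ForEach-Object {
    $_ | Add-Member -NotePropertyName utc -NotePropertyValue ([DateTimeOffset]::Parse($_.time).UtcDateTime) -PassThru -Force
  }
  $completed = $ev | Where-Object activity -eq "Add member to role completed (PIM activation)"
  $approvals = $ev | Where-Object activity -eq "Add member to role request approved (PIM activation)"

  foreach ($e in ($completed | Where-Object role -in $highPrivilegeRoles)) {
    # Rule 1: high-privilege activation outside business hours.
    if ($e.utc.Hour -notin $businessHoursUtc) {
      $findings += "OFF-HOURS   $($e.actor) activated $($e.role) at $($e.time)"
    }
    # Rule 2: high-privilege activation with no approval for that requester and role in the preceding
    # 24 hours (these roles are expected to have 'Require approval' switched on).
    $approved = $approvals | Where-Object {
      $_.target -eq $e.actor -and $_.role -eq $e.role -and $_.utc -le $e.utc -and $_.utc -gt $e.utc.AddHours(-24)
    }
    if (-not $approved) {
      $findings += "NO-APPROVAL $($e.actor) activated $($e.role) at $($e.time) with no approval record"
    }
  }
  # Rule 3: repeated activations by one principal for one role in one UTC day, i.e. re-arming the
  # timer to keep what is effectively standing access.
  $completed | Group-Object { "$($_.actor)|$($_.role)|$($_.utc.ToString('yyyy-MM-dd'))" } |
    Where-Object Count -gt $maxActivationsPerDay |
    ForEach-Object { $findings += "REPEATED    $($_.Name): $($_.Count) activations" }
  # Rule 4: permanent high-privilege assignments made outside PIM bypass JIT entirely.
  $ev | Where-Object { $_.activity -like "*outside of PIM (permanent)" -and $_.role -in $highPrivilegeRoles } |
    ForEach-Object { $findings += "PERMANENT   $($_.actor) granted $($_.target) $($_.role) outside PIM" }
  return $findings
}

Find-PimAnomalies -Events $events
```

To run the same rules at scale, point the script at a JSON export of the AuditLogs table filtered to Category == "RoleManagement", or translate each rule into a KQL analytics rule in Microsoft Sentinel; the event names and the 24-hour approval window are the only PIM-specific parts.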
Common Exam Traps
Trap 1: Confusing 'eligible' with 'active'. Eligible means the user can activate; active means they have the role permanently.
Trap 2: Thinking PIM only works for Azure AD roles. It also covers Azure resource roles (management groups, subscriptions, resource groups, resources) and group membership and ownership through PIM for Groups.
Trap 3: Believing that approval is mandatory. It is optional and must be enabled per role.
Trap 4: Assuming activation duration can be set to any value. For Azure AD roles, max is 24 hours; default is 8 hours.
Trap 5: Forgetting that users must register for MFA before they can activate roles that require MFA.
Configure PIM for Azure AD Roles
Navigate to Microsoft Entra admin center > Identity Governance > Privileged Identity Management > Microsoft Entra roles (labelled Azure AD roles in older portals) > Roles. Select a role (e.g., Global Administrator), open Settings and click Edit. Configure the activation maximum duration (default 8 hours), require MFA or a Conditional Access authentication context, require justification, require ticket information, and require approval with named approvers. These settings apply to every eligible assignment of that role and take effect immediately for new activation requests; they do not shorten activations that are already running.
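The same settings change, scripted. This is an added example (not code from the original page) that reads the role management policy behind one Azure AD role's PIM settings with the Microsoft Graph PowerShell SDK and then replaces the weak end-user activation rules with hardened ones: a 2-hour maximum instead of a 24-hour one, MFA plus justification plus ticketing instead of justification alone, and single-stage approval instead of none. It assumes the Microsoft.Graph module is installed, the caller can edit PIM settings (Privileged Role Administrator or Global Administrator), and $roleName and $approverId are placeholders.

```powershell
# Added example: harden the PIM role settings (role management policy) of one Azure AD role.
Connect-MgGraph -Scopes "RoleManagementPolicy.ReadWrite.Directory"

$roleName   = "Global Administrator"                  # role whose settings we are hardening
$approverId = "00000000-0000-0000-0000-000000000000"  # placeholder: object ID of the approver

# 1. Resolve the role definition and the policy assigned to it at directory scope ("/").
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
$policyAssignment = Get-MgPolicyRoleManagementPolicyAssignment `
  -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$($role.Id)'"
$policyId = $policyAssignment.PolicyId

# 2. Show the current end-user activation rules so the weak values are visible before changing them.
Get-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId |
  Where-Object Id -like "*_EndUser_Assignment" | Select-Object Id, AdditionalProperties | Format-List

# The three rules below all target what an end user must satisfy to activate ("EndUser", "Assignment").
$endUserTarget = @{ caller = "EndUser"; operations = @("All"); level = "Assignment"; inheritableSettings = @(); enforcedSettings = @() }

# 3a. Activation maximum duration: weak is maximumDuration = "PT24H"; hardened is 2 hours.
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
  -UnifiedRoleManagementPolicyRuleId "Expiration_EndUser_Assignment" -BodyParameter @{
    "@odata.type"        = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"
    id                   = "Expiration_EndUser_Assignment"
    isExpirationRequired = $true
    maximumDuration      = "PT2H"
    target               = $endUserTarget
  }

# 3b. Activation requirements: weak is enabledRules = @("Justification"); hardened adds MFA and a ticket.
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
  -UnifiedRoleManagementPolicyRuleId "Enablement_EndUser_Assignment" -BodyParameter @{
    "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule"
    id            = "Enablement_EndUser_Assignment"
    enabledRules  = @("MultiFactorAuthentication", "Justification", "Ticketing")
    target        = $endUserTarget
  }

# 3c. Approval: weak is isApprovalRequired = $false (the default); hardened requires one named approver.
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
  -UnifiedRoleManagementPolicyRuleId "Approval_EndUser_Assignment" -BodyParameter @{
    "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule"
    id            = "Approval_EndUser_Assignment"
    target        = $endUserTarget
    setting       = @{
      isApprovalRequired               = $true
      isApprovalRequiredForExtension   = $false
      isRequestorJustificationRequired = $true
      approvalMode                     = "SingleStage"
      approvalStages                   = @(@{
        approvalStageTimeOutInDays      = 1
        isApproverJustificationRequired = $true
        escalationTimeInMinutes         = 0
        isEscalationEnabled             = $false
        primaryApprovers                = @(@{ "@odata.type" = "#microsoft.graph.singleUser"; userId = $approverId })
        escalationApprovers             = @()
      })
    }
  }
```

Because settings are per role, wrap steps 1 to 3 in a loop over the role definitions you consider privileged to apply one baseline everywhere; re-run step 2 afterwards to verify that the rule values stored in the policy match what the portal displays.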
Assign an Eligible Role to a User
In PIM > Azure AD roles > Assignments > Add assignments. Select the role, choose a user or a role-assignable group, set assignment type to 'Eligible', and choose either 'Permanently eligible' or a start/end window (the role settings cap eligibility at 1 year by default and can disallow permanent eligibility altogether). The user then appears in the eligible assignments list and can activate the role when needed; nothing is granted until they do.
User Activates the Role
The user signs in to the Azure portal or Microsoft Entra admin center, navigates to PIM > My Roles > Azure AD roles, finds the eligible role, and clicks 'Activate'. They must provide a reason; if ticket info is required, they enter a ticket number. If MFA is required, they authenticate. If approval is required, the request is sent to approvers.
Approver Reviews and Approves
Approvers receive an email notification. They click the link to go to PIM > Approve requests, where they can review the user's justification and the role requested and click 'Approve' or 'Deny' (a justification for the decision can be required by the role settings). If nobody acts within 24 hours the request expires and the user must submit a new one.
Role Activation and Deactivation
Once approved, the user's role becomes active for the configured duration. The user can now perform privileged operations. When the duration expires, PIM automatically deactivates the role. The user can also manually deactivate early by going to My Roles and clicking 'Deactivate'. All events are logged in audit history.
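The activation-through-deactivation procedure above (and the step-by-step list earlier in the chapter) as a script. This is an added example, not code from the original page: it uses the Microsoft Graph PowerShell SDK to confirm eligibility, submit a self-activation for an Azure AD role, wait for approval and provisioning, show the resulting active assignment instance, and deactivate early once the work is done. It assumes the Microsoft.Graph module is installed and the signed-in user is eligible for $roleName; the ticket values are placeholders.

```powershell
# Added example: the end-user activation lifecycle for one Azure AD role via Microsoft Graph.
Connect-MgGraph -Scopes "RoleAssignmentSchedule.ReadWrite.Directory", "RoleEligibilitySchedule.Read.Directory", "User.Read"

$roleName = "Exchange Administrator"
$meId     = (Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/me").id
$role     = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"

# 1. Confirm an eligible assignment exists; PIM rejects selfActivate without one.
$eligible = Get-MgRoleManagementDirectoryRoleEligibilitySchedule `
  -Filter "principalId eq '$meId' and roleDefinitionId eq '$($role.Id)'"
if (-not $eligible) { throw "No eligible assignment for $roleName" }

# 2. Request activation for the time the task needs (2 h), not the role's maximum. Justification and
#    ticket information are included so the request passes a policy that requires either.
$request = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter @{
  action           = "selfActivate"
  principalId      = $meId
  roleDefinitionId = $role.Id
  directoryScopeId = "/"
  justification    = "INC-0001 (placeholder): remove a malicious mailbox forwarding rule"
  ticketInfo       = @{ ticketNumber = "INC-0001"; ticketSystem = "ServiceNow" }
  scheduleInfo     = @{
    startDateTime = (Get-Date).ToUniversalTime().ToString("o")
    expiration    = @{ type = "AfterDuration"; duration = "PT2H" }
  }
}

# 3. Poll the request until PIM finishes: PendingApproval means an approver has to act (the request
#    expires after 24 h); Provisioned means the role is live; Denied, Failed and Canceled are terminal.
$pending = @("PendingApproval", "PendingProvisioning", "PendingScheduleCreation")
do {
  Start-Sleep -Seconds 15
  $request = Get-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -UnifiedRoleAssignmentScheduleRequestId $request.Id
  Write-Host "Request $($request.Id): $($request.Status)"
} while ($request.Status -in $pending)
if ($request.Status -ne "Provisioned") { throw "Activation did not complete: $($request.Status)" }

# 4. The activation now appears as an active assignment instance (AssignmentType 'Activated') whose
#    EndDateTime is the start time plus 2 h.
Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance `
  -Filter "principalId eq '$meId' and roleDefinitionId eq '$($role.Id)'" |
  Select-Object AssignmentType, StartDateTime, EndDateTime

# ... privileged work happens here ...

# 5. Deactivate as soon as the task is done rather than leaving the rest of the window open.
New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter @{
  action           = "selfDeactivate"
  principalId      = $meId
  roleDefinitionId = $role.Id
  directoryScopeId = "/"
  justification    = "Task complete"
}
```

Step 5 is the part most runbooks leave out; a script that activates for an automated task should always end with the selfDeactivate request so that a failure halfway through does not leave the role active for the full window.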
Enterprise Scenario 1: Global Administrator Access for Incident Response
A large financial institution with 50,000 employees uses PIM to manage Global Administrator access. Only five senior engineers are eligible for the Global Admin role. When a critical security incident occurs, an engineer activates the role via PIM, providing a ticket number and reason. The activation requires approval from a second engineer and MFA. The role is active for 4 hours. This ensures that Global Admin privileges are never standing, reducing the risk of credential theft. In production, they set the activation maximum duration to 8 hours for major incidents and expect engineers to request 2 hours for routine tasks, since the requester chooses any duration up to the maximum. Because a pending request expires after 24 hours and the role settings offer no shorter timeout, they run an on-call approver rotation so requests are decided within the hour. They also stream PIM audit logs to Microsoft Sentinel for real-time alerting on unusual activation patterns.
Enterprise Scenario 2: Azure Resource Owner Just-in-Time Access
A global e-commerce company manages hundreds of Azure subscriptions. Developers need occasional Owner access to troubleshoot production issues. Using PIM for Azure resources, they assign developers as eligible Owners on specific resource groups. Activation requires MFA and approval from a DevOps lead. The activation maximum duration is set to 1 hour. This prevents developers from holding permanent Owner rights, which could lead to accidental misconfigurations. In production, they noticed that developers often forgot to deactivate, so they set the maximum to the minimum the tasks require rather than relying on manual deactivation. They also used Privileged Access Groups (PIM for Groups) so that one activation grants a bundle of roles across several resource groups. Timing: the PIM request completes within seconds once approved, but the resulting Azure RBAC assignment must propagate before the developer's tokens and ARM calls reflect it, which can take several minutes; scripts that activate and immediately deploy should retry rather than assume the permission is live.
Common Misconfigurations
Setting activation duration too long (e.g., 24 hours) defeats the purpose of JIT.
Not requiring MFA on activation for Global Admin roles.
Assigning roles as 'Active' instead of 'Eligible'.
Not reviewing audit logs regularly, missing unauthorized activation attempts.
Forgetting to configure approval for high-risk roles, allowing self-activation without oversight.
What MS-102 Tests on PIM
MS-102 objective 2.3 focuses on 'Manage privileged access with Privileged Identity Management'. Specific sub-objectives include:
Configure PIM settings for Azure AD roles and Azure resources.
Manage role assignments (eligible vs active).
Configure approval workflows and activation policies.
Monitor PIM usage via audit logs.
Implement Privileged Access Groups.
Common Wrong Answers and Why Candidates Choose Them
'PIM replaces Azure AD roles completely.' – Wrong. PIM manages access to Azure AD roles; it does not replace them.
'Activation duration can be set to 48 hours for Azure AD roles.' – Wrong. Maximum is 24 hours; default is 8.
'Approval is required by default for all roles.' – Wrong. Approval is optional and must be enabled per role.
'PIM only works for Azure AD roles, not Azure resources.' – Wrong. PIM supports both.
'Eligible assignments grant immediate access.' – Wrong. Eligible means the user must activate to gain access.
Specific Numbers, Values, and Terms That Appear on the Exam
Default activation duration: 8 hours.
Maximum activation duration: 24 hours (for both Azure AD and Azure resource roles).
Approval timeout: 24 hours (pending requests expire if no approver acts).
MFA requirement: Enabled by default for Azure AD roles.
Eligible vs Active: Know the difference.
Just-in-time (JIT) access: The core concept.
Privileged Access Groups: Used to manage multiple role assignments.
Edge Cases and Exceptions
A given eligible assignment can be activated once at a time. Eligible assignments to the same role at different scopes (for example two administrative units) are separate assignments and are activated separately.
PIM for Azure resources: to discover and onboard a management group or subscription in PIM, the administrator doing so needs Owner or User Access Administrator on it. An eligible user does not need any other permission on the resource; their eligible Azure resource roles appear under My roles.
Group-based assignments: If a role-assignable group is eligible for an Azure AD role, each member activates the role individually; there is no 'activate for the whole group'. With PIM for Groups the model is different: the user activates their membership in the group, and whatever the group holds (including active role assignments) follows for the activation window.
External guest users can be assigned eligible roles, but they must exist as a B2B guest user object in the tenant.
How to Eliminate Wrong Answers
If an answer says 'permanent' or 'standing' in a positive context, it's likely wrong because PIM is about JIT.
If an answer suggests that PIM works only for Azure AD or only for Azure resources, it's wrong because it supports both.
If an answer gives a duration outside 1-24 hours for Azure AD roles, it's wrong.
If an answer says approval is mandatory, it's wrong unless specifically stated in the question.
PIM provides just-in-time privileged access to Azure AD roles and Azure resources.
Default activation duration for Azure AD roles is 8 hours; maximum is 24 hours.
Eligible assignments require activation; active assignments are permanent.
MFA on activation is enabled by default for Azure AD roles.
Approval workflows are optional and must be configured per role.
All PIM activations are logged in Azure AD audit logs.
PIM supports both built-in and custom Azure AD roles.
Privileged Access Groups allow managing multiple role assignments via groups.
Users must register for MFA before they can activate roles that require MFA.
PIM is part of Microsoft Entra Identity Governance.
These come up on the exam all the time. Here's how to tell them apart.
Eligible Assignment (PIM)
User has no role permissions until activation.
Requires user to activate via PIM portal.
Supports just-in-time access with time limit.
Reduces risk of standing privileges.
Can require approval and MFA on activation.
Active Assignment (PIM)
User holds the role's permissions without activating (the assignment may be permanent or have an end date).
No activation needed; access is on for the whole assignment period.
No per-task time limit; access is standing until the assignment is removed or its end date passes.
Increases risk of credential theft abuse.
Cannot enforce approval or MFA at activation time.
Mistake
PIM eliminates the need for Azure AD roles.
Correct
PIM is an overlay that manages access to Azure AD roles; the roles themselves still exist and are required for authorization.
Mistake
Activation duration can be set to any value up to 48 hours.
Correct
Maximum activation duration for Azure AD roles is 24 hours; default is 8 hours.
Mistake
PIM requires approval for all role activations by default.
Correct
Approval is optional and must be explicitly enabled in the role settings. By default, no approval is required.
Mistake
Eligible assignment means the user has the role permanently but must activate to use it.
Correct
Eligible assignment means the user does not have the role at all until they activate it. They have zero permissions until activation.
Mistake
PIM only works for Azure AD roles, not for Azure resource roles.
Correct
PIM supports both Azure AD roles and Azure resource roles (subscriptions, resource groups, etc.).
An eligible assignment means the user does not have the role's permissions until they activate it via PIM. An active assignment grants the role permissions permanently without requiring activation. For security, privileged roles should use eligible assignments to enforce just-in-time access.
Yes, PIM supports Azure resource roles in addition to Azure AD roles. You can manage just-in-time access to Azure subscriptions, resource groups, and individual resources by assigning users as eligible for roles like Owner, Contributor, or custom roles.
No, approval is optional. You must explicitly enable the 'Require approval' setting in the role's PIM settings. By default, users can activate eligible roles without approval. Approval is recommended for highly privileged roles like Global Administrator.
The role is automatically deactivated, and the user loses the associated permissions. The activation cannot be extended automatically; the user must submit a new activation request if they need continued access. All events are logged.
Yes. Privileged Access Groups (PAG) allow you to grant a group eligibility for multiple roles. When a user activates the group, they get all the roles assigned to that group for the activation duration. This simplifies managing access for complex scenarios.
You can view PIM audit logs in the Azure portal under Microsoft Entra admin center > Identity Governance > Privileged Identity Management > Audit history. You can also stream these logs to Azure Monitor or integrate with Microsoft Sentinel for advanced security monitoring.
The maximum activation duration is 24 hours. The default is 8 hours. You can configure it per role between 1 and 24 hours. For Azure resource roles, the maximum is also 24 hours.