This chapter covers Privileged Access Management (PAM) in Microsoft 365, a critical security control for protecting high-privilege roles like Global Administrator. For the MS-102 exam, this topic appears in Domain 3 (Security Threats) under Objective 3.4, typically representing 5–8% of questions. You will learn how PAM works, its components (Privileged Access Groups, approval workflows, time-bound activation), and how to configure it using Microsoft Entra ID Governance. Mastering PAM is essential for reducing standing privileges and meeting compliance requirements.
Jump to a section
Imagine a medieval castle with a single outer gate and a separate inner keep that holds the crown jewels. Normally, the outer gate is guarded by a sentry who checks all visitors against a list. But the inner keep has its own guards who only allow entry if the sentry personally escorts the visitor—and even then, the keep guard checks the sentry’s credentials every time. If the sentry’s badge expires, they must re-authenticate before the keep guard opens the door. This is like Privileged Access Management: the outer gate is regular authentication, the inner keep is the privileged role (e.g., Global Admin). The keep guard is the PAM policy that requires just-in-time elevation, approval workflow, and time-bound access. The sentry’s badge is the user’s session; if they need to perform a privileged action, they must request elevation (knock on the keep door), get approval (the keep guard checks the list), and then enter only for a limited time (the timer resets daily). If the sentry tries to stay inside after the timer, the keep guard escorts them out. This mirrors how PAM in M365 uses Privileged Access Groups, approval policies, and eligibility timeouts to enforce ephemeral, auditable access.
What is Privileged Access Management (PAM) and Why It Exists
Privileged Access Management (PAM) in Microsoft 365 is a set of features within Microsoft Entra ID (formerly Azure AD) that provides just-in-time (JIT) privileged access, time-bound activation, and approval workflows for administrative roles. The primary goal is to eliminate standing privileged access—where users permanently hold high-privilege roles like Global Administrator—and replace it with ephemeral, auditable access that users must request and justify.
PAM addresses the principle of least privilege and reduces the attack surface from compromised privileged accounts. In Microsoft 365, PAM is implemented through Privileged Identity Management (PIM) and Privileged Access Groups (PAGs). PIM allows activation of Azure AD roles and Azure resource roles on demand, while PAGs extend JIT access to Microsoft 365 workloads like Exchange Online, SharePoint, and Security & Compliance Center. The MS-102 exam emphasizes PIM for Azure AD roles and the use of Privileged Access Groups for workload-specific elevation.
How PAM Works Internally
PAM relies on a multi-step activation process: 1. Eligibility Assignment: An administrator assigns a user as eligible for a privileged role (e.g., Global Administrator) via PIM. The user does not have active permissions until they activate. 2. Activation Request: The user initiates activation through the Microsoft Entra admin center, Microsoft 365 admin center, or via PowerShell/Graph API. They must provide a reason and duration (default max 8 hours, configurable). 3. Approval Workflow: If the role requires approval (configurable per role), the request goes to designated approvers. Approvers receive email notifications and can approve/deny via the admin center or email. 4. Time-Bound Activation: Once approved, the user’s role is activated for the requested duration. The activation is tied to the user’s session; if the session ends, the activation may be extended or must be re-requested. 5. Audit Logging: Every activation, approval, and usage is logged in the Azure AD audit logs and Microsoft 365 unified audit log.
Key Components, Values, Defaults, and Timers
Privileged Identity Management (PIM): The core service for managing Azure AD roles and Azure resource roles. Default maximum activation duration for Azure AD roles is 8 hours. This can be changed per role via PIM settings.
Privileged Access Groups (PAGs): A feature that allows assigning users as eligible members or owners of a group, which then grants privileged access to connected applications like Exchange admin center, SharePoint admin center, or Security & Compliance. The group must be marked as a Privileged Access Group (formerly Privileged Access Management in Exchange).
Approval Required: By default, no approval is required for activating Azure AD roles in PIM. Administrators must configure approval per role. For PAGs, approval can be enabled via PIM settings.
Justification: Users must provide a reason for activation. This is mandatory and logged.
Expiration: After activation duration expires, the role is automatically deactivated. Users can also deactivate manually.
MFA Requirement: Microsoft recommends requiring Azure AD Multi-Factor Authentication (MFA) at activation. This is configured in PIM role settings.
Notification: Approvers receive email notifications. Users receive confirmation upon activation.
Configuration and Verification Commands
To configure PIM for Azure AD roles:
# Connect to Microsoft Graph
Connect-MgGraph -Scopes "PrivilegedAccess.ReadWrite.AzureAD", "RoleManagement.ReadWrite.Directory"
# Get Azure AD role definitions
Get-MgRoleManagementDirectoryRoleDefinition | Select Id, DisplayName
# Assign user as eligible for Global Administrator
$roleId = (Get-MgRoleManagementDirectoryRoleDefinition -Filter "DisplayName eq 'Global Administrator'").Id
$userId = (Get-MgUser -Filter "UserPrincipalName eq 'user@domain.com'").Id
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -Action "AdminAssign" -PrincipalId $userId -RoleDefinitionId $roleId -DirectoryScopeId "/" -ScheduleInfo @{ StartDateTime = (Get-Date).ToUniversalTime(); Expiration = @{ Type = "NoExpiration" } }To configure PIM settings for a role (e.g., set max activation duration to 4 hours):
$settings = Get-MgRoleManagementDirectoryRoleSetting -UnifiedRoleManagementPolicyId "RoleManagementPolicy_<roleId>"
$settings.Rules | Where-Object {$_.Id -eq "Expiration_EndUser_Activation"} | Set-MgRoleManagementDirectoryRoleSetting -AdditionalProperties @{ "setting" = @{ "value" = "PT4H" } }To activate a role via PowerShell:
$activation = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -Action "SelfActivate" -PrincipalId $userId -RoleDefinitionId $roleId -DirectoryScopeId "/" -Justification "Need for incident response" -ScheduleInfo @{ StartDateTime = (Get-Date).ToUniversalTime(); Expiration = @{ Type = "AfterDuration"; Duration = "PT2H" } }For Privileged Access Groups:
# Create a group and mark as Privileged Access Group
New-MgGroup -DisplayName "Exchange Admins" -MailEnabled:$false -SecurityEnabled -MailNickname "ExchangeAdmins" -GroupTypes @()
$groupId = (Get-MgGroup -Filter "DisplayName eq 'Exchange Admins'").Id
# Assign user as eligible member
New-MgGroupMember -GroupId $groupId -DirectoryObjectId $userId
# Enable PIM for the group (requires Azure AD Premium P2)
# This is done via the Microsoft Entra admin center under Identity Governance > Privileged Access GroupsInteraction with Related Technologies
PAM integrates with: - Microsoft Entra ID Governance: Provides access reviews, entitlement management, and PIM. PIM is a core component. - Conditional Access: Can require MFA or compliant device during activation via PIM settings. - Microsoft 365 Defender: Alerts on suspicious privileged activations. - Azure Monitor: Audit logs can be streamed to Log Analytics for advanced querying. - Microsoft Purview Compliance Portal: PAM activations are logged in the unified audit log for eDiscovery and compliance.
PAM does not replace Azure AD roles like Global Administrator; it restricts their use. For workloads like Exchange Online, PAM uses Privileged Access Groups (PAGs), which are separate from Azure AD roles. The MS-102 exam tests the distinction: PIM for Azure AD roles, PAGs for workload-specific admin centers.
Trap Patterns on the Exam
Confusing PIM with PAGs: PIM is for Azure AD roles; PAGs are for workload admin centers. The exam may describe a scenario requiring Exchange admin access and ask whether to use PIM or PAGs. The correct answer is PAGs.
Default Settings: The default max activation duration is 8 hours, not 24. Many candidates assume 24 hours because that is common in other systems.
Approval Requirement: Approval is NOT enabled by default for Azure AD roles. Candidates often think it is required; it must be manually configured.
Eligible vs Active: A user can be eligible for a role without having active permissions. The exam tests that activation is required to gain permissions.
Licensing: PIM requires Azure AD Premium P2 licenses. Privileged Access Groups also require Azure AD Premium P2. The exam may include licensing questions.
Assign Eligible Role Membership
An administrator with Privileged Role Administrator or Global Administrator assigns a user as eligible for a privileged role via PIM. This is done in the Microsoft Entra admin center under Identity Governance > Privileged Identity Management > Azure AD roles > Assignments. The assignment can be permanent (no expiration) or time-bound (start and end date). At the protocol level, the assignment creates a roleEligibilityScheduleRequest in Microsoft Graph, which is stored in the directory. The user does not receive any active role assignments; they only have the ability to activate. The assignment is visible in the user's My Access portal. Audit logs record the assignment with details like assignor, assignee, role, and scope.
User Activates Role with Justification
When the user needs to perform privileged actions, they navigate to the My Access portal (https://myaccess.microsoft.com) or use PowerShell to activate the role. They must provide a justification (e.g., ticket number) and select an activation duration (up to the configured maximum). The activation request is sent as a roleAssignmentScheduleRequest with action 'SelfActivate'. The system checks if the user is eligible, if the role is within activation hours (if configured), and if MFA is required. If MFA is required, the user must complete MFA challenge. The request is then queued for approval if required. The entire process is logged with a correlation ID.
Approval Workflow (If Enabled)
If the role requires approval, the request is sent to all designated approvers (users or groups). Approvers receive an email with a link to approve or deny. They can also act via the Microsoft Entra admin center. The approval decision is stored as an approval object in Microsoft Graph. If multiple approvers are configured, any one can approve or deny (unless policy requires all). The request expires after a configurable period (default 24 hours). If approved, the activation proceeds; if denied, the user is notified. The approval action is logged with timestamp and identity of the approver.
Time-Bound Activation Granted
Upon approval (or if no approval required), the user's role is activated for the requested duration. The system creates a roleAssignmentSchedule object with start time and end time (start + duration). The user now has active permissions for that role. The activation is session-based: if the user logs out, the activation remains active until the timer expires. The user can deactivate manually. During the activation period, any audit events (e.g., directory reads, configuration changes) are attributed to the user with the activated role. The activation is visible in the user's active assignments list.
Automatic Deactivation and Audit
When the activation duration expires, the system automatically removes the active role assignment. This is done by deleting the roleAssignmentSchedule object. The user loses privileged access. If they need access again, they must re-activate. All steps—eligibility assignment, activation request, approval, activation, deactivation—are logged in Azure AD audit logs (under Directory Management) and the Microsoft 365 unified audit log (under RoleManagement). These logs can be exported, streamed to SIEM, or used for access reviews. The deactivation is also logged. The system ensures no permanent elevation of privilege for time-bound assignments.
Enterprise Scenario 1: Contoso Financial Services
Contoso, a financial services company with 5,000 employees, needed to comply with SOX and PCI DSS requirements that administrative access be temporary and approved. They had 12 Global Administrators with permanent access, which auditors flagged as a high risk. Contoso implemented PIM for all Azure AD roles, requiring approval for Global Administrator activation. They configured a maximum activation duration of 4 hours and required MFA at activation. They also set up access reviews quarterly to remove users who no longer needed eligibility. The result: standing Global Administrators dropped to zero, and all privileged actions were traceable to specific activation requests. The main challenge was user training—administrators initially forgot to activate and complained about friction. Contoso mitigated this by creating a custom activation portal and sending reminders. Performance was not an issue; PIM is a control plane service with negligible latency.
Enterprise Scenario 2: Fabrikam Healthcare
Fabrikam, a healthcare provider, needed to grant temporary admin access to Exchange Online for mailbox migrations without giving permanent Global Admin rights. They used Privileged Access Groups (PAGs) by creating an 'Exchange Migrations' group and assigning it as a Privileged Access Group with PIM. Users were made eligible members. When they needed to perform migration tasks, they activated the group membership via PIM, which gave them the Exchange Administrator role (via the group's assigned Azure AD role). The activation required approval from a senior admin and was limited to 2 hours. This allowed Fabrikam to comply with HIPAA audit requirements. A common misconfiguration was forgetting to assign the group an Azure AD role—the group itself grants no permissions until a role is assigned. Fabrikam learned to verify that the group had the 'Exchange Administrator' role assigned via Azure AD. They also set up alerting for activations outside business hours using Microsoft Sentinel.
Scenario 3: Tailwind Traders – Misconfiguration Pitfall
Tailwind Traders attempted to use PAM but misconfigured the approval workflow by not adding approvers. As a result, activation requests were never approved, and administrators were locked out. They also set the max activation duration to 0 hours, which caused activations to fail. The fix was to configure at least one approver and ensure the duration was between 1 and 8 hours. Tailwind also learned that PAM does not protect against lateral movement if a privileged user's session is hijacked—they needed to combine PAM with Conditional Access policies for device compliance and session risk. This scenario is common: administrators assume PAM alone prevents all privileged attacks, but it only controls elevation, not session security.
MS-102 Exam Focus on PAM
The MS-102 exam tests Privileged Access Management primarily under Objective 3.4: 'Implement and manage privileged access for Microsoft 365 workloads.' The specific skills measured include:
Configure and manage Privileged Identity Management (PIM) for Azure AD roles
Configure and manage Privileged Access Groups (PAGs) for Microsoft 365 workloads
Configure approval workflows and activation settings
Interpret audit logs for privileged activations
Common Wrong Answers and Why Candidates Choose Them
'PIM requires approval by default' – Candidates see 'approval' in study materials and assume it is default. Reality: Approval is optional and must be manually enabled per role. The exam may show a scenario where a user activates a role without approval, which is possible if approval is not configured.
'Privileged Access Groups provide the same permissions as Azure AD roles' – Candidates think PAGs are just another way to assign Azure AD roles. Reality: PAGs grant access to specific workload admin centers (e.g., Exchange admin center) but do not directly grant Azure AD roles unless the group is assigned a role. The exam tests that PAGs are for workload-specific access, not for Azure AD role management.
'Activation duration can be set to unlimited' – Candidates assume you can set activation to 'permanent' like eligibility assignments. Reality: The maximum activation duration is configurable up to 8 hours (default). You cannot set it to unlimited; the role must be activated for a finite time.
'PAM replaces the need for Global Administrator role' – Candidates think PAM makes the role obsolete. Reality: PAM controls how the role is used; the role still exists and must be assigned to users (as eligible). The exam may ask what happens if no user is eligible for Global Admin: no one can activate it, but the role remains.
Specific Numbers and Terms on the Exam
Default maximum activation duration: 8 hours
Default approval expiry: 24 hours (time for approver to respond)
Licensing: Azure AD Premium P2 required for PIM and PAGs
Activation justification: mandatory
MFA at activation: recommended, not required by default
Privileged Access Groups: previously called Privileged Access Management in Exchange Online
Edge Cases and Exceptions
Emergency Access: Break-glass accounts (e.g., .onmicrosoft.com accounts) should be permanently assigned Global Admin, not eligible, to ensure access during outages. The exam may test that PIM should not be used for break-glass accounts.
Service Principals: PIM can also manage roles for service principals, but the exam focuses on user roles.
Multiple Approvers: If multiple approvers are configured, any one can approve unless 'require all' is set. The exam may test the default behavior (any one).
How to Eliminate Wrong Answers
If a question mentions 'Exchange admin center' or 'SharePoint admin center', the answer likely involves Privileged Access Groups, not PIM for Azure AD roles.
If a question asks about 'permanent activation', eliminate any option that says 'set activation duration to unlimited' because it's not possible.
If a question describes a scenario where a user needs access 'immediately' and there is no approval workflow, the answer is that approval must be disabled or the user must be made active (not eligible).
Use the underlying mechanism: PIM is about time-bound activation; PAGs are about workload-specific elevation. Match the scenario to the correct component.
PIM provides just-in-time access to Azure AD roles with time-bound activation (max default 8 hours).
Privileged Access Groups enable JIT access to workload admin centers by activating group membership.
Approval workflows are optional and must be manually enabled per role or group.
All activations are logged in Azure AD audit logs and Microsoft 365 unified audit log.
Break-glass accounts should be permanently assigned Global Admin, not managed by PIM.
PIM requires Azure AD Premium P2 licenses for all users who will activate roles.
Activation justification is mandatory; users must provide a reason.
MFA at activation is recommended but not enforced by default.
These come up on the exam all the time. Here's how to tell them apart.
Privileged Identity Management (PIM)
Manages Azure AD roles (e.g., Global Admin, User Admin)
Activation provides permissions across Azure AD and Microsoft 365 services
Configured via PIM blade in Microsoft Entra admin center
Supports approval workflows, MFA, and justification
Requires Azure AD Premium P2 license
Privileged Access Groups (PAGs)
Manages access to workload-specific admin centers (e.g., Exchange, SharePoint)
Activation grants membership in a group that is assigned an Azure AD role
Configured via Privileged Access Groups in Microsoft Entra admin center
Supports approval workflows, MFA, and justification (via PIM)
Requires Azure AD Premium P2 license
Mistake
PIM requires approval for all role activations by default.
Correct
Approval is optional and must be explicitly enabled per role in PIM settings. By default, users can activate eligible roles without approval.
Mistake
Privileged Access Groups grant the same permissions as assigning an Azure AD role directly.
Correct
PAGs are groups that can be assigned Azure AD roles, but they do not inherently grant any permissions. The group must be assigned a role (e.g., Exchange Administrator) to provide access.
Mistake
Activation duration can be set to permanent (no expiration).
Correct
The maximum activation duration is configurable up to 8 hours. Activations cannot be permanent; they must have a finite duration.
Mistake
PAM eliminates the need for the Global Administrator role.
Correct
PAM controls how the role is used, but the Global Administrator role still exists and must be assigned to at least one user (e.g., break-glass account). PAM makes the role activatable on demand.
Mistake
PIM only works for Azure AD roles, not for Microsoft 365 workloads.
Correct
PIM manages Azure AD roles, which include roles like Exchange Administrator and SharePoint Administrator. However, for workload-specific admin centers, Privileged Access Groups (PAGs) are used, which also rely on PIM for activation.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
PIM (Privileged Identity Management) is used to manage Azure AD roles directly, allowing users to activate roles like Global Administrator on a time-bound basis. Privileged Access Groups (PAGs) are groups that, when activated via PIM, grant membership in a group that is assigned an Azure AD role, providing access to specific workload admin centers (e.g., Exchange admin center). In short, PIM is for Azure AD roles, PAGs are for workload-specific admin access.
The default maximum activation duration is 8 hours. This can be changed per role in the PIM settings, but the maximum allowed value is 8 hours. Administrators can set a lower value (e.g., 4 hours) to enforce stricter time limits.
No, approval is not required by default. Administrators must enable approval per role in the PIM settings. If approval is not configured, users can activate eligible roles without any approval step.
No, PIM alone cannot grant access to the Exchange admin center. You need to use Privileged Access Groups (PAGs). Create a group, assign it the Exchange Administrator role, and then configure the group as a Privileged Access Group. Users can then activate membership via PIM to gain access.
Both PIM and Privileged Access Groups require Azure AD Premium P2 licenses for each user who will be eligible to activate roles or group memberships. Additionally, the organization must have Azure AD Premium P2 for the tenant.
Privileged activations are logged in two places: Azure AD audit logs (under Directory Management > Audit logs) and the Microsoft 365 unified audit log (under RoleManagement). You can search for activity like 'Activate role' or 'Approve role activation'. These logs can be exported or streamed to SIEM tools.
When the activation duration expires, the role is automatically deactivated. The user loses privileged access immediately. Any ongoing operations that require the role may fail. The user must re-activate to continue. This ensures time-bound access.
You've just covered Privileged Access Management in M365 — now see how well it sticks with free MS-102 practice questions. Full explanations included, no account needed.
Done with this chapter?