MS-900 | Chapter 63 of 104 | Objective 3.3

Privileged Identity Management (PIM) in M365

This chapter covers Privileged Identity Management (PIM) in Microsoft 365, a critical security feature for managing, controlling, and monitoring access to privileged roles. For the MS-900 exam, PIM is tested under objective 3.3 'Describe the identity and access management capabilities of Microsoft Entra ID,' and typically appears in 5-7% of questions. Understanding PIM's just-in-time access, approval workflows, and auditing is essential for demonstrating how organizations can reduce the risk of standing privileged access.

25 min read
Intermediate
Updated May 31, 2026

PIM: The Secure Key Locker Analogy

Privileged Identity Management (PIM) is like a high-security key locker in a corporate building. Normally, employees have their own desk keys (standard access). But when someone needs to enter the server room (a privileged role), they can't just keep the key in their pocket 24/7—that would be too risky if the key was lost or copied. Instead, they request the key from a secure locker. The locker requires manager approval (approval workflow) and only releases the key for a limited time (time-bound activation). Once the task is done, the key must be returned (automatic deactivation). The locker logs every access (audit trail). If someone tries to take a key without approval, the locker alarms (alerts). This mirrors how PIM works: users are not permanently assigned high-privilege roles; they can activate them temporarily when needed, with approval and justification, and the activation expires automatically. The key locker analogy captures the just-in-time access, approval, expiration, and auditing that PIM provides.

How It Actually Works

What is Privileged Identity Management (PIM)?

Privileged Identity Management (PIM) is a service in Microsoft Entra ID (formerly Azure AD) that enables you to manage, control, and monitor access to important resources in your organization. PIM provides just-in-time (JIT) privileged access to Microsoft Entra roles and Azure resource roles, ensuring that users only have elevated permissions when they actually need them, for a limited duration, and with approval if required.

Why PIM Exists

Historically, organizations assigned privileged roles (like Global Administrator) to users permanently. This created a security risk: if a privileged account was compromised, an attacker could maintain long-term access. PIM addresses this by:

Reducing the number of users with standing privileged access.

Requiring users to activate their role when needed.

Limiting activation to a specific time window.

Optionally requiring approval from another user.

Auditing all activations and assignments.

How PIM Works Internally

PIM operates on the distinction between eligible assignments and active assignments. An eligible assignment means the user is authorized to activate the role but holds none of its permissions until they activate it. An active assignment grants the role immediately and without activation, permanently or for a set period, like a traditional role assignment.

When a user activates an eligible role:

1. The user navigates to the PIM portal or uses the PIM API.

2. They select the role they want to activate.

3. They specify a duration (within the maximum allowed by the administrator).

4. They provide a justification (reason for activation).

5. If approval is required, a request is sent to approvers.

6. Once approved (or if no approval is required), the user's token is updated to include the role's permissions.

7. The activation is logged in the audit logs.

8. After the duration expires, the role is automatically deactivated (the user loses the permissions).

Key Components, Values, Defaults, and Timers

Eligible Assignment: User can activate the role when needed. No time limit on eligibility.

Active Assignment: User has the role permanently. Can be time-bound (start and end date) or permanent.

Activation Duration: Default maximum is 8 hours for Microsoft Entra roles. For Azure resources, default is 1 hour. Administrators can configure these maximums.

Approval Workflow: Can require one or two approvers. Approvers can be users or groups.

Justification: Required during activation.

Ticket Information: Optionally required (e.g., incident ticket number).

MFA: Required during activation by default.

Conditional Access: Can enforce additional policies during activation.

Audit History: All activations, assignments, and changes are recorded in the Microsoft Entra audit logs.

Configuration and Verification Commands

PIM is configured via the Microsoft Entra admin center or PowerShell. The cmdlets below come from the AzureADPreview module, which Microsoft has retired in favour of the Microsoft Graph PowerShell SDK; they still show the objects PIM works with (provider, resource, role definition, subject, schedule and request):

# Legacy AzureADPreview module (retired by Microsoft; Microsoft Graph PowerShell is the replacement)
Import-Module AzureADPreview
Connect-AzureAD

# Get a user's eligible Microsoft Entra role assignments (for aadRoles, ResourceId is the tenant ID; the user is selected with -Filter, there is no -SubjectId parameter)
Get-AzureADMSPrivilegedRoleAssignment -ProviderId "aadRoles" -ResourceId "<tenant-id>" -Filter "subjectId eq '<user-id>'" | Where-Object { $_.AssignmentState -eq "Eligible" }

# Activate a role: the cmdlet takes a schedule object rather than a -Duration string
$schedule = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedSchedule
$schedule.Type = "Once"
$schedule.StartDateTime = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ")
$schedule.EndDateTime = (Get-Date).AddHours(1).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ")
Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId "aadRoles" -ResourceId "<tenant-id>" -RoleDefinitionId "<role-id>" -SubjectId "<user-id>" -Type "UserAdd" -AssignmentState "Active" -Schedule $schedule -Reason "Emergency fix"

# Approve a pending request (the request ID is passed as -Id; approval is a decision on the existing request)
Set-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId "aadRoles" -Id "<request-id>" -Decision "AdminApproved" -Reason "Approved"

Interaction with Related Technologies

Microsoft Entra ID Governance: PIM is part of the Identity Governance suite. It integrates with Access Reviews to periodically review privileged role assignments.

Conditional Access: Can enforce MFA, device compliance, or location policies during activation.

Privileged Access Groups (PAG): PIM can manage eligibility for groups that have permissions to resources like Azure resources or SharePoint sites.

Microsoft 365 Defender: Alerts on suspicious activations (e.g., unusual location, off-hours).

API and SDKs: Programmatic activation for automation.

Types of Roles Managed by PIM

Microsoft Entra Roles: Over 100 built-in roles (e.g., Global Administrator, Exchange Administrator, Security Reader).

Azure Resource Roles: Owner, Contributor, Reader, and custom roles for Azure subscriptions, resource groups, and resources.

Privileged Access Groups: Groups that can be assigned to resources; PIM manages membership eligibility.

Security Considerations

PIM reduces standing access but does not eliminate all risks. Best practices include:

Require MFA for activation.

Set short activation durations (e.g., 4 hours or less).

Require approval for high-risk roles like Global Administrator.

Use access reviews to periodically remove unused eligible assignments.

Monitor audit logs for unusual activation patterns.
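One way to act on the last point, monitoring audit logs for unusual activation patterns, as an added example that is not part of this chapter or Microsoft's tooling: the Python script below scans a handful of constructed audit-log records (modelled on the shape of Microsoft Graph directoryAudit entries; the field names and the PIM activity strings are assumptions, so check them against your own tenant's export) and flags off-hours activations, Global Administrator activations with no approval recorded in the preceding hour, and bursts of activations by one user.

```python
"""Added example: flag unusual PIM activations in Entra audit-log records (not Microsoft's code)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed activity strings for PIM entries (verify against your tenant's export)
ACTIVATED = "Add member to role completed (PIM activation)"
APPROVED = "Add member to role request approved (PIM activation)"
HIGH_PRIVILEGE_ROLES = {"Global Administrator"}   # roles the page says should need approval
BUSINESS_HOURS = (8, 18)                           # UTC hours considered normal; adjust per tenant
APPROVAL_LOOKBACK = timedelta(hours=1)             # approval expected shortly before activation
BURST_THRESHOLD, BURST_WINDOW = 3, timedelta(hours=24)


def _parse(ts):
    """Graph timestamps are ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def _actor(rec):
    return rec.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "<unknown>")


def _target(rec, kind, key):
    """First targetResources entry of the given type, e.g. the Role or the User."""
    return next((t.get(key) for t in rec.get("targetResources", []) if t.get("type") == kind), None)


def find_unusual_activations(records):
    """Return (kind, user, role, timestamp) tuples for suspicious activation patterns."""
    approvals = defaultdict(list)          # (user, role) -> times an approver said yes
    for r in records:
        if r.get("activityDisplayName") == APPROVED and r.get("result") == "success":
            key = (_target(r, "User", "userPrincipalName"), _target(r, "Role", "displayName"))
            approvals[key].append(_parse(r["activityDateTime"]))

    findings, per_user = [], defaultdict(list)
    for r in records:
        if r.get("activityDisplayName") != ACTIVATED or r.get("result") != "success":
            continue
        when, user = _parse(r["activityDateTime"]), _actor(r)
        role = _target(r, "Role", "displayName")
        per_user[user].append(when)
        # Weekend or outside the business-hours window
        if when.weekday() >= 5 or not (BUSINESS_HOURS[0] <= when.hour < BUSINESS_HOURS[1]):
            findings.append(("off_hours", user, role, when))
        # High-privilege role activated with no approval event in the lookback window
        if role in HIGH_PRIVILEGE_ROLES and not any(
                when - APPROVAL_LOOKBACK <= t <= when for t in approvals[(user, role)]):
            findings.append(("no_approval_recorded", user, role, when))

    for user, times in per_user.items():   # many activations by one user in a short span
        times.sort()
        for i, first in enumerate(times):
            if sum(1 for t in times[i:] if t - first <= BURST_WINDOW) >= BURST_THRESHOLD:
                findings.append(("activation_burst", user, None, first))
                break
    return findings


def make_record(ts, activity, actor, role, target_user=None, result="success"):
    """Build a constructed record in the (assumed) Graph directoryAudit shape."""
    return {"activityDateTime": ts, "activityDisplayName": activity, "category": "RoleManagement",
            "loggedByService": "PIM", "result": result,
            "initiatedBy": {"user": {"userPrincipalName": actor}},
            "targetResources": [{"type": "Role", "displayName": role},
                                {"type": "User", "userPrincipalName": target_user or actor}]}


# Constructed sample: an approved activation in hours, an off-hours one, an unapproved
# Global Administrator activation, and a burst by one user (1 June 2026 is a Monday).
SAMPLE_RECORDS = [
    make_record("2026-06-01T09:00:00Z", APPROVED, "bob@contoso.example", "Global Administrator",
                "alice@contoso.example"),
    make_record("2026-06-01T09:05:00Z", ACTIVATED, "alice@contoso.example", "Global Administrator"),
    make_record("2026-06-01T23:30:00Z", ACTIVATED, "carol@contoso.example", "Exchange Administrator"),
    make_record("2026-06-02T10:00:00Z", ACTIVATED, "dave@contoso.example", "Global Administrator"),
    make_record("2026-06-01T10:00:00Z", ACTIVATED, "eve@contoso.example", "Security Reader"),
    make_record("2026-06-01T13:00:00Z", ACTIVATED, "eve@contoso.example", "Security Reader"),
    make_record("2026-06-01T16:00:00Z", ACTIVATED, "eve@contoso.example", "Security Reader"),
]

if __name__ == "__main__":
    for kind, user, role, when in find_unusual_activations(SAMPLE_RECORDS):
        print(f"{when:%Y-%m-%d %H:%M} {kind:22} {user} {role or ''}")
```

On the sample above the script reports carol's late-night activation, dave's unapproved Global Administrator activation and eve's three activations in one day; alice's activation is silent because an approval for her and that role was logged five minutes earlier. The thresholds and business-hours window are deliberately plain constants so they can be tuned to a tenant's real working pattern before the logic is used on exported logs.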

Licensing

PIM is included in:

Microsoft Entra ID P2

Microsoft 365 E5

Enterprise Mobility + Security E5

Without P2, you cannot use PIM (though you can view settings).

Walk-Through

1. Configure PIM settings

An administrator navigates to the Microsoft Entra admin center > Identity Governance > Privileged Identity Management > Microsoft Entra roles > Settings. For each role, they configure: activation maximum duration (default 8 hours), whether approval is required, approvers (up to 2), whether justification is required, and whether MFA is required. They can also enforce Conditional Access policies. These settings apply to all eligible assignments for that role.

2. Assign eligible role

The administrator selects a user and makes them eligible for a role. This is done via PIM > Roles > Add assignments. The administrator chooses the role, selects the user, sets the assignment type to 'Eligible', and optionally sets a start/end date (permanent if not set). The user does not gain any permissions at this point; they only have the ability to activate the role.

3. User activates role

The user signs into the Microsoft Entra admin center or uses My Security Info. They go to PIM > My roles > Activate. They select the role, specify a duration (within the maximum allowed), provide a justification, and optionally a ticket number. If MFA is required, they must authenticate. If approval is required, the request is submitted to approvers.

4. Approval process

Approvers receive an email notification or see pending requests in the PIM portal. They review the request, justification, and user details. They can approve or deny. If two approvers are configured, both must approve. Once approved, the user's token is updated, and the role becomes active. The entire process is logged.

5. Audit and deactivation

After the activation duration expires, the role is automatically deactivated. The user's token is refreshed, removing the elevated permissions. All activations, approvals, and deactivations are recorded in the Microsoft Entra audit logs under the 'Privileged Identity Management' and 'Directory Management' categories. Administrators can review these logs for compliance.
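To make the lifecycle concrete, here is an added example (a self-contained Python model written for this chapter, not Microsoft's code or API) that enforces the rules described under How PIM Works Internally, Key Components, and the five walk-through steps above: eligible versus active assignments, a maximum activation duration, mandatory justification and MFA, one or two distinct approvers, automatic expiry, and an audit trail of every event. The role names, users and timestamps are constructed.

```python
"""Added example: a small model of the PIM activation lifecycle (not Microsoft's code)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class RoleSettings:
    """Per-role settings an administrator configures (walk-through step 1)."""
    max_activation: timedelta = timedelta(hours=8)   # page default for Entra roles
    require_mfa: bool = True
    require_justification: bool = True
    require_ticket: bool = False
    approvers_required: int = 0                      # 0 (no approval), 1 or 2


@dataclass
class Activation:
    """One activation request and its state: pending -> active -> expired/deactivated."""
    user: str
    role: str
    start: datetime
    end: datetime
    justification: str
    ticket: Optional[str] = None
    approvals_needed: int = 0
    approved_by: Set[str] = field(default_factory=set)
    state: str = "pending"


class PimSimulator:
    def __init__(self, settings: Dict[str, RoleSettings]):
        self.settings = settings
        self.eligible: Set[Tuple[str, str]] = set()    # (user, role): may activate
        self.permanent: Set[Tuple[str, str]] = set()   # (user, role): standing access
        self.activations: List[Activation] = []
        self.audit: List[Tuple[datetime, str]] = []    # every event is recorded

    def _log(self, when: datetime, text: str) -> None:
        self.audit.append((when, text))

    def assign(self, user, role, when, eligible=True):
        """Walk-through step 2: an eligible assignment grants nothing until activated."""
        (self.eligible if eligible else self.permanent).add((user, role))
        self._log(when, f"assigned {role} to {user} as {'Eligible' if eligible else 'Active'}")

    def request_activation(self, user, role, now, duration, justification="",
                           mfa_passed=False, ticket=None):
        """Walk-through step 3: validate the request against the role's settings."""
        s = self.settings[role]
        if (user, role) not in self.eligible:
            raise PermissionError(f"{user} is not eligible for {role}")
        if duration > s.max_activation:
            raise ValueError(f"requested {duration} exceeds the maximum {s.max_activation}")
        if s.require_justification and not justification.strip():
            raise ValueError("justification is required")
        if s.require_ticket and not ticket:
            raise ValueError("ticket number is required")
        if s.require_mfa and not mfa_passed:
            raise PermissionError("MFA must be completed before activation")
        act = Activation(user, role, now, now + duration, justification, ticket,
                         approvals_needed=s.approvers_required)
        if s.approvers_required == 0:
            act.state = "active"                     # no approval step: active at once
        self.activations.append(act)
        self._log(now, f"{user} requested {role} for {duration} -> {act.state}: {justification}")
        return act

    def approve(self, act, approver, now):
        """Walk-through step 4: active once enough distinct approvers have agreed."""
        if act.state != "pending":
            raise ValueError("request is not pending")
        if approver == act.user:
            raise PermissionError("a requester cannot approve their own request")
        act.approved_by.add(approver)
        self._log(now, f"{approver} approved {act.user}'s request for {act.role}")
        if len(act.approved_by) >= act.approvals_needed:
            duration = act.end - act.start           # the clock starts at approval
            act.start, act.end, act.state = now, now + duration, "active"

    def deactivate(self, act, now):
        """A user may hand the role back early; expiry itself is automatic."""
        if act.state == "active":
            act.state = "deactivated"
            self._log(now, f"{act.user} deactivated {act.role} early")

    def has_role(self, user, role, now):
        """Walk-through step 5: effective permissions, with automatic expiry applied."""
        if (user, role) in self.permanent:
            return True
        for act in self.activations:
            if act.user == user and act.role == role and act.state == "active":
                if now >= act.end:
                    act.state = "expired"
                    self._log(now, f"{role} for {user} expired automatically")
                elif now >= act.start:
                    return True
        return False
```

A typical run makes a user eligible for Global Administrator with one approver required, submits a two-hour request with MFA and a justification, confirms the role is not effective until an approver other than the requester accepts it, and then checks has_role again after the window to watch the activation flip to expired. Requests over the maximum, without a justification, without MFA, or from a user who is not eligible are rejected before anything is recorded as active.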

What This Looks Like on the Job

In a large enterprise, PIM is deployed to manage access to critical roles like Global Administrator. For example, Contoso Ltd. has 5 IT staff who occasionally need to perform tenant-wide changes. Instead of giving them permanent Global Admin access, they are made eligible. When a change is needed, they activate the role for 2 hours with approval from the security team. This reduces the attack surface and ensures accountability.

Another scenario: A healthcare organization uses PIM for Azure resource roles. Data scientists need Contributor access to a specific resource group only during a project. They are made eligible for the role, and activation requires MFA and a ticket number from the project management system. This ensures access is traceable and temporary.

Common misconfigurations: Setting activation duration too long (e.g., 8 hours for all roles) defeats the purpose of JIT. Not requiring approval for highly privileged roles like Global Administrator. Forgetting to review and remove eligible assignments for users who no longer need them. These can lead to standing access if not monitored.
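The best practices listed under Security Considerations and the common misconfigurations just described can be checked mechanically. As an added example (not the chapter's or Microsoft's code), the Python function below evaluates one role's PIM settings, expressed in the rule shape used by Microsoft Graph role-management policies (the rule ids and property names are assumptions based on that API, as are the two sample policies), and reports an activation maximum above 4 hours, a missing MFA or justification requirement, and missing approval for Global Administrator.

```python
"""Added example: check a role's PIM settings against this page's best practices (not Microsoft's code)."""
import re
from datetime import timedelta

HIGH_PRIVILEGE_ROLES = {"Global Administrator"}   # roles the page says must require approval
RECOMMENDED_MAX = timedelta(hours=4)              # "4 hours or less" from Security Considerations


def parse_iso8601_duration(text):
    """Parse the ISO 8601 duration subset PIM uses, e.g. 'PT8H', 'PT30M', 'P1D'."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", text or "")
    if not m or text in ("P", "PT"):
        raise ValueError(f"unsupported duration: {text!r}")
    days, hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)


def _rule(rules, rule_id):
    return next((r for r in rules if r.get("id") == rule_id), None)


def check_role_policy(role_name, rules):
    """Return a list of findings; an empty list means the settings match the page's advice."""
    findings = []
    # Rule ids below follow the assumed Graph unifiedRoleManagementPolicy naming
    expiration = _rule(rules, "Expiration_EndUser_Assignment")
    if expiration is None or not expiration.get("isExpirationRequired", True):
        findings.append("activation has no enforced expiration")
    else:
        max_dur = parse_iso8601_duration(expiration.get("maximumDuration", "PT8H"))
        if max_dur > RECOMMENDED_MAX:
            findings.append(f"activation maximum {max_dur} exceeds the recommended {RECOMMENDED_MAX}")
    enablement = _rule(rules, "Enablement_EndUser_Assignment") or {}
    enabled = set(enablement.get("enabledRules", []))
    if "MultiFactorAuthentication" not in enabled:
        findings.append("MFA is not required on activation")
    if "Justification" not in enabled:
        findings.append("justification is not required on activation")
    if role_name in HIGH_PRIVILEGE_ROLES:
        approval = (_rule(rules, "Approval_EndUser_Assignment") or {}).get("setting", {})
        if not approval.get("isApprovalRequired"):
            findings.append(f"approval is not required for {role_name}")
        elif not any(stage.get("primaryApprovers") for stage in approval.get("approvalStages", [])):
            findings.append(f"approval is required for {role_name} but no approvers are configured")
    return findings


# Constructed sample policies in the (assumed) Graph rule shape: the page's 8-hour,
# no-approval misconfiguration beside a hardened version of the same role.
WEAK_GA_POLICY = [
    {"id": "Expiration_EndUser_Assignment", "isExpirationRequired": True, "maximumDuration": "PT8H"},
    {"id": "Enablement_EndUser_Assignment", "enabledRules": ["Justification"]},
    {"id": "Approval_EndUser_Assignment", "setting": {"isApprovalRequired": False, "approvalStages": []}},
]
HARDENED_GA_POLICY = [
    {"id": "Expiration_EndUser_Assignment", "isExpirationRequired": True, "maximumDuration": "PT2H"},
    {"id": "Enablement_EndUser_Assignment",
     "enabledRules": ["MultiFactorAuthentication", "Justification", "Ticketing"]},
    {"id": "Approval_EndUser_Assignment", "setting": {"isApprovalRequired": True, "approvalStages": [
        {"approvalStageTimeOutInDays": 1, "isApproverJustificationRequired": True,
         "primaryApprovers": [{"@odata.type": "#microsoft.graph.groupMembers",
                               "groupId": "<security-team-group-id>"}]}]}},
]

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_GA_POLICY), ("hardened", HARDENED_GA_POLICY)):
        print(name, check_role_policy("Global Administrator", policy) or ["ok"])
```

Run against the weak policy the checker returns three findings (duration, MFA, approval) and against the hardened one none; the same weak settings on Security Reader yield only two, because the approval check is reserved for the roles listed in HIGH_PRIVILEGE_ROLES. Extend that set with whichever roles your tenant treats as high-risk.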

Performance considerations: PIM is a control plane service; activation is near-instantaneous. However, token refresh may take a few minutes. In production, administrators should test activation times and ensure that token lifetime policies (default 1 hour for Azure AD tokens) don't interfere with activation duration.

When misconfigured, PIM can cause lockouts: if an administrator accidentally removes themselves from the Global Administrator role without having another eligible admin, they may lose access. Always maintain at least two break-glass accounts with permanent Global Admin access.

How MS-900 Actually Tests This

MS-900 objective 3.3 tests your understanding of PIM as part of Microsoft Entra ID governance. Key points:

1. What PIM does: Just-in-time privileged access, time-bound activation, approval workflows, and auditing.

2. Eligible vs. Active: Eligible means the user can activate; active means a permanent (or time-bound) assignment.

3. Default maximum activation duration: 8 hours for Microsoft Entra roles, 1 hour for Azure resources. This number appears verbatim on the exam.

4. Licensing requirement: Microsoft Entra ID P2 or Microsoft 365 E5.

5. Common wrong answer: 'PIM provides permanent privileged access.' Actually, PIM reduces permanent access by using eligible assignments.

6. Another trap: 'PIM is only for Azure resources.' It also manages Microsoft Entra roles and Privileged Access Groups.

7. Exam loves: The scenario where a user needs temporary elevated privileges, and the correct solution is to make them eligible for the role via PIM.

8. Edge case: If a user's activation is approved but they don't perform the task before expiration, they must reactivate. The exam may ask about automatic deactivation.

9. How to eliminate wrong answers: If the question mentions 'permanent' or 'standing access' in a positive light, it's wrong. PIM is about temporary, approved, audited access. Also, PIM is not the same as Privileged Access Workstations (PAW) or Azure AD roles assigned without PIM.

Remember: PIM is a feature of Microsoft Entra ID P2, not free. Exam questions may try to confuse with Azure AD Free or P1. Also, PIM is not the same as Azure AD Identity Protection (which is for risky sign-ins).

Key Takeaways

PIM provides just-in-time privileged access to Microsoft Entra roles and Azure resources.

Eligible assignments require activation; active assignments are permanent or time-bound.

Default maximum activation duration: 8 hours for Entra roles, 1 hour for Azure resources.

PIM requires Microsoft Entra ID P2 or Microsoft 365 E5 license.

Activation can require MFA, approval, and justification.

All activations are logged for auditing and compliance.

PIM is part of Microsoft Entra ID Governance, not Azure AD Identity Protection.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

PIM (Privileged Identity Management)

Just-in-time access: roles are activated only when needed.

Time-bound activation with configurable duration (default max 8h).

Requires justification and optional approval.

Audit logs for every activation and approval.

Reduces attack surface by eliminating standing privileges.

Traditional Permanent Role Assignment

Roles are assigned permanently (standing access).

No time limit; user has privileges until removed.

No requirement for justification or approval (unless custom).

Audit logs only show assignment, not activations.

Higher risk if account is compromised; attacker has long-term access.

Watch Out for These

Mistake: PIM permanently assigns privileged roles to users.

Correct: PIM primarily uses eligible assignments, meaning users must activate the role temporarily. Active (permanent) assignments are possible but not the primary use case. The goal is to reduce standing access.

Mistake: PIM is available in all Microsoft 365 licenses.

Correct: PIM requires Microsoft Entra ID P2 or Microsoft 365 E5. It is not included in Business Basic, Standard, or Premium, nor in Microsoft 365 E3 without the E5 upgrade.

Mistake: PIM only manages Azure resource roles.

Correct: PIM manages Microsoft Entra roles, Azure resource roles, and Privileged Access Groups. It is not limited to Azure resources.

Mistake: Once a role is activated, it stays active until the user deactivates it.

Correct: Roles automatically deactivate after the configured duration (default max 8 hours for Entra roles). Users do not need to manually deactivate, though they can if they finish early.

Mistake: PIM eliminates the need for MFA on privileged accounts.

Correct: PIM actually enforces MFA during activation by default. It adds an extra layer of security rather than removing it.


Frequently Asked Questions

What is the difference between eligible and active assignment in PIM?

An eligible assignment means the user is authorized to activate the role but does not have the permissions until they do so. An active assignment grants the role permanently (or for a defined period) without needing activation. The exam tests that eligible assignments reduce standing access; active assignments are similar to traditional role assignments.

What licenses are required for PIM?

PIM requires Microsoft Entra ID P2 or Microsoft 365 E5. It is not available in Azure AD Free or P1, nor in Microsoft 365 Business licenses. This is a common exam point.

Can PIM be used for groups?

Yes, PIM can manage eligibility for Privileged Access Groups (PAG). These groups can be assigned permissions to resources like Azure resources, SharePoint sites, or Microsoft Entra roles. PIM manages membership eligibility similar to roles.

Does PIM require MFA?

By default, PIM requires MFA during role activation. Administrators can disable this in settings, but it is strongly recommended. The exam may ask about MFA requirement as a security best practice.

What happens when a PIM activation expires?

The role is automatically deactivated. The user's token is refreshed, removing the elevated permissions. The user must reactivate if they need the role again. This is a key exam scenario.

Can I use PIM for on-premises Active Directory roles?

PIM is for cloud roles in Microsoft Entra ID and Azure resources. For on-premises AD, you would use Microsoft Identity Manager (MIM) or Privileged Access Management (PAM) for AD, not PIM. The exam may test this distinction.

How do I audit PIM activations?

All activations, approvals, and assignments are logged in the Microsoft Entra audit logs under 'Privileged Identity Management' and 'Directory Management' categories. You can view them in the Entra admin center or export using APIs.
