SC-900 | Chapter 22 of 103 | Objective 2.2

Privileged Identity Management (PIM)

This chapter covers Privileged Identity Management (PIM) in Microsoft Entra ID, a critical feature for managing, controlling, and monitoring access to privileged roles. PIM is a core component of the Identity Access domain (Objective 2.2) on the SC-900 exam, and questions about it appear in approximately 10-15% of exam forms. You will learn what PIM is, how it works, its key settings and defaults, and how it differs from other Identity Governance tools. Mastery of this topic is essential for understanding Microsoft's approach to zero standing access and just-in-time privileged access.

25 min read | Intermediate | Updated May 31, 2026

PIM as a Just-In-Time Vault

Imagine a high-security bank vault that normally has no one inside. Employees don't have personal keys to the vault. Instead, when a trusted employee needs to access the vault for a specific task, they request temporary access via a security console. The request triggers an approval workflow: a manager must approve, and the system logs the exact time and reason. Once approved, the employee receives a one-time digital key that works only for a limited window (say, 1 hour). After the task is done, the key expires automatically. The employee cannot access the vault again without a new request. This is exactly how Privileged Identity Management (PIM) works: privileged roles are not permanently assigned; they are activated just-in-time for a specific duration, with approval and auditing. The vault is your Azure AD directory, and the digital key is a time-bound role assignment. No standing privileges means no standing risk.

How It Actually Works

What is Privileged Identity Management (PIM)?

Privileged Identity Management (PIM) is a service in Microsoft Entra ID (formerly Azure AD) that enables you to manage, control, and monitor access to important resources in your organization. These resources include roles in Microsoft Entra ID, Azure resources, and other Microsoft Online Services like Exchange Online, SharePoint Online, and Microsoft 365. PIM reduces the risk of malicious or accidental misuse of privileged access by providing just-in-time (JIT) privileged access, time-bound role assignments, approval workflows, and detailed audit trails.

PIM addresses the fundamental security problem of standing privileges: when users have permanent, always-on access to high-privilege roles (like Global Administrator), any compromise of that user's credentials gives an attacker immediate full control. PIM eliminates standing privileges by requiring users to activate their role assignments on demand, for a limited time, and often with approval.

How PIM Works Internally

PIM operates on top of Microsoft Entra ID's role-based access control (RBAC) model. When you configure PIM for a role, you are not assigning the role directly; instead, you are creating an eligible assignment. An eligible assignment means the user can activate that role when needed, but they do not have the role's permissions until they activate it. Activation is a multi-step process:

1. Eligible Assignment Creation: An administrator makes a user eligible for a role via the Entra admin center, Microsoft Graph API, or PowerShell. This assignment can be permanent (no expiration) or time-bound (with a start and end date).

2. Activation Request: The user initiates an activation request from the PIM portal, Microsoft Entra admin center, or via the My Security portal. The request includes a reason for activation and optionally a ticket number.

3. Approval (if required): If the role requires approval, the request is sent to designated approvers. Approvers can review the request, approve or deny it, and optionally add a comment. The request times out if not approved within a configurable period (default 24 hours).

4. Activation: Once approved (or if no approval is required), the system creates a temporary active assignment for the user. This active assignment has a start time (immediately) and an end time equal to the activation duration (default 1 hour, configurable up to 8 hours). During this window, the user has full permissions of the role.

5. Automatic Deactivation: After the activation duration expires, the active assignment is automatically removed. The user reverts to being eligible only. No manual action is needed.

6. Audit: All actions (assignment creation, activation requests, approvals, denials, and deactivations) are logged in the PIM audit history and Azure AD audit logs.

Key Components, Values, Defaults, and Timers

Eligible Assignment: A role assignment that does not grant active permissions until activated. Can be permanent or time-bound (with start/end dates).

Active Assignment: A role assignment that grants permissions immediately and permanently (or until end date). PIM can also create active assignments for emergency access (break-glass accounts).

Activation Duration: The maximum time a user can keep the role active after activation. Default: 1 hour. Configurable per role from 0.5 to 8 hours (or up to 24 hours for Azure resource roles).

Maximum Activation Duration: For Azure AD roles, maximum 8 hours; for Azure resource roles, maximum 24 hours.

Approval Required: Configured per role. If enabled, activation requests must be approved by at least one of the designated approvers before the role becomes active. Default: disabled for most roles.

Approver Timeout: If no approver responds within this time, the request expires. Default: 24 hours.

Require Justification: When enabled, users must provide a reason for activation. Default: enabled.

Require Ticket Information: Optionally, users must provide a support ticket number. Default: disabled.

Require Azure AD Multi-Factor Authentication (MFA): When enabled, users must complete MFA before activating a role. Default: enabled for highly privileged roles (e.g., Global Administrator, Privileged Role Administrator).

Require Conditional Access: PIM can integrate with Conditional Access policies to enforce additional controls like device compliance or location.

Notification: Approvers receive email notifications when a request is pending. Users receive notifications when their request is approved or denied.

Privileged Role Administrator: The role that can manage PIM settings. This role can configure role settings, approve requests, and view audit logs.

Security Administrator: Can view PIM audit logs but cannot manage settings.

Configuration and Verification

PIM is configured per role in the Microsoft Entra admin center under Identity Governance > Privileged Identity Management > Azure AD roles (or Azure resources). For each role, you can set:

Role settings: activation duration, approval requirements, MFA, justification, ticket info.

Assignments: eligible or active, permanent or time-bound.

Example PowerShell commands (using the AzureADPreview module; Microsoft has since deprecated this module in favour of the Microsoft Graph PowerShell SDK, so treat these as an illustration of the operations rather than as current tooling):

# Connect to Azure AD
Connect-AzureAD

# Get the PIM settings for a role. Role settings have their own ID, so look them up by
# tenant (the ResourceId for the aadRoles provider) and role template ID
$tenantId = (Get-AzureADTenantDetail).ObjectId
$setting = Get-AzureADMSPrivilegedRoleSetting -ProviderId "aadRoles" -Filter "ResourceId eq '$tenantId' and RoleDefinitionId eq '<role-template-id>'"

# Set the activation duration to 2 hours. The expiration rule is a rule-setting object
# whose JSON payload expresses the maximum grant period in minutes
$rule = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedRuleSetting
$rule.RuleIdentifier = "ExpirationRule"
$rule.Setting = '{"permanentAssignment":false,"maximumGrantPeriodInMinutes":120}'
Set-AzureADMSPrivilegedRoleSetting -ProviderId "aadRoles" -Id $setting.Id -ResourceId $tenantId -RoleDefinitionId "<role-template-id>" -UserMemberSettings $rule

# Get eligible assignments for a user
Get-AzureADMSPrivilegedRoleAssignment -ProviderId "aadRoles" -Filter "resourceId eq '$tenantId' and subjectId eq '<user-object-id>' and assignmentState eq 'Eligible'"

# Activate a role for one hour. The schedule is a schedule object (type "Once"), not a hashtable,
# and its timestamps are UTC strings
$schedule = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedSchedule
$schedule.Type = "Once"
$schedule.StartDateTime = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ")
$schedule.EndDateTime = (Get-Date).AddHours(1).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ")
Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId "aadRoles" -ResourceId $tenantId -RoleDefinitionId "<role-template-id>" -SubjectId "<user-object-id>" -Type "UserAdd" -AssignmentState "Active" -Schedule $schedule -Reason "Need for incident response"

Interaction with Related Technologies

Azure AD Identity Protection: PIM can require MFA or Conditional Access, which may integrate with Identity Protection risk policies.

Azure AD Access Reviews: PIM assignments (eligible or active) can be reviewed periodically to ensure they are still needed.

Azure AD Privileged Access Groups: PIM can manage eligibility for Azure AD roles that are assigned via groups (since 2021).

Microsoft 365 Defender: PIM audit logs feed into Microsoft 365 Defender for advanced threat detection.

Entra ID Governance: PIM is a core component of Identity Governance, alongside access reviews, entitlement management, and lifecycle workflows.

PIM does NOT replace Azure RBAC for Azure resources; rather, it adds JIT activation on top of existing RBAC assignments. For Azure resource roles, PIM uses the same RBAC model but adds time-bound activation.

Walk-Through

1. Create Eligible Assignment

An administrator assigns a user as eligible for a privileged role (e.g., Global Administrator) via the Entra admin center, Graph API, or PowerShell. This assignment can be permanent (no expiration) or time-bound (e.g., valid for 30 days). The assignment is stored in Azure AD as an eligible assignment, meaning the user does not yet have any permissions from that role. The system records the assignment in audit logs.

2. User Requests Activation

When the user needs to perform a privileged task, they navigate to the PIM portal (e.g., https://aka.ms/mysecurity) and select 'Activate' for the eligible role. They must provide a justification (e.g., 'Need to reset a user password for support ticket #12345'). If configured, they also provide a ticket number. The system checks if MFA is required; if so, the user must complete MFA before the request is submitted.

3. Approval Workflow

If the role requires approval, the request enters a pending state. Designated approvers receive an email notification with a link to approve or deny. Approvers can view the justification, ticket info, and the user's history. If no approver responds within the timeout period (default 24 hours), the request expires automatically. The user can cancel the request at any time.

4. Activation and Time-Bound Access

Once approved (or if no approval is required), the system creates a temporary active assignment. The activation duration starts from the moment of approval. During this period, the user has full permissions of the role. The system logs the activation event, including start time, end time, and reason. The user can deactivate early if desired.

5. Automatic Deactivation

When the activation duration expires, the system automatically removes the active assignment. The user reverts to eligible status. No manual action is needed. All activation and deactivation events are recorded in the PIM audit history and Azure AD audit logs, providing a complete trail of privileged access.
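The six internal steps under "How PIM Works Internally" and the five-step walk-through above describe the same lifecycle. The Python model below is an added example, not Microsoft's code or API: it runs one Global Administrator activation through that lifecycle, with an eligible assignment, a request refused until MFA is completed, approval by a designated approver (with the 24-hour approver timeout enforced on pending requests), a 4-hour activation whose clock starts at approval, and automatic deactivation, all recorded in an audit list. The role settings use the chapter's defaults and ceilings (1 hour, 24 hours, 8 hours for Azure AD roles, 24 hours for Azure resource roles); the user names, the timestamp and the 4-hour setting are constructed for the example.

```python
"""PIM activation lifecycle as the chapter describes it, modelled in code (added example, not Microsoft's).
Defaults mirror the chapter: 1 h activation, 24 h approver timeout, justification on, approval off,
and an 8 h ceiling for Azure AD roles against 24 h for Azure resource roles. Call demo() to run it."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

H = timedelta(hours=1)
MAX_ACTIVATION = {"directory": 8 * H, "azure": 24 * H}   # Azure AD roles vs Azure resource roles


@dataclass
class RoleSettings:
    name: str
    scope: str = "directory"              # Azure AD role ("directory") or Azure resource role ("azure")
    activation_duration: timedelta = 1 * H
    require_mfa: bool = False
    require_justification: bool = True
    require_ticket: bool = False
    approvers: tuple = ()                 # a non-empty tuple means approval is required
    approver_timeout: timedelta = 24 * H

    def __post_init__(self):
        if self.activation_duration > MAX_ACTIVATION[self.scope]:
            raise ValueError(f"{self.name}: activation duration above the {self.scope} ceiling")


class Pim:
    def __init__(self, roles):
        self.roles = {r.name: r for r in roles}
        self.eligible, self.pending, self.active, self.audit = {}, {}, {}, []

    def _log(self, now, event, user, role, **extra):
        self.audit.append({"time": now.isoformat(), "event": event, "user": user, "role": role, **extra})

    def make_eligible(self, user, role, now, end=None):   # end=None means a permanent eligible assignment
        self.eligible[(user, role)] = end
        self._log(now, "EligibleAssignmentCreated", user, role)

    def request_activation(self, user, role, now, justification="", ticket=None, mfa_completed=False):
        self.tick(now)
        s = self.roles[role]
        if (user, role) not in self.eligible or (self.eligible[(user, role)] or now) < now:
            return "denied: not eligible (or eligibility expired)"
        if s.require_justification and not justification.strip():
            return "denied: justification required"
        if s.require_ticket and not ticket:
            return "denied: ticket number required"
        if s.require_mfa and not mfa_completed:
            return "denied: MFA required before activation"
        req_id = len(self.audit)              # any unique id will do for the model
        self._log(now, "ActivationRequested", user, role, reason=justification, ticket=ticket)
        if not s.approvers:
            return self._activate(user, role, now)
        self.pending[req_id] = (user, role, now)   # waits for decide() or the approver timeout
        return f"pending:{req_id}"

    def decide(self, req_id, approver, approve, now):
        self.tick(now)
        if req_id not in self.pending or approver not in self.roles[self.pending[req_id][1]].approvers:
            return "denied: no such pending request or not an approver"
        user, role, _ = self.pending.pop(req_id)
        self._log(now, "ActivationApproved" if approve else "ActivationDenied", user, role, approver=approver)
        return self._activate(user, role, now) if approve else "denied"   # clock starts at approval

    def _activate(self, user, role, now):
        end = now + self.roles[role].activation_duration
        self.active[(user, role)] = end
        self._log(now, "Activated", user, role, ends=end.isoformat())
        return "active"

    def has_role(self, user, role, now):
        self.tick(now)
        return (user, role) in self.active

    def tick(self, now):
        """Expire approval requests past their timeout and activations past their end time."""
        for rid, (user, role, submitted) in list(self.pending.items()):
            if now - submitted >= self.roles[role].approver_timeout:
                del self.pending[rid]
                self._log(now, "RequestExpired", user, role)
        for (user, role), end in list(self.active.items()):
            if now >= end:
                del self.active[(user, role)]
                self._log(now, "AutoDeactivated", user, role)


def demo():
    """Walk one Global Administrator activation through the steps above."""
    t0 = datetime(2026, 5, 31, 9, 0, tzinfo=timezone.utc)   # constructed timestamp
    ga = RoleSettings("Global Administrator", activation_duration=4 * H, require_mfa=True, approvers=("senior.admin",))
    pim = Pim([ga])
    pim.make_eligible("alice", ga.name, t0)
    out = {"without_mfa": pim.request_activation("alice", ga.name, t0, "Reset password, ticket #12345")}
    out["with_mfa"] = pim.request_activation("alice", ga.name, t0, "Reset password, ticket #12345", mfa_completed=True)
    out["decision"] = pim.decide(1, "senior.admin", True, t0 + timedelta(minutes=30))
    out["active_at_4h"] = pim.has_role("alice", ga.name, t0 + 4 * H)   # ends at 4 h 30 min
    out["active_at_5h"] = pim.has_role("alice", ga.name, t0 + 5 * H)
    out["events"] = [e["event"] for e in pim.audit]
    return out
```

demo() returns the observations as a dictionary: the first request is refused for missing MFA, the second goes pending until the approver decides, the role is still live at the four-hour mark because its clock started at approval (30 minutes after the request), and it has been auto-deactivated by the fifth hour. Constructing a RoleSettings with a 9-hour activation for an Azure AD role raises ValueError, which is the 8-hour ceiling the chapter states.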

What This Looks Like on the Job

Enterprise Scenario 1: Global Administrator Access for IT Support

A large enterprise with 50,000 users has a team of 10 IT support engineers who occasionally need Global Administrator privileges to resolve critical incidents (e.g., a global outage affecting all users). Without PIM, these engineers would have permanent Global Admin rights, creating a massive security risk. With PIM, the company makes all 10 engineers eligible for Global Admin, but requires approval from a senior administrator and MFA for activation. The activation duration is set to 4 hours (the maximum allowed for Azure AD roles is 8 hours). In production, this setup has reduced the attack surface: even if an engineer's credentials are compromised, the attacker cannot activate the role without MFA and approval. The audit logs show exactly who activated the role, when, and why. Common misconfiguration: setting the activation duration too long (e.g., 8 hours) or not requiring MFA, which weakens security. Performance is not an issue because PIM is a control plane service with negligible latency.

Scenario 2: Azure Resource Role Access for DevOps

A company uses Azure resources (VMs, storage, databases) and wants to grant developers just-in-time Contributor access to a production resource group. They configure PIM for Azure resources (note: this requires Azure RBAC roles, not just Azure AD roles). Each developer is made eligible for Contributor on the resource group. Activation requires a ticket number and approval from the DevOps lead. The activation duration is set to 2 hours. This ensures that developers can only modify production resources during approved change windows. A common mistake is confusing Azure AD roles with Azure resource roles; PIM for Azure resources is configured under 'Azure resources' in the PIM blade, not under 'Azure AD roles'. Also, the maximum activation duration for Azure resource roles is 24 hours, which is longer than for Azure AD roles.

What Goes Wrong When Misconfigured

No MFA requirement: An attacker who steals a user's password can activate a privileged role without additional verification.

Overly long activation duration: Users leave the role active for extended periods, effectively creating standing privileges.

No approval for high-risk roles: Activation of Global Admin should always require approval, but sometimes admins forget to enable it.

Approver not configured: If no approvers are set, activation requests are stuck in pending forever (unless the setting is changed).

Ignoring audit logs: Without regular review, unauthorized activations go undetected.
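The first four problems above are visible in the role settings themselves, so a defender can check for them before they are exploited. The script below is an added example, not Microsoft tooling: it evaluates each role's end-user activation settings against the chapter's ceilings and flags every listed misconfiguration. The records it reads are constructed sample data shaped after Microsoft Graph's unifiedRoleManagementPolicy rules as the author of this example understands them (rule ids Expiration_EndUser_Assignment, Enablement_EndUser_Assignment and Approval_EndUser_Assignment); the scope field and the 4-hour recommendation are the example's own, the latter taken from the chapter's IT-support scenario.

```python
"""Audit PIM role activation settings for the misconfigurations listed in the chapter.
Added example, not Microsoft tooling. Input records are constructed sample data shaped after
Microsoft Graph unifiedRoleManagementPolicy rules as understood by this example's author;
the thresholds are this example's own, taken from the chapter's figures."""
import re

HIGH_RISK_ROLES = {"Global Administrator", "Privileged Role Administrator"}
MAX_ALLOWED_HOURS = {"directory": 8, "azure": 24}   # platform ceilings stated in the chapter
RECOMMENDED_MAX_HOURS = 4                            # the chapter's IT-support scenario value


def iso_hours(duration):
    """Convert an ISO 8601 duration such as PT8H, PT30M or PT1H30M to hours."""
    m = re.fullmatch(r"PT(?:(\d+)H)?(?:(\d+)M)?", duration)
    if not m or not duration[2:]:
        raise ValueError(f"unsupported duration {duration!r}")
    hours, minutes = (int(x) if x else 0 for x in m.groups())
    return hours + minutes / 60


def rule(policy, rule_id):
    """Return the rule with the given id, or an empty dict when the policy lacks it."""
    return next((r for r in policy["rules"] if r["id"] == rule_id), {})


def audit_policy(policy):
    """Return (severity, message) findings for one role's end-user activation settings."""
    role, scope, findings = policy["roleDisplayName"], policy["scope"], []
    hours = iso_hours(rule(policy, "Expiration_EndUser_Assignment").get("maximumDuration", "PT1H"))
    enabled = set(rule(policy, "Enablement_EndUser_Assignment").get("enabledRules", []))
    approval = rule(policy, "Approval_EndUser_Assignment").get("setting", {})
    approvers = [a for stage in approval.get("approvalStages", []) for a in stage.get("primaryApprovers", [])]

    if hours > MAX_ALLOWED_HOURS[scope]:
        findings.append(("error", f"{role}: {hours:g} h exceeds the {scope} ceiling of {MAX_ALLOWED_HOURS[scope]} h"))
    elif hours > RECOMMENDED_MAX_HOURS:
        findings.append(("warn", f"{role}: {hours:g} h activations approach standing access; consider {RECOMMENDED_MAX_HOURS} h or less"))
    if "MultiFactorAuthentication" not in enabled:
        findings.append(("error" if role in HIGH_RISK_ROLES else "warn", f"{role}: MFA not required on activation"))
    if "Justification" not in enabled:
        findings.append(("warn", f"{role}: justification not required (the default is required)"))
    if role in HIGH_RISK_ROLES and not approval.get("isApprovalRequired"):
        findings.append(("error", f"{role}: high-risk role activates without approval"))
    if approval.get("isApprovalRequired") and not approvers:
        findings.append(("error", f"{role}: approval required but no approvers set; requests sit pending until they expire"))
    return findings


# Constructed sample data: one weakly configured Azure AD role, one well configured Azure resource role
SAMPLE_POLICIES = [
    {"roleDisplayName": "Global Administrator", "scope": "directory", "rules": [
        {"id": "Expiration_EndUser_Assignment", "isExpirationRequired": True, "maximumDuration": "PT8H"},
        {"id": "Enablement_EndUser_Assignment", "enabledRules": ["Justification"]},
        {"id": "Approval_EndUser_Assignment",
         "setting": {"isApprovalRequired": True, "approvalStages": [{"primaryApprovers": []}]}},
    ]},
    {"roleDisplayName": "Contributor", "scope": "azure", "rules": [
        {"id": "Expiration_EndUser_Assignment", "isExpirationRequired": True, "maximumDuration": "PT2H"},
        {"id": "Enablement_EndUser_Assignment",
         "enabledRules": ["MultiFactorAuthentication", "Justification", "Ticketing"]},
        {"id": "Approval_EndUser_Assignment",
         "setting": {"isApprovalRequired": True,
                     "approvalStages": [{"primaryApprovers": [{"id": "<devops-lead-object-id>"}]}]}},
    ]},
]


def audit_all(policies=SAMPLE_POLICIES):
    """Map each role name to its list of findings (an empty list means the settings passed)."""
    return {p["roleDisplayName"]: audit_policy(p) for p in policies}


if __name__ == "__main__":
    for role_name, role_findings in audit_all().items():
        print(role_name, "- OK" if not role_findings else "")
        for severity, message in role_findings:
            print(f"  [{severity}] {message}")
```

On the sample data the Contributor role passes, while Global Administrator produces three findings: the 8-hour window (a warning, since it is within the platform ceiling), the missing MFA requirement (an error on a high-risk role) and the approval rule with no approvers, which is the "stuck in pending forever" case above.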

How SC-900 Actually Tests This

Exam Focus for SC-900

SC-900 Objective 2.2 specifically tests your understanding of Privileged Identity Management as a tool for managing privileged access. The exam expects you to know:

What PIM is: A service that provides just-in-time privileged access, time-bound assignments, and approval workflows.

Key concepts: Eligible vs. active assignment, activation duration, approval required, MFA requirement.

Default values: Activation duration default is 1 hour (for Azure AD roles); maximum is 8 hours for Azure AD roles, 24 hours for Azure resource roles.

What PIM is NOT: It is not a tool for managing user passwords or general user permissions; it is specifically for privileged roles.

Common Wrong Answers and Why Candidates Choose Them

1. "PIM permanently assigns roles to users." – This is wrong because PIM is designed to eliminate permanent assignments. Candidates confuse eligible assignments with permanent active assignments.

2. "PIM is used to manage all user permissions." – Wrong; PIM only manages privileged roles, not standard user permissions (like 'Sales' group membership).

3. "PIM requires Azure AD Premium P2 for all users." – Actually, PIM requires Azure AD Premium P2 licenses only for users who are eligible or active in PIM-managed roles. Not all users need P2.

4. "PIM can enforce MFA during login." – PIM enforces MFA during activation, not during initial login. Conditional Access handles MFA at login.

Specific Numbers and Terms on the Exam

Default activation duration: 1 hour.

Maximum activation duration for Azure AD roles: 8 hours.

Maximum activation duration for Azure resource roles: 24 hours.

Approval timeout: 24 hours.

Roles that can manage PIM: Privileged Role Administrator and Security Administrator (view only).

PIM is part of Microsoft Entra ID Governance.

PIM supports Azure AD roles and Azure resource roles.

Edge Cases and Exam Traps

Permanent active assignments: PIM can create permanent active assignments (e.g., for break-glass accounts), but this is not the primary use case. The exam may ask: "Which type of assignment should you avoid for security?" Answer: Permanent active.

PIM for groups: PIM can manage eligibility for Azure AD roles assigned via groups (since 2021). This is a minor point but could appear.

PIM does not replace Conditional Access: They are complementary. PIM requires MFA during activation; Conditional Access can enforce MFA at login.

How to Eliminate Wrong Answers

If a question asks about just-in-time access, time-bound, or approval workflows, the answer is likely PIM. If it mentions permanent assignment or no approval, eliminate PIM. If it talks about managing all users' permissions, eliminate PIM (it's only for privileged roles).

Key Takeaways

PIM provides just-in-time privileged access, eliminating standing privileges.

Default activation duration for Azure AD roles is 1 hour; maximum is 8 hours.

Eligible assignments require activation; active assignments grant immediate permanent access.

PIM requires Azure AD Premium P2 licenses for users in PIM-managed roles.

PIM can enforce MFA and approval during activation.

PIM is part of Microsoft Entra ID Governance.

Common exam trap: PIM does not manage all user permissions—only privileged roles.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

PIM (Privileged Identity Management)

Cloud-native, integrated with Azure AD

Just-in-time activation with time-bound roles

No need for a separate vault or proxy

Audit logs integrated with Azure AD reporting

Supports Azure AD roles and Azure resource roles

PAM (Privileged Access Management – traditional on-premises)

On-premises solution (e.g., Microsoft Identity Manager)

Often uses a password vault and session recording

Requires infrastructure (servers, agents)

Audit logs are separate from cloud

Focuses on on-premises Active Directory and non-Microsoft resources

Watch Out for These

Mistake: PIM permanently assigns privileged roles to users.
Correct: PIM primarily uses eligible assignments that require activation for temporary access. Permanent active assignments are possible but discouraged and not the default.

Mistake: PIM requires Azure AD Premium P2 licenses for all users in the organization.
Correct: Only users who are eligible or active in PIM-managed roles need a P2 license. Other users do not.

Mistake: PIM enforces multi-factor authentication at every login.
Correct: PIM requires MFA during role activation, not during initial sign-in. MFA at login is handled by Conditional Access.

Mistake: PIM can manage any user's permissions, not just privileged roles.
Correct: PIM is specifically for managing access to privileged roles (e.g., Global Admin, Contributor). It does not manage standard directory roles or group memberships.

Mistake: PIM activation duration can be set to any value up to 24 hours for all roles.
Correct: For Azure AD roles, the maximum is 8 hours. For Azure resource roles, the maximum is 24 hours.


Frequently Asked Questions

What is the difference between eligible and active assignment in PIM?

An eligible assignment means the user can activate the role when needed, but does not have the role's permissions until activation. An active assignment grants the role's permissions immediately and permanently (or until an end date). PIM's primary benefit is using eligible assignments to avoid standing privileges.

What are the default settings for PIM role activation?

Default settings: activation duration is 1 hour; MFA is required for highly privileged roles (like Global Admin); approval is not required by default; justification is required; ticket information is optional; approver timeout is 24 hours.

Does PIM require Azure AD Premium P2 licenses?

Yes, PIM is a feature of Azure AD Premium P2. Users who are eligible or active in PIM-managed roles must have a P2 license. However, not all users in the tenant need P2—only those who use PIM.

Can PIM manage access to Azure resources like VMs?

Yes, PIM supports Azure resource roles (e.g., Contributor, Owner) for Azure resources like subscriptions, resource groups, and VMs. This is separate from Azure AD roles.

What is the maximum activation duration for Azure AD roles?

The maximum activation duration for Azure AD roles is 8 hours. For Azure resource roles, it is 24 hours.

How do I approve a PIM activation request?

Approvers receive an email with a link to the PIM portal. They can sign in, review the request details (justification, time, user), and approve or deny. Approval can also be done via the Microsoft Entra admin center.

Is PIM the same as Azure AD Privileged Access Management?

Yes, PIM is Microsoft's cloud-based Privileged Access Management solution. It is sometimes referred to as Azure AD PIM or Microsoft Entra PIM.

