Lab 07: Privileged Identity Management (PIM)
Difficulty: Advanced
Duration: 60-90 minutes
License Required: Entra ID P2 (or Entra ID Governance)
Objectives
By the end of this lab, you will be able to:
- Understand the difference between eligible and active role assignments
- Configure PIM settings for Entra ID roles
- Configure PIM for Azure RBAC roles
- Activate eligible roles as a user
- Approve/deny PIM activation requests
- Set up access reviews for privileged roles
- Configure PIM alerts and notifications
Prerequisites
- [ ] Azure subscription
- [ ] Entra ID P2 (or Entra ID Governance) licenses: Microsoft requires one for every user who is eligible for or active in a PIM-managed role, who approves activation requests, or who performs access reviews, not only for the admins who configure PIM
- [ ] Privileged Role Administrator or Global Administrator role (for the Azure RBAC part in Task 6 you additionally need Owner or User Access Administrator on the test subscription or resource group)
- [ ] At least 2 test user accounts
- [ ] A test resource group to assign Azure RBAC roles
Background: Why PIM?
The Problem:
- Administrators have elevated permissions 24/7/365
- If an account is compromised, the attacker has full access immediately, with no activation step that could be detected or blocked
- Permissions accumulate over time (permission creep)
- No audit trail of WHY someone needed elevated access
The Solution - Just-In-Time (JIT) Access:
- Users are eligible for roles but don't have them by default
- Must activate the role when needed
- Activation can require: MFA, justification, approval, time limits
- Access automatically expires
- Full audit trail of all activations
Scenario
Contoso Security Team has identified that too many users have standing Global Administrator and Owner roles. You've been tasked with:
- Converting standing assignments to eligible (JIT) assignments
- Requiring approval for highly privileged role activations
- Limiting activation duration to reduce risk window
- Setting up quarterly access reviews
Lab Tasks
Task 1: Explore PIM Dashboard
Familiarize yourself with the PIM interface and current role assignments.
Requirements:
- Navigate to PIM in the Entra admin center
- Review the "My roles" section
- Identify how many active vs. eligible assignments exist for Entra ID roles
- Identify any roles with permanent ("No expiration") active assignments; these are the standing privileges PIM is meant to remove
Verification:
- [ ] Can access PIM dashboard
- [ ] Understand the difference between "My roles" and "Manage" sections
- [ ] Identified at least one role to convert to eligible
Task 2: Configure PIM Settings for Global Administrator Role
Set strict requirements for the most privileged Entra ID role. Before you tighten Global Administrator, confirm you have at least one emergency access (break-glass) account with a standing assignment that does not depend on the PIM approval workflow, so a misconfigured approver list cannot lock you out of the tenant.
Requirements:
- Configure Global Administrator role settings:
  - Maximum activation duration: 4 hours
  - Require MFA on activation: Yes
  - Require justification: Yes
  - Require approval: Yes (designate yourself or another admin as approver)
  - Require ticket information: No (optional for this lab)
  - Allow permanent eligible assignment: Yes
  - Allow permanent active assignment: No
Verification:
- [ ] Settings saved for Global Administrator role
- [ ] Approval workflow is configured
Task 3: Create an Eligible Assignment
Assign a user as ELIGIBLE (not active) for a role.
Requirements:
- Make User1 eligible for the User Administrator role
- Set eligibility period: 6 months (not permanent)
- Do NOT make it an active assignment
Verification:
- [ ] User1 shows as "Eligible" for User Administrator
- [ ] User1 does NOT show as "Active" for User Administrator
- [ ] User1 cannot perform User Administrator tasks without activating
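The same assignment and its verification, done through Microsoft Graph instead of the portal. This is an added example, not part of the lab or of Microsoft's own tooling; it assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in admin can consent to the listed scopes, and that `user1@contoso.com` is a placeholder for your User1.

```powershell
# Added example (not from the lab): make User1 ELIGIBLE for User Administrator
# for 180 days via Microsoft Graph, then prove there is no active assignment.
# Assumptions: Microsoft.Graph PowerShell SDK; the UPN below is a placeholder.
Connect-MgGraph -Scopes 'RoleEligibilitySchedule.ReadWrite.Directory', 'RoleAssignmentSchedule.Read.Directory', 'User.Read.All' -NoWelcome
$graph    = 'https://graph.microsoft.com/v1.0'
$user1Upn = 'user1@contoso.com'   # placeholder

$user = Invoke-MgGraphRequest -Method GET -Uri "$graph/users/$($user1Upn)?`$select=id,displayName"

# Resolve the role by display name instead of hard-coding a template GUID.
$role = @((Invoke-MgGraphRequest -Method GET -Uri "$graph/roleManagement/directory/roleDefinitions?`$filter=displayName eq 'User Administrator'").value)[0]

# adminAssign on the ELIGIBILITY endpoint creates an eligible assignment only.
# The equivalent POST to roleAssignmentScheduleRequests would create a standing (active) one.
$body = @{
    action           = 'adminAssign'
    justification    = 'Lab 07 Task 3: JIT User Administrator for User1'
    roleDefinitionId = $role.id
    directoryScopeId = '/'          # whole tenant; an administrative unit id narrows the scope
    principalId      = $user.id
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString('o')
        expiration    = @{ type = 'afterDuration'; duration = 'P180D' }   # ~6 months, not permanent
    }
}
$request = Invoke-MgGraphRequest -Method POST -Uri "$graph/roleManagement/directory/roleEligibilityScheduleRequests" `
    -Body $body -ContentType 'application/json'
"Request $($request.id) status: $($request.status)"   # 'Provisioned' once the eligibility exists

# Verification: exactly one eligible instance, zero active instances, for this user and role.
$filter   = "principalId eq '$($user.id)' and roleDefinitionId eq '$($role.id)'"
$eligible = @((Invoke-MgGraphRequest -Method GET -Uri "$graph/roleManagement/directory/roleEligibilityScheduleInstances?`$filter=$filter").value)
$active   = @((Invoke-MgGraphRequest -Method GET -Uri "$graph/roleManagement/directory/roleAssignmentScheduleInstances?`$filter=$filter").value)
"$($user.displayName): eligible instances = $($eligible.Count), active instances = $($active.Count)  (expect 1 and 0)"
if ($eligible.Count -ne 1 -or $active.Count -ne 0) {
    Write-Warning 'User1 is not eligible-only; check PIM > Entra ID roles > Assignments'
}
```

The second query is the check behind the last verification item: until User1 activates, `roleAssignmentScheduleInstances` has no row for that principal and role, which is what "cannot perform User Administrator tasks without activating" looks like in the data.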
Task 4: Configure PIM Settings for User Administrator Role
Set up activation requirements for the role you just assigned.
Requirements:
- Maximum activation duration: 8 hours
- Require MFA on activation: Yes
- Require justification: Yes
- Require approval: No (self-service activation)
- Allow permanent eligible: Yes
- Allow permanent active: No
- Notification settings: Notify when role is activated
Verification:
- [ ] Settings configured and saved
- [ ] Notification recipients set
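A scripted read-back of the settings from Task 2 and Task 4, so that the verification does not depend on eyeballing the portal. This is an added example, not part of the lab or of Microsoft's tooling; it assumes the Microsoft.Graph PowerShell SDK and reads the role management policy rules that the portal's "Role settings" page edits. The rule ids (`Expiration_EndUser_Assignment`, `Enablement_EndUser_Assignment`, `Approval_EndUser_Assignment`, `Expiration_Admin_Eligibility`, `Expiration_Admin_Assignment`) are the fixed ids Graph uses for these settings.

```powershell
# Added example (not from the lab): compare the PIM role settings for Global
# Administrator (Task 2) and User Administrator (Task 4) with the lab targets.
# Assumption: Microsoft.Graph PowerShell SDK, read-only policy scopes.
Connect-MgGraph -Scopes 'RoleManagementPolicy.Read.Directory', 'RoleManagement.Read.Directory' -NoWelcome
$graph = 'https://graph.microsoft.com/v1.0'

function Get-PimRoleSettings {
    param([Parameter(Mandatory)][string]$RoleName)

    # Resolve the role by display name instead of hard-coding a template GUID.
    $role = @((Invoke-MgGraphRequest -Method GET -Uri "$graph/roleManagement/directory/roleDefinitions?`$filter=displayName eq '$RoleName'").value)
    if ($role.Count -ne 1) { throw "Expected exactly one role named '$RoleName', found $($role.Count)" }
    $roleId = $role[0].id

    # Each Entra ID role has one policy assignment at directory scope "/"; follow it to the policy's rules.
    $assignment = @((Invoke-MgGraphRequest -Method GET -Uri ("$graph/policies/roleManagementPolicyAssignments?`$filter=scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$roleId'")).value)
    $rules = (Invoke-MgGraphRequest -Method GET -Uri "$graph/policies/roleManagementPolicies/$($assignment[0].policyId)/rules").value

    # Rule ids are fixed by the service; the suffix says whose action the rule governs:
    #   *_EndUser_Assignment  what an eligible user must satisfy to activate
    #   *_Admin_Eligibility   limits on eligible assignments created by admins
    #   *_Admin_Assignment    limits on active (standing) assignments created by admins
    $byId = @{}
    foreach ($r in $rules) { $byId[$r.id] = $r }
    $enabled = @($byId['Enablement_EndUser_Assignment'].enabledRules)

    [pscustomobject]@{
        Role                     = $RoleName
        MaxActivationDuration    = $byId['Expiration_EndUser_Assignment'].maximumDuration   # ISO 8601, e.g. PT4H
        MfaRequired              = $enabled -contains 'MultiFactorAuthentication'
        JustificationRequired    = $enabled -contains 'Justification'
        TicketRequired           = $enabled -contains 'Ticketing'
        ApprovalRequired         = [bool]$byId['Approval_EndUser_Assignment'].setting.isApprovalRequired
        PermanentEligibleAllowed = -not $byId['Expiration_Admin_Eligibility'].isExpirationRequired
        PermanentActiveAllowed   = -not $byId['Expiration_Admin_Assignment'].isExpirationRequired
    }
}

# Targets from Task 2 (Global Administrator) and Task 4 (User Administrator).
$expected = [ordered]@{
    'Global Administrator' = @{ MaxActivationDuration = 'PT4H'; MfaRequired = $true; JustificationRequired = $true; ApprovalRequired = $true;  PermanentEligibleAllowed = $true; PermanentActiveAllowed = $false }
    'User Administrator'   = @{ MaxActivationDuration = 'PT8H'; MfaRequired = $true; JustificationRequired = $true; ApprovalRequired = $false; PermanentEligibleAllowed = $true; PermanentActiveAllowed = $false }
}

$drift = 0
foreach ($roleName in $expected.Keys) {
    $actual = Get-PimRoleSettings -RoleName $roleName
    foreach ($setting in $expected[$roleName].Keys) {
        $want = $expected[$roleName][$setting]
        $got  = $actual.$setting
        $ok   = ($got -eq $want)
        if (-not $ok) { $drift++ }
        '{0,-21} {1,-25} expected={2,-6} actual={3,-6} {4}' -f $roleName, $setting, $want, $got, $(if ($ok) { 'OK' } else { 'MISMATCH' })
    }
}
if ($drift) { Write-Warning "$drift setting(s) differ from the lab targets" } else { 'All role settings match the lab targets' }
```

Run it again after any later change to the role settings: because the comparison is against explicit expected values, it doubles as a drift check that can be scheduled, which the portal view cannot.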
Task 5: Activate a Role (User Experience)
Experience the PIM activation process as an end user.
Requirements:
- Sign in as User1 (the eligible user)
- Navigate to PIM → My roles
- Find User Administrator role
- Click "Activate"
- Complete MFA if prompted
- Provide a justification (e.g., "Need to create test users for project Alpha")
- Select activation duration (e.g., 2 hours)
- Complete activation
Verification:
- [ ] Activation request submitted
- [ ] Role shows as "Active" after approval/activation
- [ ] User can now perform User Administrator tasks
- [ ] Activation has an expiration time
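The activation from Task 5 as a Graph request, run while signed in as User1. This is an added example, not part of the lab or of Microsoft's tooling; it assumes the Microsoft.Graph PowerShell SDK, that an admin has consented the listed scopes for the Microsoft Graph PowerShell app, and that the sign-in to `Connect-MgGraph` already satisfied MFA. The User Administrator template id used below is the built-in one and is the same in every tenant.

```powershell
# Added example (not from the lab): self-activate User Administrator as User1
# via Microsoft Graph and read back the expiry. The role settings from Task 4
# are enforced server-side: a session without MFA, or a request without a
# justification, is rejected by the service.
Connect-MgGraph -Scopes 'RoleAssignmentSchedule.ReadWrite.Directory', 'RoleEligibilitySchedule.Read.Directory' -NoWelcome
$graph = 'https://graph.microsoft.com/v1.0'
$me    = Invoke-MgGraphRequest -Method GET -Uri "$graph/me?`$select=id,userPrincipalName"
$userAdminRoleId = 'fe930be7-5e62-47db-91af-98c3a49a38b1'   # built-in User Administrator role template id

# What can I activate? This is the query behind "My roles" > Eligible assignments.
$eligible = @((Invoke-MgGraphRequest -Method GET -Uri "$graph/roleManagement/directory/roleEligibilityScheduleInstances/filterByCurrentUser(on='principal')").value)
if (-not ($eligible | Where-Object { $_.roleDefinitionId -eq $userAdminRoleId })) {
    throw "$($me.userPrincipalName) is not eligible for User Administrator; complete Task 3 first"
}

$body = @{
    action           = 'selfActivate'
    principalId      = $me.id
    roleDefinitionId = $userAdminRoleId
    directoryScopeId = '/'
    justification    = 'Need to create test users for project Alpha'
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString('o')
        expiration    = @{ type = 'afterDuration'; duration = 'PT2H' }   # must not exceed the 8 h maximum from Task 4
    }
}
$req = Invoke-MgGraphRequest -Method POST -Uri "$graph/roleManagement/directory/roleAssignmentScheduleRequests" `
    -Body $body -ContentType 'application/json'
"Activation $($req.id): $($req.status)"   # 'Provisioned' for self-service roles; 'PendingApproval' if the role requires approval

# Verification: an ACTIVE instance now exists for this role and it carries an end time.
$active = @((Invoke-MgGraphRequest -Method GET -Uri "$graph/roleManagement/directory/roleAssignmentScheduleInstances/filterByCurrentUser(on='principal')").value) |
          Where-Object { $_.roleDefinitionId -eq $userAdminRoleId }
if (-not $active) { Write-Warning 'No active instance yet (pending approval, or the request was rejected)' }
foreach ($a in $active) { "Active ($($a.assignmentType)) until $($a.endDateTime)" }
```

`assignmentType` comes back as `Activated` for a JIT activation and `Assigned` for a standing assignment; a row with `Assigned` and an empty `endDateTime` is exactly the kind of permanent privilege this lab is converting away from.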
Task 6: Configure PIM for Azure RBAC Roles
Set up PIM for Azure resource roles (not just Entra ID roles).
Requirements:
- Navigate to PIM → Azure resources
- Select your subscription or a test resource group (PIM only lists resources it has discovered; see Troubleshooting if the list is empty)
- Make User2 eligible for Contributor role on a resource group
- Configure role settings:
  - Maximum activation duration: 8 hours
  - Require MFA: Yes
  - Require justification: Yes
Verification:
- [ ] User2 is eligible for Contributor on the resource group
- [ ] User2 cannot modify resources without activating the role
- [ ] Settings are configured for the role
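The eligible Contributor assignment for User2, done with Az PowerShell instead of the portal, together with the two checks from the verification list. This is an added example, not part of the lab or of Microsoft's tooling; it assumes the Az.Accounts and Az.Resources modules, a signed-in account that is Owner or User Access Administrator on the resource group, and placeholder values for the resource group name and User2's UPN.

```powershell
# Added example (not from the lab): give User2 an ELIGIBLE Contributor
# assignment on the test resource group, then confirm nothing is active yet.
# Assumptions: Az.Accounts + Az.Resources; placeholders for RG name and UPN.
Connect-AzAccount | Out-Null
$rgName = 'rg-pim-lab'           # placeholder
$user2  = 'user2@contoso.com'    # placeholder

$scope       = (Get-AzResourceGroup -Name $rgName).ResourceId   # /subscriptions/<sub>/resourceGroups/rg-pim-lab
$principalId = (Get-AzADUser -UserPrincipalName $user2).Id
$subId       = (Get-AzContext).Subscription.Id

# PIM wants the fully qualified role definition id, not the bare GUID Get-AzRoleDefinition returns.
$contributorGuid  = (Get-AzRoleDefinition -Name 'Contributor').Id
$roleDefinitionId = "/subscriptions/$subId/providers/Microsoft.Authorization/roleDefinitions/$contributorGuid"

# AdminAssign on the ELIGIBILITY request = eligible for 180 days; User2 must still activate each time.
$request = New-AzRoleEligibilityScheduleRequest -Name (New-Guid).Guid -Scope $scope `
    -PrincipalId $principalId -RoleDefinitionId $roleDefinitionId `
    -RequestType AdminAssign `
    -ScheduleInfoStartDateTime (Get-Date).ToUniversalTime() `
    -ExpirationType AfterDuration -ExpirationDuration 'P180D' `
    -Justification 'Lab 07 Task 6: JIT Contributor for User2'
"Eligibility request status: $($request.Status)"

# Verification 1: an eligibility schedule exists for User2 at this scope.
$eligible = Get-AzRoleEligibilitySchedule -Scope $scope | Where-Object { $_.PrincipalId -eq $principalId }
"Eligible schedules for User2: $(@($eligible).Count)  (expect 1)"

# Verification 2: no active Contributor assignment exists, so User2 cannot modify resources yet.
$active = Get-AzRoleAssignment -ObjectId $principalId -Scope $scope | Where-Object { $_.RoleDefinitionName -eq 'Contributor' }
"Active Contributor assignments for User2: $(@($active).Count)  (expect 0 until User2 activates)"
```

The activation settings for the Azure resource role (8 hour maximum, MFA, justification) are still set in the portal under Role settings in this lab; `Get-AzRoleManagementPolicy -Scope $scope` lists the policies that page edits, if you want to read them back the same way as for the Entra ID roles.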
Task 7: Approve/Deny PIM Requests
Practice the approval workflow.
Requirements:
- As an approver, navigate to PIM → Approve requests
- Review any pending requests
- View the justification provided
- Approve OR deny the request with a reason
Alternative if no pending requests:
- Configure a role to require approval
- Have another user (or yourself) request activation
- Process the approval request
Verification:
- [ ] Can view pending approval requests
- [ ] Can approve with comments
- [ ] Can deny with reason
- [ ] Requester is notified of decision
Task 8: Create an Access Review for PIM Roles
Set up recurring review of privileged role assignments.
Requirements:
- Create an access review for the User Administrator role
- Configuration:
  - Review name: "Quarterly User Admin Review"
  - Frequency: Quarterly
  - Duration: 14 days
  - Reviewers: Role members review their own access (self-review, chosen here for simplicity; for production privileged roles prefer a manager or a named reviewer, since self-review asks the holder of the access whether they want to keep it)
  - On non-response: Remove access
  - Auto-apply results: Yes
Verification:
- [ ] Access review created
- [ ] Review is set to recur quarterly
- [ ] Auto-removal is configured for non-responses
Task 9: Review PIM Audit Logs
Monitor all PIM activity for compliance.
Requirements:
- Navigate to PIM → Entra ID roles → Resource audit (all PIM activity in the tenant; "My audit" shows only your own activations)
- Find entries for:
  - Role activations
  - Role assignments
  - Setting changes
  - Approval actions
Verification:
- [ ] Can view activation history
- [ ] Can see who activated what role and when
- [ ] Can see justifications provided
Task 10: Configure PIM Alerts
Set up proactive monitoring.
Requirements:
- Navigate to PIM → Entra ID roles → Alerts
- Review the built-in alerts, for example:
  - Roles are being assigned outside of Privileged Identity Management
  - There are too many global administrators
  - Potential stale accounts in a privileged role
  - Roles don't require multifactor authentication for activation
- Ensure alerts are enabled (under Alert settings each alert can be switched off or have its threshold changed, so check that nobody has silenced them)
Verification:
- [ ] Understand what each alert monitors
- [ ] Alerts are enabled
- [ ] Know where alert notifications go
Challenge Tasks (Optional)
Challenge 1: Authentication Context Integration
Create a Conditional Access authentication context, bind it to a CA policy that grants access only with the built-in Passwordless MFA authentication strength, then link the context to the Global Administrator role's activation settings so that activating the role requires a passwordless sign-in rather than plain MFA.
Hint:
- Create authentication context in CA
- Create CA policy targeting the context
- Link context to PIM role settings
Challenge 2: PIM for Groups
Configure PIM for a privileged group membership instead of a role directly.
Scenario: You have a security group that grants access to sensitive SharePoint sites. Use PIM to require just-in-time membership.
Challenge 3: Automation with Graph API
Write a PowerShell script that:
- Lists all active PIM role assignments
- Identifies assignments that have been active for more than 4 hours
- Exports results to CSV for security review
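One way to write the Challenge 3 script. This is an added example, not part of the lab or of Microsoft's tooling; it assumes the Microsoft.Graph PowerShell SDK with read-only scopes, and the output file name and the 4 hour threshold are choices taken from the challenge text, not fixed by PIM. Beyond the challenge's ask, it also flags standing assignments (no end time), because those are the rows a security review cares about most.

```powershell
# Added example for Challenge 3 (not from the lab): list every ACTIVE Entra ID
# role assignment PIM knows about, flag activations older than 4 hours and
# standing assignments that never expire, and export the result to CSV.
# Assumptions: Microsoft.Graph PowerShell SDK; output path is arbitrary.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All' -NoWelcome

$threshold = [TimeSpan]::FromHours(4)
$outFile   = ".\pim-active-assignments-$(Get-Date -Format yyyyMMdd-HHmm).csv"

# Follow @odata.nextLink so large tenants are not truncated at the first page.
function Get-GraphCollection {
    param([Parameter(Mandatory)][string]$Uri)
    do {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri
        foreach ($item in $page.value) { $item }
        $Uri = $page.'@odata.nextLink'
    } while ($Uri)
}

# Graph returns timestamps either as ISO strings or DateTime objects; normalise to UTC.
function ConvertTo-Utc([object]$Value) {
    $dt = [DateTime]$Value
    if ($dt.Kind -eq 'Unspecified') { $dt = [DateTime]::SpecifyKind($dt, 'Utc') }
    $dt.ToUniversalTime()
}

# Map role definition ids to names once instead of one call per row.
$roleNames = @{}
foreach ($r in Get-GraphCollection 'https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions') {
    $roleNames[$r.id] = $r.displayName
}

# Resolve principals lazily; users, groups and service principals all expose displayName.
$principalCache = @{}
function Resolve-Principal([string]$Id) {
    if (-not $principalCache.ContainsKey($Id)) {
        try {
            $obj = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/directoryObjects/$Id"
            $principalCache[$Id] = $obj.displayName
        } catch {
            $principalCache[$Id] = "<deleted or unreadable: $Id>"   # keep the row; an unresolvable principal is itself a finding
        }
    }
    $principalCache[$Id]
}

$now  = [DateTime]::UtcNow
$rows = foreach ($i in Get-GraphCollection 'https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignmentScheduleInstances') {
    $start    = ConvertTo-Utc $i.startDateTime
    $elapsed  = $now - $start
    $standing = -not $i.endDateTime          # no endDateTime means the assignment never expires
    $finding  = if ($standing) { 'STANDING' } elseif ($elapsed -gt $threshold) { 'OVER 4H' } else { '' }
    [pscustomobject]@{
        Principal      = Resolve-Principal $i.principalId
        PrincipalId    = $i.principalId
        Role           = $roleNames[$i.roleDefinitionId]
        Scope          = $i.directoryScopeId   # "/" is tenant-wide
        AssignmentType = $i.assignmentType     # "Activated" (JIT) or "Assigned" (standing)
        MemberType     = $i.memberType         # "Direct" or via "Group"
        ActiveSinceUtc = $start.ToString('u')
        ExpiresAtUtc   = if ($standing) { 'never' } else { (ConvertTo-Utc $i.endDateTime).ToString('u') }
        HoursActive    = [math]::Round($elapsed.TotalHours, 1)
        Finding        = $finding
    }
}

$rows | Sort-Object Finding, HoursActive -Descending | Export-Csv -Path $outFile -NoTypeInformation
$rows | Where-Object { $_.Finding } | Format-Table Principal, Role, AssignmentType, HoursActive, Finding -AutoSize
"$(@($rows).Count) active assignments written to $outFile"
```

An `Activated` row older than the role's maximum activation duration should not exist at all, so if one shows up as `OVER 4H` for Global Administrator after Task 2, check whether the activation predates the settings change or whether the role's settings were later relaxed (the Task 9 audit history shows setting changes).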
Key Concepts Summary
| Concept | Description |
|---|---|
| Eligible Assignment | User CAN activate the role but doesn't have it by default |
| Active Assignment | User has the role NOW (standing permission) |
| Activation | Process of claiming an eligible role for a period |
| Approval Workflow | Requires another person to approve activation |
| Just-In-Time (JIT) | Having permissions only when needed |
| Time-Bound | Permissions automatically expire |
| Access Review | Periodic validation that users still need access |
PIM Role Types
| Scope | Examples | Where to Configure |
|---|---|---|
| Entra ID Roles | Global Admin, User Admin, Security Admin | PIM → Entra ID roles |
| Azure RBAC Roles | Owner, Contributor, Reader on subscriptions/RGs | PIM → Azure resources |
| Groups | Membership in privileged security groups | PIM → Groups |
Common Issues and Troubleshooting
| Issue | Cause | Solution |
|---|---|---|
| "You are not eligible" | User not assigned as eligible | Add eligible assignment |
| Can't see Azure resources | No permissions discovered | Click "Discover resources" |
| Activation fails | MFA not completed | Complete MFA first |
| Approval request not showing | Not designated as approver | Check role settings |
| Can't modify settings | Insufficient permissions | Need Privileged Role Admin |
Clean Up
After completing the lab:
- Remove test eligible assignments
- Consider keeping PIM configured for production (it's a security best practice!)
- Remove test access reviews if not needed