
Lab 07: PIM - Questions & Scenarios


Multiple Choice Questions

Question 1

A user is marked as "Eligible" for the User Administrator role in PIM. What does this mean?

A) The user currently has User Administrator permissions
B) The user can activate the role when needed but doesn't have it by default
C) The user will automatically get the role at a scheduled time
D) The user had the role but it expired

Show Answer

Answer: B

"Eligible" means the user CAN activate the role when needed but doesn't have any User Administrator permissions by default. They must go through the activation process (which may require MFA, justification, and/or approval) to temporarily gain the role.


Question 2

You want to ensure that Global Administrator activations require approval from a security manager. Where do you configure this?

A) Conditional Access policies
B) PIM role settings for Global Administrator
C) Authentication methods policy
D) Entra ID roles and administrators

Show Answer

Answer: B

PIM role settings (configured per role) are where you set activation requirements, including approval, MFA, justification, and maximum duration. Navigate to PIM → Entra ID roles → Settings → Global Administrator → Edit.


Question 3

What is the MAXIMUM activation duration you can set for a PIM role?

A) 8 hours
B) 12 hours
C) 24 hours
D) 72 hours

Show Answer

Answer: C

The maximum activation duration for PIM roles is 24 hours. After this time, the role automatically deactivates and the user must activate again if still needed. Most organizations set much shorter durations (4-8 hours) for highly privileged roles.


Question 4

A PIM activation request is pending approval, but the designated approver is on vacation. What happens?

A) The request is automatically approved after 24 hours
B) The request stays pending until the approver returns
C) The request is automatically denied after the timeout period
D) Any Global Administrator can approve it

Show Answer

Answer: C

PIM activation requests have a timeout period (configurable). If not approved within this time, the request is automatically denied. Best practice: Configure multiple approvers or fallback approvers to avoid this situation.


Question 5

Which license is required to use Privileged Identity Management?

A) Entra ID Free
B) Entra ID P1
C) Entra ID P2
D) Microsoft 365 E3

Show Answer

Answer: C

PIM requires an Entra ID P2 license. P1 does not include PIM. Users who will be eligible for or activate roles through PIM need P2 licenses, and administrators who configure PIM also need P2.


Question 6

You configure PIM for the Contributor role on a resource group. Where do you do this?

A) PIM → Entra ID roles
B) PIM → Azure resources
C) PIM → Groups
D) Azure RBAC blade in the resource group

Show Answer

Answer: B

Azure RBAC roles (Owner, Contributor, Reader, custom roles on subscriptions/resource groups) are configured under PIM → Azure resources. Entra ID roles (Global Admin, User Admin, etc.) are under PIM → Entra ID roles.


Question 7

An admin creates an "Active" assignment for User Administrator that expires in 30 days. What does this mean?

A) User must activate the role daily
B) User has the role RIGHT NOW for 30 days without needing to activate
C) User is eligible to activate for the next 30 days
D) User must request approval every 30 days

Show Answer

Answer: B

An "Active" assignment means the user has the role immediately and continuously until the expiration date. They do NOT need to activate. This is less secure than "Eligible" but sometimes necessary for break-glass accounts or specific service accounts.


Question 8

Which of the following can PIM manage? (Select all that apply)

A) Entra ID directory roles
B) Azure RBAC roles on subscriptions
C) Security group memberships
D) Application permissions
E) SharePoint site permissions

Show Answer

Answer: A, B, C

PIM can manage:

  • ✅ Entra ID roles (Global Admin, User Admin, etc.)
  • ✅ Azure RBAC roles (Owner, Contributor on subscriptions/RGs)
  • ✅ Groups (membership in role-assignable groups)
  • ❌ Application permissions (use Conditional Access instead)
  • ❌ SharePoint permissions (use SharePoint admin or access packages)

Question 9

What happens when a user's PIM role activation expires?

A) They receive a warning 15 minutes before expiration
B) They are automatically signed out of all sessions
C) The role is automatically removed; they lose permissions
D) The role converts to an eligible assignment

Show Answer

Answer: C

When activation expires, the role is automatically removed. The user loses the permissions associated with that role. They can activate again if they're still eligible and need the access. They are NOT automatically signed out, but new authorization attempts will be denied.


Question 10

You want to review who has standing (permanent) Global Administrator access quarterly. What PIM feature should you use?

A) PIM Alerts
B) PIM Access Reviews
C) PIM Audit Logs
D) Conditional Access

Show Answer

Answer: B

Access Reviews allow you to periodically review and validate role assignments. You can configure recurring reviews (quarterly, annually) and automatically remove access if reviewers don't respond or deny access. PIM Alerts are for real-time issues, not periodic reviews.


Scenario Questions

Scenario 1: PIM Implementation

Situation: Your organization has 20 Global Administrators, many with permanent assignments. The security team wants to reduce risk by implementing Just-In-Time access.

Requirements:

  • No standing Global Admin access (except 2 break-glass accounts)
  • Activations require MFA and approval
  • Maximum 4-hour activation periods
  • Quarterly review of eligible assignments

Questions:

  1. What's your implementation approach?
  2. How do you handle the break-glass accounts?
  3. What monitoring should you set up?
Show Answer

1. Implementation Approach:

  1. Audit current Global Admin assignments (PIM → Entra ID roles → Assignments)
  2. Create PIM role settings:
    • Maximum duration: 4 hours
    • Require MFA: Yes
    • Require approval: Yes (designate approvers)
    • Require justification: Yes
  3. Convert existing assignments:
    • Remove active assignments for regular admins
    • Create eligible assignments (with appropriate expiration)
  4. Communicate to admins: Training on activation process
  5. Create access review: Quarterly, targeting Global Admin eligible assignments

2. Break-Glass Accounts:

  • Keep 2 accounts with ACTIVE (standing) Global Admin
  • These should be:
    • Cloud-only (not synced)
    • Not used for daily work
    • Stored securely (passwords in safe)
    • Monitored with alerts on any use
    • Excluded from Conditional Access (or use specific CA policy)
  • Set to "permanent active" but monitor closely

3. Monitoring:

  • Enable PIM alerts:
    • "Roles assigned outside PIM"
    • "Too many Global Administrators"
    • "Administrators aren't using privileged roles"
  • Create Azure Monitor alerts for break-glass account sign-ins
  • Review PIM audit logs regularly
  • Set up quarterly access reviews
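The first implementation step above is an inventory audit. The following added example (not part of the lab, not Microsoft code) checks a constructed list of Global Administrator assignments against the Scenario 1 policy: only the two break-glass accounts may hold standing access, and every eligible assignment must carry an expiration. The UPNs, the inventory, and the `Assignment` record shape are all assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed allowlist of the two break-glass accounts (hypothetical UPNs)
BREAK_GLASS = {"breakglass1@contoso.example", "breakglass2@contoso.example"}
GLOBAL_ADMIN = "Global Administrator"


@dataclass
class Assignment:
    upn: str
    role: str
    kind: str                    # "active" (standing) or "eligible" (must activate)
    expires: Optional[datetime]  # None means permanent


def audit_global_admins(assignments, break_glass=BREAK_GLASS, now=None):
    """Return (upn, finding) pairs for Global Administrator assignments that
    violate the policy: no standing access outside break-glass, break-glass
    stays permanent active, and eligible assignments must expire (and not be stale)."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for a in assignments:
        if a.role != GLOBAL_ADMIN:
            continue  # Scenario 1 only scopes Global Admin
        if a.kind == "active":
            if a.upn not in break_glass:
                findings.append((a.upn, "standing Global Admin; convert to eligible"))
            elif a.expires is not None:
                findings.append((a.upn, "break-glass account should be permanent active"))
        elif a.kind == "eligible":
            if a.expires is None:
                findings.append((a.upn, "eligible assignment never expires; set an end date"))
            elif a.expires < now:
                findings.append((a.upn, "eligible assignment already expired; remove it"))
    return findings


# Constructed sample inventory (not real tenant data)
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE = [
    Assignment("breakglass1@contoso.example", GLOBAL_ADMIN, "active", None),
    Assignment("breakglass2@contoso.example", GLOBAL_ADMIN, "active", datetime(2024, 12, 31, tzinfo=timezone.utc)),
    Assignment("alice@contoso.example", GLOBAL_ADMIN, "active", None),
    Assignment("bob@contoso.example", GLOBAL_ADMIN, "eligible", datetime(2025, 6, 1, tzinfo=timezone.utc)),
    Assignment("carol@contoso.example", GLOBAL_ADMIN, "eligible", None),
    Assignment("dave@contoso.example", GLOBAL_ADMIN, "eligible", datetime(2024, 1, 1, tzinfo=timezone.utc)),
    Assignment("erin@contoso.example", "User Administrator", "active", None),
]

if __name__ == "__main__":
    for upn, finding in audit_global_admins(SAMPLE, now=NOW):
        print(f"{upn}: {finding}")
```

In a real tenant the inventory would come from the PIM assignments export or Microsoft Graph; the check itself is the same.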

Scenario 2: Activation Troubleshooting

Situation: User Sarah tries to activate her eligible User Administrator role but receives an error: "Activation request failed."

Given information:

  • Sarah is eligible for User Administrator
  • PIM settings require MFA and justification
  • Sarah completed MFA and provided justification

Questions:

  1. What are possible causes for this failure?
  2. How would you troubleshoot?
  3. What logs would you check?
Show Answer

1. Possible Causes:

  • Approval is required but Sarah didn't wait for it
  • Sarah's eligible assignment has expired
  • Conditional Access is blocking the activation
  • Sarah doesn't have P2 license
  • Maximum concurrent activations reached
  • Role settings changed after eligibility was granted
  • Temporary service issue

2. Troubleshooting Steps:

  1. Check if role requires approval (PIM → Settings → User Administrator)
  2. Check Sarah's eligible assignment dates (may have expired)
  3. Check Conditional Access sign-in logs for blocks
  4. Verify Sarah has Entra ID P2 license assigned
  5. Check PIM audit logs for the specific error
  6. Try activation in InPrivate browser (cache issues)
  7. Check Azure service health for PIM issues

3. Logs to Check:

  • PIM Audit Log: PIM → Entra ID roles → Resource audit
    • Look for Sarah's activation attempt
    • Check Result and ResultReason
  • Sign-in Logs: Entra → Monitoring → Sign-in logs
    • Look for authentication issues
    • Check CA policy enforcement
  • Entra Audit Log: Activity = "Add member to role request denied (PIM activation)"
    • Shows detailed failure reason
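To make the log check above concrete, here is an added example (not part of the lab) that triages a constructed set of Entra audit records for the "Add member to role request denied (PIM activation)" activity and reports who was denied, for which role, and the recorded ResultReason. The record shape follows the field names the scenario mentions (activityDisplayName, result, resultReason, initiatedBy, targetResources); the UPNs and reason strings are invented for illustration.

```python
import json
from collections import defaultdict

# Constructed sample (newline-delimited JSON); not a real tenant export
SAMPLE_AUDIT_LOG = """\
{"activityDateTime": "2024-05-01T09:12:05Z", "activityDisplayName": "Add member to role request denied (PIM activation)", "result": "failure", "resultReason": "Eligible assignment expired", "initiatedBy": {"user": {"userPrincipalName": "sarah@contoso.example"}}, "targetResources": [{"type": "Role", "displayName": "User Administrator"}]}
{"activityDateTime": "2024-05-01T10:30:00Z", "activityDisplayName": "Add member to role completed (PIM activation)", "result": "success", "resultReason": "", "initiatedBy": {"user": {"userPrincipalName": "bob@contoso.example"}}, "targetResources": [{"type": "Role", "displayName": "Global Administrator"}]}
{"activityDateTime": "2024-05-01T11:02:00Z", "activityDisplayName": "Add member to role request denied (PIM activation)", "result": "failure", "resultReason": "Blocked by Conditional Access", "initiatedBy": {"user": {"userPrincipalName": "sarah@contoso.example"}}, "targetResources": [{"type": "Role", "displayName": "User Administrator"}]}
"""

DENIED_ACTIVITY = "Add member to role request denied (PIM activation)"


def parse_audit_lines(text):
    """Parse newline-delimited JSON records, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a truncated export line should not abort triage
    return records


def denied_activations(records):
    """Return one dict per denied PIM activation: when, who, which role, why."""
    out = []
    for r in records:
        if r.get("activityDisplayName") != DENIED_ACTIVITY or r.get("result") != "failure":
            continue
        user = r.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "<unknown>")
        roles = [t.get("displayName") for t in r.get("targetResources", []) if t.get("type") == "Role"]
        out.append({
            "time": r.get("activityDateTime"),
            "user": user,
            "role": roles[0] if roles else "<unknown>",
            "reason": r.get("resultReason") or "<no reason recorded>",
        })
    return out


def reasons_by_user(denials):
    """Group denial reasons per user so repeated failures stand out."""
    grouped = defaultdict(list)
    for d in denials:
        grouped[d["user"]].append(d["reason"])
    return dict(grouped)


if __name__ == "__main__":
    for user, reasons in reasons_by_user(denied_activations(parse_audit_lines(SAMPLE_AUDIT_LOG))).items():
        print(user, "->", "; ".join(reasons))
```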

Scenario 3: Azure Resource PIM

Situation: Your DevOps team needs Contributor access to production resource groups, but you don't want standing permissions. The team has 10 members who need access at different times.

Requirements:

  • Just-in-time Contributor access
  • 8-hour maximum activation
  • No approval required (self-service)
  • Must provide justification with ticket number
  • Notify security team on activation

Questions:

  1. How would you configure this?
  2. What's the user experience?
  3. How would you handle emergency situations?
Show Answer

1. Configuration:

  1. Navigate to PIM → Azure resources → Discover resources
  2. Select the production subscription/resource group
  3. Click Settings → Contributor → Edit:
    • Maximum activation duration: 8 hours
    • Require MFA: Yes
    • Require justification: Yes
    • Require ticket information: Yes
    • Require approval: No
  4. Configure notifications:
    • Add security team email for "Role is activated"
  5. Create eligible assignments:
    • Add all 10 DevOps team members as Eligible
    • Set eligibility period (e.g., 1 year)

2. User Experience:

  1. DevOps user goes to PIM → My roles → Azure resources
  2. Finds Contributor role on production RG
  3. Clicks Activate
  4. Completes MFA
  5. Enters ticket number and justification
  6. Selects duration (up to 8 hours)
  7. Clicks Activate
  8. Role is immediately active (no approval wait)
  9. Can now modify resources in production RG
  10. After 8 hours, access automatically removed

3. Emergency Situations:

Option A: Break-glass group

  • Create security group with standing Contributor
  • Add 1-2 senior DevOps leads
  • Use only for true emergencies

Option B: Shorter activation with quick re-activation

  • User activates for needed time
  • Can immediately activate again if needed longer
  • Full audit trail maintained

Option C: Emergency access package

  • Create access package with Contributor role
  • Allow self-service with justification
  • Faster than regular PIM for emergencies

Scenario 4: PIM vs Direct Assignment

Situation: A consultant asks why they can't just use regular role assignments with expiration dates instead of PIM. They argue it achieves the same "time-limited access" goal.

Question: What are the key differences and why is PIM better for privileged access?

Show Answer

Key Differences:

Aspect          Regular Assignment with Expiration   PIM Eligible Assignment
Access          Active for entire period             Only when activated
MFA             Only at sign-in                      Required at each activation
Justification   None required                        Required per activation
Approval        Not available                        Configurable
Audit           Limited                              Full activation audit trail
Duration        Could be months                      Hours per activation
Risk Window     Entire assignment period             Only during active use

Why PIM is Better:

  1. Reduced Attack Surface: With a regular expiring assignment, if the account is compromised on Day 1, the attacker has access for the entire assignment period. With PIM, they only have access during the short activation windows.

  2. Intent Verification: Regular assignments don't verify WHY the user needs access. PIM requires justification each time, creating accountability.

  3. Approval Workflow: For highly sensitive roles, you can require another human to approve, preventing lone-actor attacks.

  4. Shorter Risk Windows: Even if a PIM-eligible user is compromised, the attacker must activate the role (which requires MFA) and only gets access for hours, not weeks.

  5. Audit Trail: PIM shows exactly when and why each person had privileged access. Regular assignments only show "user was assigned on date X."

  6. Behavioral Baseline: If a user never activates their eligible role for months, access reviews can remove it. Hard to detect unused access with regular assignments.


True/False Questions

Question 1

True or False: A user can have both an "Eligible" and an "Active" assignment for the same role simultaneously.

Show Answer

True

A user can have both. For example, they might have:

  • Eligible assignment (for activation when needed)
  • Active assignment (for a specific short-term project)

However, this is unusual and often indicates misconfiguration. Typically, you'd have one or the other.


Question 2

True or False: PIM can manage access to third-party SaaS applications like Salesforce.

Show Answer

False

PIM manages:

  • Entra ID directory roles
  • Azure RBAC roles
  • Entra group memberships (for role-assignable groups)

It does NOT directly manage SaaS application access. For SaaS apps, use:

  • Entitlement Management (access packages)
  • Conditional Access
  • Application-specific admin roles

Question 3

True or False: If a user's PIM activation is approved, they receive the role immediately.

Show Answer

True

Once approved (or if no approval is required), the role is activated immediately. The activation starts at the approval time and runs for the requested duration. There's no additional delay after approval.


Question 4

True or False: PIM alerts automatically remediate issues when triggered.

Show Answer

False

PIM alerts notify administrators of potential issues but do NOT automatically fix them. An admin must review the alert and take appropriate action (e.g., remove extra Global Admins, convert active assignments to eligible). Alerts can be dismissed but will re-trigger if the condition persists.


Fill in the Blank

Question 1

The two types of PIM assignments are __________ and __________.

Show Answer

Eligible and Active

  • Eligible: User can activate but doesn't have the role by default
  • Active: User has the role immediately/continuously

Question 2

PIM requires __________ license for users who will activate roles.

Show Answer

Entra ID P2 (or Microsoft Entra ID Governance)


Question 3

The principle of "just enough, just in time" that PIM implements is also known as __________.

Show Answer

Just-In-Time (JIT) access or Least Privilege

The combination of:

  • Just Enough: Minimum permissions needed
  • Just In Time: Only when needed (not standing access)

Question 4

To link PIM activation to specific Conditional Access requirements, you use a(n) __________.

Show Answer

Authentication Context

You create an authentication context (just a label), create a CA policy targeting that context with your requirements (e.g., require a passkey from a compliant device), then link the context to the PIM role settings. When the user activates, they must satisfy the CA policy.

Released under the MIT License.