
Lab 07: PIM - Portal Solution

Step-by-step portal walkthrough for all lab tasks


Task 1: Explore PIM Dashboard

Step 1.1: Access PIM

  1. Go to the Microsoft Entra admin center: https://entra.microsoft.com
  2. Navigate to Identity governance → Privileged Identity Management
  3. You'll see the PIM Quick Start page

Step 1.2: Explore My Roles

  1. In PIM, click My roles in the left menu
  2. You'll see tabs:
    • Entra ID roles - Your eligible/active directory roles
    • Azure resources - Your eligible/active Azure RBAC roles
    • Groups - Your eligible/active group memberships
  3. Note which roles you have as "Eligible" vs "Active"

Step 1.3: Review Current Assignments (Admin View)

  1. Click Manage → Entra ID roles
  2. Click Roles to see all roles
  3. Click Assignments to see all current assignments
  4. Use filters to view:
    • Eligible assignments - Users who can activate
    • Active assignments - Users who currently have the role
  5. Look for roles with "Permanent" status (no end date)

Checkpoint: You understand the PIM interface and current state
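The review in Step 1.3 is worth repeating from a script, because the portal's filters hide the one fact that matters most: which active assignments are standing (never expire and never went through an activation). The block below is an added example, not part of the original lab, using the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph modules are installed and that the signed-in account can read role management data (Privileged Role Administrator or Global Reader); the cmdlets and the AssignmentType/MemberType values are those of the v1.0 role management API.

```powershell
# Added example (not from the original lab): Step 1.3 via Microsoft Graph PowerShell.
# Assumes Microsoft.Graph is installed and the caller can read role management data.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All" -NoWelcome

# Resolve a principal id (user, group or service principal) to a display name.
function Resolve-PrincipalName {
    param([Parameter(Mandatory)][string]$Id)
    try { (Get-MgDirectoryObjectById -Ids $Id).AdditionalProperties['displayName'] }
    catch { $Id }   # deleted or unresolvable principal: keep the raw id
}

# Eligible = can activate; active = holds the role right now (standing or activated through PIM).
$eligible = Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -All -ExpandProperty roleDefinition
$active   = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance  -All -ExpandProperty roleDefinition

$activeReport = foreach ($a in $active) {
    [pscustomobject]@{
        Role      = $a.RoleDefinition.DisplayName
        Principal = Resolve-PrincipalName -Id $a.PrincipalId
        Type      = $a.AssignmentType    # "Assigned" = standing assignment, "Activated" = came through PIM
        Via       = $a.MemberType        # "Direct" or "Group" (role-assignable group)
        Ends      = $a.EndDateTime       # $null is what the portal shows as "Permanent"
    }
}

"Eligible instances: $(@($eligible).Count)   Active instances: $(@($active).Count)"
$activeReport | Sort-Object Role, Principal | Format-Table -AutoSize

# The finding Step 1.3 asks for: standing (permanent, not activated) assignments.
# Each one is a candidate to convert to an eligible assignment, except documented break-glass accounts.
$standing = $activeReport | Where-Object { $null -eq $_.Ends -and $_.Type -eq 'Assigned' }
"Permanent active assignments: $(@($standing).Count)"
$standing | Format-Table -AutoSize
```

Group-based assignments (Via = Group) deserve a second look: the role holder is whoever can add members to that role-assignable group, so check its ownership too.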


Task 2: Configure PIM Settings for Global Administrator

Step 2.1: Access Role Settings

  1. In PIM → Manage → Entra ID roles
  2. Click Settings
  3. Find Global Administrator and click on it
  4. Click Edit (clicking the role name also opens its settings)

Step 2.2: Configure Activation Settings

Under Activation tab:

| Setting | Value |
| --- | --- |
| Activation maximum duration (hours) | 4 |
| On activation, require | ✅ Azure MFA |
| Require justification on activation | ✅ Yes |
| Require ticket information on activation | ☐ No |
| Require approval to activate | ✅ Yes |

Step 2.3: Configure Approvers

  1. Under "Select approver(s)", click Select member(s)
  2. Search for and select the approving admin (yourself or another admin)
  3. Click Select

Step 2.4: Configure Assignment Settings

Under Assignment tab:

| Setting | Value |
| --- | --- |
| Allow permanent eligible assignment | ✅ Yes |
| Expire eligible assignments after | leave the default, or set 1 year |
| Allow permanent active assignment | ☐ No |
| Expire active assignments after | 15 days (the shortest option; active-assignment expiry is set in days or months, while the 4-hour limit from Step 2.2 applies to activations, not to admin-made active assignments) |
| Require Azure MFA on active assignment | ✅ Yes |
| Require justification on active assignment | ✅ Yes |

Step 2.5: Configure Notifications

Under Notification tab:

  • Configure who receives emails for various events
  • Recommended: Enable notifications for role activations

Step 2.6: Save Settings

  1. Click Update
  2. Confirm the settings are saved

Checkpoint: Global Administrator has strict PIM requirements. Before tightening these settings in a real tenant, confirm that at least one emergency-access (break-glass) account holds a permanent active Global Administrator assignment and is excluded from Conditional Access, so an MFA or approver outage cannot lock every administrator out.


Task 3: Create an Eligible Assignment

Step 3.1: Add Eligible Assignment

  1. In PIM → Manage → Entra ID roles → Assignments
  2. Click + Add assignments
  3. Select role: User Administrator
  4. Select member(s): Click, then search for User1
  5. Click Next

Step 3.2: Configure Assignment Type

  1. Assignment type: Select Eligible
  2. Permanently eligible: Leave UNCHECKED
  3. Assignment starts: Today
  4. Assignment ends: Select a date 6 months from now
  5. Click Assign

Step 3.3: Verify Assignment

  1. Go to Assignments tab
  2. Filter by Eligible assignments
  3. Confirm User1 shows as eligible for User Administrator
  4. Verify there's NO active assignment for User1

Checkpoint: User1 is eligible but not active for User Administrator
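The same assignment and the Step 3.3 verification, done through Graph so the result can be asserted instead of eyeballed. This is an added example and not part of the original lab; it assumes the Microsoft.Graph modules are installed, that the caller is a Privileged Role Administrator, and that `$user1Upn` is a placeholder for the lab's User1 (the lab does not give a real UPN). The `adminAssign` action and the `afterDateTime` expiration are the v1.0 roleEligibilityScheduleRequest fields.

```powershell
# Added example (not from the original lab): Task 3 via Microsoft Graph PowerShell.
# Assumes Microsoft.Graph is installed and the caller is a Privileged Role Administrator.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "User.Read.All" -NoWelcome

$user1Upn = "user1@contoso.onmicrosoft.com"     # assumed placeholder for the lab's User1
$user1    = Get-MgUser -UserId $user1Upn -Property Id
$roleDef  = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'User Administrator'"

$now = (Get-Date).ToUniversalTime()
$params = @{
    action           = "adminAssign"                       # an admin creates the assignment
    justification    = "Lab 07: User1 eligible for User Administrator"
    roleDefinitionId = $roleDef.Id
    directoryScopeId = "/"                                 # tenant-wide, no administrative-unit scoping
    principalId      = $user1.Id
    scheduleInfo     = @{
        startDateTime = $now
        expiration    = @{
            type        = "afterDateTime"                  # time-bound: "Permanently eligible" unchecked
            endDateTime = $now.AddMonths(6)
        }
    }
}
$request = New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $params
"Request $($request.Id): $($request.Status)"

# Step 3.3: an eligible instance must exist and an active instance must not.
$eligible = Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance `
    -Filter "principalId eq '$($user1.Id)' and roleDefinitionId eq '$($roleDef.Id)'"
$active   = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance `
    -Filter "principalId eq '$($user1.Id)' and roleDefinitionId eq '$($roleDef.Id)'"

if ($eligible -and -not $active) {
    "OK: User1 is eligible until $($eligible.EndDateTime) and holds no active User Administrator assignment"
} elseif ($active) {
    Write-Warning "User1 already holds User Administrator actively (AssignmentType=$($active.AssignmentType)); an eligibility on top of a standing assignment changes nothing"
} else {
    Write-Warning "Eligibility not visible yet; re-run the check in a minute"
}
```

The active-instance check is the part people skip: an eligible assignment alongside an existing standing assignment looks tidy in the portal but enforces nothing.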


Task 4: Configure PIM Settings for User Administrator Role

Step 4.1: Access Settings

  1. In PIM → Manage → Entra ID roles → Settings
  2. Click User Administrator
  3. Click Edit

Step 4.2: Configure Activation

| Setting | Value |
| --- | --- |
| Activation maximum duration (hours) | 8 |
| On activation, require | ✅ Azure MFA |
| Require justification on activation | ✅ Yes |
| Require ticket information | ☐ No |
| Require approval to activate | ☐ No |

Step 4.3: Configure Assignment

| Setting | Value |
| --- | --- |
| Allow permanent eligible | ✅ Yes |
| Allow permanent active | ☐ No |
| Expire active assignments after | 15 days (the shortest option; this setting is measured in days or months, the 8-hour limit applies to activations) |

Step 4.4: Configure Notifications

  1. Under Notification tab
  2. For "Send notifications when eligible members activate this role":
    • Add admin email addresses as recipients
  3. Click Update

Checkpoint: User Administrator configured for self-service activation with MFA
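Tasks 2 and 4 are the same procedure with different values, which is exactly what drifts when it is done by hand in the portal. The block below is an added example, not part of the original lab, that applies both roles' activation and assignment settings through the role management policy API with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph modules are installed and the caller is a Privileged Role Administrator; the approver UPN is a placeholder. The rule ids (`Expiration_EndUser_Assignment`, `Enablement_EndUser_Assignment`, `Approval_EndUser_Assignment`, `Expiration_Admin_Eligibility`, `Expiration_Admin_Assignment`, `Enablement_Admin_Assignment`) are the fixed ids Entra uses for the corresponding portal settings, and the two role template ids are the built-in ones.

```powershell
# Added example (not from the original lab): Task 2 and Task 4 role settings via Microsoft Graph PowerShell.
# Assumes Microsoft.Graph is installed and the caller is a Privileged Role Administrator.
Connect-MgGraph -Scopes "RoleManagementPolicy.ReadWrite.Directory", "User.Read.All" -NoWelcome

function Set-PimRoleSettings {
    param(
        [Parameter(Mandatory)][string] $RoleTemplateId,     # built-in role template id
        [Parameter(Mandatory)][int]    $MaxActivationHours,
        [switch] $RequireApproval,
        [string] $ApproverUserId,                            # needed with -RequireApproval
        [string] $ActiveAssignmentExpiry = "P15D"            # shortest allowed; permanent active stays off
    )
    # Exactly one policy is bound to each directory role at tenant scope ("/").
    $binding  = Get-MgPolicyRoleManagementPolicyAssignment `
        -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$RoleTemplateId'"
    $policyId = $binding.PolicyId

    function Target([string]$Caller, [string]$Level) {
        @{ "@odata.type" = "microsoft.graph.unifiedRoleManagementPolicyRuleTarget"
           caller = $Caller; operations = @("All"); level = $Level
           inheritableSettings = @(); enforcedSettings = @() }
    }
    function Set-Rule([string]$RuleId, [hashtable]$Body) {
        $Body.id = $RuleId
        Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
            -UnifiedRoleManagementPolicyRuleId $RuleId -BodyParameter $Body
    }

    # Activation tab: maximum duration (ISO 8601), MFA + justification, approval.
    Set-Rule "Expiration_EndUser_Assignment" @{
        "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"
        isExpirationRequired = $true; maximumDuration = "PT${MaxActivationHours}H"
        target = Target "EndUser" "Assignment" }
    Set-Rule "Enablement_EndUser_Assignment" @{
        "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule"
        enabledRules = @("MultiFactorAuthentication", "Justification")   # add "Ticketing" for ticket info
        target = Target "EndUser" "Assignment" }
    $approvers = if ($RequireApproval) { @(@{ "@odata.type" = "#microsoft.graph.singleUser"; userId = $ApproverUserId }) } else { @() }
    Set-Rule "Approval_EndUser_Assignment" @{
        "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule"
        setting = @{
            "@odata.type" = "microsoft.graph.approvalSettings"
            isApprovalRequired = [bool]$RequireApproval; isApprovalRequiredForExtension = $false
            isRequestorJustificationRequired = $true; approvalMode = "SingleStage"
            approvalStages = @(@{
                "@odata.type" = "microsoft.graph.unifiedApprovalStage"
                approvalStageTimeOutInDays = 1; isApproverJustificationRequired = $true
                escalationTimeInMinutes = 0; isEscalationEnabled = $false
                primaryApprovers = $approvers; escalationApprovers = @() })
        }
        target = Target "EndUser" "Assignment" }

    # Assignment tab: permanent eligible allowed, permanent active not allowed, MFA + justification on active assignment.
    Set-Rule "Expiration_Admin_Eligibility" @{
        "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"
        isExpirationRequired = $false; maximumDuration = "P365D"
        target = Target "Admin" "Eligibility" }
    Set-Rule "Expiration_Admin_Assignment" @{
        "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"
        isExpirationRequired = $true; maximumDuration = $ActiveAssignmentExpiry
        target = Target "Admin" "Assignment" }
    Set-Rule "Enablement_Admin_Assignment" @{
        "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule"
        enabledRules = @("MultiFactorAuthentication", "Justification")
        target = Target "Admin" "Assignment" }
}

$ga = "62e90394-69f5-4237-9190-012177145e10"   # Global Administrator template id
$ua = "fe930be7-5e62-47db-91af-98c3a49a38b1"   # User Administrator template id
$approver = (Get-MgUser -UserId "approver@contoso.onmicrosoft.com" -Property Id).Id   # assumed placeholder

Set-PimRoleSettings -RoleTemplateId $ga -MaxActivationHours 4 -RequireApproval -ApproverUserId $approver   # Task 2
Set-PimRoleSettings -RoleTemplateId $ua -MaxActivationHours 8                                              # Task 4
```

Each rule is replaced whole, so read the current rule back first if a role has settings (notification recipients, an authentication context) that you mean to keep.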


Task 5: Activate a Role (User Experience)

Step 5.1: Sign In as Eligible User

  1. Open InPrivate/Incognito browser
  2. Go to https://entra.microsoft.com
  3. Sign in as User1 (the eligible user)

Step 5.2: Navigate to My Roles

  1. In Entra admin center, search for "PIM" or navigate to:
    • Identity governance → Privileged Identity Management
  2. Click My roles
  3. Click Entra ID roles tab

Step 5.3: Activate the Role

  1. Find User Administrator in the "Eligible assignments" section
  2. Click Activate
  3. A panel opens on the right

Step 5.4: Complete Activation Form

  1. Duration: Select hours (e.g., 2 hours)
    • Note: Cannot exceed maximum set in role settings (8 hours)
  2. Reason: Enter justification
    • Example: "Creating test users for Project Alpha development environment"
  3. Complete MFA if prompted
  4. Click Activate

Step 5.5: Verify Activation

  1. Wait a moment for activation to process
  2. Refresh the page
  3. The role should now appear under Active assignments
  4. Note the End time - this is when access automatically expires

Step 5.6: Test the Role

  1. Navigate to Identity → Users → All users
  2. Try to create a new user (you now have permission)
  3. The action should succeed

Checkpoint: User1 successfully activated User Administrator role
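Activation is also an API call, which matters when the "user" is an automation identity or when you want to script the Step 5.5 check. The block below is an added example, not part of the original lab, using the Microsoft Graph PowerShell SDK. It assumes the interactive sign-in is done as User1 and satisfies MFA (the Task 4 policy rejects an activation request from a session that did not), and that the Microsoft.Graph modules are installed. The User Administrator template id is the built-in one; nothing else is tenant-specific.

```powershell
# Added example (not from the original lab): Task 5 self-activation via Microsoft Graph PowerShell.
# Sign in as User1; the session must have satisfied MFA or the role policy rejects the request.
Connect-MgGraph -Scopes "RoleAssignmentSchedule.ReadWrite.Directory", "User.Read" -NoWelcome

$roleTemplateId = "fe930be7-5e62-47db-91af-98c3a49a38b1"    # User Administrator (built-in template id)
$meId = (Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/v1.0/me?$select=id').id

$params = @{
    action           = "selfActivate"
    principalId      = $meId
    roleDefinitionId = $roleTemplateId
    directoryScopeId = "/"
    justification    = "Creating test users for Project Alpha development environment"
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = "afterDuration"; duration = "PT2H" }   # must not exceed the role's 8-hour maximum
    }
}
$request = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $params
"Activation request: $($request.Status)"   # Provisioned for immediate activation; PendingApproval if the role needs approval

# Step 5.5: wait for the active instance and read what the portal shows as "End time".
$instance = $null
for ($i = 0; $i -lt 12 -and -not $instance; $i++) {
    Start-Sleep -Seconds 5
    $instance = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance `
        -Filter "principalId eq '$meId' and roleDefinitionId eq '$roleTemplateId'"
}
if ($instance) {
    "Active: $($instance.AssignmentType) from $($instance.StartDateTime) until $($instance.EndDateTime)"
} else {
    Write-Warning "No active instance after 60 s: the request is probably still pending approval"
}
```

A request for a duration longer than the role's maximum, or one without a justification when the policy demands one, fails at submission rather than at approval, so validate the duration against the role settings before building the request in automation.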


Task 6: Configure PIM for Azure RBAC Roles

Step 6.1: Discover Azure Resources

  1. In PIM → Manage → Azure resources
  2. If you see "No resources found":
    • Click Discover resources
    • Select your subscription
    • Click Manage resource
  3. Wait for discovery to complete

Step 6.2: Navigate to Resource

  1. Click on your subscription (or expand to find a resource group)
  2. You'll see the Azure RBAC PIM interface

Step 6.3: Add Eligible Assignment

  1. Click Assignments (under the resource)
  2. Click + Add assignments
  3. Select role: Contributor
  4. Select member(s): User2
  5. Click Next
  6. Assignment type: Eligible
  7. Permanently eligible: Uncheck
  8. End date: 6 months from now
  9. Click Assign

Step 6.4: Configure Role Settings

  1. In the Azure resource view, click Settings
  2. Click Contributor
  3. Click Edit
  4. Configure:
    • Maximum activation duration: 8 hours
    • Require MFA: Yes
    • Require justification: Yes
  5. Click Update

Checkpoint: User2 can activate Contributor role on Azure resources
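PIM for Azure resources sits on the Azure RBAC API rather than Microsoft Graph, so the scripted form of Task 6 uses the Az module. The block below is an added example, not part of the original lab. It assumes Az.Accounts and Az.Resources are installed, that the caller is Owner or User Access Administrator on the subscription, and that the User2 UPN is a placeholder; the Contributor role definition id is the built-in one.

```powershell
# Added example (not from the original lab): Task 6 eligible Contributor assignment with Az PowerShell.
# Assumes Az.Accounts + Az.Resources and Owner / User Access Administrator on the subscription.
Connect-AzAccount
$scope  = "/subscriptions/$((Get-AzContext).Subscription.Id)"
$user2  = Get-AzADUser -UserPrincipalName "user2@contoso.onmicrosoft.com"      # assumed placeholder
$roleId = "$scope/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"   # Contributor

$now = (Get-Date).ToUniversalTime()
New-AzRoleEligibilityScheduleRequest -Name (New-Guid).Guid -Scope $scope `
    -PrincipalId $user2.Id -RoleDefinitionId $roleId `
    -RequestType AdminAssign -Justification "Lab 07: User2 eligible for Contributor" `
    -ScheduleInfoStartDateTime $now -ExpirationType AfterDateTime -ExpirationEndDateTime $now.AddMonths(6)

# Verify Step 6.3: one eligibility schedule for User2, no active assignment schedule for the same role.
Get-AzRoleEligibilitySchedule -Scope $scope -Filter "principalId eq '$($user2.Id)'" |
    Select-Object RoleDefinitionDisplayName, PrincipalDisplayName, StartDateTime, EndDateTime, Status

$activeContrib = Get-AzRoleAssignmentSchedule -Scope $scope -Filter "principalId eq '$($user2.Id)'" |
    Where-Object RoleDefinitionId -eq $roleId
if ($activeContrib) { Write-Warning "User2 already holds Contributor actively on $scope" } else { "OK: eligible only" }
```

Subscription scope is what the lab uses; in practice prefer the narrowest resource group that still covers the work, because the eligibility inherits down to every resource beneath the scope you pick.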


Task 7: Approve/Deny PIM Requests

Step 7.1: Access Approval Queue

  1. Sign in as an approver (the admin designated in role settings)
  2. Navigate to PIM → Approve requests
  3. You'll see tabs:
    • Entra ID roles
    • Azure resources
    • Groups

Step 7.2: Review Pending Request

  1. If there are pending requests, click on one
  2. Review:
    • Who is requesting
    • What role they want
    • Their justification
    • Requested duration

Step 7.3: Process the Request

To Approve:

  1. Click Approve
  2. Add a comment (optional): "Approved for project work"
  3. Confirm

To Deny:

  1. Click Deny
  2. Add a reason (required): "Please submit a ticket first with manager approval"
  3. Confirm

Step 7.4: Verify Notification

  • Requester receives email notification of decision
  • If approved, role is now active for them

Checkpoint: You can process PIM approval requests


Task 8: Create an Access Review

Step 8.1: Navigate to Access Reviews

  1. In PIM → ManageEntra ID roles
  2. Click Access reviews
  3. Click + New

Step 8.2: Configure Review Basics

| Field | Value |
| --- | --- |
| Review name | Quarterly User Admin Review |
| Description | Quarterly review of User Administrator role assignments |
| Start date | Today |
| Frequency | Quarterly |
| Duration (days) | 14 |
| End | Never (or select an end date) |

Step 8.3: Configure Scope

  1. Scope: Select User Administrator role
  2. Review type: Select assignment types to review:
    • ✅ Active
    • ✅ Eligible

Step 8.4: Configure Reviewers

| Setting | Value |
| --- | --- |
| Select reviewers | Selected user(s) or group(s), or Members (self) |
| Reviewers | Add yourself or a security group |
| Fallback reviewers | Add a backup reviewer |

For self-review: Select Members (self)

Step 8.5: Configure Completion Settings

| Setting | Value |
| --- | --- |
| Auto apply results to resource | ✅ Yes |
| If reviewers don't respond | Remove access |
| Action to apply on denied guest users | N/A for this role |

Step 8.6: Review and Create

  1. Click Next: Review + Create
  2. Review all settings
  3. Click Create

Checkpoint: Access review is scheduled to run quarterly


Task 9: Review PIM Audit Logs

Step 9.1: Access Audit History

  1. In PIM → ManageEntra ID roles
  2. Click Resource audit or Directory roles audit

Step 9.2: Filter Audit Logs

Use filters to find specific events:

  • Activity: Add member to role completed, Remove member from role, Update role settings
  • Date range: Last 7 days
  • Status: Succeeded, Failed

Step 9.3: Review Key Events

Look for these types of entries:

  • Add member to role in PIM completed / Add eligible member to role in PIM completed - an admin created an active or eligible assignment
  • Add member to role completed (PIM activation) - an eligible user activated the role
  • Remove member from role completed - an activation expired or an assignment was removed
  • Update role setting in PIM - an admin changed the PIM settings for a role

The suffixes in parentheses, such as "(permanent)" or "(PIM activation)", tell you which kind of assignment an entry refers to, so filter on the full activity name rather than on the prefix alone.

Step 9.4: Export Audit Data

  1. Click Export
  2. Download as CSV for compliance reporting

Checkpoint: You can audit all PIM activity
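The portal filters in Step 9.2 map onto an audit-log query, which is the form you want for recurring evidence collection and for the check behind the first Task 10 alert (role assignments that bypassed PIM). The block below is an added example, not part of the original lab, using the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph modules are installed and the caller can read the audit log (Security Reader, Global Reader or similar). The "MS-PIM" app name used to recognise PIM-initiated membership changes in Core Directory entries is the display name of the PIM service principal.

```powershell
# Added example (not from the original lab): Task 9 audit review via Microsoft Graph PowerShell.
# Assumes Microsoft.Graph is installed and the caller can read audit logs.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All" -NoWelcome
$since = (Get-Date).ToUniversalTime().AddDays(-7).ToString("yyyy-MM-ddTHH:mm:ssZ")

# Flatten one audit entry into the columns the portal shows.
function Format-AuditRow($e) {
    [pscustomobject]@{
        When     = $e.ActivityDateTime
        Activity = $e.ActivityDisplayName
        Result   = $e.Result
        Service  = $e.LoggedByService
        Actor    = if ($e.InitiatedBy.User.UserPrincipalName) { $e.InitiatedBy.User.UserPrincipalName } else { $e.InitiatedBy.App.DisplayName }
        Targets  = ($e.TargetResources | ForEach-Object { if ($_.UserPrincipalName) { $_.UserPrincipalName } else { $_.DisplayName } }) -join '; '
    }
}

# Steps 9.2/9.3: everything PIM itself recorded in the last 7 days (assignments, activations, setting changes).
$pimEvents = @(Get-MgAuditLogDirectoryAudit -All -Filter "loggedByService eq 'PIM' and activityDateTime ge $since")
$pimEvents | ForEach-Object { Format-AuditRow $_ } | Sort-Object When -Descending | Format-Table -AutoSize

# What the "Roles are being assigned outside of PIM" alert looks for: "Add member to role" recorded by
# Core Directory and not initiated by the PIM service (activations also produce a Core Directory entry,
# but those are initiated by the MS-PIM app).
$direct  = @(Get-MgAuditLogDirectoryAudit -All -Filter "activityDisplayName eq 'Add member to role' and activityDateTime ge $since")
$outside = @($direct | Where-Object { $_.LoggedByService -ne 'PIM' -and $_.InitiatedBy.App.DisplayName -ne 'MS-PIM' })
"Role assignments made outside PIM in the last 7 days: $($outside.Count)"
$outside | ForEach-Object { Format-AuditRow $_ } | Format-Table -AutoSize

# Step 9.4: the same export the portal's Export button produces, for compliance evidence.
($pimEvents + $outside) | ForEach-Object { Format-AuditRow $_ } |
    Export-Csv -Path ".\pim-audit-last7d.csv" -NoTypeInformation
```

Directory audit entries are retained for a limited time in the tenant, so route them to a log analytics workspace or SIEM if the quarterly review in Task 8 is expected to cite them.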


Task 10: Configure PIM Alerts

Step 10.1: Access Alerts

  1. In PIM → ManageEntra ID roles
  2. Click Alerts
  3. You'll see a list of built-in alerts

Step 10.2: Review Built-in Alerts

| Alert | Description |
| --- | --- |
| Roles are being assigned outside of PIM | A role was assigned directly (for example through Users → Assigned roles or the directory roles API) instead of through a PIM request, so it skipped MFA, justification and approval |
| Potential stale Global Administrator accounts | Privileged accounts that have not signed in recently |
| Too many Global Administrators | More Global Administrators than the configured threshold |
| Administrators aren't using privileged roles | Eligible users who have not activated the role |
| Roles don't require MFA for activation | Role settings allow activation without MFA |

Step 10.3: Configure Alert Settings

  1. Click on an alert (e.g., "Too many Global Administrators")
  2. Click Setting
  3. Configure:
    • Threshold (e.g., alert when more than 5 Global Admins)
    • Whether alert is enabled
  4. Click Update

Step 10.4: View Alert Status

  • Alerts show Triggered if condition is met
  • Click Dismiss to acknowledge (alert will re-trigger if condition persists)
  • Click Scan to manually check for issues

Checkpoint: PIM alerts are configured for proactive monitoring
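Two of the built-in alerts are simple enough to re-implement as scheduled checks, which is useful when the PIM alert page is not something anyone opens daily. The block below is an added example, not part of the original lab, using the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph modules are installed and the caller can read role management data and policies; the threshold of 5 mirrors the value the lab uses, and `Enablement_EndUser_Assignment` is the fixed rule id behind the "On activation, require" setting.

```powershell
# Added example (not from the original lab): the "Too many Global Administrators" and
# "Roles don't require MFA for activation" checks from Task 10, as a script.
# Assumes Microsoft.Graph is installed and the caller can read role management data and policies.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "RoleManagementPolicy.Read.Directory" -NoWelcome

$gaTemplateId = "62e90394-69f5-4237-9190-012177145e10"   # Global Administrator
$threshold    = 5                                        # same threshold the lab configures

# Alert 1: everyone who currently holds Global Administrator, standing or activated.
$ga       = @(Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -All -Filter "roleDefinitionId eq '$gaTemplateId'")
$standing = @($ga | Where-Object AssignmentType -eq 'Assigned')
"Global Administrators active now: $($ga.Count) ($($standing.Count) standing)"
if ($ga.Count -gt $threshold) { Write-Warning "More than $threshold Global Administrators; convert standing ones to eligible" }

# Alert 2: every directory role whose activation rule does not demand MFA.
$roleNames = @{}
Get-MgRoleManagementDirectoryRoleDefinition -All | ForEach-Object { $roleNames[$_.Id] = $_.DisplayName }
$bindings = Get-MgPolicyRoleManagementPolicyAssignment -All `
    -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole'" -ExpandProperty "policy(`$expand=rules)"

$noMfa = foreach ($b in $bindings) {
    $rule = $b.Policy.Rules | Where-Object Id -eq 'Enablement_EndUser_Assignment'
    # enabledRules belongs to the enablement rule subtype, so the SDK surfaces it in AdditionalProperties.
    $enabled = @($rule.AdditionalProperties['enabledRules'])
    if ($enabled -notcontains 'MultiFactorAuthentication') {
        [pscustomobject]@{ Role = $roleNames[$b.RoleDefinitionId]; OnActivation = ($enabled -join ',') }
    }
}
"Roles activating without MFA: $(@($noMfa).Count)"
$noMfa | Sort-Object Role | Format-Table -AutoSize
```

A role that requires a Conditional Access authentication context instead of plain MFA also lands in the second list (its MFA demand lives in the `AuthenticationContext_EndUser_Assignment` rule), so check that rule before treating such a role as a finding.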


Summary Checklist

| Task | Status |
| --- | --- |
| Explored PIM dashboard | ☐ |
| Configured Global Admin role settings | ☐ |
| Created eligible assignment for User1 | ☐ |
| Configured User Administrator settings | ☐ |
| Tested role activation as user | ☐ |
| Configured PIM for Azure resources | ☐ |
| Processed approval request | ☐ |
| Created access review | ☐ |
| Reviewed PIM audit logs | ☐ |
| Configured PIM alerts | ☐ |

Released under the MIT License.