
Privileged Identity Management (PIM)

AZ-104 Weight: Low - Conceptual understanding only
License Required: Entra ID P2


What Is PIM?

PIM provides just-in-time (JIT) privileged access to Entra ID (formerly Azure AD) roles and Azure resources. Instead of holding permanent admin access, users:

  1. Are made eligible for a role
  2. Activate the role when they need it
  3. Lose the role automatically when the activation period expires

Why PIM Matters

Without PIM (Permanent Access)

┌─────────────────────────────────────────────────┐
│  User has Global Admin 24/7/365                 │
│                                                 │
│  Risk: Account compromise = full admin access   │
│  Risk: Accidental changes anytime               │
│  Risk: No audit of "why" access was used        │
└─────────────────────────────────────────────────┘

With PIM (Just-in-Time)

┌─────────────────────────────────────────────────┐
│  User is ELIGIBLE for Global Admin              │
│                                                 │
│  → Needs access? Activates for 4 hours          │
│  → Provides justification                       │
│  → May require approval                         │
│  → May require MFA                              │
│  → Access auto-expires                          │
│                                                 │
│  Result: Minimal standing privilege             │
└─────────────────────────────────────────────────┘

Key Concepts

| Term | Definition |
|---|---|
| Eligible | User CAN activate the role when needed |
| Active | User currently HAS the role (either permanent or activated) |
| Activation | Process of turning eligible into active |
| Justification | Reason provided when activating |
| Approval | Required sign-off from another person |
| Time-bound | Role automatically expires |

What PIM Can Protect

  1. Entra ID Roles

    • Global Administrator
    • User Administrator
    • Exchange Administrator
    • etc.
  2. Azure Resource Roles (RBAC)

    • Owner
    • Contributor
    • Reader
    • Custom roles
  3. Groups

    • Privileged Access Groups
    • Role-assignable groups

Activation Flow

┌────────────────────────────────────────────────────────────────┐
│                    PIM Activation Flow                         │
├────────────────────────────────────────────────────────────────┤
│                                                                │
│  1. User is ELIGIBLE          ┌──────────────┐                │
│     (no active permissions)   │  No Access   │                │
│                               └──────┬───────┘                │
│                                      │                         │
│  2. User requests activation         ▼                         │
│     • Provides justification  ┌──────────────┐                │
│     • Sets duration           │  Requesting  │                │
│                               └──────┬───────┘                │
│                                      │                         │
│  3. Approval (if required)           ▼                         │
│     • MFA verification        ┌──────────────┐                │
│     • Approver sign-off       │  Activating  │                │
│                               └──────┬───────┘                │
│                                      │                         │
│  4. Role is ACTIVE                   ▼                         │
│     (for specified duration)  ┌──────────────┐                │
│                               │    Active    │                │
│                               │  (4 hours)   │                │
│                               └──────┬───────┘                │
│                                      │                         │
│  5. Auto-expires                     ▼                         │
│                               ┌──────────────┐                │
│                               │   Expired    │                │
│                               │  (Eligible)  │                │
│                               └──────────────┘                │
│                                                                │
└────────────────────────────────────────────────────────────────┘

PIM Settings You Can Configure

Role Settings

| Setting | Description | Example |
|---|---|---|
| Maximum activation duration | How long the role can be active | 8 hours max |
| Require justification | Must explain why activating | Yes |
| Require MFA | MFA needed to activate | Yes |
| Require approval | Someone must approve | Yes, by Security Admin |
| Allow permanent assignment | Can assign without expiration | No |
| Require assignment justification | Explain why assigning to user | Yes |
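The activation flow and the role settings above can be read as one small policy check: a request is denied if a hard requirement (justification, MFA, maximum duration) is unmet, parked in Requesting while approval is pending, and otherwise becomes Active until its duration runs out and it falls back to Eligible. The following toy model is an added example, not code from the original page or from Microsoft; the class and field names are this example's own, chosen to mirror the settings table and the state names in the flow diagram.

```python
"""Toy model of a PIM activation checked against per-role settings.

Added example (not the page's or Microsoft's code). RoleSettings mirrors the
"Role Settings" table; ActivationRequest is what an eligible user submits from
My roles > Activate; the returned states follow the activation flow diagram.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RoleSettings:
    """Settings an administrator configures for one role."""
    max_activation_hours: float = 8.0
    require_justification: bool = True
    require_mfa: bool = True
    require_approval: bool = False


@dataclass
class ActivationRequest:
    """An eligible user's request to activate a role for a duration."""
    principal: str
    role: str
    duration_hours: float
    justification: str = ""
    mfa_completed: bool = False
    approved_by: Optional[str] = None


def evaluate(req: ActivationRequest, settings: RoleSettings) -> tuple[str, list[str]]:
    """Decide the next state of a request and list the reasons.

    Returns one of:
      ("Denied", reasons)      a hard requirement is unmet
      ("Requesting", reasons)  valid, but still waiting for an approver
      ("Active", [])           every setting is satisfied; the role is granted
    """
    reasons: list[str] = []
    if settings.require_justification and not req.justification.strip():
        reasons.append("justification is required")
    if settings.require_mfa and not req.mfa_completed:
        reasons.append("MFA must be completed before activation")
    if not 0 < req.duration_hours <= settings.max_activation_hours:
        reasons.append(
            f"duration must be between 0 and {settings.max_activation_hours} hours"
        )
    if reasons:
        return "Denied", reasons
    if settings.require_approval:
        if req.approved_by is None:
            return "Requesting", ["waiting for approver sign-off"]
        if req.approved_by == req.principal:
            # Approval is a second-person control; self-approval defeats it.
            return "Denied", ["approval must come from another person"]
    return "Active", []


def state_after(req: ActivationRequest, settings: RoleSettings, elapsed_hours: float) -> str:
    """State of the activation `elapsed_hours` after it was granted.

    An Active role becomes Expired (the user is merely Eligible again) once the
    requested duration has passed; nothing the user does extends it.
    """
    state, _ = evaluate(req, settings)
    if state != "Active":
        return state
    return "Active" if elapsed_hours < req.duration_hours else "Expired"


if __name__ == "__main__":
    # Settings from the Global Admin example later on this page: 4 hours max,
    # MFA, justification and approval all required.
    ga = RoleSettings(max_activation_hours=4.0, require_approval=True)
    req = ActivationRequest("alice", "Global Administrator", 4.0,
                            justification="Change INC-0001", mfa_completed=True)
    print(evaluate(req, ga))                 # ('Requesting', ['waiting for approver sign-off'])
    req.approved_by = "bob"
    print(evaluate(req, ga))                 # ('Active', [])
    print(state_after(req, ga, 4.0))         # Expired
```

The model deliberately treats duration, justification and MFA as hard failures and approval as a pending state, because that is the order the flow diagram shows: the request is only created once it is well-formed, and approval is the step that can keep it waiting.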

Portal Overview (Conceptual)

Accessing PIM

  1. Go to Microsoft Entra admin center
  2. Navigate to Identity governance > Privileged Identity Management

Key Sections

| Section | Purpose |
|---|---|
| My roles | See roles you're eligible for, activate |
| Approve requests | Approve others' activation requests |
| Entra roles | Configure PIM for directory roles |
| Azure resources | Configure PIM for Azure RBAC |
| Access reviews | Periodic validation of assignments |

Example: Setting Up PIM for Global Admin

Goal: No one has permanent Global Admin; must activate when needed

  1. Navigate to: PIM > Entra ID roles > Roles > Global Administrator
  2. Settings: Click Settings
    • Maximum activation: 4 hours
    • Require MFA on activation: Yes
    • Require justification: Yes
    • Require approval: Yes
    • Approver: Another Global Admin
  3. Assignments: Remove permanent, add eligible
    • Remove all Active assignments
    • Add users as Eligible only

Result: To use Global Admin, a user must:

  1. Go to PIM > My roles > Activate
  2. Complete MFA
  3. Provide justification
  4. Wait for approval
  5. Receive Global Admin for 4 hours
  6. Lose it automatically after 4 hours
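The goal of this example ("no one has permanent Global Admin") is something you can verify rather than assume. The audit below is an added example, not code from the original page or from Microsoft: it walks a snapshot of role assignments, separates eligible, currently activated and permanent rows, and reports any principal whose Global Administrator access is active with no expiry. The record layout (`kind` of "eligible" or "active", `ends` of None for a permanent assignment) and the snapshot itself are constructed for this example; a real audit would build the same rows from the assignments PIM lists for the role.

```python
"""Standing-privilege audit over a snapshot of PIM role assignments.

Added example, not the page's or Microsoft's code. The row layout and the
SNAPSHOT data are constructed; `ends` is an ISO-8601 timestamp for a
time-bound (activated) assignment and None for a permanent one.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: one row per assignment.
SNAPSHOT = [
    {"principal": "alice@contoso.example", "role": "Global Administrator",
     "kind": "active", "ends": None},                          # permanent: standing privilege
    {"principal": "bob@contoso.example", "role": "Global Administrator",
     "kind": "eligible", "ends": None},                        # eligible only: the goal state
    {"principal": "carol@contoso.example", "role": "Global Administrator",
     "kind": "active", "ends": "2025-01-10T14:00:00+00:00"},   # 4-hour activation in progress
    {"principal": "dave@contoso.example", "role": "Global Administrator",
     "kind": "active", "ends": "2025-01-10T09:00:00+00:00"},   # stale row: activation already over
    {"principal": "erin@contoso.example", "role": "User Administrator",
     "kind": "active", "ends": None},                          # permanent, but a different role
]


def _parse(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp; treat a naive value as UTC."""
    dt = datetime.fromisoformat(ts)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def standing_assignments(snapshot, role=None):
    """Principals with an active assignment that never expires.

    This is exactly what the 'Allow permanent assignment: No' setting is
    meant to prevent: access that exists even when nobody asked for it.
    """
    return [
        r["principal"] for r in snapshot
        if r["kind"] == "active" and r["ends"] is None
        and (role is None or r["role"] == role)
    ]


def summarize(snapshot, now_iso: str):
    """Per-role counts of eligible, currently activated, expired and permanent rows."""
    now = _parse(now_iso)
    counts = defaultdict(lambda: {"eligible": 0, "activated": 0, "expired": 0, "permanent": 0})
    for r in snapshot:
        bucket = counts[r["role"]]
        if r["kind"] == "eligible":
            bucket["eligible"] += 1
        elif r["ends"] is None:
            bucket["permanent"] += 1
        elif _parse(r["ends"]) > now:
            bucket["activated"] += 1
        else:
            bucket["expired"] += 1      # should not appear in a fresh export
    return dict(counts)


def check_no_standing_admin(snapshot, role="Global Administrator"):
    """The goal of the example above: zero permanent assignments for the role.

    Returns the offending principals; an empty list means the goal is met.
    """
    return standing_assignments(snapshot, role)


if __name__ == "__main__":
    now = "2025-01-10T12:00:00+00:00"
    for role, c in summarize(SNAPSHOT, now).items():
        print(f"{role}: {c}")
    offenders = check_no_standing_admin(SNAPSHOT)
    print("standing Global Admin:", ", ".join(offenders) if offenders else "none")
```

Running this as a scheduled check turns the "remove all Active assignments" step into a control that is re-verified, so a permanent assignment added later (or an eligible user quietly converted to active) shows up instead of becoming the new normal.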

PIM vs Regular Role Assignment

| Aspect | Regular Assignment | PIM Assignment |
|---|---|---|
| Access type | Permanent or time-bound | Eligible (JIT) |
| MFA | Not required | Can be required |
| Justification | Not captured | Required |
| Approval | Not available | Available |
| Audit trail | Basic | Comprehensive |
| Zero standing privilege | No | Yes |

Access Reviews with PIM

PIM integrates with Access Reviews to periodically validate:

  • Are eligible users still appropriate?
  • Should active assignments continue?
  • Are guest users still needed?

Example: Quarterly review of all Global Admin eligible users


Exam Tips for AZ-104

What to know:

  • PIM provides just-in-time access
  • Requires Entra ID P2 license
  • Users can be "eligible" vs "active"
  • Activation can require MFA, justification, approval
  • Works for both Entra ID roles AND Azure RBAC

What's NOT on AZ-104:

  • Detailed PIM configuration
  • Access review setup
  • PIM alerts and notifications
  • PIM API/automation

Practice Question

Scenario: Your security team wants to ensure that no one has standing Global Administrator access. Admins should request access when needed, provide justification, and access should expire automatically.

What should you implement?

A) Conditional Access with session timeout
B) Privileged Identity Management with eligible assignments
C) Administrative Units with delegated roles
D) Just-in-time VM access

Answer

B) Privileged Identity Management with eligible assignments

Explanation: PIM is specifically designed for:

  • Zero standing privilege (eligible, not active)
  • Just-in-time activation
  • Justification requirement
  • Automatic expiration

Conditional Access controls sign-in, not role duration. Admin Units delegate scope, not time-bound access. JIT VM access is for VMs, not Entra roles.


Summary

| Feature | Purpose |
|---|---|
| Eligible assignments | User CAN have access, but doesn't currently |
| Activation | Turning eligible into active |
| Time-bound | Access automatically expires |
| Justification | Audit trail of why access was needed |
| Approval workflow | Second person validates need |
| Access reviews | Periodic validation of assignments |

Key takeaway: PIM implements the principle of least privilege by providing just-in-time, just-enough access for privileged roles.

Released under the MIT License.