PIM & Just-in-Time Access: AZ-500 Exam Essentials

Privileged Identity Management (PIM) is the AZ-500's answer to standing privilege. Learn eligible vs active assignments, approval workflows, access reviews, and the audit trail the exam expects you to know.

Microsoft Cloud Solution Architect
Tags: AZ-500, PIM, Privileged Identity Management, JIT, Zero Trust, Certification

What Is PIM?

Privileged Identity Management (PIM) is an Entra ID service that manages, controls, and monitors access to high-privilege roles. The core idea: no one has permanent admin access. Instead, users are "eligible" for a role and must activate it when needed, which is just-in-time (JIT) access.

Eligible vs Active Assignments

| Type | Behavior |
|------|----------|
| Eligible | User can activate the role when needed; it is not active until they do |
| Active | Role is permanently assigned: the user always has it |

The exam tests when you would use Active vs Eligible. Active is reserved for service accounts or break-glass accounts that cannot tolerate an activation delay. All human admins should be Eligible.

Activation Flow

  1. User navigates to PIM in the Entra portal
  2. Requests activation and provides a justification (required by default)
  3. If the role requires approval: an approver is notified and must approve
  4. Time-bound activation begins (typically 1 to 8 hours, configurable)
  5. Activation ends automatically; user must re-activate if they need access again

Exam tip: PIM sends email notifications on activation by default. Notifications can be sent to approvers, role owners, or both.
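
The following is an added example, not part of the original article: a small check that applies the rules above (Active only for service or break-glass accounts, justification required, a bounded activation window) to a set of role assignments and role settings. The record shapes, account names, and the 8-hour ceiling are assumptions made for illustration; they are not a PIM export schema.

```python
from dataclasses import dataclass

@dataclass
class Assignment:          # hypothetical record shape, not a PIM export schema
    principal: str
    kind: str              # "user" or "service"
    role: str
    state: str             # "Eligible" or "Active"
    break_glass: bool = False

@dataclass
class RoleSetting:         # hypothetical per-role activation settings
    role: str
    max_hours: int
    require_justification: bool

def audit(assignments, settings, max_hours=8):
    """Return (subject, role, issue) tuples for deviations from the guidance above."""
    findings = []
    for a in assignments:
        # Active is reserved for service and break-glass accounts.
        if a.state == "Active" and a.kind == "user" and not a.break_glass:
            findings.append((a.principal, a.role, "human admin holds a standing Active assignment"))
    for s in settings:
        if not s.require_justification:
            findings.append(("role setting", s.role, "activation does not require a justification"))
        # Assumed ceiling, taken from the "typically 1 to 8 hours" range.
        if s.max_hours > max_hours:
            findings.append(("role setting", s.role, f"activation window {s.max_hours}h exceeds {max_hours}h"))
    return findings

# Constructed sample data.
ASSIGNMENTS = [
    Assignment("alice@contoso.example", "user", "Global Administrator", "Eligible"),
    Assignment("bob@contoso.example", "user", "Security Administrator", "Active"),
    Assignment("breakglass1@contoso.example", "user", "Global Administrator", "Active", break_glass=True),
    Assignment("backup-automation", "service", "User Administrator", "Active"),
]
SETTINGS = [
    RoleSetting("Global Administrator", 4, True),
    RoleSetting("Security Administrator", 24, False),
]

if __name__ == "__main__":
    for subject, role, issue in audit(ASSIGNMENTS, SETTINGS):
        print(f"{subject:30} {role:25} {issue}")
```
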

Access Reviews

PIM integrates with Access Reviews to periodically ask role owners whether a user still needs a role. Reviews can be:

  • Self-review: the user confirms they still need the role
  • Delegated: a manager or reviewer confirms it
  • Auto-expire: if no response, access is automatically removed

Audit Trail

PIM maintains a full audit log of every activation, approval, and denial. The exam tests that you know PIM audit logs are separate from the Entra audit log. They are under PIM > Audit > Resource audit, not the main Entra audit logs.


Microsoft Cloud Solution Architect

Cloud Solution Architect with deep expertise in Microsoft Azure and a strong background in systems and IT infrastructure. Passionate about cloud technologies, security best practices, and helping organizations modernize their infrastructure.
