L3. PIM & Just-in-Time Access
Course outlineLesson 3 of 18
Privileged Identity Management (PIM) is the AZ-500's answer to standing privilege. Learn eligible vs active assignments, approval workflows, access reviews, and the audit trail the exam expects you to know.
What Is PIM?
Privileged Identity Management (PIM) is an Entra ID service that manages, controls, and monitors access to high-privilege roles. The core idea: no one has permanent admin access. Instead, users are "eligible" for a role and must activate it when needed, which is just-in-time (JIT) access.
Eligible vs Active Assignments
| Type | Behavior |
|---|---|
| Eligible | User can activate the role when needed; it is not active until they do |
| Active | Role is permanently assigned: the user always has it |
Activation Flow
- User navigates to PIM in the Entra portal
- Requests activation and provides a justification (required by default)
- If the role requires approval: an approver is notified and must approve
- Time-bound activation begins (typically 1 to 8 hours, configurable)
- Activation ends automatically; user must re-activate if they need access again
Access Reviews
PIM integrates with Access Reviews to periodically ask role owners whether a user still needs a role. Reviews can be:
- Self-review: the user confirms they still need the role
- Delegated: a manager or reviewer confirms it
- Auto-expire: if no response, access is automatically removed
Audit Trail
PIM maintains a full audit log of every activation, approval, and denial. The exam tests that you know PIM audit logs are separate from the Entra audit log. They are under PIM > Audit > Resource audit, not the main Entra audit logs.
- ✓Eligible = can activate when needed; Active = permanently assigned. Human admins = Eligible
- ✓Activation requires justification by default; optionally requires approver sign-off
- ✓Time-bound activation: 1 to 8 hours configurable; auto-expires without requiring manual removal
- ✓Access Reviews let reviewers periodically confirm role necessity; auto-expire removes on no response
- ✓PIM audit logs are under PIM > Audit > Resource audit: separate from main Entra audit logs
1. In PIM, what is the difference between an 'eligible' and an 'active' role assignment?
2. A PIM activation requires MFA and a business justification. Where is this configured?
3. How long are PIM audit logs retained by default in Entra ID?
Recommended: Pluralsight
This free course covers the theory. Pluralsight adds structured video courses, hands-on Azure labs, and timed practice exams to make it stick before exam day.