Cyber Intelligence
Identity & Access · 30% of exam

L3. PIM & Just-in-Time Access

Course outlineLesson 3 of 18

Privileged Identity Management (PIM) is the AZ-500's answer to standing privilege. Learn eligible vs active assignments, approval workflows, access reviews, and the audit trail the exam expects you to know.

What Is PIM?

Privileged Identity Management (PIM) is an Entra ID service that manages, controls, and monitors access to high-privilege roles. The core idea: no one has permanent admin access. Instead, users are "eligible" for a role and must activate it when needed, which is just-in-time (JIT) access.

Eligible vs Active Assignments

TypeBehavior
EligibleUser can activate the role when needed; it is not active until they do
ActiveRole is permanently assigned: the user always has it
The exam tests when you would use Active vs Eligible. Active is reserved for service accounts or break-glass accounts that cannot tolerate an activation delay. All human admins should be Eligible.

Activation Flow

  1. User navigates to PIM in the Entra portal
  2. Requests activation and provides a justification (required by default)
  3. If the role requires approval: an approver is notified and must approve
  4. Time-bound activation begins (typically 1 to 8 hours, configurable)
  5. Activation ends automatically; user must re-activate if they need access again
Exam tip: PIM sends email notifications on activation by default. Notifications can be sent to approvers, role owners, or both.

Access Reviews

PIM integrates with Access Reviews to periodically ask role owners whether a user still needs a role. Reviews can be:

  • Self-review: the user confirms they still need the role
  • Delegated: a manager or reviewer confirms it
  • Auto-expire: if no response, access is automatically removed

Audit Trail

PIM maintains a full audit log of every activation, approval, and denial. The exam tests that you know PIM audit logs are separate from the Entra audit log. They are under PIM > Audit > Resource audit, not the main Entra audit logs.

Exam Focus Points
  • Eligible = can activate when needed; Active = permanently assigned. Human admins = Eligible
  • Activation requires justification by default; optionally requires approver sign-off
  • Time-bound activation: 1 to 8 hours configurable; auto-expires without requiring manual removal
  • Access Reviews let reviewers periodically confirm role necessity; auto-expire removes on no response
  • PIM audit logs are under PIM > Audit > Resource audit: separate from main Entra audit logs
Knowledge Check

1. In PIM, what is the difference between an 'eligible' and an 'active' role assignment?

2. A PIM activation requires MFA and a business justification. Where is this configured?

3. How long are PIM audit logs retained by default in Entra ID?

Recommended: Pluralsight

This free course covers the theory. Pluralsight adds structured video courses, hands-on Azure labs, and timed practice exams to make it stick before exam day.

Start AZ-500 prep free10-day free trial available