Plan and Implement Identity Governance · 25-30% of exam

L13. Privileged Identity Management: Just-in-Time Access

Master Privileged Identity Management (PIM) for the SC-300: configure eligible vs active role assignments, set up approval workflows, enforce just-in-time access activation, and manage time-bound privileged access to both Entra ID and Azure resource roles.

What Is PIM?

Privileged Identity Management (PIM) provides just-in-time (JIT) and time-bound access to privileged roles. Instead of permanently assigning admin roles, users are made eligible and must activate the role when they need it. This reduces the attack surface by minimizing standing privileged access. Licensing: Entra ID P2 is required for PIM.

Eligible vs Active Assignments

Assignment Type | Description                                   | Access
----------------|-----------------------------------------------|--------------------------
Eligible        | User can activate the role when needed        | No access until activated
Active          | User has the role permanently (or time-bound) | Immediate access

Exam tip: Eligible assignments are the default and recommended approach. Active assignments should only be used for break-glass accounts or service accounts that cannot perform interactive activation.

PIM Scope

PIM manages two categories of roles:

  1. Entra ID roles: Global Administrator, User Administrator, Security Administrator, etc.
  2. Azure resource roles: Owner, Contributor, Reader, custom roles at subscription/resource group/resource scope

Activation Workflow

When a user activates an eligible role:

  1. User navigates to PIM and selects the role to activate
  2. User provides a justification and selects activation duration (within configured limits)
  3. If approval is required, the request goes to designated approvers
  4. If MFA is required, the user must complete MFA
  5. Once approved (or auto-approved), the role is active for the specified duration
  6. After the duration expires, the role is automatically deactivated

Role Settings

For each role, you configure:

  • Maximum activation duration: How long the role stays active (default: 8 hours, max: 24 hours)
  • Require MFA on activation: Forces MFA verification before activation
  • Require justification: User must explain why they need the role
  • Require approval: One or more approvers must grant the activation request
  • Require ticket information: Integrates with ticketing systems (ServiceNow, etc.)
  • Allow permanent eligible assignment: Whether eligible assignments can be made without end date
  • Allow permanent active assignment: Whether active assignments can be permanent

Exam tip: For the Global Administrator role, Microsoft recommends: require MFA, require approval, set maximum activation to 1 hour, and limit permanent eligible assignments to break-glass accounts only.
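To make the activation workflow and the role settings concrete, here is an added example (written for this lesson, not Microsoft's code) that models the six activation steps as a policy check: a request is validated against a role's settings, parked as pending when approval is required, and only then granted a time-bound activation window that expires on its own. The `to_graph_request` helper shows the shape of the Microsoft Graph `roleAssignmentScheduleRequests` body a self-activation produces; the principal and role IDs, the ticket system name and the sample justifications are assumed values for illustration.

```python
"""Model of the PIM activation workflow against per-role settings (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

PIM_HARD_CEILING_HOURS = 24  # PIM does not allow a maximum activation longer than 24 hours


@dataclass
class RoleSettings:
    """The per-role settings listed above; defaults mirror the PIM defaults (8 h, MFA on)."""
    max_activation_hours: float = 8
    require_mfa: bool = True
    require_justification: bool = True
    require_approval: bool = False
    require_ticket: bool = False

    def __post_init__(self) -> None:
        if not 0 < self.max_activation_hours <= PIM_HARD_CEILING_HOURS:
            raise ValueError("maximum activation duration must be between 0 and 24 hours")


# The Global Administrator recommendation from the exam tip: MFA, approval, 1-hour cap.
GLOBAL_ADMIN_SETTINGS = RoleSettings(max_activation_hours=1, require_mfa=True,
                                     require_justification=True, require_approval=True)


@dataclass
class ActivationRequest:
    """What the user supplies in the activation dialog (steps 1 and 2 of the workflow)."""
    principal_id: str
    role_definition_id: str
    duration_hours: float
    justification: str = ""
    mfa_completed: bool = False
    ticket_number: Optional[str] = None


def evaluate_activation(req: ActivationRequest, settings: RoleSettings,
                        approver_decision: Optional[bool] = None) -> tuple[str, list[str]]:
    """Apply the role settings to a request (steps 3-5).

    Returns (outcome, reasons); outcome is 'active', 'pendingApproval' or 'denied'.
    approver_decision stays None until an approver acts, then becomes True or False.
    """
    reasons: list[str] = []
    if not 0 < req.duration_hours <= settings.max_activation_hours:
        reasons.append(f"duration {req.duration_hours}h exceeds the "
                       f"{settings.max_activation_hours}h maximum for this role")
    if settings.require_justification and not req.justification.strip():
        reasons.append("justification is required")
    if settings.require_mfa and not req.mfa_completed:
        reasons.append("MFA must be completed before activation")
    if settings.require_ticket and not req.ticket_number:
        reasons.append("ticket information is required")
    if reasons:
        return "denied", reasons
    if settings.require_approval:
        if approver_decision is None:
            return "pendingApproval", []
        if approver_decision is False:
            return "denied", ["approver rejected the request"]
    return "active", []


def has_access(start_iso: str, req: ActivationRequest, at_iso: str) -> bool:
    """Steps 5-6: the role is usable from activation until start + duration, then drops away.

    Outside that window an eligible assignment grants nothing at all.
    """
    start = datetime.fromisoformat(start_iso)
    end = start + timedelta(hours=req.duration_hours)
    return start <= datetime.fromisoformat(at_iso) < end


def to_graph_request(req: ActivationRequest, start_iso: str, scope: str = "/") -> dict:
    """Body for POST /roleManagement/directory/roleAssignmentScheduleRequests.

    Field names follow the Graph unifiedRoleAssignmentScheduleRequest resource with
    action selfActivate; the duration is an ISO 8601 period expressed in minutes.
    """
    body = {
        "action": "selfActivate",
        "principalId": req.principal_id,
        "roleDefinitionId": req.role_definition_id,
        "directoryScopeId": scope,
        "justification": req.justification,
        "scheduleInfo": {
            "startDateTime": start_iso,
            "expiration": {"type": "afterDuration",
                           "duration": f"PT{int(req.duration_hours * 60)}M"},
        },
    }
    if req.ticket_number:  # ticket system name is an assumption, not read from any tenant
        body["ticketInfo"] = {"ticketNumber": req.ticket_number, "ticketSystem": "ServiceNow"}
    return body


if __name__ == "__main__":
    # Constructed walk-through: a one-hour Global Administrator activation with approval.
    req = ActivationRequest("user-guid-placeholder", "ga-role-guid-placeholder", 1,
                            "Investigate sign-in incident INC-0001", mfa_completed=True)
    print(evaluate_activation(req, GLOBAL_ADMIN_SETTINGS))                        # pending
    print(evaluate_activation(req, GLOBAL_ADMIN_SETTINGS, approver_decision=True))  # active
    print(to_graph_request(req, "2024-06-01T09:00:00+00:00"))
```

The order of checks matters in practice: duration, justification, MFA and ticket are enforced before the request ever reaches an approver, so an over-long or unjustified request is rejected without consuming anyone's attention, and the approval step is the only one that can leave a request in a pending state.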

PIM Alerts

PIM generates alerts for security concerns:

  • Roles being activated too frequently
  • Roles assigned outside of PIM
  • Potential stale role assignments
  • Redundant role assignments
  • Too many Global Administrators
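The alert categories above are easier to reason about when you see them as detection rules over activity data. The following added example (not part of the lesson or of PIM itself) implements four of them, frequent activation, assignment outside PIM, stale eligible assignments and too many Global Administrators, over a constructed set of assignments and a week of constructed activation and assignment events. The thresholds (5 activations in 7 days, 30 idle days, more than 5 Global Administrators) and the `source` field used to tell PIM-driven changes from portal changes are assumptions of this example, not PIM's documented defaults.

```python
"""PIM-style alert rules as local detection logic over constructed events (added example)."""
from collections import Counter
from datetime import datetime, timedelta, timezone


def ts(value: str) -> datetime:
    """Parse a constructed ISO-8601 timestamp as UTC."""
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


NOW = ts("2024-06-15T12:00:00")

# Constructed sample: current role assignments in a fictional tenant (not exported data).
ASSIGNMENTS = [
    {"principal": "alice", "role": "Global Administrator",   "type": "eligible"},
    {"principal": "bob",   "role": "Global Administrator",   "type": "active"},
    {"principal": "carol", "role": "User Administrator",     "type": "eligible"},
    {"principal": "erin",  "role": "Security Administrator", "type": "eligible"},
    {"principal": "dave",  "role": "Security Administrator", "type": "active"},
]

# Constructed sample events: alice activates GA every day for a week, erin activated once
# in May, and dave was handed a role directly in the portal rather than through PIM.
EVENTS = [
    {"time": ts(f"2024-06-{day:02d}T08:00:00"), "principal": "alice",
     "role": "Global Administrator", "activity": "activate", "source": "PIM"}
    for day in range(9, 15)
] + [
    {"time": ts("2024-05-01T09:00:00"), "principal": "erin",
     "role": "Security Administrator", "activity": "activate", "source": "PIM"},
    {"time": ts("2024-06-12T16:30:00"), "principal": "dave",
     "role": "Security Administrator", "activity": "assign", "source": "Portal"},
]


def frequent_activations(events, now=NOW, window_days=7, threshold=5):
    """Roles activated too frequently: (principal, role, count) at or above the threshold."""
    since = now - timedelta(days=window_days)
    counts = Counter((e["principal"], e["role"]) for e in events
                     if e["activity"] == "activate" and since <= e["time"] <= now)
    return sorted((p, r, n) for (p, r), n in counts.items() if n >= threshold)


def assigned_outside_pim(events):
    """Roles assigned outside of PIM: assignment events whose source is not PIM."""
    return sorted((e["principal"], e["role"]) for e in events
                  if e["activity"] == "assign" and e["source"] != "PIM")


def stale_eligible(assignments, events, now=NOW, max_idle_days=30):
    """Potential stale assignments: eligible roles never activated, or idle too long."""
    last_used = {}
    for e in events:
        if e["activity"] == "activate":
            key = (e["principal"], e["role"])
            last_used[key] = max(last_used.get(key, e["time"]), e["time"])
    cutoff = now - timedelta(days=max_idle_days)
    stale = []
    for a in assignments:
        if a["type"] != "eligible":
            continue
        used = last_used.get((a["principal"], a["role"]))
        if used is None or used < cutoff:
            stale.append((a["principal"], a["role"]))
    return sorted(stale)


def too_many_global_admins(assignments, threshold=5):
    """Too many Global Administrators: eligible and active holders both count."""
    admins = sorted({a["principal"] for a in assignments if a["role"] == "Global Administrator"})
    return admins if len(admins) > threshold else []


def run_alerts(assignments=ASSIGNMENTS, events=EVENTS, now=NOW):
    """Evaluate every rule and return only the categories that fired."""
    findings = {
        "roles_activated_too_frequently": frequent_activations(events, now),
        "roles_assigned_outside_pim": assigned_outside_pim(events),
        "potential_stale_assignments": stale_eligible(assignments, events, now),
        "too_many_global_administrators": too_many_global_admins(assignments),
    }
    return {name: hits for name, hits in findings.items() if hits}


if __name__ == "__main__":
    for name, hits in run_alerts().items():
        print(f"{name}: {hits}")
```

Note what each rule needs as input: the frequency and stale rules need activation history, the outside-PIM rule needs to know which management path made a change, and the Global Administrator rule only needs the current assignment list. When you triage the real PIM alerts, the same question applies: which data source did the alert come from, and does it still hold against the current assignment state?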

Access Reviews in PIM

PIM integrates with access reviews to periodically verify that eligible and active role assignments are still appropriate. You can create recurring access reviews for any PIM-managed role.

PIM for Groups

PIM for Groups extends JIT access to group membership. Users can be made eligible members or eligible owners of a group. When the group is used for role assignment (role-assignable groups), PIM for Groups effectively provides JIT access to any role or permission granted through group membership.

Exam tip: PIM for Groups requires the group to be created as a role-assignable group. Regular security groups cannot be managed through PIM. This is a common exam trap.

Exam Focus Points

  • PIM requires Entra ID P2 licensing and manages both Entra ID roles and Azure resource roles
  • Eligible assignments have no access until activated; active assignments provide immediate access
  • Maximum activation duration is 24 hours; default is 8 hours per activation
  • For Global Administrator: require MFA, require approval, and limit activation duration to 1 hour
  • PIM for Groups requires role-assignable groups: regular security groups cannot be managed through PIM
  • Active assignments should only be used for break-glass accounts or non-interactive service accounts

Knowledge Check

1. What is the maximum activation duration that can be configured for a PIM role assignment?

2. A security team wants to use PIM for Groups to provide just-in-time access to a set of Azure resources. What type of group must they create?

3. Which assignment type should be used for break-glass emergency access accounts in PIM?