Azure Privileged Identity Management (PIM) Deep Dive
Overview
Privileged Identity Management (PIM) provides time-based and approval-based role activation to mitigate the risk of excessive, unnecessary, or misused access permissions to important resources.
Because privileged roles permanently assigned to users, directly or via groups, leave those users more exposed during a security incident, Microsoft introduced PIM so that group membership or a direct role assignment can be temporary, with a fixed duration.
Privileged Identity Management is a feature of Microsoft Entra ID (formerly Azure AD). Using it requires a Microsoft Entra ID P2 license.
Stages of PIM
PIM has the following four stages. In this article I discuss in detail what you need to configure for each stage and how.
⭕ Assign — The administrator selects the appropriate role on the chosen resource and assigns it to a user or group. The assignment type is either eligible or active. An eligible assignment requires the member to activate the role before using it; an active assignment makes the role permanently assigned.
⭕ Activate — Once the role is assigned, the user can request activation, providing the duration and a justification for using the role.
⭕ Approve — The request goes to the designated approver, who either approves or denies it.
⭕ Use — Once approved, the user can use the role to perform the designated tasks. Also can…
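The first two stages above (Assign and Activate) can be driven from the Microsoft Graph PowerShell SDK as well as from the portal. The script below is an added example, not code from the article; it assumes the Microsoft.Graph.Identity.Governance and Microsoft.Graph.Users modules are installed, and the user principal name, role name, ticket number and ticket system are placeholders. The Approve stage is not scripted here: whether approval is required is a per-role setting, and the request simply reports PendingApproval until an approver acts.

```powershell
# Added example (not from the article): PIM for Microsoft Entra roles via the
# Microsoft Graph PowerShell SDK. All names and IDs below are placeholders.

# --- Stage 1: Assign (run as a Privileged Role Administrator) --------------
$scopes = @(
    "RoleEligibilitySchedule.ReadWrite.Directory",
    "RoleAssignmentSchedule.ReadWrite.Directory",
    "User.Read.All"
)
Connect-MgGraph -Scopes $scopes

# Resolve the principal and the role definition by name (placeholders).
$user = Get-MgUser -UserId "alice@contoso.example"        # placeholder UPN
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Reader'"

# Eligible assignment: the user must activate before the role is usable.
# The eligibility itself expires after 90 days, so nothing stays permanent.
$eligible = @{
    Action           = "adminAssign"
    PrincipalId      = $user.Id
    RoleDefinitionId = $role.Id
    DirectoryScopeId = "/"                    # tenant-wide scope
    Justification    = "Quarterly read access for the audit team"
    ScheduleInfo     = @{
        StartDateTime = (Get-Date).ToUniversalTime()
        Expiration    = @{
            Type     = "AfterDuration"
            Duration = "P90D"                 # ISO 8601 duration: 90 days
        }
    }
}
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $eligible

# --- Stage 2: Activate (run as the eligible user) -------------------------
# Duration and justification are the inputs the Activate stage asks for;
# TicketInfo is optional but gives the approver and the audit log a reference.
$activate = @{
    Action           = "selfActivate"
    PrincipalId      = $user.Id
    RoleDefinitionId = $role.Id
    DirectoryScopeId = "/"
    Justification    = "Reviewing sign-in logs for ticket INC-0000"   # placeholder
    ScheduleInfo     = @{
        StartDateTime = (Get-Date).ToUniversalTime()
        Expiration    = @{
            Type     = "AfterDuration"
            Duration = "PT4H"                 # 4 hours; must not exceed the role's maximum
        }
    }
    TicketInfo       = @{
        TicketNumber = "INC-0000"             # placeholder
        TicketSystem = "ServiceNow"           # placeholder
    }
}
$request = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $activate

# --- Stages 3 and 4: Approve and Use --------------------------------------
# With approval required, Status is "PendingApproval" until an approver decides;
# without it, the request moves to "Provisioned" and the role is usable at once.
$request.Status
```

The two halves run under different identities: the administrator creates the eligibility, and the eligible user submits the activation. The activation duration is capped by the role's configured maximum activation duration, so a request above that limit is rejected rather than silently shortened.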