What Is Azure AD PIM
What Is Azure AD PIM
What Is Azure AD PIM
Privileged Identity Management (PIM) is a service in Azure Active Directory (Azure AD) that is used to
manage, control, and monitor the access rights of the azure resources.
These resources could be in Azure AD, Azure, and other Microsoft Online Services such as Microsoft 365
or Microsoft Intune.
Organizations want to minimize the number of people who have access to secure information or
resources, because that reduces the chance of
To use Azure Active Directory (Azure AD) Privileged Identity Management (PIM), a directory must have a
valid license. Furthermore, licenses must be assigned to the administrators and relevant users.
No licenses are required for users who set up PIM, configure policies, receive alerts, and set up access
reviews.
Number of
Scenario Calculation licenses
Woodgrove Bank has 10 administrators for
different departments and 2 Global Five licenses for the
Administrators that configure and manage PIM. administrators who are
They make five administrators eligible. eligible 5
Graphic Design Institute has 25 administrators of
which 14 are managed through PIM. Role
activation requires approval and there are three
different users in the organization who can 14 licenses for the eligible
approve activations. roles + three approvers 17
Privileged Identity Management provides time-based and approval-based role activation to mitigate the
risks of excessive, unnecessary, or misused access permissions on resources that you care about. Here
are some of the key features of Privileged Identity Management:
For Azure AD roles in Privileged Identity Management, only a user who is in the Privileged Role
Administrator or Global Administrator role can manage assignments for other administrators. Global
Administrators, Security Administrators, Global Readers, and Security Readers can also view
assignments to Azure AD roles in Privileged Identity Management.
Users who are Privileged Role Administrators, Security Administrators, or Security Readers do not by
default have access to view assignments to Azure resource roles in Privileged Identity Management.
Role
Term or assignment
concept category Description
After you set up your time-bound owner or member assignments, the first question you might ask is
what happens if an assignment expires? In this new version, we provide two options for this scenario:
1. Extend – When a role assignment nears expiration, the user can use Privileged Identity
Management to request an extension for the role assignment
2. Renew – When a role assignment has already expired, the user can use Privileged Identity
Management to request a renewal for the role assignment
Both user-initiated actions require an approval from a Global Administrator or Privileged Role
Administrator. Admins don't need to be in the business of managing assignment expirations. You can
just wait for the extension or renewal requests to arrive for simple approval or denial.
Some organizations use tools like Azure AD business-to-business (B2B) collaboration to invite their
partners as guests to their Azure AD organization. Instead of a single just-in-time policy for all
assignments to a privileged role, you can create two different privileged access groups with their own
policies. You can enforce less strict requirements for your trusted employees, and stricter requirements
like approval workflow for your partners when they request activation into their assigned group.
With the privileged access groups preview, you can give workload-specific administrators quick access to
multiple roles with a single just-in-time request. For example, your Tier 3 Office Admins might need just-
in-time access to the Exchange Admin, Office Apps Admin, Teams Admin, and Search Admin roles to
thoroughly investigate incidents daily. Before today it would require four consecutive requests, which
are a process that takes some time. Instead, you can create a role assignable group called “Tier 3 Office
Admins”, assign it to each of the four roles previously mentioned (or any Azure AD built-in roles) and
enable it for Privileged Access in the group’s Activity section. Once enabled for privileged access, you can
configure the just-in-time settings for members of the group and assign your admins and owners as
eligible. When the admins elevate into the group, they’ll become members of all four Azure AD roles.
Invite guest users and assign Azure resource roles in Privileged Identity Management
Azure Active Directory (Azure AD) guest users are part of the business-to-business (B2B) collaboration
capabilities within Azure AD so that you can manage external guest users and vendors as guests in Azure
AD. For example, you can use these Privileged Identity Management features for Azure identity tasks
with guests such as assigning access to specific Azure resources, specifying assignment duration and end
date, or requiring two-step verification on active assignment or activation. For more information on how
to invite a guest to your organization and manage their access
Here are a couple examples of when you might invite guests to your organization:
1. Allow an external self-employed vendor that only has an email account to access your Azure
resources for a project.
2. Allow an external partner in a large organization that uses on-premises Active Directory
Federation Services to access your expense application.
3. Allow support engineers not in your organization (such as Microsoft support) to temporarily
access your Azure resource to troubleshoot issues.