What Is Azure AD PIM


What is Azure AD Privileged Identity Management?

Privileged Identity Management (PIM) is a service in Azure Active Directory (Azure AD) that is used to
manage, control, and monitor access to important resources in your organization.

These resources could be in Azure AD, Azure, and other Microsoft Online Services such as Microsoft 365
or Microsoft Intune.

What are the reasons to use PIM?

Organizations want to minimize the number of people who have access to secure information or
resources, because that reduces the chance of

• A malicious actor getting access
• An authorized user inadvertently impacting a sensitive resource

Which License is required for PIM?

Using this feature requires an Azure AD Premium P2 license.

To use Azure Active Directory (Azure AD) Privileged Identity Management (PIM), a directory must have a
valid license. Furthermore, licenses must be assigned to the administrators and relevant users.

No licenses are required for users who set up PIM, configure policies, receive alerts, and set up access
reviews.

Example license scenarios

Scenario 1: Woodgrove Bank has 10 administrators for different departments and 2 Global
Administrators that configure and manage PIM. They make five administrators eligible.
Calculation: Five licenses for the administrators who are eligible.
Number of licenses: 5

Scenario 2: Graphic Design Institute has 25 administrators of which 14 are managed through PIM.
Role activation requires approval and there are three different users in the organization who can
approve activations.
Calculation: 14 licenses for the eligible roles + three approvers.
Number of licenses: 17

Scenario 3: Contoso has 50 administrators of which 42 are managed through PIM. Role activation
requires approval and there are five different users in the organization who can approve
activations. Contoso also does monthly reviews of users assigned to administrator roles and
reviewers are the users' managers of which six are not in administrator roles managed by PIM.
Calculation: 42 licenses for the eligible roles + five approvers + six reviewers.
Number of licenses: 53

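The counting rule behind the three scenarios is that every distinct person who is eligible for a PIM-managed role, approves activations, or reviews assignments needs one license, while someone who falls into more than one of those groups needs only one. That is why Contoso counts only the six reviewers who are not already in PIM-managed roles. The following is an added example written for these notes, not a Microsoft tool; the identities it builds (admin-01, approver-01, manager-01 and so on) are constructed placeholders, and it generalizes the page's arithmetic to a set union so that overlapping groups are never double counted.

```python
"""Added illustration of PIM's licensing rule; constructed names, not Microsoft's tooling."""


def pim_licenses_required(eligible: set, approvers: set, reviewers: set) -> int:
    """One Azure AD Premium P2 license per distinct person who is eligible for a
    PIM-managed role, approves activations, or reviews assignments. A person in
    several of these groups needs only one license, so the count is a set union.
    Administrators who merely configure PIM or receive alerts are not counted."""
    return len(eligible | approvers | reviewers)


def people(prefix: str, n: int) -> set:
    """Constructed placeholder identities such as 'admin-01' ... 'admin-42'."""
    return {f"{prefix}-{i:02d}" for i in range(1, n + 1)}


# Contoso scenario from the page: 42 eligible admins, 5 approvers, and reviewers who are
# the users' managers. Six managers are outside PIM-managed roles; the rest are assumed
# (constructed here) to already be among the eligible admins, so they are not counted twice.
CONTOSO_ELIGIBLE = people("admin", 42)
CONTOSO_APPROVERS = people("approver", 5)
CONTOSO_REVIEWERS = people("manager", 6) | {"admin-01", "admin-02", "admin-03"}


def contoso_licenses() -> int:
    """Returns 53: 42 eligible + 5 approvers + 6 reviewers not already counted."""
    return pim_licenses_required(CONTOSO_ELIGIBLE, CONTOSO_APPROVERS, CONTOSO_REVIEWERS)
```

The same function reproduces the other two scenarios when fed five eligible administrators (5) or fourteen eligible administrators plus three approvers (17).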
What does PIM do?

Privileged Identity Management provides time-based and approval-based role activation to mitigate the
risks of excessive, unnecessary, or misused access permissions on resources that you care about. Here
are some of the key features of Privileged Identity Management:

1. Provide just-in-time privileged access to Azure AD and Azure resources
2. Assign time-bound access to resources using start and end dates
3. Require approval to activate privileged roles
4. Enforce multi-factor authentication to activate any role
5. Use justification to understand why users activate
6. Get notifications when privileged roles are activated
7. Conduct access reviews to ensure users still need roles
8. Download audit history for internal or external audit
9. Prevent removal of the last active Global Administrator role assignment

Who can do what?

For Azure AD roles in Privileged Identity Management, only a user who is in the Privileged Role
Administrator or Global Administrator role can manage assignments for other administrators. Global
Administrators, Security Administrators, Global Readers, and Security Readers can also view
assignments to Azure AD roles in Privileged Identity Management.

Users who are Privileged Role Administrators, Security Administrators, or Security Readers do not by
default have access to view assignments to Azure resource roles in Privileged Identity Management.

What is the terminology of PIM?

Each entry gives the term or concept, its role assignment category (Type, State, or Duration) where
one applies, and its description.

eligible (Type): A role assignment that requires a user to perform one or more actions to use the
role. If a user has been made eligible for a role, that means they can activate the role when they
need to perform privileged tasks. There's no difference in the access given to someone with a
permanent versus an eligible role assignment. The only difference is that some people don't need
that access all the time.

active (Type): A role assignment that doesn't require a user to perform any action to use the role.
Users assigned as active have the privileges assigned to the role.

activate: The process of performing one or more actions to use a role that a user is eligible for.
Actions might include performing a multi-factor authentication (MFA) check, providing a business
justification, or requesting approval from designated approvers.

assigned (State): A user that has an active role assignment.

activated (State): A user that has an eligible role assignment, performed the actions to activate the
role, and is now active. Once activated, the user can use the role for a pre-configured period of
time before they need to activate again.

permanent eligible (Duration): A role assignment where a user is always eligible to activate the role.

permanent active (Duration): A role assignment where a user can always use the role without
performing any actions.

time-bound eligible (Duration): A role assignment where a user is eligible to activate the role only
within start and end dates.

time-bound active (Duration): A role assignment where a user can use the role only within start and
end dates.

just-in-time (JIT) access: A model in which users receive temporary permissions to perform privileged
tasks, which prevents malicious or unauthorized users from gaining access after the permissions have
expired. Access is granted only when users need it.

principle of least privilege access: A recommended security practice in which every user is provided
with only the minimum privileges needed to accomplish the tasks they are authorized to perform. This
practice minimizes the number of Global Administrators and instead uses specific administrator roles
for certain scenarios.

Extend and renew assignments

After you set up your time-bound owner or member assignments, the first question you might ask is
what happens if an assignment expires? In this new version, we provide two options for this scenario:

1. Extend – When a role assignment nears expiration, the user can use Privileged Identity
Management to request an extension for the role assignment
2. Renew – When a role assignment has already expired, the user can use Privileged Identity
Management to request a renewal for the role assignment

Both user-initiated actions require an approval from a Global Administrator or Privileged Role
Administrator. Admins don't need to be in the business of managing assignment expirations. You can
just wait for the extension or renewal requests to arrive for simple approval or denial.
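The terminology above (eligible versus active, permanent versus time-bound, activation), the feature list under "What does PIM do?" (MFA, justification, approval, protection of the last Global Administrator) and the extend/renew distinction all describe one state model. The following is an added example written for these notes, a toy simulation and not Microsoft's code or the PIM API; the Policy and Pim classes, the method names, the user names alice and gadmin, the justification strings and the dates are all assumptions chosen for illustration. It shows the order in which a request is refused or allowed, that an activation never outlives a time-bound assignment, and that the same user request is an extension before the end date and a renewal after it.

```python
"""Toy model of PIM assignment states and activation policy (added illustration, not Microsoft's code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

GLOBAL_ADMIN = "Global Administrator"


@dataclass
class Policy:  # per-role activation settings a Privileged Role Administrator would configure
    require_mfa: bool = True
    require_justification: bool = True
    require_approval: bool = False
    max_activation: timedelta = timedelta(hours=8)


@dataclass
class Assignment:
    user: str
    role: str
    kind: str                                   # "eligible" or "active"
    end: Optional[datetime] = None              # None = permanent, otherwise time-bound
    activated_until: Optional[datetime] = None  # set when an eligible user activates

    def valid(self, now: datetime) -> bool:
        return self.end is None or now < self.end


class Pim:
    def __init__(self) -> None:
        self.assignments: list = []
        self.policies: dict = {}

    def assign(self, user, role, kind, end=None) -> Assignment:
        a = Assignment(user, role, kind, end)
        self.assignments.append(a)
        return a

    def find(self, user, role, kind) -> Optional[Assignment]:
        return next((a for a in self.assignments
                     if (a.user, a.role, a.kind) == (user, role, kind)), None)

    def activate(self, user, role, now, *, mfa_passed, justification="", approved=False) -> str:
        """Eligible -> activated, checked against the role's policy."""
        a = self.find(user, role, "eligible")
        if a is None or not a.valid(now):
            return "denied: no valid eligible assignment"
        p = self.policies.get(role, Policy())
        if p.require_mfa and not mfa_passed:
            return "denied: MFA required"
        if p.require_justification and not justification:
            return "denied: justification required"
        if p.require_approval and not approved:
            return "pending: approval required"
        until = now + p.max_activation
        a.activated_until = until if a.end is None else min(until, a.end)  # never outlives the assignment
        return "activated"

    def can_use(self, user, role, now) -> bool:
        """True if the user holds the role now: active assignment, or eligible and currently activated."""
        active = self.find(user, role, "active")
        if active is not None and active.valid(now):
            return True
        e = self.find(user, role, "eligible")
        return e is not None and e.valid(now) and e.activated_until is not None and now < e.activated_until

    def remove_active(self, user, role, now) -> str:
        """Feature 9 on the page: the last active Global Administrator assignment cannot be removed."""
        a = self.find(user, role, "active")
        if a is None:
            return "denied: no such assignment"
        if role == GLOBAL_ADMIN and not any(x is not a and x.role == GLOBAL_ADMIN and x.kind == "active"
                                            and x.valid(now) for x in self.assignments):
            return "denied: last active Global Administrator"
        self.assignments.remove(a)
        return "removed"

    def request_change(self, user, role, kind, now) -> str:
        """Extension if the time-bound assignment has not yet expired, renewal if it has."""
        a = self.find(user, role, kind)
        if a is None or a.end is None:
            return "denied: no time-bound assignment"
        return "extension" if now < a.end else "renewal"

    def approve_change(self, user, role, kind, new_end) -> None:
        """Done by a Global Administrator or Privileged Role Administrator after the request above."""
        self.find(user, role, kind).end = new_end


def demo() -> list:
    """Constructed scenario: one eligible assignment through activation, expiry and renewal."""
    pim, t0, role = Pim(), datetime(2024, 1, 1, 9), "Exchange Administrator"
    pim.policies[role] = Policy(require_approval=True)
    pim.assign("alice", role, "eligible", end=t0 + timedelta(days=30))
    pim.assign("gadmin", GLOBAL_ADMIN, "active")
    out = [pim.can_use("alice", role, t0),
           pim.activate("alice", role, t0, mfa_passed=False, justification="INC-1"),
           pim.activate("alice", role, t0, mfa_passed=True),
           pim.activate("alice", role, t0, mfa_passed=True, justification="INC-1"),
           pim.activate("alice", role, t0, mfa_passed=True, justification="INC-1", approved=True),
           pim.can_use("alice", role, t0 + timedelta(hours=1)),
           pim.can_use("alice", role, t0 + timedelta(hours=9)),
           pim.remove_active("gadmin", GLOBAL_ADMIN, t0),
           pim.request_change("alice", role, "eligible", t0 + timedelta(days=29)),
           pim.request_change("alice", role, "eligible", t0 + timedelta(days=31))]
    pim.approve_change("alice", role, "eligible", t0 + timedelta(days=60))
    out.append(pim.activate("alice", role, t0 + timedelta(days=31),
                            mfa_passed=True, justification="INC-2", approved=True))
    return out
```

Running demo() walks alice's eligible Exchange Administrator assignment through a failed MFA check, a missing justification, a pending approval, a successful eight-hour activation that has lapsed by the ninth hour, the refused removal of the only active Global Administrator, and finally an extension request on day 29 versus a renewal request on day 31, after which the approved new end date lets her activate again.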

Privileged Role Administrator permissions

1. Enable approval for specific roles
2. Specify approver users or groups to approve requests
3. View request and approval history for all privileged roles

Approver permissions

1. View pending approvals (requests)
2. Approve or reject requests for role elevation (single and bulk)
3. Provide justification for my approval or rejection

Eligible role user permissions

1. Request activation of a role that requires approval
2. View the status of your request to activate
3. Complete your task in Azure AD if activation was approved

Different just-in-time policies for each group

Some organizations use tools like Azure AD business-to-business (B2B) collaboration to invite their
partners as guests to their Azure AD organization. Instead of a single just-in-time policy for all
assignments to a privileged role, you can create two different privileged access groups with their own
policies. You can enforce less strict requirements for your trusted employees, and stricter requirements
like approval workflow for your partners when they request activation into their assigned group.

Activate multiple role assignments in one request

With the privileged access groups preview, you can give workload-specific administrators quick access to
multiple roles with a single just-in-time request. For example, your Tier 3 Office Admins might need just-
in-time access to the Exchange Admin, Office Apps Admin, Teams Admin, and Search Admin roles to
thoroughly investigate incidents daily. Previously this required four consecutive requests, a process
that takes some time. Instead, you can create a role-assignable group called "Tier 3 Office
Admins", assign it to each of the four roles previously mentioned (or any Azure AD built-in roles) and
enable it for Privileged Access in the group's Activity section. Once enabled for privileged access, you can
configure the just-in-time settings for members of the group and assign your admins and owners as
eligible. When the admins elevate into the group, they'll become members of all four Azure AD roles.
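The two sections above (different just-in-time policies per group, and activating several roles with one request) fit together: each privileged access group carries its own activation settings, and elevating into the group grants every role the group is assigned to. The following is an added example written for these notes, not Microsoft's code; the four role names and the group name "Tier 3 Office Admins" come from the page, while the GroupPolicy and PrivilegedAccessGroup classes, the partner group name, and the members alice and bob@partner.example are constructed for illustration. It shows an employee group that only needs MFA beside a partner group that additionally needs approval, with a single request yielding all four roles.

```python
"""Added illustration of privileged access groups with per-group JIT policies (not Microsoft's code)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class GroupPolicy:  # just-in-time settings configured for one privileged access group
    require_mfa: bool = True
    require_approval: bool = False


@dataclass
class PrivilegedAccessGroup:
    name: str
    roles: frozenset            # Azure AD built-in roles the role-assignable group is assigned to
    policy: GroupPolicy
    eligible: set = field(default_factory=set)


def activate_into_group(group: PrivilegedAccessGroup, user: str, *,
                        mfa_passed: bool, approved: bool = False) -> tuple:
    """One just-in-time request; on success the member receives every role the group holds."""
    if user not in group.eligible:
        return "denied: not eligible for this group", frozenset()
    if group.policy.require_mfa and not mfa_passed:
        return "denied: MFA required", frozenset()
    if group.policy.require_approval and not approved:
        return "pending: approval required", frozenset()
    return "activated", group.roles


# Roles named on the page; group membership and the partner group name are constructed.
TIER3_ROLES = frozenset({"Exchange Admin", "Office Apps Admin", "Teams Admin", "Search Admin"})
EMPLOYEES = PrivilegedAccessGroup("Tier 3 Office Admins", TIER3_ROLES,
                                  GroupPolicy(), {"alice"})
PARTNERS = PrivilegedAccessGroup("Tier 3 Office Admins (partners)", TIER3_ROLES,
                                 GroupPolicy(require_approval=True), {"bob@partner.example"})
```

An employee in EMPLOYEES who passes MFA is activated into all four roles at once, while a guest in PARTNERS with the same MFA result stays pending until an approver acts; a user who is not eligible for a group is refused regardless of MFA.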

Invite guest users and assign Azure resource roles in Privileged Identity Management

Azure Active Directory (Azure AD) guest users are part of the business-to-business (B2B) collaboration
capabilities within Azure AD so that you can manage external guest users and vendors as guests in Azure
AD. For example, you can use these Privileged Identity Management features for Azure identity tasks
with guests such as assigning access to specific Azure resources, specifying assignment duration and end
date, or requiring two-step verification on active assignment or activation. For more information on how
to invite a guest to your organization and manage their access

When would you invite guests?

Here are a couple examples of when you might invite guests to your organization:

1. Allow an external self-employed vendor that only has an email account to access your Azure
resources for a project.
2. Allow an external partner in a large organization that uses on-premises Active Directory
Federation Services to access your expense application.
3. Allow support engineers not in your organization (such as Microsoft support) to temporarily
access your Azure resource to troubleshoot issues.
