Microsoft Azure Security Technologies (AZ-500): Privileged Identity Management (PIM)

goay xuan hui
1 min read · Jun 5, 2021


What does it do?

Here are some of the key features of Privileged Identity Management:

  • Provide just-in-time privileged access to Azure AD and Azure resources
  • Assign time-bound access to resources using start and end dates
  • Require approval to activate privileged roles
  • Enforce multi-factor authentication to activate any role
  • Use justification to understand why users activate
  • Get notifications when privileged roles are activated
  • Conduct access reviews to ensure users still need roles
  • Download audit history for internal or external audit

Tip: always assign privileged roles through PIM rather than as direct, standing role assignments.

How to access PIM?

In the Azure portal, search for “Azure AD Privileged Identity Management”.

1. Assign a user a role through PIM:

  • Azure AD PIM → Azure AD Roles → Roles → Add Assignments.
  • We can assign two types of assignments to the user:

Eligible — This role assignment requires the user to perform one or more actions (such as activating the role) before they can use it.

Active — This role assignment does not require the user to perform any action to use the role.

Permanent — Gives a user a permanent assignment to a role.
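The same assignment done from the command line, as an added example that is not part of the original post: it creates a time-bound eligible assignment for the Global Reader role used in the post, then lists any permanent active assignments of that role so the standing privilege the tip above warns about can be found and reviewed. It uses the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.Governance and Microsoft.Graph.Users); the user principal name, justification text and 30-day expiry are placeholders, and the `AssignmentType`/`EndDateTime` filter in the audit step is an assumption about the returned objects.

```powershell
# Added example (not from the original post). Requires the Microsoft.Graph
# PowerShell modules; tenant-specific values below are placeholders.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "RoleEligibilitySchedule.ReadWrite.Directory"

$roleName = "Global Reader"            # role used in the post
$userUpn  = "user@contoso.example"     # placeholder principal

# Resolve IDs by name instead of hard-coding GUIDs
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
$user = Get-MgUser -UserId $userUpn

# Eligible (not active) assignment at tenant scope "/", expiring after 30 days.
# The user still has to activate the role (MFA/justification/approval apply).
$request = @{
    action           = "adminAssign"
    justification    = "Eligible read-only access, ticket PLACEHOLDER"
    roleDefinitionId = $role.Id
    directoryScopeId = "/"
    principalId      = $user.Id
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString("o")
        expiration    = @{
            type        = "afterDateTime"
            endDateTime = (Get-Date).AddDays(30).ToUniversalTime().ToString("o")
        }
    }
}
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $request

# Audit: active assignments of this role with no end date are permanent standing
# privilege. Review them and convert to eligible where possible.
# (Assumption: instances expose AssignmentType "Assigned" and a null EndDateTime.)
Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -All `
    -Filter "roleDefinitionId eq '$($role.Id)'" |
    Where-Object { $_.AssignmentType -eq "Assigned" -and -not $_.EndDateTime } |
    ForEach-Object {
        $principal = Get-MgDirectoryObject -DirectoryObjectId $_.PrincipalId
        [pscustomobject]@{
            Principal = $principal.AdditionalProperties.userPrincipalName
            Scope     = $_.DirectoryScopeId
            Permanent = $true
        }
    }
```

Running the audit step on a schedule (for example from an automation account) gives a simple detection for privileged roles that were granted outside the just-in-time model.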

2. Configure the policy (role settings) for a particular Azure AD role:

  • Azure AD PIM → Azure AD Roles → Roles → Global Reader → Settings.
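The settings page reached by that path can also be read and tightened from PowerShell. This is an added example, not code from the original post: it looks up the PIM policy attached to the Global Reader role, prints its current rules, and then requires MFA plus a justification on activation and caps activation at eight hours. It assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.Governance) and the rule ids Microsoft Graph uses for directory-role policies (`Enablement_EndUser_Assignment`, `Expiration_EndUser_Assignment`); the eight-hour limit is a chosen value, not a recommendation from the post.

```powershell
# Added example (not from the original post). Mirrors the portal path
# Azure AD PIM -> Azure AD Roles -> Roles -> Global Reader -> Settings.
Connect-MgGraph -Scopes "RoleManagementPolicy.ReadWrite.Directory"

$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Reader'"

# Each directory role has one policy assignment at the tenant scope "/"
$policyAssignment = Get-MgPolicyRoleManagementPolicyAssignment `
    -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$($role.Id)'"
$policyId = $policyAssignment.PolicyId

# Current rules: activation duration, MFA/justification, approval, notifications...
Get-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId |
    Select-Object Id, AdditionalProperties

# The "EndUser" + "Assignment" target is the activation step performed by the
# eligible user (assumption: rule ids and target shape as documented for Graph).
$target = @{
    caller              = "EndUser"
    operations          = @("All")
    level               = "Assignment"
    inheritableSettings = @()
    enforcedSettings    = @()
}

# Require MFA and a justification on every activation
$enablement = @{
    "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule"
    id            = "Enablement_EndUser_Assignment"
    enabledRules  = @("MultiFactorAuthentication", "Justification")
    target        = $target
}
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId "Enablement_EndUser_Assignment" -BodyParameter $enablement

# Cap each activation at 8 hours (chosen value for this example)
$expiration = @{
    "@odata.type"        = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"
    id                   = "Expiration_EndUser_Assignment"
    isExpirationRequired = $true
    maximumDuration      = "PT8H"
    target               = $target
}
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId "Expiration_EndUser_Assignment" -BodyParameter $expiration

# Verify the change took effect before moving on to the next role
Get-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId "Enablement_EndUser_Assignment" |
    Select-Object -ExpandProperty AdditionalProperties
```

Because every directory role has its own policy, the same loop can be run over all role definitions to check that no privileged role is left with the defaults.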

References

What is Privileged Identity Management? — Azure AD | Microsoft Docs
