Privileged Identity Management (PIM) is a technology used to manage and monitor account privileges in your Azure AD domain.
Privileges here means Azure AD roles, such as User Management and Exchange Recipient Management.
The two main features are:
- Require that users enable privileges before use (like the ability to create user accounts).
- Monitor who used privileges and when.
Additionally, PIM provides an overview of which user accounts possess various admin privileges, enabling you to revoke any obsolete delegation.
To use PIM, you must have an Azure AD Premium P2 license.
Have a look at this article to see how you identify your Azure AD license and get an overview of the main differences between the Free/Basic, P1, and P2 licenses.
Enabling PIM for an Azure AD Role Assignment
In the following example, we will configure the User Administrator role for the user adm.msk with PIM.
As a result, the admin user adm.msk will become a member of the User Administrator role but will be required by PIM to explicitly activate the role before use.
The first step is to log in to the Azure Portal and search for the PIM management blade:
Alternatively, use this direct link to open up Azure AD Privileged Identity Management:
Click on Roles and locate the Azure AD role you want to delegate with PIM. In this example we use the User Administrator role:
Click Add assignments to assign the role to a new user:
Click on No members selected and locate the user you want to assign the role to:
Review that the selected user is correct and click Next:
Here comes the actual PIM configuration.
Select between Eligible and Active:
- Eligible means the role is assigned through PIM, and the user must activate the role before use.
- Active means the role is assigned and immediately active, without having to activate it via PIM.
Also, you must select the maximum allowed eligible/active duration:
- Permanent means it’s permanently eligible/active (until an admin disables it again).
- Assignment starts/ends means the assignment will start and end at the designated times.
Use a start and end date when it is known, e.g., when a project is running or an external consultant needs the access temporarily.
After you have clicked Assign, you’ll return to the Assignments overview:
How to Activate PIM Before Using an Admin Role
When PIM has been configured for an Azure AD role, the user must activate the role through PIM before using it.
The user activates the Azure AD role by logging in to Azure AD Privileged Identity Management (the same place where the global admin set up PIM for the user).
In the following example, we’ll log in as adm.msk, the user that was configured with PIM in the previous step, and activate the Azure AD role.
Log in to the Azure Portal and go to the PIM management blade.
Select My roles, select Eligible assignments, identify the role you want to activate, and click Activate:
You can limit how long the role stays activated.
For a minor change, 30 minutes may be enough. To start a workday filled with user management, you may want to select eight hours.
Type in a reason why you want to activate the role. This is used for logging the activity.
Once you click Activate, the role is activated. This may take a few seconds:
Reloading the web page will give you an overview of your roles, and you should be able to verify the role has now been activated:
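The same two procedures, the admin-side eligible assignment with a start/end date and the user-side activation with a duration and reason, as an added example using the Microsoft Graph PowerShell SDK rather than the portal. This is not the article's own code; the UPN, tenant name, dates and justification strings are placeholders, and the Graph modules (Microsoft.Graph.Authentication, Microsoft.Graph.Users, Microsoft.Graph.Identity.Governance) are assumed to be installed.

```powershell
# Added example, not the article's own code. Placeholders: the UPN, the dates and the reasons.
# Each call needs the matching Graph permission consented for the signed-in account.
Connect-MgGraph -Scopes 'User.Read.All', 'RoleEligibilitySchedule.ReadWrite.Directory', 'RoleAssignmentSchedule.ReadWrite.Directory'
# Resolve the User Administrator role and the admin user to their object IDs.
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'User Administrator'"
$user = Get-MgUser -UserId 'adm.msk@EXAMPLE-TENANT.onmicrosoft.com'   # placeholder UPN
# Step 1, run by a Global Admin / PIM admin: make the user Eligible for the role, time-bound.
# expiration.type 'AfterDateTime' is the portal's "Assignment starts/ends"; 'NoExpiration' is "Permanent".
function New-PimEligibleAssignment {
    param([string]$PrincipalId, [string]$RoleDefinitionId, [datetime]$End, [string]$Reason)
    $body = @{
        action           = 'adminAssign'
        principalId      = $PrincipalId
        roleDefinitionId = $RoleDefinitionId
        directoryScopeId = '/'                      # whole tenant
        justification    = $Reason
        scheduleInfo     = @{
            startDateTime = [datetime]::UtcNow
            expiration    = @{ type = 'AfterDateTime'; endDateTime = $End.ToUniversalTime() }
        }
    }
    New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $body
}
# Step 2, run later by the eligible user (adm.msk) in their own session: activate the role
# for a limited time and give the reason that PIM logs. Duration is ISO 8601 (PT30M, PT8H).
function Enable-PimRole {
    param([string]$PrincipalId, [string]$RoleDefinitionId, [string]$Duration, [string]$Reason)
    $body = @{
        action           = 'selfActivate'
        principalId      = $PrincipalId
        roleDefinitionId = $RoleDefinitionId
        directoryScopeId = '/'
        justification    = $Reason
        scheduleInfo     = @{
            startDateTime = [datetime]::UtcNow
            expiration    = @{ type = 'AfterDuration'; duration = $Duration }
        }
    }
    New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $body
}
New-PimEligibleAssignment -PrincipalId $user.Id -RoleDefinitionId $role.Id `
    -End (Get-Date).AddMonths(3) -Reason 'User admin for the migration project'   # placeholder
Enable-PimRole -PrincipalId $user.Id -RoleDefinitionId $role.Id -Duration 'PT30M' -Reason 'Create new-hire account'
# Verify what is currently active for the principal (the "My roles" check above).
Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -Filter "principalId eq '$($user.Id)'" |
    Select-Object RoleDefinitionId, StartDateTime, EndDateTime
```

If the role's PIM settings require approval or MFA on activation, the selfActivate request is created in a pending state and the role only becomes active once those conditions are met.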
The above guides demonstrated how to use a Global Admin (or PIM admin) to set up PIM for an admin user.
To see how admins activate PIM once it has been assigned, have a look at this article.
PIM will help you limit the time during which your admin accounts can perform privileged actions.
This decreases the attack surface of your environment, at the cost of some administrative overhead.
Also, you’ll need the Azure AD Premium P2 license to be able to use PIM.