With PIM (Privileged Identity Management), admins can decrease the attack surface by limiting the time when privileges can be used.
One example could be Jane from the helpdesk, who has been assigned the User Administrator role.
With PIM configured, Jane will have to explicitly request to use the User Administrator role for a limited time.
Outside the requested time, Jane won’t be able to use the role. Or will she…?
PIM Token Refresh
All actions toward Azure AD graph resources require a valid access token.
When using PIM, you must request a fresh access token after the role has been assigned via PIM.
Any session running with a token obtained before PIM activation will not be able to utilize the privileges of the assigned role.
In the Azure Portal, the browser is kind enough to perform the token refresh after the role assignment.
But keep in mind that token refresh is application-specific. Depending on the application, you may need to take additional steps after the PIM role is assigned.
PIM Token Lifetime
What about the expiry (or explicit deactivation) of the PIM-assigned privileges?
Basically, the same rule of thumb applies:
The access token will not reflect the PIM expiration status until the token is refreshed.
With a default token lifetime of one hour, the user can continue to perform privileged actions for up to one hour after the PIM role assignment expires.
There are some exceptions to this rule. The following actions will (almost) immediately invalidate the token:
- Disabling or deleting the user account.
- Password change or reset.
- Enabling of MFA.
- Explicit token revocation.
- High user risk detection by Azure AD Identity Protection.
The handling of these events is commonly known as CAE (Continuous Access Evaluation).
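The window described above can be measured from a token's own claims. The Python below is an added example, not code from the original article or from Easy365Manager. It assumes that Azure AD lists a user's active directory roles in the access token's `wids` claim as role template IDs; the helper names and the sample token are constructed for illustration.

```python
import base64
import json

# Assumption: active directory roles appear in the "wids" claim as role
# template IDs; this value is the template ID of User Administrator.
USER_ADMINISTRATOR = "fe930be7-5e62-47db-91af-98c3a49a38b1"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(jwt: str) -> dict:
    """Return the JWT payload as a dict. Inspection only: no signature check."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def residual_privilege_seconds(jwt: str, role_id: str, pim_end: int) -> int:
    """Seconds the token still carries role_id after the PIM activation ended.

    pim_end is the Unix time at which the PIM activation expired or was
    deactivated. Returns 0 if the token lacks the role or expires first.
    """
    claims = decode_claims(jwt)
    if role_id.lower() not in (w.lower() for w in claims.get("wids", [])):
        return 0
    return max(0, int(claims["exp"]) - pim_end)


def make_sample_token(iat: int, lifetime: int, wids: list) -> str:
    """Build an unsigned token with constructed claims, for the demo only."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url(json.dumps({"iat": iat, "exp": iat + lifetime, "wids": wids}).encode())
    return f"{header}.{body}.constructed-signature"


if __name__ == "__main__":
    # Constructed timeline: Jane's client fetches a one-hour token ten minutes
    # before her PIM activation ends, so the token outlives the role.
    activation_end = 1_700_000_000
    token = make_sample_token(activation_end - 600, 3600, [USER_ADMINISTRATOR])
    print(residual_privilege_seconds(token, USER_ADMINISTRATOR, activation_end))
```

A token fetched shortly before the activation ends gives the longest overlap, which is why the worst case approaches the full token lifetime.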
Using Easy365Manager With PIM
Easy365Manager is a snap-in for AD Users & Computers that consolidates your Active Directory and Office 365 management.
Easy365Manager can be used with PIM as it is built on native Microsoft security APIs.
With Easy365Manager, you can perform all day-to-day management of Office 365 mailboxes directly from AD user properties.
This even includes tasks like calendar delegation, which usually requires complex PowerShell scripting.
With Easy365Manager, your helpdesk users get the benefit of doing all Office 365 management from the intuitive interface of AD – this will instantly improve their efficiency.
Additionally, you can remove your on-premises Exchange Server.
Download a fully functional 30-day trial here.
Easy365Manager does not make any infrastructure changes and can run on any system with AD Users & Computers. It only takes a few minutes to install and configure.
Read more about Easy365Manager here.