top of page

What is Azure AD Privileged Identity Management (PIM)?

Privileged Identity Management (PIM) is a service in Azure Active Directory (Azure AD) that enables you to manage, control, and monitor access to important resources in your organization. These resources include resources in Azure AD, Azure, and other Microsoft Online Services such as Microsoft 365 or Microsoft Intune. The following video introduces you to important PIM concepts and features.

Reasons to use

Organizations want to minimize the number of people who have access to secure information or resources, because that reduces the chance of a malicious actor getting that access, or an authorized user inadvertently impacting a sensitive resource. However, users still need to carry out privileged operations in Azure AD, Azure, Microsoft 365, or SaaS apps. Organizations can give users just-in-time privileged access to Azure resources and Azure AD. There is a need for oversight for what those users are doing with their administrator privileges.

What does it do?

Privileged Identity Management provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources that you care about. Here are some of the key features of Privileged Identity Management:

  • Provide just-in-time privileged access to Azure AD and Azure resources

  • Assign time-bound access to resources using start and end dates

  • Require approval to activate privileged roles

  • Enforce multi-factor authentication to activate any role

  • Use justification to understand why users activate

  • Get notifications when privileged roles are activated

  • Conduct access reviews to ensure users still need roles

  • Download audit history for internal or external audit

What can I do with it?

Once you set up Privileged Identity Management, you'll see Tasks, Manage, and Activity options in the left navigation menu. As an administrator, you'll choose between options such as managing Azure AD roles, managing Azure resource roles, or privileged access groups. When you choose what you want to manage, you see the appropriate set of options for that option.


Privileged Identity Management supports the following scenarios:

Privileged Role administrator permissions

  • Enable approval for specific roles

  • Specify approver users or groups to approve requests

  • View request and approval history for all privileged roles

Approver permissions

  • View pending approvals (requests)

  • Approve or reject requests for role elevation (single and bulk)

  • Provide justification for my approval or rejection

Eligible role user permissions

  • Request activation of a role that requires approval

  • View the status of your request to activate

  • Complete your task in Azure AD if activation was approved

License requirements

This feature requires an Azure AD Premium P2 license.

170 views0 comments

Recent Posts

See All

Prerequisites for Hybrid Azure AD

In a similar way to a user, a device is another core identity you want to protect and use it to protect your resources at any time and from any location. You can accomplish this goal by bringing and m


bottom of page