Unit 2: Define a privileged access strategy for administrative users

What is Privileged Identity Management (PIM)?

Privileged Identity Management (PIM) is a Microsoft Entra ID service designed to manage access to privileged roles and resources. It enables organizations to control, monitor, and audit access to high-impact roles across:

• Microsoft Entra ID (directory roles).
• Azure subscriptions and resources.
• Microsoft 365 services.
• Other Microsoft online services.

Licensing note (exam-critical): PIM requires Microsoft Entra ID Premium P2.

What does PIM do?

PIM reduces risk by enforcing time-bound, approval-based, and monitored access to privileged roles.

Key capabilities include:

• Providing just-in-time privileged access to Microsoft Entra ID and Azure resources.
• Assigning time-bound access using start and end dates.
• Requiring approval before role activation.
• Enforcing multifactor authentication (MFA) during activation.
• Requiring justification for role activation.
• Sending notifications when privileged roles are activated.
• Running access reviews to confirm continued need.
• Providing audit logs and reports for compliance and investigation.

Together, these controls help prevent excessive, unnecessary, or misused administrative permissions.

Identify your stakeholders

Deploying PIM is both a technical and organizational change. Success depends on engaging the correct stakeholders early and clearly defining responsibilities.

Stakeholders for Microsoft Entra roles

Stakeholders for Azure roles

Start using Privileged Identity Management

Before enabling PIM broadly:

• Review the Start using Privileged Identity Management guidance.
• Identify Azure subscriptions and resources to manage.
• Confirm approvals from subscription owners before onboarding Azure resources.
• If necessary, a Global Administrator can temporarily elevate access to discover all Azure subscriptions, but this should be approved in advance.

Enforce the principle of least privilege

The principle of least privilege means users should have only the permissions required, and only for the time they are needed.

Plan least-privilege delegation for Microsoft Entra roles

Many organizations over-assign Global Administrator, even when most admins only need limited permissions.

Recommended approach:

• Understand the granularity of Microsoft Entra roles.
• Use task-based role guidance to assign the least privileged role.
• List all users with privileged roles using PIM Discovery and insights.
• Remove unnecessary Global Administrator assignments.
• Replace broad roles with more specific built-in or custom roles.
• Review and remove stale assignments for all other roles.

Use access reviews to enforce least privilege

PIM integrates with access reviews to automate cleanup:

• Create access reviews for Microsoft Entra roles.
• Set reviewers to Members (self).
• Require justification for approval.
• Remove users who no longer need the role.

Important operational note:

• Access reviews rely on email notifications.
• Privileged accounts must have valid email addresses configured.

Plan Azure resource role delegation

Azure subscriptions often have too many Owner or User Access Administrator assignments.

Best practices include:

• Reviewing Azure role assignments per subscription.
• Working with subscription owners to remove unnecessary roles.
• Prioritizing cleanup for critical subscriptions.
• Using access reviews for Azure roles.

Global Administrators can temporarily elevate access, but should coordinate changes with subscription owners.

Decide which roles should be protected by PIM

Not every role needs PIM, but high-impact roles must be protected.

Microsoft Entra roles commonly protected by PIM

• Global Administrator.
• Security Administrator.
• User Administrator.
• Exchange Administrator.
• SharePoint Administrator.
• Intune Administrator.
• Security Reader.
• Service Administrator.
• Billing Administrator.
• Skype for Business Administrator.

Exam tip: Microsoft recommends starting with Global Administrator and Security Administrator roles.

Roles with guest users assigned should always be managed by PIM.

Azure roles to protect with PIM

Prioritize subscriptions and resources that:

• Host sensitive data.
• Support customer-facing workloads.

At a minimum, protect:

• Owner.
• User Access Administrator.

Service accounts should be treated the same as user accounts.

Decide whether to assign roles to groups

Assigning roles to role-assignable groups is recommended when:

• Many users require the same role.
• You want to delegate membership management.

Key behaviors:

• Group members activate roles individually through PIM.
• The group itself is not activated.
• Group owners manage membership.
• Only specific admins and group owners can manage role-assignable groups.

Microsoft recommends managing role-assignable groups with PIM as privileged access groups.

Decide permanent vs eligible role assignments

• Eligible roles require activation through PIM.
• Permanent roles are always active.

Microsoft recommends:

• Zero standing administrators, except for two emergency access (break-glass) accounts with permanent Global Administrator.

Factors to consider:

• Frequency of role usage.
• Impact on productivity.
• Organizational constraints.

If permanent roles are required, configure recurring access reviews.

Draft your PIM settings

Before implementation, document PIM settings per role, including:

• MFA requirements.
• Approval workflows.
• Activation duration.
• Notifications.
• Incident ticket requirements.
• Eligible vs permanent assignments.

This ensures consistent enforcement and easier audits.