Unit 3: Configure Privileged Identity Management for Azure resources
Privileged Identity Management (PIM) for Azure resources extends the same just-in-time, approval-based, and auditable access model used for Microsoft Entra roles to Azure subscriptions, management groups, and resources.
This capability is especially useful for:
- Organizations already using PIM to protect Microsoft Entra directory roles.
- Management group owners and subscription owners responsible for securing production environments.
- Environments where Owner and User Access Administrator roles must be tightly controlled.
Unlike Microsoft Entra roles, Azure role assignments directly control access to infrastructure and workloads. Improperly managed Azure roles can result in data exposure, service outages, or unauthorized changes to critical systems.
When to configure PIM for Azure resources
You should configure PIM for Azure resources when:
- You want to eliminate permanent Owner or User Access Administrator assignments.
- You need approval and MFA for sensitive infrastructure actions.
- You want audit visibility into who elevated access and when.
- You are securing production subscriptions or management groups.
Best practice:
There is no technical limit to how many Azure resources can be managed by PIM, but Microsoft recommends starting with your most critical production resources and expanding gradually.
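Before onboarding a subscription, it helps to know which standing Owner and User Access Administrator assignments PIM is meant to replace. The following triage script is an added example, not part of this unit; it assumes input shaped like the JSON from `az role assignment list --all -o json` (a real command whose `roleDefinitionName`, `principalType`, `principalName` and `scope` fields are used here) and works on a constructed sample rather than a real tenant.

```python
"""Triage standing Owner / User Access Administrator assignments before PIM onboarding."""
import json
from collections import Counter

# The two roles the unit singles out for tight control.
PRIVILEGED_ROLES = {"Owner", "User Access Administrator"}

# Constructed sample in the shape of `az role assignment list --all -o json` (not real data).
SAMPLE_AZ_OUTPUT = json.dumps([
    {"roleDefinitionName": "Owner", "principalType": "User",
     "principalName": "alice@contoso.example", "scope": "/subscriptions/sub-prod"},
    {"roleDefinitionName": "User Access Administrator", "principalType": "Group",
     "principalName": "sg-platform-admins", "scope": "/subscriptions/sub-prod/resourceGroups/rg-core"},
    {"roleDefinitionName": "Owner", "principalType": "ServicePrincipal",
     "principalName": "sp-terraform", "scope": "/subscriptions/sub-prod"},
    {"roleDefinitionName": "Reader", "principalType": "User",
     "principalName": "bob@contoso.example", "scope": "/subscriptions/sub-prod"},
    {"roleDefinitionName": "Owner", "principalType": "User",
     "principalName": "carol@contoso.example", "scope": "/subscriptions/sub-dev"},
])

def in_scope(assignment_scope, target_scope):
    """True if the assignment sits at target_scope or anywhere beneath it (child resources)."""
    a, t = assignment_scope.lower(), target_scope.lower().rstrip("/")
    return a == t or a.startswith(t + "/")

def standing_privileged_assignments(az_json, target_scope):
    """Return privileged assignments under target_scope, highest-risk first.

    `az role assignment list` only returns assignments that are active right now,
    so every hit is standing access that onboarding should convert to an
    eligible (just-in-time) assignment or justify as time-bound active access."""
    hits = [a for a in json.loads(az_json)
            if a["roleDefinitionName"] in PRIVILEGED_ROLES
            and in_scope(a["scope"], target_scope)]
    # Human users with standing Owner at the subscription root are the first to convert.
    risk = {"User": 0, "Group": 1, "ServicePrincipal": 2}
    hits.sort(key=lambda a: (risk.get(a["principalType"], 3), a["scope"].count("/")))
    return hits

def summarize(hits):
    """Count standing privileged assignments by principal type for the onboarding report."""
    return dict(Counter(a["principalType"] for a in hits))

if __name__ == "__main__":
    found = standing_privileged_assignments(SAMPLE_AZ_OUTPUT, "/subscriptions/sub-prod")
    for a in found:
        print(f'{a["roleDefinitionName"]:<26} {a["principalType"]:<17} {a["principalName"]:<25} {a["scope"]}')
    print(summarize(found))
```

Feed it the real command output for a production subscription to get the list of assignments to review during discovery; the script itself never calls Azure.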
Discover Azure resources for PIM management
Before Azure resources can be protected by PIM, they must be discovered and onboarded into PIM. Discovery identifies management groups and subscriptions that you have permission to manage.
Required permissions
To discover and manage Azure resources in PIM, you must be:
- A Global Administrator (with elevated access), or
- An Owner of the subscription or management group.
Step-by-step: Discover Azure resources
- Sign in to the Microsoft Entra admin center.
- Open Microsoft Entra Privileged Identity Management.
- Select Azure resources.
- If this is your first time configuring PIM for Azure resources, the Discover resources page appears automatically.
- If Azure resources are already being managed by another administrator, you’ll see a list of resources currently under PIM management instead.
Launch the discovery experience
- Select Discover resources.
This opens the discovery interface where you can identify resources eligible for PIM management.
Filter and select resources
- On the Discovery page:
  - Use Resource state to filter managed vs. unmanaged resources.
  - Use Select resource type to filter by:
    - Management groups.
    - Subscriptions.
  - Initially, it’s recommended to select All to see everything you can manage.
- Search for and select the management groups or subscriptions you want to protect with PIM.
Important concept:
When you manage a management group or subscription in PIM, you can also manage its child resources.
Manage selected resources
- Select one or more unmanaged resources.
- Select Manage resource.
If prompted to confirm onboarding:
- Review the confirmation message.
- Select Yes to onboard the selected resource(s).
Once confirmed, the selected Azure resources are under PIM management.
Managing child resources
When a management group or subscription is managed by PIM:
- Child resources can also be managed through PIM.
- Newly created child resources are not automatically onboarded.
- To manage a new child resource:
  - Search for it in Azure resources within PIM.
  - Explicitly add it under PIM management.
This ensures deliberate control over which resources are governed by PIM.
What changes after onboarding Azure resources into PIM
Once an Azure resource is managed by PIM:
- Role assignments can be configured as:
  - Eligible (just-in-time).
  - Active (time-bound or permanent, if required).
- Role activation can require:
  - MFA.
  - Approval.
  - Justification.
- Elevation activity is:
  - Logged.
  - Auditable.
  - Reviewable through PIM reports.
Key takeaways for Unit 3
- PIM for Azure resources protects infrastructure-level permissions.
- Discovery is required before a resource can be governed by PIM.
- Start with critical subscriptions and management groups.
- Managing a parent resource allows management of child resources.
- PIM enforces least privilege, time-bound access, and auditability for Azure roles.