Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

2.3.4. Identity Governance: PIM and Audit Logs

💡 First Principle: Permanent admin access is a security liability — the longer elevated privileges exist, the larger the attack surface. Privileged Identity Management (PIM) solves this with just-in-time access: admins activate elevated roles only when needed, for a limited time, and with approval if required. Audit logs provide the historical record of who did what.

Think of PIM like a secure key lockbox. Instead of giving a contractor a permanent building key, you issue a time-limited key that expires after 2 hours and logs every time it's used. If the key is stolen, the damage is bounded. If something goes wrong, you have a record.

PIM capabilities:
  • Just-in-time (JIT) access: eligible admins activate a role when needed; it expires automatically
  • Time-bound assignments: roles can be active for a set duration (e.g., 1 hour, 8 hours)
  • Approval workflows: sensitive roles require manager or peer approval before activation
  • MFA on activation: require MFA before elevated access is granted
  • Access reviews: periodic reviews ensure that eligible role assignments are still appropriate

Audit logs in Microsoft Entra record two types of activity:

  • Sign-in logs: every authentication attempt — who signed in, from where, with what method, and whether it succeeded
  • Audit logs: every administrative action — who changed what configuration, when

These logs are the foundation for security investigations, compliance reviews, and incident response. In Microsoft Purview, the Unified Audit Log captures activity across M365 workloads (Exchange, SharePoint, Teams, Entra) in one searchable place.
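As an added illustration of how PIM and audit logs work together (example code written for this section, not from the course or from Microsoft), the script below correlates administrative actions against PIM activation windows: any admin action with no covering just-in-time window points to a standing assignment that should be converted to an eligible one. The records, field names, activity labels and the 8-hour cap are constructed assumptions, not real Entra log schema.

```python
from datetime import datetime, timedelta

MAX_ACTIVE = timedelta(hours=8)  # assumed policy maximum for an activation window

# Constructed sample records with simplified field names (not real tenant data).
SAMPLE_LOG = [
    {"time": "2026-03-01T09:00:00", "user": "alice@contoso.example", "activity": "PIM activation", "role": "Global Administrator"},
    {"time": "2026-03-01T09:15:00", "user": "alice@contoso.example", "activity": "Update conditional access policy", "role": None},
    {"time": "2026-03-01T10:00:00", "user": "alice@contoso.example", "activity": "PIM deactivation", "role": "Global Administrator"},
    {"time": "2026-03-01T14:00:00", "user": "bob@contoso.example", "activity": "Add user to group", "role": None},
    {"time": "2026-03-02T08:00:00", "user": "carol@contoso.example", "activity": "PIM activation", "role": "Security Administrator"},
    {"time": "2026-03-02T20:00:00", "user": "carol@contoso.example", "activity": "Reset user password", "role": None},
]


def parse(rec):
    return datetime.fromisoformat(rec["time"])


def activation_windows(records, max_active=MAX_ACTIVE):
    """Return {user: [(start, end), ...]} built from activation/deactivation pairs.
    An activation that is never explicitly deactivated is capped at max_active,
    mirroring the automatic expiry PIM applies to a forgotten activation."""
    windows, open_ = {}, {}
    for r in sorted(records, key=parse):
        key = (r["user"], r["role"])
        if r["activity"] == "PIM activation":
            open_[key] = parse(r)
        elif r["activity"] == "PIM deactivation" and key in open_:
            windows.setdefault(r["user"], []).append((open_.pop(key), parse(r)))
    for (user, _), start in open_.items():  # still open: bounded by PIM expiry
        windows.setdefault(user, []).append((start, start + max_active))
    return windows


def actions_outside_windows(records):
    """Admin actions with no covering activation window: evidence of standing
    (permanent) privilege that should be made eligible rather than active."""
    windows = activation_windows(records)
    findings = []
    for r in records:
        if r["activity"].startswith("PIM "):
            continue  # the activation events themselves are not admin changes
        t = parse(r)
        if not any(start <= t <= end for start, end in windows.get(r["user"], [])):
            findings.append((r["user"], r["activity"]))
    return findings


if __name__ == "__main__":
    for user, activity in actions_outside_windows(SAMPLE_LOG):
        print(f"standing privilege suspected: {user} performed '{activity}' outside any PIM window")
```

In the sample, Bob has no activation at all and Carol acts after her uncapped activation would have expired, so both are flagged while Alice's change inside her window is not.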

⚠️ Exam Trap: PIM requires Microsoft Entra ID P2 licensing (included in E5, or as an add-on). If a question asks about just-in-time access for Azure AD roles and the answer options include features that require P2, verify the licensing context.

Reflection Question: An admin activates the Global Administrator role using PIM to make a configuration change, then forgets to deactivate it. What PIM feature ensures the elevated access is automatically removed, and how long is the maximum default active duration?

Written by Alvin Varughese, Founder • 15 professional certifications