2.2.2. Microsoft Entra Privileged Identity Management (PIM)
💡 First Principle: Permanent privileged access is a security risk. PIM provides time-bound, approval-based privileged access, reducing the attack surface from compromised privileged accounts.
Scenario: Your security team members need Owner access to investigate incidents, but having permanent Owner access makes their accounts high-value targets. PIM allows them to activate Owner access only when needed.
PIM Key Concepts
- Eligible Assignment: User can activate the role but doesn't have it by default
- Active Assignment: User currently has the role (time-limited)
- Activation: Process of converting eligible to active
- Justification: Reason provided when activating
- Approval: Optional workflow requiring another user to approve activation
PIM Settings
| Setting | Purpose | Recommendation |
|---|---|---|
| Maximum activation duration | How long active access lasts | 8 hours maximum |
| Require justification | Document why access is needed | Always enable |
| Require approval | Second person must approve | Enable for critical roles |
| Require MFA | Verify identity on activation | Always enable |
| Require ticket information | Link to incident/ticket | Enable for audit trail |
Visual: PIM Activation Flow
Visual: PIM Role Assignment Lifecycle
💡 Key Insight: The security value of PIM comes from the Eligible → Active transition being controlled (MFA, justification, approval) and time-limited. Permanent Active assignments bypass all these protections.
⚠️ Exam Trap: Assigning permanent active roles instead of eligible roles. PIM's security benefit comes from time-limited access—permanent assignments bypass this protection.
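The checks the settings table and the Exam Trap describe, as an added Python example that is not part of this guide: it reviews one role's PIM activation rules against the recommended settings and flags permanent active assignments. The record shapes (`@odata.type`, `id`, `maximumDuration`, `enabledRules`, `assignmentType`, `endDateTime`) are assumed to follow Microsoft Graph's role management policy rules and role assignment schedule instances, and all sample data is constructed.

```python
import re
from datetime import timedelta
MAX_ACTIVATION = timedelta(hours=8)  # "8 hours maximum" from the settings table
REQUIRED_ON_ACTIVATION = {"MultiFactorAuthentication", "Justification", "Ticketing"}

def parse_iso_duration(value):
    """'PT8H', 'PT30M', 'P1D' -> timedelta (the ISO 8601 subset PIM uses)."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?)?", value)
    if not m or value in ("P", "PT"):
        raise ValueError(f"unsupported duration: {value}")
    d, h, mi = (int(x or 0) for x in m.groups())
    return timedelta(days=d, hours=h, minutes=mi)
def check_policy(rules, critical_role):
    """Findings for one role's activation rules (Graph rule shapes assumed)."""
    findings = []
    for rule in rules:
        if not rule["id"].endswith("_EndUser_Assignment"):
            continue  # only the activation (end-user) rules are checked here
        kind = rule["@odata.type"].rsplit("Policy", 1)[-1]
        if kind == "ExpirationRule":
            if not rule["isExpirationRequired"]:
                findings.append("activation never expires")
            elif parse_iso_duration(rule["maximumDuration"]) > MAX_ACTIVATION:
                findings.append(f"activation duration {rule['maximumDuration']} exceeds PT8H")
        elif kind == "EnablementRule":
            for missing in sorted(REQUIRED_ON_ACTIVATION - set(rule["enabledRules"])):
                findings.append(f"{missing} not required on activation")
        elif kind == "ApprovalRule" and critical_role and not rule["setting"]["isApprovalRequired"]:
            findings.append("approval not required for critical role")
    return findings
def check_assignments(instances):
    """Permanent active assignments: assignmentType 'Assigned' with no endDateTime."""
    return [i["principalId"] for i in instances
            if i["assignmentType"] == "Assigned" and i.get("endDateTime") is None]
# Constructed sample data (not from a real tenant; field names are an assumption):
# one policy with weak activation settings and two assignment instances.
SAMPLE_RULES = [
    {"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule",
     "id": "Expiration_EndUser_Assignment", "isExpirationRequired": True, "maximumDuration": "PT24H"},
    {"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule",
     "id": "Enablement_EndUser_Assignment", "enabledRules": ["Justification"]},
    {"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule",
     "id": "Approval_EndUser_Assignment", "setting": {"isApprovalRequired": False}},
]
SAMPLE_INSTANCES = [
    {"principalId": "user-a", "assignmentType": "Assigned", "endDateTime": None},
    {"principalId": "user-b", "assignmentType": "Activated", "endDateTime": "2024-01-01T17:00:00Z"},
]
```

Running `check_policy(SAMPLE_RULES, critical_role=True)` reports the 24-hour duration, the missing MFA and ticket requirements, and the missing approval; `check_assignments(SAMPLE_INSTANCES)` returns `user-a`, the permanent active assignment the Exam Trap warns about.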
Key Trade-Offs:
- Security vs. Convenience: Approval workflows improve security but slow down access
- Short Duration vs. Productivity: Shorter activation periods reduce risk but may interrupt work