====== Privileged Identity Management ======

  * **PIM** (Privileged Identity Management) allows access to be granted in a just-in-time manner. It can apply to AAD roles and general ARM roles.
    * [[https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure]]
    * [[https://docs.microsoft.com/en-us/learn/modules/azure-ad-privileged-identity-management/4-privileged-identity-management]]
    * [[https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure#what-does-it-do]]
    * [[https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/subscription-requirements]]
  * PIM is part of a zero-trust solution.

> To use PIM, you need one of the following paid or trial licenses: Azure AD Premium P2, Enterprise Mobility + Security (EMS) E5, or Microsoft 365 M5

> For Azure AD roles in Privileged Identity Management, only a user who is in the Privileged Role Administrator or Global Administrator role can manage assignments for other administrators. Global Administrators, Security Administrators, Global Readers, and Security Readers can also view assignments to Azure AD roles in Privileged Identity Management.

  * PIM is about providing just-in-time (JIT) privileged access to resources.
  * PIM requires a P2 license for the Azure AD tenant for all users that use PIM features, except for Global Administrator users (they are exempt from the licensing requirement).
  * To initially set up PIM, a Global Admin needs to click the //Consent to PIM// option in the portal.
  * Configuring PIM for a user requires the Global Admin role.
  * The activation period can be between 0.5 and 24 hours. It specifies how long the role can be active once activated.
  * Access is time-bounded. Specify a start and end date for when the role can be used. The maximum duration is 1 year.
  * One or more approvers can be designated to approve activation of privileges.
  * PIM requires MFA to activate a role.
  * The justification for why a privileged role was used can be reviewed.
  * If MFA is configured as a requirement for PIM, a user will be prompted for MFA even if they are not set up for it. **Need to confirm**
  * Even if a user is in the approver group, they cannot approve their own requests. **Need to confirm**
  * If a user's assignment type is **Active**, they are not subject to PIM activation requirements (e.g. MFA) since they are already assigned the permission.
  * If a user is both **eligible** and **active**, they cannot activate the role because it is already active for them.

====== Alerts ======

These are alerts PIM can generate:

  * Roles don't require multi-factor authentication for activation
  * Eligible administrators aren't activating their privileged role
  * Potential stale accounts in a privileged role
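The following is an added example, not code from Microsoft or from this page's sources. It audits a PIM configuration export for the conditions noted above: activation windows outside 0.5 to 24 hours, roles that don't require MFA for activation, approval enabled without approvers, assignments longer than one year, eligible administrators who are not activating (potential stale accounts), users who are both eligible and active, standing active assignments that bypass activation MFA, and self-approval of requests. The role settings, assignments and field names are constructed for this example and are not the Microsoft Graph API schema; the 90-day stale threshold is an assumption of the example.

```python
"""Audit a PIM configuration export against the rules noted on this page.

Added example, not code from Microsoft or the page's sources. The role
settings and assignments below are constructed sample data in a shape
assumed for this example; they are not the Microsoft Graph API schema.
"""
from datetime import datetime, timedelta, timezone

# Limits stated in the notes above.
MIN_ACTIVATION_HOURS = 0.5
MAX_ACTIVATION_HOURS = 24
MAX_ASSIGNMENT_DAYS = 365
# Assumption of this example: an eligible admin with no activation in
# this many days is reported as a potential stale account.
STALE_DAYS = 90

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed reference time

# Constructed sample role settings (per role: activation window, MFA,
# approval requirement and designated approvers).
ROLE_SETTINGS = {
    "Global Administrator": {"max_activation_hours": 8, "require_mfa": True,
                             "require_approval": True, "approvers": {"carol", "dave"}},
    "Security Administrator": {"max_activation_hours": 48, "require_mfa": False,
                               "require_approval": True, "approvers": set()},
}

# Constructed sample assignments: bob holds the same role both eligible and active.
ASSIGNMENTS = [
    {"user": "alice", "role": "Global Administrator", "type": "eligible",
     "start": NOW - timedelta(days=30), "end": NOW + timedelta(days=60),
     "last_activation": NOW - timedelta(days=2)},
    {"user": "bob", "role": "Security Administrator", "type": "eligible",
     "start": NOW - timedelta(days=200), "end": NOW + timedelta(days=400),
     "last_activation": None},
    {"user": "bob", "role": "Security Administrator", "type": "active",
     "start": NOW - timedelta(days=200), "end": NOW + timedelta(days=400),
     "last_activation": None},
]


def audit_role_settings(settings):
    """Return (role, finding) pairs for settings that weaken just-in-time access."""
    findings = []
    for role, s in settings.items():
        hours = s["max_activation_hours"]
        if not MIN_ACTIVATION_HOURS <= hours <= MAX_ACTIVATION_HOURS:
            findings.append((role, f"activation window {hours}h outside 0.5-24h"))
        if not s["require_mfa"]:
            findings.append((role, "MFA not required for activation"))
        if s["require_approval"] and not s["approvers"]:
            findings.append((role, "approval required but no approvers designated"))
    return findings


def audit_assignments(assignments, now=NOW):
    """Return (user, role, finding) tuples for assignments that need review."""
    findings = []
    active = {(a["user"], a["role"]) for a in assignments if a["type"] == "active"}
    for a in assignments:
        key = (a["user"], a["role"])
        # Time-bounded access: assignments may last at most 1 year.
        if (a["end"] - a["start"]).days > MAX_ASSIGNMENT_DAYS:
            findings.append(key + ("assignment longer than 1 year",))
        if a["type"] == "eligible":
            last = a["last_activation"]
            if last is None or (now - last).days > STALE_DAYS:
                findings.append(key + ("eligible but not activating (potential stale account)",))
            if key in active:
                findings.append(key + ("both eligible and active; activation controls do not apply",))
        elif a["type"] == "active":
            # A standing active assignment is never subject to activation MFA or approval.
            findings.append(key + ("standing active assignment, not subject to activation MFA",))
    return findings


def can_approve(requester, approver, role, settings=ROLE_SETTINGS):
    """Approval is valid only from a designated approver who is not the requester."""
    s = settings[role]
    return s["require_approval"] and approver in s["approvers"] and approver != requester


if __name__ == "__main__":
    for role, finding in audit_role_settings(ROLE_SETTINGS):
        print(f"[setting] {role}: {finding}")
    for user, role, finding in audit_assignments(ASSIGNMENTS):
        print(f"[assignment] {user} / {role}: {finding}")
```

Run against a real tenant, the two audit functions would be fed the role settings and eligibility/assignment schedules exported from the portal or Graph, mapped into the field names used here; the findings correspond to the three PIM alerts listed above plus the assignment-duration and self-approval rules from the notes.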