====== Azure Privileged Identity Management ======

  * **PIM** (Privileged Identity Management) allows access to be granted in a just-in-time manner. It applies both to Azure AD roles and to general ARM (Azure Resource Manager) roles.
  * [[https://docs.microsoft.com/en-us/learn/modules/azure-ad-privileged-identity-management/4-privileged-identity-management]]
  * [[https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure#what-does-it-do]]
  * [[https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/subscription-requirements]]
  * PIM is part of a zero-trust solution.

> To use PIM, you need one of the following paid or trial licenses: Azure AD Premium P2, Enterprise Mobility + Security (EMS) E5, or Microsoft 365 M5

  * PIM is about providing just-in-time (JIT) privileged access to resources.
  * PIM requires a P2 license for the Azure AD tenant for all users that use PIM features, except for Global Administrator users (they are exempt from the licensing requirement).
  * The activation period can be between 0.5 and 24 hours. It specifies how long the role stays active once activated.
  * Access is time-bounded. Specify a start and end date for when the role can be used. The maximum duration is 1 year.
  * One or more approvers can be designated who must approve before privileges are activated.
  * MFA can be required to activate a role.
  * A justification can be reviewed for why a privileged role was activated.
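The role settings listed above (activation window of 0.5 to 24 hours, assignments bounded to at most 1 year, optional approvers, MFA on activation, and a justification) can be expressed as a small policy check. The following is an added example and not code from the page or from Microsoft; the data classes, the constants, the object ids and the timestamp are all constructed for illustration. The ''graph_activation_body'' helper builds the request body shape used by the Microsoft Graph ''roleAssignmentScheduleRequests'' endpoint for a self-activation, which is an assumption of the example rather than something the notes above document; nothing is sent anywhere.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Limits stated in the notes: activation 0.5-24 hours, assignment at most 1 year.
MIN_ACTIVATION_HOURS = 0.5
MAX_ACTIVATION_HOURS = 24.0
MAX_ASSIGNMENT = timedelta(days=365)


@dataclass(frozen=True)
class RoleSettings:
    """Per-role PIM settings as described in the notes (hypothetical model)."""
    max_activation_hours: float = 8.0
    require_mfa: bool = True
    require_justification: bool = True
    approvers: Tuple[str, ...] = ()  # empty tuple means no approval step


@dataclass(frozen=True)
class EligibleAssignment:
    """A time-bounded eligible assignment: the role may be activated only between start and end."""
    principal_id: str
    role_definition_id: str
    start: datetime
    end: datetime


@dataclass(frozen=True)
class ActivationRequest:
    assignment: EligibleAssignment
    requested_hours: float
    justification: str
    mfa_completed: bool
    approved_by: Optional[str] = None


def validate_assignment(a: EligibleAssignment) -> List[str]:
    """Check the eligible assignment against the 1 year maximum."""
    if a.end <= a.start:
        return ["assignment end must be after its start"]
    if a.end - a.start > MAX_ASSIGNMENT:
        return ["assignment exceeds the 1 year maximum"]
    return []


def validate_settings(s: RoleSettings) -> List[str]:
    """The configured activation maximum must itself fall inside the 0.5-24 hour window."""
    if not MIN_ACTIVATION_HOURS <= s.max_activation_hours <= MAX_ACTIVATION_HOURS:
        return ["max activation must be between 0.5 and 24 hours"]
    return []


def evaluate_activation(req: ActivationRequest, settings: RoleSettings, now: datetime) -> List[str]:
    """Return every reason the activation would be refused; an empty list means it is allowed."""
    problems = validate_assignment(req.assignment) + validate_settings(settings)
    a = req.assignment
    if not (a.start <= now < a.end):
        problems.append("eligible assignment is not valid at this time")
    if not MIN_ACTIVATION_HOURS <= req.requested_hours <= settings.max_activation_hours:
        problems.append(f"requested duration must be between {MIN_ACTIVATION_HOURS} "
                        f"and {settings.max_activation_hours} hours")
    if settings.require_mfa and not req.mfa_completed:
        problems.append("MFA is required to activate this role")
    if settings.require_justification and not req.justification.strip():
        problems.append("a justification is required")
    if settings.approvers and req.approved_by not in settings.approvers:
        problems.append("activation requires approval from a designated approver")
    return problems


def graph_activation_body(req: ActivationRequest, now: datetime) -> dict:
    """Build a selfActivate body in the shape of Graph's unifiedRoleAssignmentScheduleRequest.
    The field names are an assumption of this example; the duration is an ISO 8601 period."""
    minutes = int(round(req.requested_hours * 60))
    return {
        "action": "selfActivate",
        "principalId": req.assignment.principal_id,
        "roleDefinitionId": req.assignment.role_definition_id,
        "directoryScopeId": "/",
        "justification": req.justification,
        "scheduleInfo": {
            "startDateTime": now.isoformat(),
            "expiration": {"type": "afterDuration", "duration": f"PT{minutes}M"},
        },
    }


# Constructed sample data: a fixed clock, one role's settings and one eligible assignment.
NOW = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
SETTINGS = RoleSettings(max_activation_hours=8.0, approvers=("approver-object-id",))
ELIGIBLE = EligibleAssignment("user-object-id", "role-definition-id",
                              NOW - timedelta(days=1), NOW + timedelta(days=30))

if __name__ == "__main__":
    ok = ActivationRequest(ELIGIBLE, 4.0, "INC-0001: rotate storage account keys",
                           True, "approver-object-id")
    print("allowed" if not evaluate_activation(ok, SETTINGS, NOW) else "refused")
    print(graph_activation_body(ok, NOW)["scheduleInfo"])
    bad = ActivationRequest(ELIGIBLE, 36.0, "", False)
    for reason in evaluate_activation(bad, SETTINGS, NOW):
        print("refused:", reason)
```

Running the script shows the compliant request passing and the non-compliant one refused for four separate reasons (duration above the role's maximum, no MFA, empty justification, no approver), which is the same set of controls the notes list as PIM role settings.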