Privileged Identity Management
- PIM (Privileged Identity Management) allows access to be granted just in time. It applies to Azure AD (AAD) roles and to general Azure Resource Manager (ARM) roles.
- PIM is part of a zero-trust solution.
- To use PIM, you need one of the following paid or trial licenses: Azure AD Premium P2, Enterprise Mobility + Security (EMS) E5, or Microsoft 365 E5.
- PIM is about providing just-in-time (JIT) privileged access to resources.
- PIM requires a P2 license on the Azure AD tenant for every user who uses PIM features, except Global Administrator users (they are exempt from the licensing requirement).
- The activation period can be between 0.5 and 24 hours; it specifies how long the role stays active once activated.
- Access is time-bounded: a start and end date specify when the role can be used. The maximum duration is 1 year.
- One or more approvers can be designated to approve activation of privileges.
- MFA can be required to activate a role.
- The justification for why a privileged role was used can be reviewed.
- If MFA is configured as a PIM activation requirement, a user will be prompted for MFA even if they are not set up for it. Need to confirm.
- Even if a user is in the approver group, they cannot approve their own requests. Need to confirm.
- If a user's assignment type is Active, they are not subject to PIM requirements (e.g. MFA) since they are already assigned the permission.
- If a user is both eligible and active, they cannot activate the role because it is already active for them.
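As an added example (not part of these notes), the settings above expressed with the Microsoft Graph PowerShell SDK: an 8-hour activation window within the 0.5-24 hour range, MFA plus justification required on activation, and a one-year eligible (not active) assignment. The role name, user object id and tenant-wide scope are placeholders, and the rule ids and body shapes are assumed to follow the Graph PIM role-management API (check them against the current module).

```powershell
# Added example (not from the original notes). Assumes the Microsoft.Graph
# PowerShell SDK is installed and the caller holds Privileged Role Administrator.
# Role name, user object id and scope below are placeholders.
Connect-MgGraph -Scopes "RoleManagementPolicy.ReadWrite.Directory", "RoleEligibilitySchedule.ReadWrite.Directory"

$roleName = "User Administrator"              # placeholder role
$userId   = "<object-id-of-eligible-user>"    # placeholder user object id
$role     = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"

# 1. Find the PIM policy bound to this directory role at tenant scope ("/").
$policyAssignment = Get-MgPolicyRoleManagementPolicyAssignment `
    -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$($role.Id)'"
$policyId = $policyAssignment.PolicyId

# 2. Activation window: 8 hours (PIM allows 0.5 to 24 hours).
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId "Expiration_EndUser_Assignment" -BodyParameter @{
        "@odata.type"        = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"
        id                   = "Expiration_EndUser_Assignment"
        isExpirationRequired = $true
        maximumDuration      = "PT8H"
    }

# 3. Require MFA and a written justification on every activation.
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId "Enablement_EndUser_Assignment" -BodyParameter @{
        "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule"
        id            = "Enablement_EndUser_Assignment"
        enabledRules  = @("MultiFactorAuthentication", "Justification")
    }

# 4. Make the user eligible (not active) for one year, the maximum in the notes.
#    An eligible user still has to activate, so MFA and justification apply.
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter @{
    action           = "adminAssign"
    principalId      = $userId
    roleDefinitionId = $role.Id
    directoryScopeId = "/"
    justification    = "JIT eligibility for user administration tasks"
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = "afterDuration"; duration = "P365D" }
    }
}
```

Assigning the user as Active instead (an assignment schedule request rather than an eligibility request) would bypass the MFA and justification rules above, which is the distinction the last two notes describe.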