Introduction to Azure AD Privileged Identity Management


You would agree that in today’s world, data is the key asset and security is the topmost concern for every organization. It is nearly impossible to properly analyze and resolve the high volume of security alerts generated by systems in order to combat and respond intelligently to increasingly sophisticated attacks.

Businesses today are spending more time and effort on defining and implementing security policies to safeguard their intellectual property and other important data, which is the key asset for an organization of any size. Stakeholders in the organization work with consultants to implement security guidelines as solutions according to industry best practices. This also includes defining the users and roles that will have insider access to the company’s sensitive information. This is where Azure AD Privileged Identity Management comes to the rescue.

What does Privileged Identity Management mean?

Azure Active Directory Privileged Identity Management, commonly called Azure AD PIM or simply PIM, is a service within Azure Active Directory that enables you to manage, monitor, and control access to important resources within the IT landscape of your organization. These resources include Azure AD, Azure, and other Microsoft online services such as M365, Intune, and Exchange Online.

We discussed earlier that organizations are in a constant race to protect their data and resources, as security is their topmost concern. The primary objective is to minimize the number of people who have access to that sensitive information and those resources.

Reducing the number of people who have access reduces the risk in two ways:

  1. A malicious user gaining access, who can use phishing or brute force to enter the system and then look for ways to elevate privileges until they have free rein to steal information
  2. Authorized users who by mistake affect the data and resources, either by deleting them or by changing/updating them

This can be handled easily by Azure AD Privileged Identity Management, as it allows just-in-time and time-bound access for users to Azure and Azure AD resources and also helps with monitoring. Next, we will see more on how Azure AD PIM can be a life saver for organizations.

Those of you who are already aware of Azure Active Directory and have experience provisioning user access through Azure AD might ask: if permissions to Azure AD resources and services can be managed directly from within Azure AD, what is the need for an additional service like PIM to manage permissions? I will admit it’s a great question.

The answer is that with Azure AD you can grant and revoke permissions, but a permission, once granted, is considered permanent access unless it is manually removed. With Azure AD PIM that is not the case. Azure AD PIM provides time-based and approval-based role activation for users, groups, devices, applications, and other resources. This greatly helps mitigate the risk of excessive, unneeded privileges, so that they cannot be misused.

Comparison: Azure Roles and Azure AD Roles

We discussed previously that with Azure AD Privileged Identity Management you can manage both Azure AD roles and Azure roles, but there is often confusion about the differences between the two and whether there are overlaps in the way permissions and authority are granted. So, let’s compare them point by point.

Roles not managed using Azure AD PIM

Let’s discuss the roles that you cannot manage in Azure AD Privileged Identity Management. These are basically the classic subscription administrator roles. Although a detailed description of these roles is out of scope for this course, let me give you a brief overview. They are:

  1. Account Administrator – Conceptually the billing owner, who can manage billing for all subscriptions. They also have the authority to create and cancel subscriptions and to change the Service Administrator. The account that is used to sign up for Azure is assigned both the Account Administrator and Service Administrator roles.
  2. Service Administrator – Manages all services in Azure, can cancel the subscription, and can assign Co-Administrators. For any new subscription, by default the Account Administrator is also the Service Administrator and has access rights equivalent to the subscription Owner role.
  3. Co-Administrators – Have the same access privileges as the Service Administrator. They can assign users to the Co-Administrator role but cannot change the Service Administrator. They also cannot change the association of the subscription with Azure directories.

Azure AD PIM Terminologies

Before we wrap up, let me explain two important terms that are used during role assignments to administrators.

  1. Eligible – This is the type of role assignment where a user needs to perform one or more actions to activate and use the role. Once those actions are completed, the assignment type changes from eligible to active. When a user has been made eligible for a role, it simply means that they can activate that role whenever they need to perform a privileged activity.
  2. Active – This is the type of role assignment that does not require the user to perform any action to use their assigned privileged roles, because those roles are already active.

Apart from the above, there are other terms as well, which are different flavors of the role types we just discussed. They are: assigned, activated, permanent eligible, permanent active, time-bound eligible, time-bound active, just-in-time access, and the principle of least privilege.
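To make the difference between standing Azure AD assignments and the PIM states just described (eligible vs active, permanent vs time-bound, just-in-time activation) concrete, here is an added Python model; it is not the page’s or Microsoft’s code, and the 8-hour maximum activation duration, the principal names and the timestamps are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed model of the assignment states the page describes. It illustrates
# the rules only; it is not Azure AD PIM's own implementation or API.

@dataclass(frozen=True)
class Assignment:
    principal: str
    role: str
    kind: str                            # "eligible" or "active"
    start: datetime
    end: "datetime | None" = None        # None means permanent

def in_window(a: Assignment, at: datetime) -> bool:
    return a.start <= at and (a.end is None or at < a.end)

def activate(elig: Assignment, at: datetime, hours: int, max_hours: int = 8) -> Assignment:
    """Just-in-time activation: an eligible assignment becomes a time-bound active
    one, capped by the role's maximum duration (assumed 8h) and by the eligibility end."""
    if elig.kind != "eligible":
        raise ValueError("only eligible assignments can be activated")
    if not in_window(elig, at):
        raise ValueError("eligibility is not in effect at this time")
    end = at + timedelta(hours=min(hours, max_hours))
    if elig.end is not None:
        end = min(end, elig.end)
    return Assignment(elig.principal, elig.role, "active", at, end)

def effective_roles(principal: str, assignments, at: datetime) -> set:
    """Roles the principal actually holds at `at`. Only active assignments
    (permanent, time-bound or activated) count; eligibility alone grants nothing."""
    return {a.role for a in assignments
            if a.principal == principal and a.kind == "active" and in_window(a, at)}

# Constructed sample tenant: alice is permanently *eligible* for a privileged role,
# bob holds a permanent *active* assignment (the standing-access model PIM replaces).
T0 = datetime(2024, 1, 1, 9, tzinfo=timezone.utc)
TENANT = [
    Assignment("alice", "Global Administrator", "eligible", T0 - timedelta(days=30)),
    Assignment("bob", "User Administrator", "active", T0 - timedelta(days=365)),
]

def demo():
    # Timeline: before, during and after alice's activation (24h requested, capped to 8h).
    before = effective_roles("alice", TENANT, T0)
    act = activate(TENANT[0], T0, hours=24)
    during = effective_roles("alice", TENANT + [act], T0 + timedelta(hours=1))
    after = effective_roles("alice", TENANT + [act], T0 + timedelta(hours=8))
    return before, during, after, act.end - act.start
```

Running `demo()` shows the eligible assignment granting nothing until activated and the activated role lapsing on its own at the capped end time, while bob’s permanent active assignment never expires.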

Configuring Azure AD Privileged Identity Management
