Privileged Identity Management documentation

About Privileged Identity Management

Overview: What is Azure AD Privileged Identity Management?

Privileged Identity Management (PIM) is a service in Azure Active Directory (Azure AD) that enables you to manage, control, and monitor access to important resources in your organization. These resources include resources in Azure AD, Azure, and other Microsoft Online Services such as Microsoft 365 or Microsoft Intune. The following video introduces you to important PIM concepts and features.

Here are some of the key features of Privileged Identity Management:

  • Provide just-in-time privileged access to Azure AD and Azure resources
  • Assign time-bound access to resources using start and end dates
  • Require approval to activate privileged roles
  • Enforce multi-factor authentication to activate any role
  • Use justification to understand why users activate
  • Get notifications when privileged roles are activated
  • Conduct access reviews to ensure users still need roles
  • Download audit history for internal or external audit
  • Prevent removal of the last active Global Administrator role assignment

As an administrator, you’ll choose between options such as managing Azure AD roles, managing Azure resource roles, or privileged access groups.

Who can do what?

For Azure AD roles in Privileged Identity Management, only a user who is in the Privileged Role Administrator or Global Administrator role can manage assignments for other administrators. Global Administrators, Security Administrators, Global Readers, and Security Readers can also view assignments to Azure AD roles in Privileged Identity Management.

For Azure resource roles in Privileged Identity Management, only a subscription administrator, a resource Owner, or a resource User Access Administrator can manage assignments for other administrators. Users who are Privileged Role Administrators, Security Administrators, or Security Readers do not, by default, have access to view assignments to Azure resource roles in Privileged Identity Management.

  • Concept: Terminology

Get started

  • How-to guide: Activate my roles (eligible and active role users)
  • How-to guide: Assign roles
  • How-to guide: Approve requests
  • How-to guide: Configure role settings