Microsoft Azure — Privileged Identity Management (PIM)
PIM, just-in-time access, time-bound activation, approval workflows, and access reviews..
20+ years shipping production infrastructure and CI/CD at scale. Everything here is grounded in real deployments.
- ✓Azure subscription with Azure AD Premium P2 licenses, Azure CLI (version 2.50+), PowerShell 7+ with AzureADPreview module (version 2.0.2.138+), access to Azure Portal with Global Administrator or Privileged Role Administrator role, basic understanding of Azure RBAC and Azure AD.
Azure is Microsoft's cloud computing platform offering over 200 services. This article covers privileged identity management (pim) with production-ready configurations, best practices, and hands-on examples.
Why PIM Exists: The Problem of Standing Admin Access
In any Azure environment, the most common security failure is not a sophisticated attack—it's an admin who leaves a browser tab open, or a service principal with Contributor rights that never gets rotated. Standing admin access means every credential is a ticking bomb. Privileged Identity Management (PIM) solves this by enforcing just-in-time (JIT) activation: users get elevated roles only when needed, for a limited time, and with approval workflows. Without PIM, you're one leaked token away from a full subscription compromise. I've seen orgs lose entire resource groups because a Global Admin's session was hijacked. PIM is not optional for any production Azure environment.
PIM Architecture: Roles, Assignments, and Activation Policies
PIM operates on three core concepts: eligible assignments, active assignments, and activation policies. An eligible assignment means a user can request activation for a role, but doesn't have it until approved. Active assignments are permanent—avoid these for humans. Activation policies define max duration (typically 1-8 hours), approval requirements (e.g., must be approved by a security team member), and justification (ticket number, reason). You can also enforce multi-factor authentication (MFA) and conditional access during activation. The architecture is simple: Azure AD holds the role definitions, PIM manages the time-bound grants, and Azure RBAC enforces the permissions. Always use eligible assignments for human users; reserve active assignments for service principals that cannot perform interactive activation.
Configuring PIM in the Azure Portal: Step-by-Step
To configure PIM, navigate to Azure AD > Privileged Identity Management > Azure AD roles. First, enable PIM for your directory (one-time). Then, under 'Roles', select a role (e.g., Global Administrator) and add an eligible member. Set the activation max duration to 4 hours, require approval from a specific group (e.g., 'PIM Approvers'), and enforce MFA. For Azure resource roles (e.g., subscription Owner), go to 'Azure resources' tab, select your subscription, and manage roles similarly. Always test with a non-production user first. I've seen admins accidentally lock themselves out by removing their own permanent access without setting up an eligible assignment. Have a break-glass account with permanent access for emergencies.
Automating PIM with PowerShell and Azure CLI
Manual configuration doesn't scale. Use PowerShell or Azure CLI to automate PIM assignments. For Azure AD roles, use the AzureADPreview module (Open-AzureADPrivilegedRoleAssignmentRequest). For Azure resource roles, use az rest with role management policies. Automate the creation of eligible assignments for new hires, and removal on termination. Also automate approval workflows: you can use Logic Apps to send approval requests to Teams or email. I recommend storing PIM configuration as code in a Git repo, using Azure DevOps pipelines to apply changes. This ensures auditability and consistency. Never manually assign roles in production—it's error-prone and untraceable.
Approval Workflows and Justification Requirements
PIM allows you to require approval for activation. This is critical for high-risk roles like Global Administrator or Subscription Owner. Configure approval groups (e.g., 'PIM Approvers') and require a justification (ticket number, reason). Approvers receive email notifications and can approve via Azure Portal or email. For maximum security, enforce that approvers are different from requestors (no self-approval). Also set a maximum activation duration (e.g., 1 hour) and require MFA. I've seen orgs skip approval for 'low-risk' roles like Security Reader—don't. Every activation should be approved and logged. Use Azure Monitor to alert on activations outside business hours.
Monitoring and Auditing PIM Activations
PIM logs all activations to the Azure AD audit logs and Azure Monitor. You must set up alerts for suspicious activations: multiple activations in a short period, activations from unusual locations, or activations outside business hours. Use Azure Monitor Workbooks to create dashboards showing activation trends. Also export logs to a SIEM (e.g., Sentinel) for correlation. I've seen orgs ignore PIM audit logs until a breach occurs. Regularly review who has eligible assignments—stale assignments are a risk. Automate monthly reports of all eligible assignments and their last activation date. Remove assignments that haven't been used in 90 days.
PIM for Azure Resources vs Azure AD Roles
PIM supports two scopes: Azure AD roles (e.g., Global Admin, User Admin) and Azure resource roles (e.g., Subscription Owner, Resource Group Contributor). The configuration is similar but there are nuances. For Azure AD roles, activation applies directory-wide. For Azure resources, you can scope to a specific subscription or resource group. This allows granular JIT access. For example, a developer might have eligible Contributor on a dev subscription but not prod. Always use the narrowest scope possible. Also note that PIM for Azure resources requires Azure AD Premium P2. I've seen orgs enable PIM for Azure AD roles but forget to protect Azure resources—attackers pivot through resource permissions.
Emergency Access: Break-Glass Accounts and PIM
Even with PIM, you need emergency access accounts that bypass PIM in case of an outage (e.g., Azure AD is down, PIM service degraded). These break-glass accounts should have permanent Global Administrator rights, but be tightly controlled: use complex passwords (20+ characters), store in a physical safe, require two-person approval to use, and audit every usage. PIM can also be used for break-glass by having a separate tenant or using cloud-only accounts. I've seen orgs rely solely on PIM and get locked out when Azure AD experiences a regional outage. Always have a break-glass plan. Test it quarterly.
PIM Best Practices for Production Environments
Based on real-world failures, here are non-negotiable best practices: (1) Never assign permanent active roles to humans. (2) Set activation max duration to 1 hour for critical roles, 4 hours for others. (3) Require approval for all roles with write permissions. (4) Enforce MFA on activation. (5) Use conditional access to restrict activation to trusted locations. (6) Automate assignment lifecycle with HR integration. (7) Monitor and alert on all activations. (8) Regularly review eligible assignments and remove unused ones. (9) Have break-glass accounts. (10) Test your PIM configuration quarterly with a red team exercise. I've seen every one of these violated in production, leading to incidents.
| File | Command / Code | Purpose |
|---|---|---|
| check-pim-status.sh | az rest --method get --uri "https://management.azure.com/providers/Microsoft.Aut... | Why PIM Exists |
| Set-PIMEligibleAssignment.ps1 | Connect-AzureAD | PIM Architecture |
| enable-pim-resource.sh | az rest --method put --uri "https://management.azure.com/subscriptions/{subscrip... | Configuring PIM in the Azure Portal |
| Remove-PIMEligibleAssignment.ps1 | Connect-AzureAD | Automating PIM with PowerShell and Azure CLI |
| approval-workflow-policy.json | { | Approval Workflows and Justification Requirements |
| pim-activation-alert.kql | AuditLogs | Monitoring and Auditing PIM Activations |
| pim-resource-scope.sh | az role assignment create --assignee "user@contoso.com" --role "Contributor" --s... | PIM for Azure Resources vs Azure AD Roles |
| break-glass-audit.ps1 | Get-AzureADAuditSignInLogs -Filter "userPrincipalName eq 'break-glass@contoso.co... | Emergency Access |
| pim-best-practices-policy.json | { | PIM Best Practices for Production Environments |
Key takeaways
Frequently Asked Questions
20+ years shipping production infrastructure and CI/CD at scale. Everything here is grounded in real deployments.
That's Azure. Mark it forged?
3 min read · try the examples if you haven't