Domain 4 of 4 · Chapter 3 of 4

Privileged Identity Management

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing Microsoft Certified: Identity and Access Administrator Associate premium course — no separate purchase.

Included in this chapter:

  • Eligible vs active, and the JIT activation flow
  • Role settings: activation and assignment controls
  • PIM for Groups and Azure resource roles
  • Break-glass accounts and exam-pattern recognition

PIM scopes and the eligible vs active model

DimensionPIM for Microsoft Entra rolesPIM for Azure resourcesPIM for Groups
What it makes eligibleDirectory roles (Global Admin, etc.), built-in and customAzure RBAC roles (Owner, Contributor, UAA) at a scopeMembership or ownership of a security or M365 group
Assignment typesEligible or active; permanent or time-boundEligible or active; permanent or time-boundEligible or active; one policy each for member and owner
Activation requirementsPer-role settings: duration 1-24h, MFA/auth context, justification, ticket, approvalPer-role settings at the chosen scope, same controlsPer-group policy, same controls, set separately for member and owner
Who manages itPrivileged Role Administrator or Global AdministratorSubscription admin, resource Owner, or User Access AdministratorGlobal Admin, Privileged Role Admin, or group Owner
Where access landsMicrosoft Entra directory permissionsAzure control-plane permissions at that scopeWhatever the group grants: Entra roles, Azure roles, apps, Key Vault

Decision tree

What needs privilege?pick the PIM scopedirectory roleAzure scopebundle of accessPIM for Entra rolesGlobal Admin, custom rolesPIM for Azure resourcesOwner/Contributor at scopePIM for Groupsmember/owner activationStanding access needed?eligible (JIT) vs activeno, on demandyes, always onEligible assignmentactivate with MFA + reasonActive assignmentrare; prefer time-boundset durationTime-bound or permanent?prefer expiring eligibleAlways: break-glass = permanent active GA, outside PIM + CAtwo or more, cloud-only .onmicrosoft.com, FIDO2

Cheat sheet

  • PIM gives an eligible holder the same access as active, just not all the time
  • PIM requires Microsoft Entra ID P2 (Microsoft Entra ID Governance)
  • Assignment has two axes: type (eligible/active) and duration (permanent/time-bound)
  • Activation maximum duration is 1 to 24 hours
  • Role settings (PIM policies) are per role and inherited by every assignment
  • Use authentication context, not plain require-MFA, to force a fresh prompt at activation
  • The authentication-context MFA backstop does not fire if the CA policy is off or report-only
  • Require ticket information is informational only and never validated
  • Require approval to activate needs named approvers, or admins become default approvers
  • MFA on active assignment is enforced at creation, not at use
  • PIM covers three scopes: Entra roles, Azure resources, and PIM for Groups
  • Managing Entra-role PIM and Azure-resource PIM needs different roles
  • PIM for Groups makes group membership or ownership eligible to grant access downstream
  • Each PIM-enabled group has two policies: one for membership, one for ownership
  • A group need not be role-assignable to be PIM-enabled, but only 500 can be role-assignable
  • For JIT into SharePoint, Exchange, or Purview, use PIM for Entra roles, not PIM for Groups
  • PIM for Azure resources manages RBAC roles at a chosen scope
  • PIM audit history is kept 30 days; route to Azure Monitor for longer
  • Resource audit shows all activity for a resource; My audit shows your own
  • Recertify privileged roles with access reviews of eligible and active assignments
  • Create two or more break-glass accounts as cloud-only and non-federated
  • Assign break-glass accounts permanent active Global Administrator, not eligible
  • Exclude break-glass accounts from Conditional Access policies that block or restrict
  • Monitor break-glass sign-ins and validate the accounts at least every 90 days
  • PIM for Azure resources role settings are per resource and not inherited down scopes
  • Service principals and managed identities can only get active PIM assignments, never eligible
  • A PIM activation is resolved by the first approver, who cannot self-approve, within a fixed 24-hour window

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in

References

  1. What is Privileged Identity Management?
  2. Configure Microsoft Entra role settings in PIM
  3. Privileged Identity Management (PIM) for Groups
  4. View audit log report for Microsoft Entra roles in PIM
  5. Manage emergency access admin accounts in Microsoft Entra ID