Azure AD Privileged Identity Management (PIM) allows just-in-time access to privileged roles in Azure AD and Azure resources. It requires approval and multi-factor authentication to activate time-bound privileged roles. PIM also enables access reviews, notifications, and audit history to provide oversight of privileged access. PIM requires an Azure AD Premium P2, EMS E5, or Microsoft 365 M5 license and designates the first user who enables it as the initial Privileged Role Administrator.

1. Access Security
Privileged Identity
Management

2. Hello!
I am Eng Teong Cheah
Microsoft MVP
2

3. Privileged Identity
Management
3

4. Microsoft’s Zero Trust Model
4

5. Microsoft Identity Management Evolution
5
Traditional Advanced Optimal
MFA is enforced

6. Azure AD Privileged Identity Management (PIM)
6
◎ Provide just-in-time privileged access to Azure AD and Azure
Resources
◎ Assign time-bound access to resources using start and end dates
◎ Require approval to activate privileged roles
◎ Enforce multi-factor authentication to activate any role
◎ Use justification to understand why users activate
◎ Get notifications when privileged roles are activated
◎ Conduct access reviews to ensure users still need roles
◎ Download audit history for internal or external audit

7. PIM Onboarding
7
◎ Azure AD Premium P2, Enterprise Mobility + Security (EMS) E5, or
Microsoft 365 M5 license
◎ The Global administrator (first user) who enables PIM gets write
access
◎ The first user can assign others to the Privileged Role Administrator
◎ Global administrators (not first user), Security administrators, and
Security readers have read-only access
◎ Ensure there are always at least two Privileged Role Administrators

8. PIM Confiuration Settings
8

9. PIM Workflow
9

10. Demostrations
MFA, Conditional Access and AAD Identity
Protection
10

11. Thanks!
Any questions?
You can find me at:
@walkercet
11

12. References
◎ https://docs.microsoft.com/en-us/
12