PIM Overview

At a time when security breaches seem to be an everyday occurrence, it’s become more and more important to protect resources with more than just a username and password. It’s even more important to protect resources from INTERNAL threats. By implementing Azure AD Privileged Identity Management, organizations can protect their resources with improved security features, and even keep an eye on what legitimate administrators are doing.

In this course, you’ll learn how to implement Azure AD Privileged Identity Management. We’ll start the course by touching on an overview of what Azure AD Privileged Identity Management is and what it offers. We will then work through the deployment of PIM and how it works with multi-factor authentication. As we work through some demos, you will learn how to enable PIM and how to navigate tasks in PIM.

We’ll then cover the activation of roles and the assignment of those roles, including permanent roles and just-in-time roles. We’ll also cover the concepts of updating and removing role assignments, reinforcing these concepts through demonstrations.

We’ll round out the course with supported management scenarios, configuring PIM management access, and how to process requests. 

Learning Objectives

  • Enable PIM
  • Activate a PIM role
  • Configure just-in-time resource access
  • Configure permanent access to resources
  • Configure PIM management access
  • Configure time-bound resource access
  • Create a Delegated Approver account
  • Process pending approval requests

Intended Audience

  • People who want to become Azure cloud architects
  • People who are preparing to take Microsoft’s AZ-101 exam


Prerequisites

  • Moderate knowledge of Azure Active Directory



Azure Active Directory Privileged Identity Management, otherwise known as PIM, is an Azure offering that allows you to manage and control access to resources within Azure and Azure AD, as well as within other services such as Intune and Office 365.

A valid Azure AD Premium P2 license is required for all users that will interact with or benefit from Privileged Identity Management before enabling the service on a tenant. Alternatively, you can assign an Enterprise Mobility + Security E5 license to each user that interacts with Privileged Identity Management. Generally speaking, licensing is required for users that are assigned to the Privileged Role Administrator role or who are assigned as eligible to other directory roles that are manageable through Privileged Identity Management. If a user can approve or reject requests in PIM, that user also requires a license. Users assigned to a role with time-based assignments, such as just-in-time or direct, or those assigned to an access review role, also require licensing.

With Azure AD Privileged Identity Management, an organization can see which users are assigned privileged roles that are used to manage Azure resources. Organizations can also see which users are assigned administrative roles within Azure Active Directory. PIM also offers the ability to enable on-demand, or just-in-time, administrative access to services such as Office 365 and Intune, as well as to Azure resources, Azure subscriptions, resource groups, and even individual Azure resources like virtual machines.

Azure AD Privileged Identity Management offers the ability to view a history of administrator activation, along with a history of changes that administrators have made to Azure resources. Alerts can also be configured to notify you about changes in administrator assignments. PIM also allows you to require approval for activation of Azure AD privileged admin roles, to review membership of such administrative roles, and to force users to provide justification for ongoing membership in these roles.

In Azure Active Directory, PIM can be used to manage users that are assigned to built-in Azure AD roles, such as global admin. In Azure itself, PIM can manage users and groups assigned via Azure RBAC roles such as the owner and contributor roles.

About the Author

Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long and interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.

In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.

In his spare time, Tom enjoys camping, fishing, and playing poker.