Supported Management Scenarios

At a time when security breaches seem to be an everyday occurrence, it’s become more and more important to protect resources with more than just a username and password. It’s even more important to protect resources from INTERNAL threats. By implementing Azure AD Privileged Identity Management, organizations can protect their resources with improved security features, and even keep an eye on what legitimate administrators are doing.

In this course, you’ll learn how to implement Azure AD Privileged Identity Management. We’ll start the course by touching on an overview of what Azure AD Privileged Identity Management is and what it offers. We will then work through the deployment of PIM and how it works with multi-factor authentication. As we work through some demos, you will learn how to enable PIM and how to navigate tasks in PIM.

We’ll then cover the activation of roles and the assignment of those roles, including permanent roles and just-in-time roles. We’ll also cover the concepts of updating and removing role assignments, reinforcing these concepts through demonstrations.

We’ll round out the course with supported management scenarios, configuring PIM management access, and how to process requests. 

Learning Objectives

  • Enable PIM
  • Activate a PIM role
  • Configure just-in-time resource access
  • Configure permanent access to resources
  • Configure PIM management access
  • Configure time-bound resource access
  • Create a Delegated Approver account
  • Process pending approval requests

Intended Audience

  • People who want to become Azure cloud architects
  • People who are preparing to take Microsoft’s AZ-101 exam


  • Moderate knowledge of Azure Active Directory

To see the full range of Microsoft Azure content, visit the Azure Training Library.


Until now, a user would typically be assigned to an admin role through the Azure portal, some other Microsoft Online Service portal, or through Azure AD PowerShell cmdlets. Doing so made the user a permanent administrator, which meant the user was always active in the assigned admin role.

With Azure AD Privileged Identity Management comes the idea of the eligible admin. An eligible admin is a user who needs some sort of privileged or admin-level access every now and again, but not all the time. In this scenario, the privileged role is inactive until the user needs the privileged access it provides. The user then completes an activation process to become an admin for a preconfigured time frame. Many organizations prefer this strategy of granting admin access only when it is needed, because it reduces or even eliminates permanent admin access to privileged roles.

Some key terms to understand are eligible role user and delegated approver. An eligible role user is a user who has been assigned as eligible for an Azure AD role. The role must be activated when it is needed.

A delegated approver is a user, or possibly multiple users or groups, within Azure AD who is responsible for approving requests to activate such roles.

An example of these roles in action would be a case where John is designated as a privileged role administrator. In that case, John would have the ability to enable approval for specific roles, and he could also specify the users and groups that approve requests. John would also be able to view the request and approval history for all privileged roles.

In another scenario, Jen might be a designated approver. As a designated approver, Jen would be able to view pending requests and approvals, and she would also be able to approve and reject role elevation requests. She would also be responsible for providing justification for approvals and rejections.

An example of an eligible role user would be Dave. As an eligible role user, Dave would be able to request activation of a role that requires approval. After Jen approves the role activation, he would be able to complete his tasks in Azure AD. As you can probably tell by now, Privileged Identity Management offers streamlined, yet granular, management scenario support.
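The eligible assignment, time-bound activation and audit trail described above, shown with the PIM cmdlets of the AzureADPreview module (since superseded by Microsoft Graph PowerShell). This is an added example, not code from the course; the tenant ID, user object ID and justification text are placeholders, and step 2 assumes you are signed in as the eligible user.

```powershell
# Added example (not from the course): eligible (just-in-time) assignment and a
# time-bound activation with the AzureADPreview PIM cmdlets.
# Placeholders: replace $TenantId and $UserObjectId with real object IDs.
Import-Module AzureADPreview
Connect-AzureAD | Out-Null

$TenantId     = '00000000-0000-0000-0000-000000000000'   # placeholder: your tenant ID
$UserObjectId = '11111111-1111-1111-1111-111111111111'   # placeholder: Dave's object ID
$RoleName     = 'Security Administrator'

# Resolve the directory role definition by its display name.
$role = Get-AzureADMSPrivilegedRoleDefinition -ProviderId 'aadRoles' -ResourceId $TenantId |
        Where-Object DisplayName -eq $RoleName

# Helper: a one-off schedule bounded by start and end (UTC, Graph date format).
function New-PimSchedule {
    param([datetime]$Start, [datetime]$End)
    $s = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedSchedule
    $s.Type          = 'Once'
    $s.StartDateTime = $Start.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss.fffZ')
    $s.EndDateTime   = $End.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss.fffZ')
    return $s
}

# 1. Privileged role administrator (John): make Dave ELIGIBLE for 90 days
#    instead of a permanent, always-active member of the role.
$now = Get-Date
Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId 'aadRoles' -ResourceId $TenantId `
    -RoleDefinitionId $role.Id -SubjectId $UserObjectId `
    -Type 'AdminAdd' -AssignmentState 'Eligible' `
    -Schedule (New-PimSchedule -Start $now -End $now.AddDays(90)) `
    -Reason 'Eligible assignment: activation required for each use'

# 2. Signed in as Dave: request ACTIVATION of the eligible role for one hour.
#    If the role setting requires approval, the request stays pending until an
#    approver (Jen) decides; the justification is stored with the request.
Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId 'aadRoles' -ResourceId $TenantId `
    -RoleDefinitionId $role.Id -SubjectId $UserObjectId `
    -Type 'UserAdd' -AssignmentState 'Active' `
    -Schedule (New-PimSchedule -Start (Get-Date) -End (Get-Date).AddHours(1)) `
    -Reason 'TICKET-PLACEHOLDER: review conditional access policy'

# 3. Audit: Dave's current assignments (state and expiry) and his request history.
Get-AzureADMSPrivilegedRoleAssignment -ProviderId 'aadRoles' -ResourceId $TenantId `
    -Filter "subjectId eq '$UserObjectId'" |
    Select-Object RoleDefinitionId, AssignmentState, EndDateTime
Get-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId 'aadRoles' -ResourceId $TenantId `
    -Filter "subjectId eq '$UserObjectId'" |
    Select-Object Type, AssignmentState, Status, Reason
```

The same request cmdlet with `-Type 'AdminAdd' -AssignmentState 'Active'` and no end date would create the permanent assignment the text contrasts with, which is why the schedule and the Eligible state are the parts worth checking in the audit output.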

About the Author

Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long and interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.

In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.

In his spare time, Tom enjoys camping, fishing, and playing poker.