Examining Privileged Identity Management

This course explores the suite of tools available in Microsoft Endpoint Manager for establishing and maintaining security posture in an organization. These include tools like Microsoft Intune, used for enrolling devices as well as creating and enforcing device compliance, and Microsoft Defender, used for implementing device antivirus and malware defense tools. This course will also review the activities involved in reducing the attack surfaces in an organization that bad actors could use to penetrate it and expose sensitive data. This sensitive data is protected through the implementation of attack surface reduction rules, which are deployed through careful auditing and testing to prevent any loss of productivity. This course will also touch on the security baselines made available to organizations wishing to enact a more granular security posture, and on tools like Secure Score for evaluating the effectiveness of these efforts against known best practices.

Learning Objectives

  • Create a compliance policy 
  • Monitor enrolled devices
  • Set up attack surface reduction rules
  • Deploy attack surface reduction rules
  • Review security baselines
  • Examine Microsoft secure score

Intended Audience

This course is designed for individuals who are responsible for setting up and monitoring device compliance and security in Microsoft 365 as well as those pursuing Microsoft certifications.


To get the most from this course, you should have some familiarity and experience with the Microsoft 365 security suite of tools including Microsoft Endpoint Manager.  


Examine Privileged Identity Management

Identity management is the process of ensuring users in our organization have just the right privileges to complete the tasks they need to accomplish. The goal of Privileged Identity Management, or PIM, is to avoid assigning excess privileges to users. Failure to do so may lead to the exploitation of privileges, resulting in users who can do tasks that they otherwise shouldn't be able to. Privileged Identity Management is an Azure Active Directory service that enables us to manage, control, and monitor access to important resources in our organization. These include resources such as Azure Active Directory, Azure, Microsoft 365, and Microsoft Intune.

Some of the key features of PIM include: providing just-in-time privileged access to Azure Active Directory and Azure resources; assigning time-bound access to resources by using start and end dates; requiring approval to activate privileged roles; enforcing Azure Active Directory Multi-factor Authentication to activate any role; using justification to understand why users want to activate a role; getting notifications when privileged roles are activated; conducting access reviews to ensure that users still need roles; and downloading an audit history for an internal or external audit.

To set up PIM, we must complete the following steps. First, we have to identify and select the Azure resources we wish to protect with PIM. There's no limit to how many can be selected here, but they should be critical production resources. Next, we grant access to other personnel to manage PIM by assigning them as a Privileged Role Administrator. Last, we need to elevate access for a Global Administrator, which allows them to view all resources and assign access to any subscription or management group in the directory. To implement PIM, we first must identify the roles that we wish to protect with this feature and then assign eligible users to these roles. When one of those users needs to use their privileged role, they activate the role in Privileged Identity Management. As part of this activation, users may be required to use Multi-factor Authentication, request approval, or provide a business justification.

Once the role is active, the user will be able to perform the necessary actions and the role will remain active for a pre-configured period of time. At the end of that time, the access and role are returned to a dormant state. Privileged Access Management or PAM allows granular access control over privileged admin tasks in Microsoft 365. It can help protect our organization from breaches that might use existing privileged admin accounts with standing access to sensitive data or access to critical configuration settings. By enabling PAM in Microsoft 365, organizations can operate with zero standing privileges. This design provides a layer of defense against vulnerabilities arising because of such standing administrative access.
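As an added illustration, not part of the course or of Microsoft's own code, the following Python models the activation flow described in the two paragraphs above: an eligible assignment must pass the MFA, justification, approval and maximum-duration gates, stays active only for the requested window, then lapses back to dormant, while a standing (permanent) assignment is exactly what a zero-standing-privilege review would flag. The names RoleSettings, Assignment, activate and the sample users are constructed for this example and are not Microsoft's schema.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

@dataclass
class RoleSettings:
    max_duration: timedelta           # pre-configured active window, e.g. 8 hours
    require_mfa: bool = True
    require_justification: bool = True
    require_approval: bool = False

@dataclass
class Assignment:
    user: str
    role: str
    eligible: bool                             # True: eligible (PIM); False: standing access
    active_until: Optional[datetime] = None    # set only while an activation is in effect

def activate(a: Assignment, s: RoleSettings, now: datetime, duration: timedelta,
             mfa_done: bool = False, justification: str = "", approved: bool = False) -> datetime:
    """Apply the activation gates the lecture lists; return the end of the active window."""
    if not a.eligible:
        raise ValueError("only eligible assignments go through activation")
    if s.require_mfa and not mfa_done:
        raise PermissionError("MFA required to activate")
    if s.require_justification and not justification.strip():
        raise PermissionError("business justification required")
    if s.require_approval and not approved:
        raise PermissionError("approval required")
    if duration > s.max_duration:
        raise ValueError("requested duration exceeds the role's maximum")
    a.active_until = now + duration
    return a.active_until

def is_active(a: Assignment, now: datetime) -> bool:
    # Standing assignments are always active; eligible ones only inside their window.
    return (not a.eligible) or (a.active_until is not None and now < a.active_until)

def standing_privileges(assignments: List[Assignment]) -> List[Tuple[str, str]]:
    # Zero standing privileges (the PAM goal) means this list is empty.
    return [(a.user, a.role) for a in assignments if not a.eligible]

def demo() -> dict:
    # Constructed sample: one eligible admin activates for 4 hours, one standing admin remains.
    now, settings = datetime(2024, 1, 15, 9, 0), RoleSettings(max_duration=timedelta(hours=8))
    alice = Assignment("alice", "Global Administrator", eligible=True)
    bob = Assignment("bob", "Exchange Administrator", eligible=False)
    activate(alice, settings, now, timedelta(hours=4), mfa_done=True, justification="change CR-1234")
    return {"active_now": is_active(alice, now), "active_later": is_active(alice, now + timedelta(hours=5)),
            "standing": standing_privileges([alice, bob])}
```

Running demo() shows alice active at 09:00 but dormant again by 14:00, and lists bob's permanent assignment as the standing access that PAM's zero-standing-privilege model would eliminate.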

About the Author

Steve is an experienced Solutions Architect with over 10 years of experience serving customers in the data and data engineering space. He has a proven track record of delivering solutions across a broad range of business areas that increase overall satisfaction and retention. He has worked across many industries, both public and private, and found many ways to drive the use of data and business intelligence tools to achieve business objectives. He is a persuasive communicator, presenter, and quite effective at building productive working relationships across all levels in the organization based on collegiality, transparency, and trust.