hands-on lab

Managing Access in Azure Using Privileged Identity Management

Up to 1h 15m
This lab is currently under maintenance. You can start the lab, but some instructions and screenshots may be inaccurate. We are actively working to resolve this issue and we apologize for any inconvenience.

Microsoft has currently disabled new registrations for the MS 365 Dev program. For the time being, please treat the lab as read-only or bring your own MS 365 account. Our team is currently working on an update, thank you for your understanding.

Get guided in a real environmentPractice with a step-by-step scenario in a real, provisioned environment.
Learn and validateUse validations to check your solutions every step of the way.
See resultsTrack your knowledge and monitor your progress.


Azure AD Privileged Identity Management (PIM) lets admins manage and monitor the access in Azure, either to Azure AD roles or Azure resources. PIM gives just-in-time access to Azure AD roles and Azure resources that is also time-bound and approval based, which helps to mitigate risks of malicious actors gaining privileged access to Azure items and potentially causing harm to the organization. This also helps to mitigate the risk of excessive and unnecessary access permissions to resources. 

In this lab, you will assign a privileged role to a user and activate that role using PIM.


  • Due to this lab requiring the creation of a Microsoft 365 organization with an Admin Center, if you don't already have one you will need to provide a mobile phone number to pass the account creation process.
  • This lab requires signing in with a test user account. You may have to deal with additional security prompts by Azure AD. In which case, you may wish to skip these requests or disable the underlying feature for learning purposes. Cloud Academy does not endorse or recommend disabling any security measure in a production environment.

Learning Objectives

Upon completion of this lab, you will be able to:

  • Assign an eligible Azure AD role to a user
  • Activate the user's eligible role

Intended Audience

  • Candidates who are studying for the SC-900 (Security, Compliance, and Identity Fundamentals) Certification Exam


  • Familiarity with Azure AD
  • An understanding of identity management concepts



April 5th, 2023 - Updated instructions to clarify developer account sign up

Environment before

Environment after

About the author

Adil Islam, opens in a new tab
Cloud Labs Developer
Learning paths

Adil is a Microsoft Certified Trainer, former Azure Engineer, and loves all things Azure. He is a certified Azure Administrator and Azure DevOps Expert and has worked for some of the biggest MSPs in the world (Cognizant, New Signature, CoreAzure). He loves to combine his two passions: cloud and teaching.

Adil specializes in Azure Infrastructure services and has a curiosity for new, in-preview services from Azure, getting his hands familiar with the content before most of the world does. Outside of work, Adil helps run a growing community of IT professionals looking to break into the cloud and regularly runs workshops and webinars.

Covered topics

Lab steps

Setting Up A Microsoft 365 Developer Account
Assigning an Microsoft Entra Role to a User
Activating a Role Using Privileged Identity Management