Effective URL: https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure
WHAT IS MICROSOFT ENTRA PRIVILEGED IDENTITY MANAGEMENT?

Article, 09/21/2023, 13 contributors

Privileged Identity Management (PIM) is a service in Microsoft Entra ID that enables you to manage, control, and monitor access to important resources in your organization. These resources include resources in Microsoft Entra ID, Azure, and other Microsoft Online Services such as Microsoft 365 or Microsoft Intune.

[Video: important PIM concepts and features]
REASONS TO USE

Organizations want to minimize the number of people who have access to secure information or resources, because that reduces the chance of
* a malicious actor getting access
* an authorized user inadvertently impacting a sensitive resource

However, users still need to carry out privileged operations in Microsoft Entra ID, Azure, Microsoft 365, or SaaS apps. Organizations can give users just-in-time privileged access to Azure and Microsoft Entra resources and can oversee what those users are doing with their privileged access.

LICENSE REQUIREMENTS

Using Privileged Identity Management requires licenses. For more information on licensing, see Microsoft Entra ID Governance licensing fundamentals.

WHAT DOES IT DO?

Privileged Identity Management provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources that you care about. Here are some of the key features of Privileged Identity Management:
* Provide just-in-time privileged access to Microsoft Entra ID and Azure resources
* Assign time-bound access to resources using start and end dates
* Require approval to activate privileged roles
* Enforce multi-factor authentication to activate any role
* Use justification to understand why users activate
* Get notifications when privileged roles are activated
* Conduct access reviews to ensure users still need roles
* Download audit history for internal or external audit
* Prevent removal of the last active Global Administrator and Privileged Role Administrator role assignments

WHAT CAN I DO WITH IT?

Once you set up Privileged Identity Management, you'll see Tasks, Manage, and Activity options in the left navigation menu. As an administrator, you can choose between options such as managing Microsoft Entra roles, managing Azure resource roles, or PIM for Groups. When you choose what you want to manage, you see the set of options appropriate to that choice.

WHO CAN DO WHAT?
For Microsoft Entra roles in Privileged Identity Management, only a user who is in the Privileged Role Administrator or Global Administrator role can manage assignments for other administrators. Global Administrators, Security Administrators, Global Readers, and Security Readers can also view assignments to Microsoft Entra roles in Privileged Identity Management.

For Azure resource roles in Privileged Identity Management, only a subscription administrator, a resource Owner, or a resource User Access Administrator can manage assignments for other administrators. Users who are Privileged Role Administrators, Security Administrators, or Security Readers don't by default have access to view assignments to Azure resource roles in Privileged Identity Management.

TERMINOLOGY

To better understand Privileged Identity Management and its documentation, you should review the following terms. Where a term is a role assignment category, the category (type, state, or duration) is given in parentheses.

* eligible (type): A role assignment that requires a user to perform one or more actions to use the role. If a user has been made eligible for a role, that means they can activate the role when they need to perform privileged tasks. There's no difference in the access given to someone with a permanent versus an eligible role assignment. The only difference is that some people don't need that access all the time.
* active (type): A role assignment that doesn't require a user to perform any action to use the role. Users assigned as active have the privileges assigned to the role.
* activate: The process of performing one or more actions to use a role that a user is eligible for. Actions might include performing a multi-factor authentication (MFA) check, providing a business justification, or requesting approval from designated approvers.
* assigned (state): A user that has an active role assignment.
* activated (state): A user that has an eligible role assignment, performed the actions to activate the role, and is now active. Once activated, the user can use the role for a preconfigured period of time before they need to activate again.
* permanent eligible (duration): A role assignment where a user is always eligible to activate the role.
* permanent active (duration): A role assignment where a user can always use the role without performing any actions.
* time-bound eligible (duration): A role assignment where a user is eligible to activate the role only within start and end dates.
* time-bound active (duration): A role assignment where a user can use the role only within start and end dates.
* just-in-time (JIT) access: A model in which users receive temporary permissions to perform privileged tasks, which prevents malicious or unauthorized users from gaining access after the permissions have expired. Access is granted only when users need it.
* principle of least privilege access: A recommended security practice in which every user is provided with only the minimum privileges needed to accomplish the tasks they're authorized to perform. This practice minimizes the number of Global Administrators and instead uses specific administrator roles for certain scenarios.

ROLE ASSIGNMENT OVERVIEW

PIM role assignments give you a secure way to grant access to resources in your organization. This section describes the assignment process: assigning roles to members, activating assignments, approving or denying requests, and extending and renewing assignments.

PIM keeps you informed by sending you and other participants email notifications. These emails might also include links to relevant tasks, such as activating a role or approving or denying a request.

[Screenshot: an email message sent by PIM, informing Patti that Alex updated a role assignment for Emily.]

ASSIGN

The assignment process starts by assigning roles to members. To grant access to a resource, the administrator assigns roles to users, groups, service principals, or managed identities.
The assignment includes the following data:
* The members or owners to assign the role to.
* The scope of the assignment. The scope limits the assigned role to a particular set of resources.
* The type of the assignment:
  * Eligible assignments require the member of the role to perform an action to use the role. Actions might include activation or requesting approval from designated approvers.
  * Active assignments don't require the member to perform any action to use the role. Members assigned as active have the privileges assigned to the role.
* The duration of the assignment, using start and end dates, or permanent. For eligible assignments, the members can activate or request approval between the start and end dates. For active assignments, the members can use the assigned role during this period.

[Screenshot: an administrator assigning a role to members.]

For more information, check out the following articles: Assign Microsoft Entra roles, Assign Azure resource roles, and Assign eligibility for a PIM for Groups.

ACTIVATE

If users have been made eligible for a role, then they must activate the role assignment before using the role. To activate the role, users select a specific activation duration within the maximum (configured by administrators) and give the reason for the activation request.

[Screenshot: a member activating a role for a limited time.]

If the role requires approval to activate, a notification appears in the upper right corner of the user's browser informing them the request is pending approval. If an approval isn't required, the member can start using the role.

For more information, check out the following articles: Activate Microsoft Entra roles, Activate my Azure resource roles, and Activate my PIM for Groups roles.

APPROVE OR DENY

Delegated approvers receive email notifications when a role request is pending their approval. Approvers can view, approve, or deny these pending requests in PIM.
After the request has been approved, the member can start using the role. For example, if a user or a group was assigned the Contributor role on a resource group, they are able to manage that particular resource group.

For more information, check out the following articles: Approve or deny requests for Microsoft Entra roles, Approve or deny requests for Azure resource roles, and Approve activation requests for PIM for Groups.

EXTEND AND RENEW ASSIGNMENTS

After administrators set up time-bound owner or member assignments, the first question you might ask is what happens when an assignment expires. PIM provides two options for this scenario:
* Extend: when a role assignment nears expiration, the user can use Privileged Identity Management to request an extension for the role assignment.
* Renew: when a role assignment has already expired, the user can use Privileged Identity Management to request a renewal for the role assignment.

Both user-initiated actions require an approval from a Global Administrator or Privileged Role Administrator. Admins don't need to be in the business of managing assignment expirations. You can just wait for the extension or renewal requests to arrive for simple approval or denial.
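The Assign, Activate, and Extend steps described above, driven through Microsoft Graph PowerShell rather than the portal, as an added example that is not part of the Microsoft Learn article. It assumes the Microsoft.Graph.Identity.Governance and Microsoft.Graph.Users modules are installed, that the first session is a Privileged Role Administrator, and that the user (emily@contoso.example), the role name, the ticket reference, and the durations are placeholders; the cmdlet names, request actions (adminAssign, selfActivate, adminExtend) and the scheduleInfo shape are those of the Graph v1.0 role management API.

```powershell
# Added example, not code from the Microsoft Learn page. Placeholders are marked.
# Requires: Install-Module Microsoft.Graph -Scope CurrentUser

Connect-MgGraph -Scopes 'RoleEligibilitySchedule.ReadWrite.Directory',
                        'RoleAssignmentSchedule.ReadWrite.Directory',
                        'RoleManagement.Read.Directory',
                        'User.Read.All'

$upn      = 'emily@contoso.example'     # assumed placeholder principal
$roleName = 'Security Administrator'    # assumed example built-in role

$user = Get-MgUser -UserId $upn -Property Id,UserPrincipalName
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
if (-not $role) { throw "Role definition '$roleName' not found" }
$nowUtc = (Get-Date).ToUniversalTime().ToString('o')

# 1. ASSIGN (admin): a time-bound *eligible* assignment, tenant-wide scope "/", 90 days.
#    Eligible means Emily holds no privilege until she activates.
$eligibility = New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter @{
    action           = 'adminAssign'
    justification    = 'Quarterly on-call rotation'
    roleDefinitionId = $role.Id
    directoryScopeId = '/'
    principalId      = $user.Id
    scheduleInfo     = @{
        startDateTime = $nowUtc
        expiration    = @{ type = 'afterDateTime'; endDateTime = (Get-Date).AddDays(90).ToUniversalTime().ToString('o') }
    }
}
"Eligibility request $($eligibility.Id): $($eligibility.Status)"

# 2. ACTIVATE (run by Emily, in her own session): request an active assignment for 4 hours
#    with a justification. selfActivate is accepted only from the eligible principal.
#    If the role policy requires approval, Status is 'PendingApproval' rather than 'Provisioned';
#    if the policy requires MFA and this session has not satisfied it, the request is rejected.
$activation = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter @{
    action           = 'selfActivate'
    justification    = 'Investigating alert INC-0001 (placeholder ticket)'
    roleDefinitionId = $role.Id
    directoryScopeId = '/'
    principalId      = $user.Id
    scheduleInfo     = @{
        startDateTime = $nowUtc
        expiration    = @{ type = 'afterDuration'; duration = 'PT4H' }
    }
}
"Activation request $($activation.Id): $($activation.Status)"

# 3. CHECK: what does Emily hold right now? AssignmentType 'Activated' is a time-bound
#    active assignment derived from eligibility; 'Assigned' is a directly active assignment.
Get-MgRoleManagementDirectoryRoleAssignmentSchedule -Filter "principalId eq '$($user.Id)'" |
    Select-Object AssignmentType, RoleDefinitionId, DirectoryScopeId,
        @{ n = 'Ends'; e = { $_.ScheduleInfo.Expiration.EndDateTime } }

# 4. EXTEND (admin): move the eligibility end date out before it expires.
#    adminExtend targets the existing schedule via targetScheduleId.
$schedule = Get-MgRoleManagementDirectoryRoleEligibilitySchedule `
    -Filter "principalId eq '$($user.Id)' and roleDefinitionId eq '$($role.Id)'"
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter @{
    action           = 'adminExtend'
    justification    = 'Rotation extended by one month'
    roleDefinitionId = $role.Id
    directoryScopeId = '/'
    principalId      = $user.Id
    targetScheduleId = $schedule.Id
    scheduleInfo     = @{
        startDateTime = $nowUtc
        expiration    = @{ type = 'afterDateTime'; endDateTime = (Get-Date).AddDays(120).ToUniversalTime().ToString('o') }
    }
} | Select-Object Id, Action, Status
```

Step 3 is the check worth keeping in a scheduled job: any AssignmentType of 'Assigned' with no end date on a role you meant to manage through PIM is a permanent active assignment that bypasses activation, approval, and the MFA gate entirely.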
For more information, check out the following articles: Extend or renew Microsoft Entra role assignments, Extend or renew Azure resource role assignments, and Extend or renew PIM for Groups assignments.

SCENARIOS

Privileged Identity Management supports the following scenarios:

PRIVILEGED ROLE ADMINISTRATOR PERMISSIONS
* Enable approval for specific roles
* Specify approver users or groups to approve requests
* View request and approval history for all privileged roles

APPROVER PERMISSIONS
* View pending approvals (requests)
* Approve or reject requests for role elevation (single and bulk)
* Provide justification for my approval or rejection

ELIGIBLE ROLE USER PERMISSIONS
* Request activation of a role that requires approval
* View the status of your request to activate
* Complete your task in Microsoft Entra ID if activation was approved

MANAGING PRIVILEGED ACCESS MICROSOFT ENTRA GROUPS (PREVIEW)

In Privileged Identity Management (PIM), you can now assign eligibility for membership or ownership of PIM for Groups. Starting with this preview, you can assign Microsoft Entra built-in roles to cloud groups and use PIM to manage group member and owner eligibility and activation. For more information about role-assignable groups in Microsoft Entra ID, see Use Microsoft Entra groups to manage role assignments.

Important: To assign a PIM for Groups group to a role for administrative access to Exchange, Security & Compliance Center, or SharePoint, use the Azure portal Roles and Administrators experience, not the PIM for Groups experience, to make the user or group eligible for activation into the group.

DIFFERENT JUST-IN-TIME POLICIES FOR EACH GROUP

Some organizations use tools like Microsoft Entra business-to-business (B2B) collaboration to invite their partners as guests to their Microsoft Entra organization. Instead of a single just-in-time policy for all assignments to a privileged role, you can create two different PIM for Groups groups, each with its own policy. You can enforce less strict requirements for your trusted employees, and stricter requirements such as an approval workflow for your partners when they request activation into their assigned group.

ACTIVATE MULTIPLE ROLE ASSIGNMENTS IN ONE REQUEST

With the PIM for Groups preview, you can give workload-specific administrators quick access to multiple roles with a single just-in-time request. For example, your Tier 3 Office Admins might need just-in-time access to the Exchange Admin, Office Apps Admin, Teams Admin, and Search Admin roles to thoroughly investigate incidents daily. Previously, that required four consecutive requests, a process that takes some time. Instead, you can create a role-assignable group called "Tier 3 Office Admins", assign it to each of the four roles previously mentioned (or any Microsoft Entra built-in roles) and enable it for Privileged Access in the group's Activity section. Once enabled for privileged access, you can configure the just-in-time settings for members of the group and assign your admins and owners as eligible. When an admin elevates into the group, they become members of all four Microsoft Entra roles.

INVITE GUEST USERS AND ASSIGN AZURE RESOURCE ROLES IN PRIVILEGED IDENTITY MANAGEMENT

Microsoft Entra guest users are part of the business-to-business (B2B) collaboration capabilities within Microsoft Entra ID, so that you can manage external guest users and vendors as guests in Microsoft Entra ID. For example, you can use Privileged Identity Management features for Azure identity tasks with guests, such as assigning access to specific Azure resources, specifying assignment duration and end date, or requiring two-step verification on active assignment or activation. For more information on how to invite a guest to your organization and manage their access, see Add B2B collaboration users in the Azure portal.
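Before continuing with guests, here is the "Tier 3 Office Admins" scenario from the ACTIVATE MULTIPLE ROLE ASSIGNMENTS IN ONE REQUEST section, built with Microsoft Graph PowerShell, as an added example that is not part of the Microsoft Learn article. It assumes the Microsoft.Graph.Groups, Microsoft.Graph.Identity.Governance and Microsoft.Graph.Users modules are installed, that the first session is a Privileged Role Administrator, that the admin account (alex@contoso.example) and durations are placeholders, and that submitting the first eligibility request onboards the group to PIM for Groups (the portal's "enable for Privileged Access" step in the text); that last point is an assumption about current Graph behaviour. The four role display names are the built-in roles the text abbreviates.

```powershell
# Added example, not code from the Microsoft Learn page. Placeholders are marked.
# Requires: Install-Module Microsoft.Graph -Scope CurrentUser

Connect-MgGraph -Scopes 'Group.ReadWrite.All',
                        'RoleManagement.ReadWrite.Directory',
                        'PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup',
                        'PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup',
                        'User.Read.All'

$nowUtc = (Get-Date).ToUniversalTime().ToString('o')

# 1. A role-assignable security group. IsAssignableToRole cannot be changed after creation,
#    and only Privileged Role Administrators / Global Administrators may create or manage it.
$group = New-MgGroup -DisplayName 'Tier 3 Office Admins' -MailNickname 'tier3officeadmins' `
    -MailEnabled:$false -SecurityEnabled:$true -IsAssignableToRole:$true -Visibility 'Private'

# 2. Make the *group* (not the people) permanently active in each of the four roles.
#    The group is the privileged principal; humans only get in by activating membership.
$roleNames = 'Exchange Administrator', 'Office Apps Administrator', 'Teams Administrator', 'Search Administrator'
foreach ($name in $roleNames) {
    $role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$name'"
    if (-not $role) { throw "Role definition '$name' not found" }
    New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $group.Id `
        -RoleDefinitionId $role.Id -DirectoryScopeId '/' | Out-Null
}

# 3. Make an admin *eligible* for membership (accessId 'member'; 'owner' is the other value).
#    Assumption: this first request also onboards the group to PIM for Groups.
$admin = Get-MgUser -UserId 'alex@contoso.example' -Property Id   # assumed placeholder
New-MgIdentityGovernancePrivilegedAccessGroupEligibilityScheduleRequest -BodyParameter @{
    action        = 'adminAssign'
    accessId      = 'member'
    groupId       = $group.Id
    principalId   = $admin.Id
    justification = 'Tier 3 Office admin rotation'
    scheduleInfo  = @{
        startDateTime = $nowUtc
        expiration    = @{ type = 'afterDateTime'; endDateTime = (Get-Date).AddDays(180).ToUniversalTime().ToString('o') }
    }
} | Select-Object Id, Status

# 4. ACTIVATE (run by Alex in his own session): one request activates group membership,
#    which confers all four role assignments at once for the requested duration.
New-MgIdentityGovernancePrivilegedAccessGroupAssignmentScheduleRequest -BodyParameter @{
    action        = 'selfActivate'
    accessId      = 'member'
    groupId       = $group.Id
    principalId   = $admin.Id
    justification = 'Incident triage (placeholder reason)'
    scheduleInfo  = @{
        startDateTime = $nowUtc
        expiration    = @{ type = 'afterDuration'; duration = 'PT2H' }
    }
} | Select-Object Id, Status

# 5. CHECK: which roles does the group actually hold, and who is currently active in it?
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($group.Id)'" -ExpandProperty roleDefinition |
    ForEach-Object { $_.RoleDefinition.DisplayName }
Get-MgIdentityGovernancePrivilegedAccessGroupAssignmentSchedule -Filter "groupId eq '$($group.Id)'" |
    Select-Object PrincipalId, AccessId, AssignmentType,
        @{ n = 'Ends'; e = { $_.ScheduleInfo.Expiration.EndDateTime } }
```

The second query in step 5 is the one to watch: an AssignmentType of 'assigned' for a member of this group is a standing, non-expiring route into all four roles, which is exactly what routing the roles through a PIM-managed group was meant to remove. Because the group's own role assignments in step 2 are permanent and active, the activation policy on group membership is the only gate, so set approval and MFA requirements on that policy rather than on the individual roles.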
Here are a couple of examples of when you might invite guests to your organization:
* Allow an external self-employed vendor that only has an email account to access your Azure resources for a project.
* Allow an external partner in a large organization that uses on-premises Active Directory Federation Services to access your expense application.
* Allow support engineers not in your organization (such as Microsoft support) to temporarily access your Azure resource to troubleshoot issues.

HOW DOES COLLABORATION USING B2B GUESTS WORK?

When you use B2B collaboration, you can invite an external user to your organization as a guest. The guest can be managed as a user in your organization, but a guest has to be authenticated in their home organization and not in your Microsoft Entra organization. This means that if the guest no longer has access to their home organization, they also lose access to your organization. For example, if the guest leaves their organization, they automatically lose access to any resources you shared with them in Microsoft Entra ID without you having to do anything. For more information about B2B collaboration, see What is guest user access in Microsoft Entra B2B?

NEXT STEPS
* License requirements to use Privileged Identity Management
* Securing privileged access for hybrid and cloud deployments in Microsoft Entra ID
* Deploy Privileged Identity Management