How to create Azure PIM?

Khushi 0 Reputation points


I want to know the details about Azure PIM. What are the questions and answers we have to know before setting up Azure PIM in a new tenant?

And how to set this up?


Microsoft Entra

1 answer

  1. Navya 1,190 Reputation points Microsoft Vendor

    Hi @Khushi ,

    Thank you for posting this in Microsoft Q&A.

    I understand you want to know the details about Azure PIM and how to set up Azure PIM in a new tenant.

    Azure PIM (Privileged Identity Management) is a service that helps you manage, control, and monitor access to resources within your organization. These resources include resources in Microsoft Entra ID, Azure, and other Microsoft Online Services such as Microsoft 365 or Microsoft Intune.

    Organizations want to minimize the number of people who have access to secure information or resources.

    Here are some of the key features of Privileged Identity Management:

    • You can provide just-in-time access to resources, such as Microsoft Entra roles, Azure roles, and groups.
    • You can require approval, justification, and multifactor authentication to activate privileged roles.
    • You can conduct access reviews to ensure users still need their roles.
    • You can download audit history for internal or external audit.

    To use PIM, your directory must have one of the following paid or trial licenses:

    • Azure AD Premium P2
    • Enterprise Mobility + Security (EMS) E5
    • Microsoft 365 M5

    You must have the Global Administrator or Privileged Role Administrator role.

    To set up PIM in your tenant, follow the steps below:

    1. Sign in to the Microsoft Entra admin center as at least a Privileged Role Administrator.

    2. Browse to Identity governance > Privileged Identity Management.

    3. Click to open the PIM QuickStart. In the list, click Consent to PIM > Yes to consent to the PIM service.

    After activating PIM, you can see the following:


    • My roles - Displays a list of eligible and active roles assigned to you.
    • My Requests - Displays your pending requests to activate eligible role assignments.
    • Approve requests - Displays a list of requests to activate eligible roles by users in your directory that you are designated to approve.
    • Review access - Lists active access reviews you are assigned to complete, whether you're reviewing access for yourself or someone else.
    • Microsoft Entra roles - Displays your info and you can assign eligibility to users.

    Here I'm assigning the User Administrator role to a user.

    1. Go to Privileged Identity Management -> Click on Manage.


    2. It will redirect to roles -> Click Add Assignment -> select the role as User Administrator -> select members.


    3. Click Next.

    Select between Eligible and Active:

    • Eligible means the role is assigned with PIM, and the user must enable the role before use.
    • Active means the role is assigned and active (without enabling it via PIM).

    Also, you must select the maximum allowed eligible/active duration:

    • Permanent means it’s permanently eligible/active (until an admin disables it again).
    • Assignment starts/ends mean the assignment will start and end at the designated time.


    If you have assigned the role as Eligible, the user should activate it before use.

    1. The user logs in to Microsoft Entra and goes to the PIM management blade.
    2. Select My roles, select Eligible assignments, identify the role the user wants to activate, and click Activate.

    If you have assigned the role as Active, the user does not need to activate it before use.

    For your reference: What is PIM

    Hope the above information helps. Do let us know if you have any further queries.



    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
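
The assignment steps in the answer above (Eligible or Active, permanent or with an end date) can also be scripted. This is an added example, not part of the original answer: it uses the Microsoft Graph PowerShell SDK, and the helper name `New-PimRoleAssignment`, the sample user and the justification text are assumptions.

```powershell
# Added example (not from the original answer). Assumes the Microsoft.Graph
# PowerShell SDK is installed and the signed-in account holds the
# Privileged Role Administrator or Global Administrator role.

function New-PimRoleAssignment {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [Parameter(Mandatory)] [string] $RoleDisplayName,
        [Parameter(Mandatory)] [string] $Justification,
        [ValidateSet('Eligible', 'Active')] [string] $AssignmentType = 'Eligible',
        [Nullable[datetime]] $EndDateTime   # omit for a permanent assignment
    )

    # Resolve the user and the role definition to their object IDs.
    $user = Get-MgUser -UserId $UserPrincipalName -ErrorAction Stop
    $role = Get-MgRoleManagementDirectoryRoleDefinition `
        -Filter "displayName eq '$RoleDisplayName'" -ErrorAction Stop
    if (-not $role) { throw "Role '$RoleDisplayName' not found." }

    # "Permanent" vs. "Assignment starts/ends" from the portal wizard.
    $expiration = if ($EndDateTime) {
        @{ type = 'afterDateTime'; endDateTime = $EndDateTime.ToUniversalTime().ToString('o') }
    } else {
        @{ type = 'noExpiration' }
    }

    $body = @{
        action           = 'adminAssign'
        justification    = $Justification
        roleDefinitionId = $role.Id
        directoryScopeId = '/'          # tenant-wide scope
        principalId      = $user.Id
        scheduleInfo     = @{
            startDateTime = (Get-Date).ToUniversalTime().ToString('o')
            expiration    = $expiration
        }
    }

    # Eligible: the user must activate the role. Active: usable immediately.
    if ($AssignmentType -eq 'Eligible') {
        New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $body
    } else {
        New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $body
    }
}

Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory', 'User.Read.All'
# Constructed sample values: a 90-day eligible assignment.
New-PimRoleAssignment -UserPrincipalName 'alice@contoso.example' -RoleDisplayName 'User Administrator' `
    -Justification 'Help desk onboarding' -EndDateTime (Get-Date).AddDays(90)
```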
