Azure AD PIM : discover resources - any downsides?

Marshall Hamilton 1 Reputation point

PIM isn't enabled by default, and per the following article resources must be discovered and brought under management:

The article states "once a management group or subscription is managed, it can't be unmanaged...".

Why do I have to go through this process of discovery and selecting resources to manage? Is there some downside to enabling PIM? I feel like if there wasn't a downside it would be enabled by default for all objects, and I wouldn't be reading warnings about how it can't be undone. For example, we'd like to enable PIM for the Tenant Root Management group. Is there some downside to doing that?

Thank you!


1 answer

  1. Marilee Turscak-MSFT 36,336 Reputation points Microsoft Employee

    Hi @Marshall Hamilton,

    The main downside I can think of is the licensing cost, as using Privileged Identity Management requires an Azure AD Premium P2 license. (The licensing requirements are outlined here.)

    Most other cons would be related to the time that it takes to onboard and educate users, configure role settings, and fulfill compliance standards to access resources. Users may find it inconvenient to perform MFA, provide justification to access resources, and receive JIT access rather than unfettered access. As is true with most security implementations, there is generally a tradeoff of some level of convenience. The safeguards offered by PIM are documented here.

    Granting tenant-wide permissions and enabling PIM at the tenant level is pretty common and there is documentation here for doing so.

    I actually found a related question on Reddit where different PIM users were discussing the pros and cons of the service, and you may find this helpful in your research even though the thread is a couple of years old.

    Let me know if this helps and if you have further questions!
    If this answer was helpful to you, please don't forget to "mark as answer" so that others in the community with similar questions can more easily find a solution.

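Because onboarding a management group to PIM cannot be reversed, a practitioner will usually want an inventory of the standing (permanent) role assignments at the Tenant Root Group before bringing it under management, so that nothing is converted to eligible-only access by surprise. The following PowerShell is an added example and is not code from the question, the answer, or Microsoft's documentation. It assumes the Az.Accounts and Az.Resources modules are installed, that the caller holds at least Reader on the root management group, and uses `<tenant-id>` as a placeholder (the Tenant Root Group's management group ID is the tenant ID itself). The role names in `$privilegedRoles` are a constructed watch list, not a list the page provides.

```powershell
# Added example (not from the Q&A): inventory permanent vs. PIM-eligible Azure RBAC
# assignments at the Tenant Root Group before onboarding it to PIM.
# Assumes Az.Accounts + Az.Resources; <tenant-id> is a placeholder to replace.
Connect-AzAccount -Tenant '<tenant-id>' | Out-Null

# The Tenant Root Group's management group ID equals the tenant ID.
$scope = '/providers/Microsoft.Management/managementGroups/<tenant-id>'

# Permanent (active) role assignments created directly on the root scope.
# Get-AzRoleAssignment also returns inherited entries, so filter on Scope.
$permanent = Get-AzRoleAssignment -Scope $scope |
    Where-Object { $_.Scope -eq $scope }

# Eligible (PIM-managed, just-in-time) assignments at this scope.
# This is empty if the scope has not yet been discovered/onboarded into PIM.
$eligible = Get-AzRoleEligibilitySchedule -Scope $scope -ErrorAction SilentlyContinue

# Constructed watch list of roles that grant broad control; adjust to taste.
$privilegedRoles = @('Owner', 'Contributor', 'User Access Administrator')

# Standing access that would become a candidate for conversion to eligible.
$standingPrivileged = $permanent |
    Where-Object { $privilegedRoles -contains $_.RoleDefinitionName }

"Permanent assignments at root scope : $($permanent.Count)"
"Eligible (PIM) assignments at root  : $(@($eligible).Count)"
"Standing privileged assignments     : $(@($standingPrivileged).Count)"
""
$standingPrivileged |
    Select-Object DisplayName, ObjectType, RoleDefinitionName |
    Sort-Object RoleDefinitionName, DisplayName |
    Format-Table -AutoSize
```

Run this once before onboarding and keep the output: after the root management group is under PIM management, the same two queries show which principals were moved from permanent to eligible assignments, which is the access-model change (MFA, justification, JIT activation) the answer describes as the practical cost of enabling PIM.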