Configuring Azure AD Privileged Identity Management

Azure AD Privileged Identity Management (PIM) provides just-in-time admin access. By implementing PIM, we can manage, control, and monitor access to the Office 365 services. This includes access to resources in Azure AD, Azure resources, and other Microsoft Online Services like Office 365 or Microsoft Intune.

License Requirement: Azure AD Premium P2 or Enterprise Mobility + Security E5
Assign the license to each admin user account; each admin should have MFA set up.
Rights Requirement: Global Admin or Privileged Role Administrator

In this post, we will set up PIM and then add eligible members to roles, which lets the admin activate the role on demand.

Step 1: Log in to http://portal.azure.com, search for Privileged Identity Management, and give consent.


Once you click Consent, you will have to confirm the consent by clicking Yes.


Sign up: click Sign up to continue.


Step 2: Now let's adjust the number of hours a role stays active after activation. The default duration is 1 hour; the maximum value is 72 hours.

Let's adjust it to 8 hours, assuming a one-time activation for the full business day.

To achieve this, in PIM under "Manage" click on "Azure AD roles", then again under "Manage" click on "Settings" and select "Roles". Now select the role you wish to manage, or select "Default for all roles" to adjust the duration for all roles.


Apart from that, we can adjust the time for a specific role individually. Let's say we want the "Global admin" role to be active for only 1 hour: we can select the "Global Admin" role and adjust the activation hours for this role, which will supersede the default role hours.

Next, let's add members and make the admins eligible for their roles.

Step 3: Go to PIM, select Azure AD roles, and click "Members"



and then click "Add Member".
Now select the role and the admin user and click OK; you can select only one role at a time.



Repeat the same steps to add additional roles to a member.

A role can be made permanent from the member properties. Permanent roles do not require activation; they are always on, which is not a recommended setup.


We can review the members from the Members section, which shows their Assignment type.



An admin can then log in to the Azure portal, review their Eligible roles, and activate the required role.


The duration can be adjusted down from the maximum allowed hours as desired.
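The same configuration done from PowerShell instead of the portal, as an added example that is not part of the original post: it sets the 8-hour activation cap from Step 2, adds an eligible (not permanent) member as in Step 3, lists the resulting eligible assignments for review, and finally shows the self-activation the admin performs on demand. It assumes the Microsoft Graph PowerShell SDK (modules Microsoft.Graph.Identity.Governance and Microsoft.Graph.Users) is installed and that the account running it holds one of the rights named at the top of the post; the UPN, role name and justification strings are constructed placeholders.

```powershell
# Added example (not from the original post): PIM setup via the Microsoft Graph PowerShell SDK.
# Assumptions: SDK modules installed; caller is Global Admin or Privileged Role Administrator;
# the UPN, role name and justification below are placeholders to replace.
Import-Module Microsoft.Graph.Identity.Governance
Import-Module Microsoft.Graph.Users

Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory",
                        "RoleManagementPolicy.ReadWrite.Directory",
                        "User.Read.All"

$adminUpn      = "pim.admin@contoso.example"   # placeholder account
$roleName      = "Exchange Administrator"      # directory role to make the admin eligible for
$maxActivation = "PT8H"                        # ISO 8601 duration: one 8-hour business day

# 1. Resolve the principal and the directory role definition by display name.
$user = Get-MgUser -UserId $adminUpn
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"

# 2. Step 2 of the post: cap the activation duration for this role at 8 hours.
#    Every directory role has a PIM policy; the end-user expiration rule carries the maximum.
$policyAssignment = Get-MgPolicyRoleManagementPolicyAssignment `
    -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$($role.Id)'"
$expirationRule = @{
    "@odata.type"        = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"
    id                   = "Expiration_EndUser_Assignment"
    isExpirationRequired = $true
    maximumDuration      = $maxActivation
    target               = @{ caller = "EndUser"; operations = @("all"); level = "Assignment" }
}
Update-MgPolicyRoleManagementPolicyRule `
    -UnifiedRoleManagementPolicyId $policyAssignment.PolicyId `
    -UnifiedRoleManagementPolicyRuleId "Expiration_EndUser_Assignment" `
    -BodyParameter $expirationRule

# 3. Step 3 of the post: add the admin as an ELIGIBLE member, not a permanently active one.
$eligibility = @{
    action           = "adminAssign"
    justification    = "Eligible assignment for just-in-time admin access"
    roleDefinitionId = $role.Id
    directoryScopeId = "/"
    principalId      = $user.Id
    scheduleInfo     = @{
        startDateTime = Get-Date
        expiration    = @{ type = "noExpiration" }   # the eligibility itself does not lapse
    }
}
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $eligibility

# 4. Review: the user's eligible roles, i.e. the "Eligible" assignment type shown in the portal.
Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter "principalId eq '$($user.Id)'" |
    Select-Object RoleDefinitionId, DirectoryScopeId, Status

# 5. What the admin does on demand (run while signed in as the eligible user):
#    activate the role for the full 8 hours, or pass a shorter duration if less is needed.
$activation = @{
    action           = "selfActivate"
    principalId      = $user.Id
    roleDefinitionId = $role.Id
    directoryScopeId = "/"
    justification    = "Placeholder: ticket reference for the work being done"
    scheduleInfo     = @{
        startDateTime = Get-Date
        expiration    = @{ type = "afterDuration"; duration = $maxActivation }
    }
}
New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $activation
```

Step 2 is applied per role here, which matches the post's per-role override; to change the "Default for all roles" setting instead you would repeat the policy update for each role's policy. The activation request in step 5 is the part the admin repeats whenever access is needed, and its duration can be anything up to the maximum set in step 2.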


Most of the time the admin will be able to use the activated role immediately after activation, but sometimes it doesn't work, especially for Exchange Online. I have found a workaround for this, which is to deactivate and activate the role again.

This completes my post on setting up PIM for your organization and adding admin roles for members.
