As the Conditional Access series wraps up, we’re diving headfirst into a new adventure in Identity Management! Join me as I explore the ins and outs of Microsoft Identity Governance, starting with Privileged Identity Management (PIM).
Privileged Access Management (PAM), is an umbrella term used for monitoring, managing and protecting access across our environment. PAM solutions include a bunch of different solutions such as lifecycle management, Multifactor Authentication, Just-In-Time Access, Just-Enough-Administration and todays focus, Privileged Identity Management (PIM).
Microsoft have multiple solutions that we can take advantage of on our PAM journey, this includes Microsoft Entra, Microsoft Sentinel, and Microsoft Entra ID Governance.
Over the course of this series, I'll be going through the different capabilities and features that we can utilize on our path.
Today I'll be focusing on the Microsoft Entra ID Governance solution Privileged Identity Management (PIM).
Without further ado, let's dive in!
Privileged Access Management (PAM) is a broad term covering various methods to monitor, manage, and protect access across our environment. PAM solutions includes, but are not limited to, lifecycle management, Multi-Factor Authentication (MFA), Just-In-Time (JIT) Access, Just-Enough-Administration (JEA), and today’s focus—Privileged Identity Management (PIM).
Microsoft offers multiple solutions to support our PAM journey, including Microsoft Entra, Microsoft Sentinel, and Microsoft Entra ID Governance. In this series, I’ll delve into the features and capabilities that help us bolster our identity security.
Without further ado, let’s jump into Microsoft Entra ID Governance’s PIM solution!
Table of content
What is Privileged Identity Management?
PIM provides time- & approval-based, privileged access to our users, particularly our Administrators.
It lets admins elevate their access to Entra ID roles, group member roles, or Azure Role Based Access Control (RBAC) roles.
Configurable Settings
For each role, we're able to configure the following 3 settings, at the role level:
Activation
In PIM, activation settings determine the specific requirements and permissions needed for role activation. These options allow you to fine-tune role access to meet security and operational needs.
Activation Maximum Duration (hours) – Set how long a role activation lasts. By default, this is 8 hours, but you can adjust it based on your security needs.
On Activation, require – Specify any extra security checks needed for activation:
Require Justification – Requires the user to provide a reason for role activation. Enabled by default.
Require Ticket Information – Adds two fields for users to enter a ticket system and ticket number when activating the role. This information isn’t linked to any ticketing system but can help track requests. Disabled by default.
Require Approval – Sets an approval flow for role activation. Approvers can be specific users or groups. Disabled by default.
Assignment
Assignment settings control who has long-term or “eligible” access to a role and the specifics of their access permissions. Here’s what you can configure:
Allow Permanent Eligible Assignment – Determines if eligible assignments can be permanent. Enabled by default. If disabled, you can set an expiration timeframe for eligible assignments.
Allow Permanent Active Assignment – Allows permanent active assignments by default. When disabled, you can set an expiration timeframe for active assignments.
Require Azure MFA on Active Assignments – Requires MFA when assigning a role. Note that users who already have a valid MFA token won’t be prompted again. Disabled by default.
Require Justification on Active Assignments – Similar to the activation justification, but for active assignments. Enabled by default.
Notifications
Notifications help manage the flow of alerts and updates throughout the lifecycle of a PIM role, from assignment to activation.
For all notification types there's 3 different options available for configurations:
Default Recipients – By default, email notifications go to predefined recipients, but you can adjust this by enabling or disabling them. Enabled by default.
Additional Recipients – Add specific recipients for notifications beyond the default recipients. You can list multiple recipients by separating each email address with a semicolon. Not configured by default.
Critical Emails Only – Only sends emails when immediate action is required, for example, approvals for role extensions.
Additionally, Access Reviews provide an automated way to manage and review permissions within Microsoft Identity Governance. This feature helps ensure that access rights remain appropriate over time by enabling fully or semi-automated permission evaluations.
Access Reviews are a robust solution on their own, so I’ll be diving into them in detail in a future post. For now, just know that they’re another powerful tool you can leverage with PIM.
Why utilize Privileged Identity Management?
Overprivileged identities are a hacker’s dream. When users have more permissions than they truly need, attackers can exploit these permissions to achieve a range of malicious goals, from data theft to system destruction. Attackers often start by gaining initial access and then move laterally across systems, escalating privileges as they go. With the right permissions, they can target sensitive data, alter configurations, or disrupt operations—making robust access management a priority.
The urgency of managing privileged access is reinforced by the statistics. According to projections, the cost of cyberattacks will reach $10.5 trillion annually by 2025.
The average cost of a single data breach already stands at a whooping $4.88 million in 2024, making each breach an expensive reminder of what’s at stake!
The CrowdStrike Global Threat Report 2024 reveals a 110% increase in Cloud-Conscious Attacks.
These are sophisticated attacks where threat actors exploit cloud environments and specifically target identity-based and social engineering vulnerabilities. Such attacks often include:
Initial access through social engineering and different kinds of phishing attacks.
Lateral movement through an environment to acquire privileged identities.
Escalation and exploitation of these identities for high-value targets, typically sensitive data.
With such threats on the rise, strong access management solutions like PIM are essential to defending against these attacks.
Microsoft’s Take on the Overprivilege Problem
Microsoft’s research adds even more weight to this issue, revealing that only 2% of permissions assigned to users in 2023 were actively used.
This staggering statistic emphasizes the critical need for a more controlled and minimalistic approach to access rights. To address this, Microsoft recommends:
Removing unnecessary permissions – Eliminate all permissions that aren’t essential to the user’s role.
Use Just-in-Time (JIT) access to grant permissions only when needed and only for the minimum time required.
Managing privileged identities with Zero Trust – Apply least-privilege access and explicit verification principles, ensuring users only have the rights needed for their role and that elevated permissions are granted sparingly and temporarily.
PIM directly supports these goals, offering features that allow organizations to:
Minimize access by implementing temporary and just-in-time privileges.
Require justification, multi-factor authentication (MFA), and approvals for elevated permissions.
Regularly review access assignments with automated Access Reviews to ensure permissions align with current job requirements.
PIM as a Core Element in Zero Trust Strategy
By enforcing PIM, organizations can anchor their access management strategy in the three core Zero Trust principles:
Verify Explicitly – Taking advantage of enhanced Conditional Access policies that require additional authentication steps, such as Authentication Context policies, when users elevate to sensitive roles like Global Administrator or Azure RBAC Owner. This added verification helps secure the access pathway.
Use Least Privilege – Instead of assigning blanket roles like Global Administrator, PIM makes it possible to apply role- and task-based privileges. Administrators receive access only to the resources and actions they need, when they need it, which reduces the risk of overprivileged identities and limits the damage potential of compromised accounts.
Assume Breach – By requiring users to request elevation for highly privileged roles, PIM helps limit the duration and scope of elevated permissions. This reduces the window of opportunity for potential attackers, helping prevent data breaches, automated attacks, and unauthorized lateral movement.
In summary, PIM adds essential layers of control to privileged access management, decreasing the risk of overprivileged accounts, improving compliance, and enhancing the overall security posture against identity-based attacks.
As we navigate the increasingly complex technological landscape, PIM is a key ally in protecting our environments and upholding Zero Trust principles.
How to implement Privileged Identity Management?
PIM can be managed via the Entra or Azure portals, or programmatically with Powershell.
Microsoft Entra Portal
Entra is the go-to for all things identity. Accessing the Privileged Identity Management blade in Entra opens up management options, such as configuring activation and assignment settings for roles, monitoring activity, and creating assignments. Here’s a step-by-step guide:
Accessing PIM in Entra
Accessing the Priviliged Identity Management blade we are presented with different options. For our purpose today the Manage menu is our focus.
Choosing any of the options in the menu allows us to manage the respective assignments. A couple things to note for management:
For Group management, onboard the groups you want to manage.
For Azure, define the assignment scope you want to manage.
Choosing Entra Roles presents a detailed blade with access options:
As shown, the Overview Dashboard provides at-a-glance insights into your environment, showing active users, role activations, role assignments, alerts, and related PIM activities.
Configuring role-specific settings
From the Roles or Settings menu, you can customize role activation requirements, notification options, and assignment scopes.
This allows us to increase or decrease the requirements as well as scoping assignments and notifications, allowing per-role customization across Entra ID Roles, Azure RBAC Roles, and Group Member/Owner roles in PIM.
Creating an assignment
Creating Eligible or Active assignments is possible via the Assignments or Roles menus
Creating the assignment is the most critical step in setting up PIM. This is where you determine the actual assignments.
Based on the role’s configured settings, you have the flexibility to:
Assign Eligible or Active roles – Eligible roles allow users to request elevation when needed, while Active roles provides access without the need to elevate access.
Set assignment duration – Choose between temporary assignments with defined end dates or permanent roles.
Each assignment you create helps forming the foundation of a controlled and secure environment.
PIM User experience, approval based:
The roles assigned for this example requires approval before it becomes active, taking a look at this from the user end:
When a role requires approval before activation, the user submits a request and waits for approver confirmation. If approval isn’t required, the elevated role is assigned immediately, and the page refreshes. Users with multiple roles can activate them consecutively by selecting each role, closing the validation pop-up, and activating the next, only waiting for the full validation and activation on the last role.
PIM Approver experience:
Once the role activation request have been sent from the user, the approvers for the specified role gets an email, and will then be able to approve or deny via the portal:
Approvers receive an email notification for pending activation requests. Through the portal, they can approve or deny the request. Upon approval, the user’s assignment becomes active for the requested duration. Both activation and extension approvals are managed from a unified menu in the portal.
Microsoft Azure Portal
Before the introduction of unified portals like Entra, many of us managed PIM in the Azure portal. While it’s still possible to use Azure for PIM tasks, I highly recommend becoming familiar with Entra for its identity management focus!
Powershell
Though I'm a sucker for the portals, being able to handle assignments programmatically can be very helpful, especially when handling multiple assignments.
Using powershell with Microsoft Graph provides a very powerful and reliable way to handle assignments in a code based administrative environment, as such I've created a "small" script you're welcome to take advantage of.
This script can handle Users, Groups and Service Principals in a single call, for any of the 3 different PIM assignment types: Entra ID Roles, Group Memberships and Azure RBAC Roles.
I've included a few examples in the script as well.
Expanding the button below will reveal the script, though I highly recommend getting it from my github instead: Manage-PIMRoleAssignments
Although I’m all about the portals, sometimes nothing beats handling assignments programmatically—especially when you’re juggling multiple roles at once!
Using PowerShell with Microsoft Graph makes it easy and reliable to manage assignments in a code-based environment. To make things even simpler, I’ve put together a handy "little" script that does the heavy lifting for you.
This script can manage Users, Groups, and Service Principals in a single call, covering any of the three PIM assignment types: Entra ID Roles, Group Memberships, or Azure RBAC Roles. While it can handle any combination of identities for any one type at a time, you’ll need to run separate calls for each type if managing multiple assignment types.
I've made sure to include some examples in the help for the script, to help you get started!
Check out the full script on GitHub: Manage-PIMRoleAssignments
PIM Management Powershell script
Conclusion: Identity Governance - Unlocked!
And that wraps up the first chapter of our dive into Identity Governance!
Today, we explored the essentials of Privileged Identity Management and how it keeps privileged access secure and manageable. With features like just-in-time access, approval workflows, and visibility into elevated roles, PIM is an invaluable tool in building a Zero Trust strategy that safeguards our identities.
But this is only the beginning! By embracing identity governance, we’re creating a layered defense that stands strong against evolving threats. Each layer we add brings us closer to a comprehensive and resilient security posture—from defining privileged access to continuously reviewing permissions.
Stay tuned as we keep building out the tools and tactics that make up a solid identity governance framework. There’s plenty more to uncover on this journey, and each step strengthens our approach to Identity and Access Management!
And now, another bad joke for a quick laugh to close out our journey today:
What is a hacker’s favorite season?
Phishin' season! 😎
Keep following Cloudy With a Chance of Security for more updates on securing your identity landscape, and share this series with your peers as we continue building stronger access controls, one step at a time!