Petri Newsletter Sign-up
Tech Tuesday

Subscribe to Tech Tuesday, the latest insights from for IT Pros.

    See All Petri Newsletters

    What Is Azure AD Privileged Identity Management?

    Posted on by Russell Smith in Cloud Computing

    In today’s Ask the Admin, I’ll look at Azure Active Directory (AAD) Privileged Identity Management (PIM) and how it can help protect user identities in the cloud.



    Privileged Identity Management is available to AAD Premium P2 subscribers and allows organizations to better control what users are doing with privileged accounts. Just like in an on-premises Active Directory (AD) environment, the use of privileged domain accounts, such as Domain Admins and Enterprise Admins, should be kept to a minimum. To help facilitate that, Windows Server 2016 includes a new feature called Just-In-Time (JIT) administration, which allows users to be granted privileges on a temporary, time-limited basis.

    In AAD, Just-In-Time administration allows administrative privileges to be granted ‘on-demand’ to the directory and online services, such as Office 365 and Intune. Much of what Microsoft added to Windows Server 2016 was the result of features that were first appeared in Azure, so it should come as no surprise that JIT administration is also part of AAD. PIM also allows administrators to

    • See which AAD users are tenant administrators.
    • Run reports detailing changes and access attempts made by administrators.
    • Set up alerts for access to privileged roles.

    Eligibility and Activation

    When PIM is enabled for a tenant, users that occasionally need privileged access can be assigned the role of Eligible admin, and only when they complete ‘activation’ are their accounts granted elevated privileges for a set period. Users activate a role by logging in to the AAD management portal and start the activation process on the Privileged Identity Management panel.

    Each role supported by PIM accepts users that are either Permanent or Eligible members of the role. For instance, in the image below, you can see that users assigned the Global Administrator role have Permanent permission, others Eligible.

    Eligible and Permanent Azure Global Administrators (Image Credit: Microsoft)
    Eligible and Permanent Azure Global Administrators (Image Credit: Microsoft)

    Roles have activation settings that determine the maximum amount of time for activation, how admins are notified of the activation, whether users requesting activation should provide any additional information such as a request ticket ID, and whether multifactor authentication is required.

    Role Activity

    Administrators can view activity on the Audit history panel, where changes in privileged role assignment and activation history are recorded. Alternatively, access reviews can be configured, which requires an assigned person to review historical access data and determine who still requires privileged access.

    Azure AD Audit history (Image Credit: Russell Smith)
    Azure AD Audit history (Image Credit: Russell Smith)

    In this article, I explained what AAD Privileged Identity Management is and how it can be used to improve the security of your AAD tenant.


    Don't have a login but want to join the conversation? Sign up for a Petri Account


    Register for this Petri Webinar!

    Want to Make Your Backup Storage Unlimited & Ready for the Cloud? – Free Thurrott Premium Account with Webinar Registration!

    Tuesday, August 27, 2019 @ 1:00 pm EDT

    A Scale-Out Backup storage infrastructure is a must-have technology for your backups. In this webinar, join expert Rick Vanover for a look on what real-world problems are solved by the Scale-Out Backup Repository.

    Register Now

    Sponsored By