Privileged Identity Management (PIM)
Status: Scaffold — content in progress
Privileged Identity Management (PIM) is the Entra ID Governance feature that replaces standing privilege with just-in-time (JIT), time-bound role assignments. Instead of holding a privileged role permanently, a user is made eligible for it and must activate it (with a justification, and optionally MFA and approval) each time it is needed; the activation expires on its own. PIM covers Entra ID directory roles, Azure resource (RBAC) roles and group membership/ownership (PIM for Groups); this page is about Entra ID directory roles.
PIM Role States
PIM separates the assignment type (eligible or active) from its duration (permanent or time-bound). Activating an eligible role creates a time-bound active assignment that disappears when it expires.
| State | Description |
|---|---|
| Eligible | User holds no privilege until they activate the role; the eligibility itself can be permanent or carry an end date |
| Active (time-bound) | Role is in effect now and expires automatically, either because it was activated from an eligible assignment or because the active assignment was created with an end date |
| Active (permanent) | Standing privilege with no expiry. A role assigned directly, outside PIM, shows up here, and PIM raises the "Roles are being assigned outside of Privileged Identity Management" alert for it. Avoid for privileged roles; keep only break-glass accounts here |
Activation Flow
- User requests activation of an eligible role, supplying a justification and a duration; the role setting "Activation maximum duration" caps the duration (default 8 hours, at most 24 hours for Entra roles). The role settings can also require a ticket number and ticketing system
- Optional: MFA required on activation. PIM treats this as satisfied when the current session already carries the MFA claim, so a stolen token from an MFA'd session can activate without a fresh prompt; requiring a Conditional Access authentication context on activation instead forces a fresh strong authentication
- Optional: approval required from designated approvers; the request stays in PendingApproval until one of them decides, and a user cannot approve their own request
- Role activates for the requested time (e.g., 1 hour, 8 hours); tokens issued before the activation do not carry the role, so some portals only show it after a fresh sign-in or token refresh
- Role auto-deactivates when the duration ends; the user can also deactivate early
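The activation request above, as an added Python example that is not the page's or Microsoft's code: it builds the Microsoft Graph `roleAssignmentScheduleRequests` body that a self-activation sends (the same request the portal's Activate button makes), enforces the duration cap and justification locally, and interprets the status Graph returns. It assumes the caller already holds a delegated Graph access token for the activating user; the principal ID and the command-line usage are placeholders, and only the standard library is used.

```python
"""Self-activate an eligible Entra ID role through Microsoft Graph.

Added example for this page, not Microsoft's or the page author's code.
Assumes the caller already holds a delegated Graph access token for the
activating user; the principal ID passed in is a placeholder.
Standard library only.
"""
import json
import urllib.request
from datetime import datetime, timezone

GRAPH_ENDPOINT = ("https://graph.microsoft.com/v1.0/roleManagement/directory/"
                  "roleAssignmentScheduleRequests")

# Well-known template ID of the Global Administrator directory role; Graph uses
# the template ID as the roleDefinitionId of built-in directory roles.
GLOBAL_ADMIN_ROLE_ID = "62e90394-69f5-4237-9190-012177145e10"

# "Activation maximum duration" role setting: default 8 hours, at most 24.
MAX_ACTIVATION_HOURS = 24


def iso8601_duration(hours):
    """Render an hour count as the ISO 8601 duration Graph expects, e.g. PT8H."""
    if not isinstance(hours, int) or not 0 < hours <= MAX_ACTIVATION_HOURS:
        raise ValueError(f"activation duration must be 1..{MAX_ACTIVATION_HOURS} whole hours")
    return f"PT{hours}H"


def build_self_activate_request(principal_id, role_definition_id, justification,
                                hours=8, ticket=None, start_utc=None):
    """Return the unifiedRoleAssignmentScheduleRequest body for a self-activation.

    action=selfActivate is what the portal's Activate button sends;
    directoryScopeId "/" means tenant-wide scope; ticket is (number, system).
    """
    if not justification or not justification.strip():
        # the role setting "Require justification on activation" makes this mandatory
        raise ValueError("justification is required")
    body = {
        "action": "selfActivate",
        "principalId": principal_id,
        "roleDefinitionId": role_definition_id,
        "directoryScopeId": "/",
        "justification": justification,
        "scheduleInfo": {
            "startDateTime": start_utc or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "expiration": {"type": "AfterDuration", "duration": iso8601_duration(hours)},
        },
    }
    if ticket:
        body["ticketInfo"] = {"ticketNumber": ticket[0], "ticketSystem": ticket[1]}
    return body


def describe_status(status):
    """Map the request's status field to what it means for the activating user."""
    if status == "Provisioned":
        return "role is active now (auto-approved)"
    if status in ("PendingApproval", "PendingAdminDecision"):
        return "waiting for an approver; role is not yet active"
    if status in ("PendingProvisioning", "PendingScheduleCreation", "ScheduleCreated"):
        return "approved or scheduled; role becomes active at startDateTime"
    if status in ("Denied", "Canceled", "Failed", "Revoked"):
        return "role was not granted"
    return f"unrecognised status {status!r}"


def activate(access_token, body):
    """POST the request to Graph; returns (status, raw response). Network call."""
    req = urllib.request.Request(
        GRAPH_ENDPOINT, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        payload = json.load(resp)
    return payload.get("status"), payload


if __name__ == "__main__":
    import sys  # usage: <principal object id> <access token>  (placeholders)
    body = build_self_activate_request(sys.argv[1], GLOBAL_ADMIN_ROLE_ID,
                                       "INC-4711: rotate break-glass credentials",
                                       hours=2, ticket=("INC-4711", "ServiceNow"))
    status, _ = activate(sys.argv[2], body)
    print(status, "->", describe_status(status))
```

A request that lands in PendingApproval grants nothing until an approver acts; a Provisioned response means no approval was configured for the role, which is exactly the condition the attack scenarios below rely on. The identical request shape with `action` set to `adminAssign` is what creates a standing assignment outside the activation workflow.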
PIM Attack Scenarios
| Scenario | Attack |
|---|---|
| Global Admin is eligible with no approval on activation | Compromise the user, or steal a session token that already satisfies the MFA claim, and self-activate; the attacker holds the full role for the maximum activation duration and only the audit trail distinguishes it from legitimate use |
| Weak approval workflow | Social engineer an approver with a plausible justification, or compromise an approver account; large approver groups and approvers who rubber-stamp requests make this easy |
| Assignment outside PIM | An attacker who already holds Privileged Role Administrator or Global Administrator creates a permanent active assignment directly through Microsoft Graph instead of activating; it is effective immediately and skips approval, although PIM logs it and raises the "assigned outside of PIM" alert |
| Role assignment via a compromised service principal | An app holding the RoleManagement.ReadWrite.Directory application permission, or a privileged directory role, creates role assignments with no activation step at all, because application permissions are not subject to PIM activation |
PIM Telemetry
| Log | Event |
|---|---|
| Entra audit log (category RoleManagement, loggedByService PIM) | Activation requested and completed ("Add member to role completed (PIM activation)"), approvals and denials, eligible and active assignment changes, and role-setting changes such as removing the MFA or approval requirement |
| Entra audit log (loggedByService Core Directory) | The underlying "Add member to role" write; for a PIM activation it is initiated by the MS-PIM service principal, for a direct assignment by the user or app that made it |
| Sign-in log | Whether MFA was performed in the session used for activation; correlate on user and time with the activation request |
| PIM security alerts (portal and email) | "Roles are being assigned outside of Privileged Identity Management", "Roles are being activated too frequently", "Roles don't require multifactor authentication for activation", "There are too many global administrators", "Potential stale accounts in a privileged role" |
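The attack scenarios and the telemetry above, as one added Python example that is not the page's or Microsoft's code: it runs a triage over audit-log records shaped like Microsoft Graph `directoryAudits` entries and reports assignments made outside the PIM activation workflow, role changes initiated by a service principal, and users activating the same role repeatedly. The sample records are constructed; the operation names and the "MS-PIM" actor are the ones Entra writes for PIM and Core Directory role changes, but confirm them against your own tenant's audit log before relying on this in a detection. The edge case it handles is that every PIM activation also produces a Core Directory "Add member to role" write, initiated by MS-PIM, which must not be reported as a bypass.

```python
"""Triage Entra audit-log role-management events for PIM bypass indicators.

Added example for this page, not Microsoft's or the page author's code. The
records are constructed to mirror the shape of Microsoft Graph directoryAudits
entries; the operation names and the "MS-PIM" actor are the ones Entra writes
for PIM and Core Directory role changes (confirm against your own tenant).
"""
import json

# PIM's own record of a successful JIT activation (loggedByService "PIM").
PIM_ACTIVATION_OP = "Add member to role completed (PIM activation)"

# A role becoming active or eligible without the activation workflow: the Core
# Directory write itself, or PIM noticing an assignment made elsewhere.
OUTSIDE_PIM_OPS = {
    "Add member to role",
    "Add member to role outside of PIM (permanent)",
    "Add member to role outside of PIM (eligible)",
}

# The Core Directory write behind a PIM activation is initiated by this service
# principal, so it is normal and must not be reported as a bypass.
PIM_SERVICE_APP = "MS-PIM"

HIGH_VALUE_ROLES = {"Global Administrator", "Privileged Role Administrator",
                    "Privileged Authentication Administrator"}


def role_name(rec):
    """Pull the role's display name from targetResources (either representation)."""
    targets = rec.get("targetResources", [])
    for t in targets:
        if t.get("type") == "Role" and t.get("displayName"):
            return t["displayName"]
    for t in targets:  # Core Directory style: modifiedProperties on the user entry
        for mp in t.get("modifiedProperties", []):
            if mp.get("displayName") == "Role.DisplayName" and mp.get("newValue"):
                return json.loads(mp["newValue"])  # newValue is a JSON-encoded string
    return None


def actor_of(rec):
    """Return (actor, is_app): a user UPN, or the app's display name/appId."""
    by = rec.get("initiatedBy", {})
    if by.get("app"):
        return by["app"].get("displayName") or by["app"].get("appId"), True
    return (by.get("user") or {}).get("userPrincipalName"), False


def triage(records, activation_threshold=3):
    """Return findings: assignments outside PIM, app-initiated changes, and
    actors activating one role at least activation_threshold times."""
    findings, activations = [], {}
    for rec in records:
        op, role = rec.get("activityDisplayName"), role_name(rec)
        actor, is_app = actor_of(rec)
        severity = "high" if role in HIGH_VALUE_ROLES else "medium"
        if op == PIM_ACTIVATION_OP:
            activations[(actor, role)] = activations.get((actor, role), 0) + 1
            continue
        if op not in OUTSIDE_PIM_OPS or (is_app and actor == PIM_SERVICE_APP):
            continue
        findings.append({"actor": actor, "role": role, "severity": severity,
                         "reason": "role assigned outside the PIM activation workflow"})
        if is_app:
            findings.append({"actor": actor, "role": role, "severity": "high",
                             "reason": "role change initiated by a service principal"})
    for (actor, role), n in activations.items():
        if n >= activation_threshold:
            findings.append({"actor": actor, "role": role, "severity": "medium",
                             "reason": f"{n} activations of the same role in the window"})
    return findings


def make_record(op, service, actor, role, when, app=False):
    """Constructed directoryAudits-shaped record for the sample below (test data)."""
    initiated = ({"app": {"appId": "00000000-0000-0000-0000-0000000000aa", "displayName": actor}}
                 if app else {"user": {"userPrincipalName": actor}})
    return {"activityDisplayName": op, "loggedByService": service, "activityDateTime": when,
            "initiatedBy": initiated,
            "targetResources": [
                {"type": "User", "userPrincipalName": "target@example.com",
                 "modifiedProperties": [{"displayName": "Role.DisplayName",
                                         "newValue": json.dumps(role)}]},
                {"type": "Role", "displayName": role}]}


# Constructed sample: three JIT activations by alice (plus the MS-PIM write behind
# one of them), a direct assignment by bob, and one by an automation app.
SAMPLE = [
    make_record(PIM_ACTIVATION_OP, "PIM", "alice@example.com", "Global Administrator", "2024-05-01T08:00:00Z"),
    make_record("Add member to role", "Core Directory", PIM_SERVICE_APP, "Global Administrator", "2024-05-01T08:00:01Z", app=True),
    make_record(PIM_ACTIVATION_OP, "PIM", "alice@example.com", "Global Administrator", "2024-05-01T12:00:00Z"),
    make_record(PIM_ACTIVATION_OP, "PIM", "alice@example.com", "Global Administrator", "2024-05-01T16:00:00Z"),
    make_record("Add member to role", "Core Directory", "bob@example.com", "Global Administrator", "2024-05-01T09:30:00Z"),
    make_record("Add member to role", "Core Directory", "automation-sp", "Privileged Role Administrator", "2024-05-01T10:00:00Z", app=True),
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"[{f['severity']}] {f['actor']} -> {f['role']}: {f['reason']}")
```

On the sample this reports bob's direct Global Administrator assignment, two findings for the automation app (outside PIM, and app-initiated), and alice's three activations in one day, while the MS-PIM write is ignored. In production, feed it the `directoryAudits` records for a time window and join the activation findings to the sign-in log to check that MFA was actually performed.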
Cross-Links