Azure AD Privileged Identity Manager for Azure RBAC

Azure AD Privileged Identity Manager (PIM) is a security service that helps organizations manage, monitor and control access to sensitive, important resources in Azure, Azure AD, Microsoft Online Services such as Office 365 and Intune.

Why Organizations use Azure AD PIM?

It’s important for an organization to limit the people who can access organizations’ resources to secure important data. This will reduce the chance of conducting malicious actions by gain access to resources. However, users still need to perform administrative tasks in Azure, Office 365 and etc. With Azure AD PIM we can oversight and see what those users are doing with there administrative privileges.


Infrakloud organization is using Azure to host their applications to customers. They also use Office 365 and Intune for email and Mobile Device Management(MDM). Lidia Holloway is an administrator who manged Azure subscription and overall she is the owner of the subscription and has access to all services and resources.

Mike Green is a newly recruited administrator and he is responsible for managing the Virtual Machines inside the subscription. He has full access to Virtual Machine service and resources.

So let’s revisit the above two requirements, we can identify a few important facts as highlighted. So we can identify above users are privileged users and they can perform an administrative task that allows them to delete or create resources. Therefor above users are ideal candidates for Azure AD PIM. We can implement Azure AD PIM to elevate the permission when they need to perform those administrative tasks and after they complete it permission will revoke back from the user.

Lets see how we can accomplished above requirnments

If its the first time your going to use PIM please follow below documentations

Search for Privileged Identity Manager in the Azure portal. You can find the service as shown below.

In PIM blade under Mange click Azure Resources as below

If this is the first time then click discover resources and select the Azure subscription you wish to enable PIM.

Next under the Manage select Roles, then on the right side, we can see all the RBAC roles are available for PIM.

To full fill for our first requirement for Lidia as she is the owner for the Azure subscription he need have access to all services and resources. To give full access we have to select the Contributor role as below

Next after selecting the role we need to assign users to this role who has permissions to escalate privilege when requires. We can add users by clicking Add Members as below

Under new assignment in contributor, click select a member or group we need to select a user/group who wish to grant contributor access.

Next, we have to configure membership settings. In there we need to set up two settings, Assignment Type is the method we grant permission type. There are two options Active and Eligible.

If you select Active the permission is active from that moment till the assignment ends. If you select an Eligible user is eligible for the privileged permissions but he/she need to request or activate from the portal.

Under the second configuration, we need to specify when he/she are eligible or active the permission

After both are configured then we can add the user as a new assignment.

After adding completed we can see it as below under eligible roles.

Next I log as Lidia to Azure portal and we can identify that she doesn’t have subscription access.

Now let activate PIM for Linda by going the PIM service in Azure. In PIM console under my roles then under Azure Resources we can find Linda as an eligible user.

From eligible roles, she can activate the contributor permission for the allowed subscription

In the request process, we need to provide the reason for the activation of the role and time required to perform specific task

After activated, the request is forwarded for the administrator’s approval. As an administrator, you can find the requests in PIM console under Approve Requests.

Then Select Azure Resources

As an administrator you can see request for role activations. Select the request and review the activation reason and approved the resource.

After the approved process succeeded Linda can see the role is activated. Now she can perform her tasks. So after the task completed she can deactivate the role manually from the console or when the role end-time role permissions are revoked automatically.