Start using Privileged Identity Management

With Privileged Identity Management (PIM), you can manage, control, and monitor access within your Azure Active Directory (Azure AD) organization. This scope includes access to Azure resources, Azure AD, and other Microsoft online services like Office 365 or Microsoft Intune.

This article describes how to enable and get started using Privileged Identity Management.

Prerequisites

To use Privileged Identity Management, you must have one of the following licenses:

  • Azure AD Premium P2
  • Enterprise Mobility + Security (EMS) E5

For more information, see License requirements to use Privileged Identity Management.

First person to use PIM

If you're the first person to use Privileged Identity Management in your directory, you are automatically assigned the Security Administrator and Privileged Role Administrator roles in the directory. Only privileged role administrators can manage Azure AD role assignments of users. In addition, you may choose to run the security wizard that walks you through the initial discovery and assignment experience.

Enable PIM

To start using Privileged Identity Management in your directory, you must first enable Privileged Identity Management.

  1. Sign in to the Azure portal as a Global Administrator of your directory.

    You must be a Global Administrator with an organizational account (for example, @yourdomain.com), not a Microsoft account (for example, @outlook.com), to enable Privileged Identity Management for a directory.

  2. Click All services and find the Azure AD Privileged Identity Management service.

    Azure AD Privileged Identity Management in All services

  3. Click to open the Privileged Identity Management Quickstart.

  4. In the list, click Consent to PIM.

    Consent to Privileged Identity Management to enable Privileged Identity Management

  5. Click Verify my identity to verify your identity with Azure MFA. You'll be asked to pick an account.

    Pick an account window to verify your identity

  6. If more information is required for verification, you'll be guided through the process. For more information, see Get help with two-step verification.

    More information required window if your organization needs more information

    For example, you might be asked to provide phone verification.

    Additional security verification page asking how to contact you

  7. Once you have completed the verification process, click the Consent button.

  8. In the message that appears, click Yes to consent to the Privileged Identity Management service.

    Consent to Privileged Identity Management message to complete consent process

Sign up PIM for Azure AD roles

Once you have enabled Privileged Identity Management for your directory, you'll need to sign up Privileged Identity Management to manage Azure AD roles.

  1. Open Azure AD Privileged Identity Management.

  2. Click Azure AD roles.

    Sign up Privileged Identity Management for Azure AD roles

  3. Click Sign up.

  4. In the message that appears, click Yes to sign up Privileged Identity Management to manage Azure AD roles.

    Sign up Privileged Identity Management for Azure AD roles message

    When sign up completes, the Azure AD options will be enabled. You might need to refresh the portal.

    For information about how to discover and select the Azure resources to protect with Privileged Identity Management, see Discover Azure resources to manage in Privileged Identity Management.

Once Privileged Identity Management is set up, you can start your identity management tasks.

Navigation window in Privileged Identity Management showing Tasks and Manage options

Tasks and Manage options:

  • My roles: Displays a list of eligible and active roles assigned to you. This is where you can activate any assigned eligible roles.
  • My requests: Displays your pending requests to activate eligible role assignments.
  • Approve requests: Displays a list of requests to activate eligible roles by users in your directory that you are designated to approve.
  • Review access: Lists active access reviews you are assigned to complete, whether you're reviewing access for yourself or someone else.
  • Azure AD roles: Displays a dashboard and settings for privileged role administrators to manage Azure AD role assignments. This dashboard is disabled for anyone who isn't a privileged role administrator. These users have access to a special dashboard titled My view. The My view dashboard only displays information about the user accessing the dashboard, not the entire tenant.
  • Azure resources: Displays a dashboard and settings for privileged role administrators to manage Azure resource role assignments. This dashboard is disabled for anyone who isn't a privileged role administrator. These users have access to a special dashboard titled My view. The My view dashboard only displays information about the user accessing the dashboard, not the entire tenant.
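The "My roles" task above (list your eligible assignments, then activate one just-in-time) can also be driven from Microsoft Graph PowerShell. This is an added example, not code from the article or from Microsoft; it assumes the Microsoft.Graph.Identity.Governance and Microsoft.Graph.Users modules are installed, that the signed-in user already holds an eligible assignment for $RoleName, and that the justification text is a constructed sample.

```powershell
# Added example: the "My roles" flow (list eligibilities, self-activate one) via Graph PowerShell.
# Assumptions: Microsoft.Graph.Identity.Governance + Microsoft.Graph.Users are installed and the
# signed-in user is eligible for $RoleName. The justification is a constructed sample value.
param(
    [string]$RoleName      = 'Security Administrator',
    [string]$Justification = 'Ticket INC-0000 (sample): review sign-in risk policy'
)

# Delegated scopes for reading eligibilities and submitting an activation request.
Connect-MgGraph -Scopes 'RoleEligibilitySchedule.Read.Directory',
                        'RoleAssignmentSchedule.ReadWrite.Directory',
                        'RoleManagement.Read.Directory', 'User.Read'

# Resolve the signed-in principal; the "My roles" view is scoped to this object id only.
$me = Get-MgUser -UserId (Get-MgContext).Account

# Equivalent of the "My roles" list: every eligible Azure AD role held by this principal.
$eligible = Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance `
    -Filter "principalId eq '$($me.Id)'" -ExpandProperty roleDefinition
$eligible | Select-Object @{n='Role'; e={ $_.RoleDefinition.DisplayName }},
                          DirectoryScopeId, EndDateTime | Format-Table

$target = $eligible | Where-Object { $_.RoleDefinition.DisplayName -eq $RoleName }
if (-not $target) {
    throw "No eligible assignment for '$RoleName'. Only a Privileged Role Administrator can grant one."
}

# Self-activate for a bounded window (one hour). PIM records the justification in the audit log
# and, depending on role settings, may require MFA or route the request to an approver.
$request = @{
    action           = 'selfActivate'
    principalId      = $me.Id
    roleDefinitionId = $target.RoleDefinitionId
    directoryScopeId = $target.DirectoryScopeId
    justification    = $Justification
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = 'afterDuration'; duration = 'PT1H' }
    }
}
$result = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $request

# 'Provisioned' means the role is active now; 'PendingApproval' means it shows under "My requests"
# until a designated approver acts on it (the "Approve requests" task).
"Request $($result.Id): $($result.Status)"
```

If the role's PIM settings require approval, the activation only becomes active after an approver completes it, which is the same path the portal's "Approve requests" task follows.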

Add a PIM tile to the dashboard

To make it easier to open Privileged Identity Management, you should add a Privileged Identity Management tile to your Azure portal dashboard.

  1. Sign in to the Azure portal.

  2. Click All services and find the Azure AD Privileged Identity Management service.

    Azure AD Privileged Identity Management in All services

  3. Click to open the Privileged Identity Management Quickstart.

  4. Check Pin blade to dashboard to pin the Privileged Identity Management Quickstart blade to the dashboard.

    Pushpin icon to pin Privileged Identity Management blade to dashboard

    On the Azure dashboard, you'll see a tile like this:

    Privileged Identity Management Quickstart tile on dashboard

Next steps