Start using Privileged Identity Management

This article describes how to enable Privileged Identity Management (PIM) and get started using it.

Use Privileged Identity Management (PIM) to manage, control, and monitor access within your Azure Active Directory (Azure AD) organization. With PIM you can provide as-needed and just-in-time access to Azure resources, Azure AD resources, and other Microsoft online services like Microsoft 365 or Microsoft Intune.

Prerequisites

To use Privileged Identity Management, you must have one of the following licenses:

  • Azure AD Premium P2
  • Enterprise Mobility + Security (EMS) E5

For more information, see License requirements to use Privileged Identity Management.

Note

When a user who holds an active privileged role in an Azure AD organization with a Premium P2 license goes to Roles and administrators in Azure AD and selects a role (or simply visits Privileged Identity Management):

  • PIM is enabled automatically for the organization
  • From then on, the role assignment experience offers a choice between a "regular" (active) role assignment and an eligible role assignment

Enabling PIM has no other effect on your organization. It adds assignment options, such as active versus eligible assignments with a start and end time, and lets you scope role assignments using Administrative Units and custom roles. If you are a Global Administrator or Privileged Role Administrator, you might start receiving a few additional emails, such as the PIM weekly digest. You might also see the MS-PIM service principal in the audit log as the actor on role assignment events. This is expected and should have no effect on your workflow; if you alert on role assignment changes, account for MS-PIM as a legitimate actor rather than treating it as an unknown principal.

Prepare PIM for Azure AD roles

Here are the tasks we recommend for you to prepare Privileged Identity Management to manage Azure AD roles:

  1. Configure Azure AD role settings.
  2. Give eligible assignments.
  3. Allow eligible users to activate their Azure AD role just-in-time.
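The three preparation steps above, carried out with the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.Governance module). This is an added example, not code from the original page; it assumes the signed-in account holds the Privileged Role Administrator role, and the placeholder user object ID, role name and durations are assumptions you replace with your own values.

```powershell
# Added example: prepare PIM for an Azure AD role with Microsoft Graph PowerShell.
# Requires: Install-Module Microsoft.Graph.Identity.Governance
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory"

$principalId = "00000000-0000-0000-0000-000000000000"   # placeholder: object ID of the user to make eligible
$roleName    = "Security Administrator"                  # placeholder: any built-in or custom Azure AD role

$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"

# Step 1: configure role settings. Each role has a PIM policy attached at directory scope ("/");
# here we cap self-activation at 4 hours via the role's Expiration_EndUser_Assignment rule.
$policyAssignment = Get-MgPolicyRoleManagementPolicyAssignment `
    -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$($role.Id)'"
Update-MgPolicyRoleManagementPolicyRule `
    -UnifiedRoleManagementPolicyId $policyAssignment.PolicyId `
    -UnifiedRoleManagementPolicyRuleId "Expiration_EndUser_Assignment" `
    -BodyParameter @{
        "@odata.type"        = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"
        isExpirationRequired = $true
        maximumDuration      = "PT4H"
    }

# Step 2: give an eligible assignment (adminAssign) that expires after 180 days.
# Eligible means the user holds nothing until they activate, which is the point of PIM.
$eligibility = @{
    Action           = "adminAssign"
    Justification    = "Eligible for on-call security administration"
    RoleDefinitionId = $role.Id
    DirectoryScopeId = "/"
    PrincipalId      = $principalId
    ScheduleInfo     = @{
        StartDateTime = (Get-Date).ToUniversalTime()
        Expiration    = @{ Type = "afterDuration"; Duration = "P180D" }
    }
}
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $eligibility

# Step 3: the eligible user activates just-in-time (run as that user, not as the admin).
# The requested duration cannot exceed the maximumDuration set in step 1.
$activation = @{
    Action           = "selfActivate"
    PrincipalId      = $principalId
    RoleDefinitionId = $role.Id
    DirectoryScopeId = "/"
    Justification    = "Investigating alert INC-0000"                 # placeholder ticket reference
    ScheduleInfo     = @{
        StartDateTime = (Get-Date).ToUniversalTime()
        Expiration    = @{ Type = "afterDuration"; Duration = "PT2H" }
    }
    TicketInfo       = @{ TicketNumber = "INC-0000"; TicketSystem = "ServiceNow" }
}
New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $activation

# Verify: list eligibility and active assignment instances for the principal.
Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -Filter "principalId eq '$principalId'"
Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance  -Filter "principalId eq '$principalId'"
```

The same requests map one-to-one onto the Graph endpoints roleManagement/directory/roleEligibilityScheduleRequests and roleManagement/directory/roleAssignmentScheduleRequests, so the same bodies work from any REST client. If the role's policy also requires approval (the Approval_EndUser_Assignment rule), the selfActivate request stays pending until an approver acts on it under Approve requests.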

Prepare PIM for Azure roles

Here are the tasks we recommend for you to prepare Privileged Identity Management to manage Azure roles for a subscription:

  1. Discover Azure resources.
  2. Configure Azure role settings.
  3. Give eligible assignments.
  4. Allow eligible users to activate their Azure roles just-in-time.
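The same preparation for an Azure resource role, this time against a subscription with the Az PowerShell module (Az.Resources), where PIM requests are Azure Resource Manager objects rather than Graph objects. This is an added example and not code from the original page; the subscription name, principal object ID, role name and durations are placeholders, and the account running it is assumed to be an Owner or User Access Administrator on the subscription.

```powershell
# Added example: prepare PIM for an Azure role on a subscription with Az PowerShell.
# Requires: Install-Module Az.Resources
Connect-AzAccount

$principalId = "00000000-0000-0000-0000-000000000000"   # placeholder: user or group object ID
$roleName    = "Contributor"                             # placeholder: any Azure RBAC role

# Step 1: discover the Azure resource to manage. PIM works at any ARM scope (management group,
# subscription, resource group, resource); a subscription is used here.
$sub   = Get-AzSubscription -SubscriptionName "Production"   # placeholder subscription name
$scope = "/subscriptions/$($sub.Id)"

# Step 2: review role settings. Each role at this scope has a role management policy;
# list them so you can confirm activation limits before handing out eligibility.
Get-AzRoleManagementPolicyAssignment -Scope $scope |
    Where-Object { $_.RoleDefinitionDisplayName -eq $roleName } |
    Select-Object RoleDefinitionDisplayName, PolicyId

# Step 3: give an eligible assignment. RoleDefinitionId must be the full ARM resource ID.
$roleDef   = Get-AzRoleDefinition -Name $roleName
$roleDefId = "$scope/providers/Microsoft.Authorization/roleDefinitions/$($roleDef.Id)"

New-AzRoleEligibilityScheduleRequest `
    -Name (New-Guid).Guid `
    -Scope $scope `
    -PrincipalId $principalId `
    -RoleDefinitionId $roleDefId `
    -RequestType AdminAssign `
    -ScheduleInfoStartDateTime (Get-Date).ToUniversalTime() `
    -ExpirationType AfterDuration `
    -ExpirationDuration "P365D" `
    -Justification "Eligible for production change windows"

# Step 4: the eligible user activates just-in-time (run as that user).
# Duration must stay within the maximum allowed by the role settings from step 2.
New-AzRoleAssignmentScheduleRequest `
    -Name (New-Guid).Guid `
    -Scope $scope `
    -PrincipalId $principalId `
    -RoleDefinitionId $roleDefId `
    -RequestType SelfActivate `
    -ScheduleInfoStartDateTime (Get-Date).ToUniversalTime() `
    -ExpirationType AfterDuration `
    -ExpirationDuration "PT2H" `
    -Justification "Change CHG-0000"                    # placeholder change reference
    -TicketNumber "CHG-0000" -TicketSystem "ServiceNow"

# Verify: what the current user is eligible for, and what is currently active, at this scope.
Get-AzRoleEligibilityScheduleInstance -Scope $scope -Filter "asTarget()"
Get-AzRoleAssignmentScheduleInstance  -Scope $scope -Filter "asTarget()"
```

Note the difference from the Azure AD role case: here the request is a PUT on {scope}/providers/Microsoft.Authorization/roleEligibilityScheduleRequests/{guid}, so the request name is a GUID you generate, and the resulting assignment shows up in the subscription's activity log rather than the Azure AD audit log.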

Once Privileged Identity Management is set up, you can learn your way around.

Navigation window in Privileged Identity Management showing Tasks and Manage options

Task + Manage: Description

My roles: Displays a list of eligible and active roles assigned to you. This is where you activate any eligible roles you have been assigned.

My requests: Displays your pending requests to activate eligible role assignments.

Approve requests: Displays a list of requests to activate eligible roles by users in your directory that you are designated to approve.

Review access: Lists active access reviews you are assigned to complete, whether you're reviewing access for yourself or for someone else.

Azure AD roles: Displays a dashboard and settings for Privileged Role Administrators to manage Azure AD role assignments. This dashboard is disabled for anyone who isn't a Privileged Role Administrator. Those users instead get a dashboard titled My view, which only displays information about the user accessing it, not the entire organization.

Azure resources: Displays a dashboard and settings for Privileged Role Administrators to manage Azure resource role assignments. As with Azure AD roles, this dashboard is disabled for anyone who isn't a Privileged Role Administrator; those users see the My view dashboard, scoped to their own information only.

Add a PIM tile to the dashboard

To make it easier to open Privileged Identity Management, add a PIM tile to your Azure portal dashboard.

  1. Sign in to the Azure portal.

  2. Select All services and find the Azure AD Privileged Identity Management service.

    Azure AD Privileged Identity Management in All services

  3. Select the Privileged Identity Management Quick start.

  4. Select Pin blade to dashboard to pin the Privileged Identity Management Quick start page to the dashboard.

    Pushpin icon to pin Privileged Identity Management page to dashboard

    On the Azure dashboard, you'll see a tile like this:

    Privileged Identity Management Quick start tile on dashboard

Next steps