Start using Privileged Identity Management
This article describes how to enable Privileged Identity Management (PIM) and get started using it.
Use Privileged Identity Management (PIM) to manage, control, and monitor access within your Azure Active Directory (Azure AD) organization. With PIM you can provide as-needed and just-in-time access to Azure resources, Azure AD resources, and other Microsoft online services like Microsoft 365 or Microsoft Intune.
To use Privileged Identity Management, you must have one of the following licenses:
- Azure AD Premium P2
- Enterprise Mobility + Security (EMS) E5
For more information, see License requirements to use Privileged Identity Management.
When a user who is active in a privileged role in an Azure AD organization with a Premium P2 license goes to Roles and administrators in Azure AD and selects a role (or even just visits Privileged Identity Management):
- We automatically enable PIM for the organization
- Their experience is now that they can either assign a "regular" role assignment or an eligible role assignment
When PIM is enabled it doesn't have any other effect on your organization that you need to worry about. It gives you additional assignment options such as active vs eligible with start and end time. PIM also enables you to define scope for role assignments using Administrative Units and custom roles. If you are a Global Administrator or Privileged Role Administrator, you might start getting a few additional emails like the PIM weekly digest. You might also see MS-PIM service principal in the audit log related to role assignment. This is an expected change that should have no effect on your workflow.
Prepare PIM for Azure AD roles
Here are the tasks we recommend for you to prepare Privileged Identity Management to manage Azure AD roles:
- Configure Azure AD role settings.
- Give eligible assignments.
- Allow eligible users to activate their Azure AD role just-in-time.
Prepare PIM for Azure roles
Here are the tasks we recommend for you to prepare Privileged Identity Management to manage Azure roles for a subscription:
- Discover Azure resources
- Configure Azure role settings.
- Give eligible assignments.
- Allow eligible users to activate their Azure roles just-in-time.
Navigate to your tasks
Once Privileged Identity Management is set up, you can learn your way around.
|Task + Manage||Description|
|My roles||Displays a list of eligible and active roles assigned to you. This is where you can activate any assigned eligible roles.|
|My requests||Displays your pending requests to activate eligible role assignments.|
|Approve requests||Displays a list of requests to activate eligible roles by users in your directory that you are designated to approve.|
|Review access||Lists active access reviews you are assigned to complete, whether you're reviewing access for yourself or someone else.|
|Azure AD roles||Displays a dashboard and settings for Privileged role administrators to manage Azure AD role assignments. This dashboard is disabled for anyone who isn't a privileged role administrator. These users have access to a special dashboard titled My view. The My view dashboard only displays information about the user accessing the dashboard, not the entire organization.|
|Azure resources||Displays a dashboard and settings for Privileged role administrators to manage Azure resource role assignments. This dashboard is disabled for anyone who isn't a privileged role administrator. These users have access to a special dashboard titled My view. The My view dashboard only displays information about the user accessing the dashboard, not the entire organization.|
Add a PIM tile to the dashboard
To make it easier to open Privileged Identity Management, add a PIM tile to your Azure portal dashboard.
Sign in to the Azure portal.
Select All services and find the Azure AD Privileged Identity Management service.
Select the Privileged Identity Management Quick start.
Select Pin blade to dashboard to pin the Privileged Identity Management Quick start page to the dashboard.
On the Azure dashboard, you'll see a tile like this: