Permission control with Azure


Azure AD PIM allows for effective and secure management of access to privileged roles in the Azure cloud. By keeping privileges time-bound and activated only when needed, it reduces the chance that an attacker or fraudster who compromises an account obtains standing privileged permissions.  

The functionalities of Azure AD PIM include:  

• “Just-in-time” access to Azure resources  

• Allocation of access to privileged roles within a specified time window  

• Approval required to activate access  

• Multi-factor authentication enforced  

• Justification of privileged access  

• Notifications of privileged role activation  

• Access reviews of roles  

• History of activations and accesses  

• Safeguard against the loss of access to the Global Administrator and Privileged Role Administrator accounts  

Why Privileged Identity Management?

In today’s dynamic IT environment, data is a crucial asset for every organization. Protecting access to sensitive data should be a priority. As the number of users and permissions increases, managing access and privileged roles becomes more complex. In particular, administrative and privileged accounts should be protected, as they have the ability to access large amounts of sensitive data. The identity of an administrator and high-level permissions are also a target for unauthorized individuals who want to harm your organization. Therefore, it is necessary to secure your environment in accordance with the principle of least privilege.  

Access Management in PIM

Access to PIM is granted for:  

  • Users 
  • Groups 
  • SPN (service principals) 

Depending on how granular the permissions should be, PIM allows for the specification of “Scope Tags” in addition to roles:  

  • Azure AD Roles 
    • Directory 
    • Administrative Unit 
    • Application 
    • Service Principal 
  • Azure AD Groups
    • Owner 
    • Member 
  • Azure resources 
    • Management Group 
    • Subscription 
    • Resource Group 
    • Resource 

Types of assignments:

• Eligible – the user must activate the role before using it. Activation may require MFA, providing a business justification, or requesting approval from authorized users.  

• Active – activation is not required. The role is active all the time.  

Role assignments can also be time-limited. Settings allow for the definition of a time interval for role assignment (start and end date of assignment). Let’s follow the process of assigning the “Application Administrator” role to one of the IT department employees for the next week. Their task is to make changes to the organization’s applications. You can perform a new role assignment in PIM > Azure AD roles > Roles using the “Add assignments” button. 

In the “Select role” window, we select the “Application Administrator” role. In “Scope tags,” we leave the option as “Directory” because we do not want to limit administrative access to specific applications. 

The “Next” button will take us to the assignment settings. We choose the Eligible Assignment type (we want the user to activate the role before using it) and the start and end dates – in this case, it will be a week. Click “Assign”. 

In the PIM > Azure AD Roles > Settings tab, we customize the requirements, alerts, and assignment details for a given role. 

Assignments can be viewed and managed in the “Assignments” tab. 
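The same week-long Eligible assignment of “Application Administrator” at Directory scope can be created programmatically instead of through the portal. The Python below is an added example, not code from this article or from Cloudica; it assumes the Microsoft Graph v1.0 endpoints roleManagement/directory/roleEligibilityScheduleRequests (for Eligible assignments) and roleManagement/directory/roleAssignmentScheduleRequests (for Active ones), and the user object ID, role definition ID and access token are placeholders you would look up in your own tenant.

```python
"""Build and submit a PIM role assignment request via Microsoft Graph.

Added example for this article; not Cloudica's or Microsoft's own code.
Assumes the Graph v1.0 roleManagement/directory schedule-request endpoints.
Principal ID, role definition ID and token are placeholders.
"""
import json
import urllib.request
from datetime import datetime, timedelta, timezone

GRAPH = "https://graph.microsoft.com/v1.0/roleManagement/directory"

# Eligible = user must activate before use; Active = role is on all the time.
ENDPOINTS = {
    "Eligible": f"{GRAPH}/roleEligibilityScheduleRequests",
    "Active": f"{GRAPH}/roleAssignmentScheduleRequests",
}


def _iso(dt: datetime) -> str:
    """Graph expects UTC timestamps in ISO 8601 form with a trailing Z."""
    if dt.tzinfo is None:
        raise ValueError("use a timezone-aware datetime")
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_schedule_request(assignment_type, principal_id, role_definition_id,
                           start, days, justification, directory_scope_id="/"):
    """Return (endpoint, request body) for a time-bound role assignment.

    directory_scope_id "/" is the Directory scope from the article; a narrower
    scope would be an administrative unit or application object ID. A positive
    number of days is required so that no permanent assignment is created.
    """
    if assignment_type not in ENDPOINTS:
        raise ValueError("assignment_type must be 'Eligible' or 'Active'")
    if days <= 0:
        raise ValueError("assignment must be time-bound (days > 0)")
    end = start + timedelta(days=days)
    body = {
        "action": "adminAssign",
        "justification": justification,
        "roleDefinitionId": role_definition_id,
        "directoryScopeId": directory_scope_id,
        "principalId": principal_id,
        "scheduleInfo": {
            "startDateTime": _iso(start),
            "expiration": {"type": "afterDateTime", "endDateTime": _iso(end)},
        },
    }
    return ENDPOINTS[assignment_type], body


def submit(endpoint, body, access_token):
    """POST the request with a bearer token obtained separately (not run here)."""
    req = urllib.request.Request(
        endpoint,
        data=json.dumps(body).encode(),
        method="POST",
        headers={
            "Authorization": f"Bearer {access_token}",
            "Content-Type": "application/json",
        },
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed scenario from the article: one week of eligible access.
EXAMPLE_START = datetime(2023, 3, 23, 10, 0, tzinfo=timezone.utc)


def example_request():
    """The article's scenario with placeholder IDs (no network call)."""
    return build_schedule_request(
        "Eligible",
        principal_id="<placeholder-user-object-id>",
        role_definition_id="<placeholder-application-administrator-role-definition-id>",
        start=EXAMPLE_START,
        days=7,
        justification="Application changes for the IT department, one week",
    )


if __name__ == "__main__":
    endpoint, body = example_request()
    print(endpoint)
    print(json.dumps(body, indent=2))
```

The role definition ID can be resolved with a GET on roleManagement/directory/roleDefinitions filtered by display name, and the user's activation of the eligible role later appears as a separate request that PIM records in the activation history mentioned above.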

Access reviews 

“Access Reviews” is a tool that allows for periodic reviews to identify and remove unnecessary permissions, minimizing the risk of unauthorized access. The results of the reviews are recorded and documented in Azure PIM, allowing for auditing and monitoring of permission changes. If inappropriate permissions are identified, administrators can quickly take corrective actions such as removing or restricting a user’s permissions. The “Access Reviews” option is only available for Azure AD roles and Azure resources and is currently not available for Azure AD groups.  
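To make the kind of finding an access review surfaces concrete, here is an added Python example (not code from this article or from Cloudica) that scans role assignment records for standing privileged access and for the Global Administrator lockout risk the feature list mentions. The records are constructed to mimic the fields of the Microsoft Graph roleManagement/directory/roleAssignmentScheduleInstances response (principalId, roleDefinitionId, directoryScopeId, assignmentType, startDateTime, endDateTime); all IDs are placeholders, and the rule that at least two accounts should hold Global Administrator is this example's own threshold, not something the article states.

```python
"""Review role assignment records for standing privileged access.

Added example for this article; not Cloudica's or Microsoft's own code.
Record shape mimics Graph roleAssignmentScheduleInstances; IDs are placeholders.
"""

# Constructed sample data (placeholder principal and role IDs).
SAMPLE_INSTANCES = [
    {"principalId": "user-alice", "roleDefinitionId": "role-global-admin",
     "directoryScopeId": "/", "assignmentType": "Assigned",
     "startDateTime": "2022-01-10T08:00:00Z", "endDateTime": None},
    {"principalId": "user-bob", "roleDefinitionId": "role-app-admin",
     "directoryScopeId": "/", "assignmentType": "Activated",
     "startDateTime": "2023-03-23T10:00:00Z", "endDateTime": "2023-03-23T18:00:00Z"},
    {"principalId": "user-carol", "roleDefinitionId": "role-app-admin",
     "directoryScopeId": "/", "assignmentType": "Assigned",
     "startDateTime": "2021-06-01T00:00:00Z", "endDateTime": None},
    {"principalId": "user-dave", "roleDefinitionId": "role-helpdesk",
     "directoryScopeId": "/", "assignmentType": "Assigned",
     "startDateTime": "2021-06-01T00:00:00Z", "endDateTime": None},
]

# Placeholder role IDs mapped to display names.
ROLE_NAMES = {
    "role-global-admin": "Global Administrator",
    "role-app-admin": "Application Administrator",
    "role-helpdesk": "Helpdesk Administrator",
}

# Roles this review treats as privileged (assumption for the example).
PRIVILEGED_ROLES = {
    "Global Administrator",
    "Privileged Role Administrator",
    "Application Administrator",
}

# Example's own threshold to avoid losing access to the tenant.
MIN_GLOBAL_ADMINS = 2


def find_standing_access(instances, role_names=ROLE_NAMES,
                         privileged_roles=PRIVILEGED_ROLES):
    """Flag permanent Active assignments to privileged roles.

    assignmentType "Assigned" is an Active assignment; "Activated" is an
    Eligible assignment the user switched on just-in-time, which is exactly
    the behaviour PIM is meant to enforce, so it is not flagged.
    """
    findings = []
    for inst in instances:
        role = role_names.get(inst["roleDefinitionId"], inst["roleDefinitionId"])
        if role not in privileged_roles:
            continue
        if inst["assignmentType"] == "Assigned" and inst.get("endDateTime") is None:
            findings.append({
                "principalId": inst["principalId"],
                "role": role,
                "scope": inst["directoryScopeId"],
                "issue": "permanent Active assignment",
                "recommendation": "convert to a time-bound Eligible assignment",
            })
    return findings


def count_holders(instances, role, role_names=ROLE_NAMES):
    """Count distinct principals currently holding a role (any assignment type)."""
    return len({i["principalId"] for i in instances
                if role_names.get(i["roleDefinitionId"]) == role})


def review(instances):
    """Produce a small report: standing-access findings plus lockout risk."""
    holders = count_holders(instances, "Global Administrator")
    return {
        "findings": find_standing_access(instances),
        "global_admin_holders": holders,
        "global_admin_lockout_risk": holders < MIN_GLOBAL_ADMINS,
    }


if __name__ == "__main__":
    report = review(SAMPLE_INSTANCES)
    for f in report["findings"]:
        print(f"{f['principalId']}: {f['role']} at {f['scope']} - {f['issue']}; "
              f"{f['recommendation']}")
    print("Global Administrator holders:", report["global_admin_holders"],
          "(lockout risk)" if report["global_admin_lockout_risk"] else "")
```

Run against the sample, the review flags Alice's permanent Global Administrator assignment and Carol's permanent Application Administrator assignment, leaves Bob's just-in-time activation alone, ignores Dave's non-privileged role, and reports that only one account holds Global Administrator.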

Let’s create an example access review for the “Application Administrator” role (PIM > Azure AD Roles > Access Reviews > New). 

Reviews can be customized to suit specific needs. In this case, a two-day review that takes place weekly has been configured. It applies to all users and groups and all types of assignments. The result of the review looks as follows: 


Azure Privileged Identity Management (PIM) is an important tool offered by the Microsoft Azure platform. It enables effective management of roles and permissions, while minimizing the risk of identity takeover attacks. With PIM, your permissions will be organized and transparent. It is definitely a solution worth trying! 

