Permission control with Azure


Azure AD PIM allows for effective and secure management of access to privileged roles in the Azure cloud. This solution reduces the possibility of a hacker or fraudster obtaining permissions.  

The functionalities of Azure AD PIM include:  

• “Just-in-time” access to Azure resources  

• Allocation of access to privileged roles within a specified time window  

• Approval required to activate access  

• Multi-factor authentication enforced  

• Justification of privileged access  

• Notifications of privileged role activation  

• Access reviews of roles  

• History of activations and accesses  

• Safeguard against the loss of access to the Global Administrator and Privileged Role Administrator accounts  

Why Privileged Identity Management?

In today’s dynamic IT environment, data is a crucial asset for every organization. Protecting access to sensitive data should be a priority. As the number of users and permissions increases, managing access and privileged roles becomes more complex. In particular, administrative and privileged accounts should be protected as they have the ability to access large amounts of sensitive data. The identity of an administrator and high-level permissions are also a target for unauthorized individuals who want to harm your organization. Therefore, it is necessary to secure your environment in accordance with the “The principle of least privilege.”  

Access Management in PIM

Access to PIM is granted for:  

  • Users 
  • Groups 
  • SPN (service principals) 

Depending on how granular the permissions should be, PIM allows for the specification of “Scope Tags” in addition to roles:  

  • Azure AD Roles 
    • Directory 
    • Administrative Unit 
    • Application 
    • Service Principal 
  • Azure AD Groups
    • Owner 
    • Member 
  • Azure resources 
    • Management Group 
    • Subscription 
    • Resource Group 
    • Resource 

Types of assignments:

• Eligible – the user must activate their permissions before accessing. Activation may require MFA, providing business justification, or requesting approval from authorized users.  

• Active – activation is not required. The role is active all the time.  

Role assignments can also be time-limited. Settings allow for the definition of a time interval for role assignment (start and end date of assignment). Let’s follow the process of assigning the “Application Administrator” role to one of the IT department employees for the next week. Their task is to make changes to the organization’s applications. You can perform a new role assignment in PIM > Azure AD roles > Roles using the “Add assignments” button. 

In the “Select role” window, we select the “Application Administrator” role. In “Scope tags,” we leave the option as “Directory” because we do not want to limit administrative access to specific applications. 

The “Next” button will take us to the assignment settings. We choose the Eligible Assignment type (we want the user to activate the role before using it) and the start and end dates – in this case, it will be a week. Click “Assign”. 

In the PIM > Azure AD Roles > Settings tab, we customize the requirements, alerts, and assignment details for a given role. 

Assignments can be viewed and managed in the “Assignments” tab. 

Access reviews 

“Access Reviews” is a tool that allows for periodic reviews to identify and remove unnecessary permissions, minimizing the risk of unauthorized access. The results of the reviews are recorded and documented in Azure PIM, allowing for auditing and monitoring of permission changes. If inappropriate permissions are identified, administrators can quickly take corrective actions such as removing or restricting a user’s permissions. The “Access Reviews” option is only available for Azure AD roles and Azure resources and is currently not available for Azure AD groups.  

Let’s create an example access review for the “Application Administrator” role (PIM > Azure AD Roles > Access Reviews > New). 

Reviews can be customized to suit specific needs. In this case, a two-day review that takes place weekly has been configured. It applies to all users and groups and all types of assignments. The result of the review looks as follows: 


Azure Privileged Identity Management (PIM) is an important tool offered by the Microsoft Azure platform. It enables effective management of roles and permissions, while minimizing the risk of identity takeover attacks. With PIM, your permissions will be organized and transparent. It is definitely a solution worth trying! 


Ready to meet the only technology partner you'll ever need?

Cloudica needs the information you provide to contact you about our services. You may unsubscribe from these communications at any time. For information on how to unsubscribe, as well as our privacy practices and commitment to protecting your privacy, please review our Privacy policy.

Once the above questions have been answered, a disaster recovery and backup readiness index can be calculated based on the following scale: 

  • Level 1: Inadequate – The organization has significant gaps in its disaster recovery and backup posture.  
  • Level 2: Developing – The organization has some disaster recovery and backup processes in place, but significant improvements are needed.  
  • Level 3: Mature – The organization has a mature disaster recovery and backup posture, but there is room for improvement.  
  • Level 4: Robust – The organization has a strong disaster recovery and backup posture and is well-prepared to address potential disruptions.  
  • Level 5: Exceptional – The organization has a comprehensive and mature approach to disaster recovery and backup. 

The disaster recovery and backup readiness index can be calculated by assigning a score of 1-5 to each question based on the level of readiness demonstrated. The scores are then averaged across all questions in each category to determine the readiness level for that category. The overall disaster recovery and backup readiness index is calculated by averaging the readiness levels across all categories. 

Level 1: Basic
You have minimal cybersecurity processes in place and face a high risk of cyberattacks. Immediate attention and significant improvements are necessary to enhance your security posture.

Level 2: Developing
You have some cybersecurity processes in place but require substantial improvements to reach a mature state. You should focus on strengthening your policies, procedures, and security controls.

Level 3: Mature
You have a solid cybersecurity posture, but there is still room for improvement. You should continue enhancing your processes, monitoring capabilities, and incident response practices.

Level 4: Advanced
You have a strong cybersecurity posture and are well-prepared to address potential threats. However, you should remain proactive and stay abreast of emerging threats and technologies to maintain your advanced level of security.

Level 5: Leading
You have a comprehensive and mature approach to cybersecurity. You are a leader in cybersecurity best practices and continually innovate to stay ahead of evolving threats.

Dziękujemy za rejestrację!

Link do webinaru otrzymają Państwo mailowo dzień przed spotkaniem.

23 Marca 2023

10:00 via MS Teams

Tomasz Woźniak

Thank you!

To download our e-book „The best way to Outsource IT Staff” click button below