Privileged Identity Management
Unlock the complete study guide + 1,040 practice questions across 16 full exams.
Bundled into the existing Microsoft Certified: Identity and Access Administrator Associate premium course — no separate purchase.
Included in this chapter:
- Eligible vs active, and the JIT activation flow
- Role settings: activation and assignment controls
- PIM for Groups and Azure resource roles
- Break-glass accounts and exam-pattern recognition
PIM scopes and the eligible vs active model
| Dimension | PIM for Microsoft Entra roles | PIM for Azure resources | PIM for Groups |
|---|---|---|---|
| What it makes eligible | Directory roles (Global Admin, etc.), built-in and custom | Azure RBAC roles (Owner, Contributor, UAA) at a scope | Membership or ownership of a security or M365 group |
| Assignment types | Eligible or active; permanent or time-bound | Eligible or active; permanent or time-bound | Eligible or active; one policy each for member and owner |
| Activation requirements | Per-role settings: duration 1-24h, MFA/auth context, justification, ticket, approval | Per-role settings at the chosen scope, same controls | Per-group policy, same controls, set separately for member and owner |
| Who manages it | Privileged Role Administrator or Global Administrator | Subscription admin, resource Owner, or User Access Administrator | Global Admin, Privileged Role Admin, or group Owner |
| Where access lands | Microsoft Entra directory permissions | Azure control-plane permissions at that scope | Whatever the group grants: Entra roles, Azure roles, apps, Key Vault |
Decision tree
Cheat sheet
Unlock with Premium — includes all practice exams and the complete study guide.