Azure AD Privileged Identity Management (PIM) is a service in Entra ID that enables you to manage, control, and monitor access to important resources in your organisation.
It enables the management and monitoring of privileged access within the department.
It allows for implementing strict access controls and ensuring least privilege principles.
Privileged Identity Management (PIM) can provide time-based and approval-based role activation, with following key features:
Provide just-in-time privileged access to Microsoft Entra ID and Azure resources.
Assign time-bound access to resources using start and end dates.
Require approval to activate privileged roles.
Enforce multifactor authentications to activate any role
Use justification to understand why users activate.
Get notification when privileged roles are activated.
Conduct access reviews to ensure users still need roles.
Download audit history for internal or external audit
Prevents removal of the last active Global Administrator role and Privileged Role Administrator role assignments.
PIM is not a solution for setting up the hierarchical structure of management groups, subscriptions, and resource groups.
Enable Principle of Least Possible Privilege, Just-in-Time access, and periodic review access#
Privileged Identity Management (PIM).
It helps enforce the principle of least privilege by providing just-in-time access to Azure AD roles.
It allows users to request elevated access when needed and ensure that high-level permissions are only granted for a limited time.
Access Reviews.
It is essential for periodically reviewing and validating high-level access permissions granted to roles.
By conducting regular access reviews, organisations can ensure that the least possible access and just-in-time access principles are always followed.
Receive alerts based on conditions met in the application#
Azure Monitor.
This is the best fit for ensuring that IT administrators receive alerts based on critical conditions met in the application.
It provides a comprehensive solution for collecting, analysing, and acting on telemetry data from applications and infrastructure.
With Azure Monitor, administrators can set up alerts based on specific metrics, logs, and events to proactively respond to critical conditions.
Other wrong options
Application Insights. This is used for monitoring and analysing the performance and usage of applications.
Azure Advisor. This provides recommendations for optimising Azure resources based on best practices.
Azure Policies. This is used to enforce rules and regulations on Azure resources to ensure compliance with organisational standards and security requirements.
Bicep is a domain-specific language for deploying Azure resources declaratively.
It allows you to define and deploy all the required components, including management groups, subscriptions, and resource groups, in a structured and repeatable way.