DEV Community

Cover image for Let's talk about PIM
Roman Kiprin
Roman Kiprin

Posted on • Updated on

Let's talk about PIM

Yes, Privileged Identity Management. PIM.

This is a technology that Microsoft provides in Entra ID (former Azure AD). I believe this will be an industry standard, just like they did with Active Directory.

Everyone who works with authentication and system integration should know about it!

Let me explain why you might need it!

Imagine that you work with some system. You need to perform administrative tasks with a higher level of access from time to time. However, it is unsafe always to access the system with such permissions: you can devastate it with one wrong command or misclick of a mouse. Or a virus can access the system using your permissions, causing many problems.

Working with Windows Domains, it was a good practice to have two different accounts: one for ordinary stuff and the other for Administrative purposes only.

It was not super convenient, but it helped a lot with segregating the routines and permissions. So, I had a 'user' role most of the time and an 'administrator' when required.

Microsoft has developed that Role assignment significantly since these days in Entra ID (former Azure AD) and Azure Cloud.

So, Entra ID (former Azure AD). Here is the thing.

Any user is allowed to be assigned any Role in Entra ID. There are about 60 buil-in Roles in it. A role is just a set of permissions to perform operations (or REST API calls if you go more profound).

To avoid providing permissions permanently, Microsoft invented PIM. PIM creates a simple but effective concept.

Instead of a permanent Role, the user is provided with PIM eligibility to activate the Role when necessary.

You can use the PIM interface to activate your Global Administrator Entra ID Role when performing a high-level administration task. I'll skip some details... The user's account will receive the requested permissions in a few minutes.

And then, for example, 4 hours later, the Role permissions disappear. Of course, all activations are logged in to your favorite SEIM.


OK. Let's assume there is only one nerd here—myself. But I think it is incredibly cool.

You might think that is all. Nope. It is only the beginning!

Image description

What if you need to elevate a user's permissions not in Entra ID but in some other system that uses Entra ID for authentication?

Here is the honey!

Microsoft developed PIM and another technology called PIM for Groups. These are similar but different technologies.

Instead of providing users with Roles in Entra ID - this technology provides users with temporary membership in Entra ID security groups!

PIM for Groups example

Imagine you have two user groups: "Operators" and "Administrators." Membership in "Operators" gives access to The Best AI-Based Infosystem (TBAIBI). Membership in "Administrators" provides both operator and management-level access to the same TBAIBI.

You can make most of the users members of the "Operators" group and some members of the "Administrators" group...

However, you don't want the administrators always to have their permissions active.

What to do?

You make all the users members of "Operators," and some users, via the same PIM interface of Entra ID, are provided with PIM eligibility to temporarily activate membership of the "Administrators" group.

So, when a user needs to perform administrative operations, he/she goes to the Entra ID Privileged Identity Interface (PIM) and activates membership in a higher permissions group! Entra ID starts considering a user an "Administrator" group member in a few minutes. Since then, the external system (TBAIBI) believes the user is an administrator.

Everything is logged, limited by time, managed by policies, filled with settings, and provided with notifications. And everything works without ANY additional functionality in your precious TBAIBI!

Isn't it cool?

I refuse to believe somebody could read the text until this line and think it was not!

There are several not-so-bright things to mention, though.

The shortfalls of PIM for Groups

Nothing comes free and free from issues, so...

  • This functionality is only available when you buy an Entra ID P2 (or similar) license, which are sold for 9$ per user per month.

  • It is tough to predict when the elevated permissions will take effect. All process layers are cached, and the caches' expiration is a mystery. (You might want to open a new Incognito window to start a new session and get access to elevated permissions without waiting.)

  • This new technology went public several months ago, and automation is not widely available.

Something about automation

Our infrastructure uses Terraform to deploy to Azure Cloud and perform operations with Entra ID security groups and users.

Unfortunately, Terraform (provider for AzureAD) does not support PIM for Groups.

Why bother? Let's use PowerShell to fill the gaps, right?

You could start giggling and smiling at this question only a couple of months ago. By today, Microsoft has released the necessary PowerShell modules to the public, and they have documentation.

Microsoft migrated Entra ID management under the umbrella of Microsoft Graph API. If you managed to ignore it until today, you might want to start paying attention.

There is only one thing that I would like to mention. Microsoft stays fair to itself. :)

Let's assume you must perform an automated call to make a user eligible to activate a privileged security group membership. What name would you give such a call?

I am sure you guessed wrong!

It is called New-MgIdentityGovernancePrivilegedAccessGroupEligibilityScheduleRequest

You can think about what name you would give a reverse operation API. You'll never guess!

But I will write about it in the following article.

Some missed details

I intentionally missed some details to avoid going into the weeds.

  • Both the PIM eligibility and the activation of the PIM eligibility might have an expiration
  • Microsoft did not invent Roles. I remember srvctl / as sysdba on the tips of my thingers. Hello to you, Tom Kyte's readers!

And much more that I might miss unintentionally. Please fill in the gaps in the comments!

UPD. If you are ready to try some PowerShell here is the link to the continuation: How do you automate PIM for Groups? (Part 1 - Setup).

Top comments (0)