Privileged Identity Management (PIM)

Resource Type	Description	Licensing Requirement
Azure AD Roles	Directory roles (Global Admin, Security Admin, etc.)	Azure AD Premium P2
Azure Resource Roles	Subscription, Resource Group, Resource-level roles	Azure AD Premium P2
Privileged Access Groups	PIM-enabled security groups	Azure AD Premium P2

Aspect	Traditional RBAC	PIM
Assignment Duration	Permanent	Time-bound (1-24 hours)
Access Model	Always-on	Just-in-time
Approval Process	None	Configurable workflow
Audit Trail	Basic activity logs	Detailed activation history
MFA Requirement	Optional at sign-in	Can be required per activation
Cost Model	Included in subscription	Requires Premium P2 licensing

Feature/Concept	Summary
Activation Duration	Default 8 hours, maximum 24 hours per role
Approval Workflow	Up to 3 levels of approval, configurable per role
MFA Requirement	Can be enforced per activation, separate from sign-in MFA
Notification Settings	Customizable for activations, approvals, and expirations
Access Reviews	Quarterly or semi-annual reviews recommended for critical roles
Emergency Access	Maintain 2-3 break-glass accounts outside PIM scope
Role Eligibility	Assign to groups rather than individual users when possible
Audit Retention	PIM audit data retained for 30 days in Azure AD logs

¶ Azure Privileged Identity Management (PIM)