PIM, Audit Logs & Identity Governance
Privileged Identity Management limits who has admin power and when. Audit logs track who did what. Identity Secure Score tells you how well you're doing. Together, they keep your tenant safe.
Why identity governance matters
Think of admin roles like master keys in a building.
The more master keys floating around, the higher the risk that one gets lost, stolen, or misused. PIM says: “Don’t give anyone a permanent master key. Instead, give them a temporary key that works for 4 hours, then automatically stops working.”
Audit logs are the security camera recordings — who opened which door, when, and why.
Identity Secure Score is the safety inspector’s report — “You’re doing well on door locks, but you need to add cameras in the parking garage.”
Privileged Identity Management (PIM)
PIM solves a critical problem: standing admin access is a security risk.
Licensing note: PIM requires Microsoft Entra ID P2 or Entra ID Governance. It’s included in M365 E5 but not E3.
How PIM works
| Step | What Happens |
|---|---|
| 1. Eligible | User is made “eligible” for a role (e.g., Global Admin) — but doesn’t have it yet |
| 2. Activate | User requests activation when needed — provides justification |
| 3. Approve (optional) | Another admin approves the request |
| 4. Active | Role is active for a limited time (e.g., 4 hours) |
| 5. Expire | Role automatically deactivates — no manual cleanup needed |

| Feature | Without PIM | With PIM |
|---|---|---|
| Admin access | Permanent — 24/7/365 | Time-limited — activated when needed |
| If account compromised | Attacker has full admin power immediately | Attacker gets basic user access (admin role not active) |
| Accountability | Hard to track who used admin powers | Every activation is logged with justification |
| Stale accounts | Old admins keep access forever | Unused eligible roles get flagged for review |
| Zero Trust alignment | Violates least privilege | Implements least privilege + assume breach |
Scenario: Maya uses PIM at Northwave
Maya is eligible for Global Admin but doesn’t have it permanently:
- Normal day: Maya has User Admin + License Admin (enough for daily work)
- Emergency: A critical config change needs Global Admin → Maya opens PIM → requests activation → enters justification: “Emergency: Fix broken CA policy blocking all sign-ins”
- Approval: Jordan (CISO) gets a notification → approves the request
- Active for 4 hours: Maya makes the fix → role auto-deactivates after 4 hours
- Logged: The full activation chain (request, justification, approval, actions taken) is in the audit log
If Maya’s account is compromised on a normal day, the attacker only gets User Admin — NOT Global Admin.
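The five-step lifecycle in the table above and Maya's walkthrough can be modelled in a few dozen lines, which makes the security property concrete: a role that is eligible but not activated is simply not in the account's effective permissions, and an activated role drops out again on its own when the window closes. The code below is an added example written for this page, an in-memory toy model and not the Entra or Microsoft Graph PIM API; all class and function names (PimTenant, request_activation, active_roles) are assumptions, as are the user names and timestamps.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical in-memory model of the PIM lifecycle:
#   eligible -> activate (with justification) -> approve -> active -> expire.
# This is NOT the Entra/Graph API; every name here is an assumption.


@dataclass
class Activation:
    user: str
    role: str
    justification: str
    requested_at: datetime
    duration: timedelta
    approver: Optional[str] = None   # None = auto-approved (no approver configured)
    start: Optional[datetime] = None  # stays None until the request is approved
    end: Optional[datetime] = None    # fixed at grant time: no manual cleanup


class PimTenant:
    def __init__(self, max_duration: timedelta = timedelta(hours=4)):
        self.permanent: dict[str, set[str]] = {}   # standing roles (what PIM is meant to shrink)
        self.eligible: dict[str, set[str]] = {}    # roles a user may activate
        self.needs_approval: set[str] = set()      # roles gated by a second admin
        self.activations: list[Activation] = []    # every request, decided or not (the audit trail)
        self.max_duration = max_duration

    def assign_permanent(self, user: str, role: str) -> None:
        self.permanent.setdefault(user, set()).add(role)

    def make_eligible(self, user: str, role: str, approval_required: bool = False) -> None:
        # Step 1: the user is eligible but holds nothing yet.
        self.eligible.setdefault(user, set()).add(role)
        if approval_required:
            self.needs_approval.add(role)

    def request_activation(self, user: str, role: str, justification: str,
                           now: datetime, hours: int = 4) -> Activation:
        # Step 2: only eligible users may request, and a justification is mandatory.
        if role not in self.eligible.get(user, set()):
            raise PermissionError(f"{user} is not eligible for {role}")
        if not justification.strip():
            raise ValueError("justification is required")
        duration = min(timedelta(hours=hours), self.max_duration)  # cap at the policy maximum
        act = Activation(user, role, justification, now, duration)
        self.activations.append(act)
        if role not in self.needs_approval:
            self._grant(act, approver=None, now=now)  # no approver configured: grant immediately
        return act

    def approve(self, act: Activation, approver: str, now: datetime) -> None:
        # Step 3: a different admin approves; self-approval and double decisions are rejected.
        if act.start is not None:
            raise ValueError("request already decided")
        if approver == act.user:
            raise PermissionError("self-approval is not allowed")
        self._grant(act, approver, now)

    def _grant(self, act: Activation, approver: Optional[str], now: datetime) -> None:
        act.approver = approver
        act.start = now
        act.end = now + act.duration  # Step 5: expiry is decided now, not by someone remembering later

    def active_roles(self, user: str, now: datetime) -> set[str]:
        # Step 4: an activated role counts only inside its [start, end) window.
        roles = set(self.permanent.get(user, set()))
        for a in self.activations:
            if a.user == user and a.start is not None and a.start <= now < a.end:
                roles.add(a.role)
        return roles

    def audit_trail(self, user: str) -> list[tuple]:
        # (requested, role, justification, approver, expiry) for every request by this user.
        return [(a.requested_at.isoformat(), a.role, a.justification, a.approver,
                 a.end.isoformat() if a.end else None)
                for a in self.activations if a.user == user]


def northwave_scenario() -> dict:
    """Replays Maya's day from the page with constructed timestamps and returns the checkpoints."""
    t = PimTenant()
    t.assign_permanent("maya", "User Administrator")
    t.assign_permanent("maya", "License Administrator")
    t.make_eligible("maya", "Global Administrator", approval_required=True)

    utc = timezone.utc
    normal_day = datetime(2025, 3, 3, 8, 0, tzinfo=utc)      # before any request
    act = t.request_activation("maya", "Global Administrator",
                               "Emergency: Fix broken CA policy blocking all sign-ins",
                               now=datetime(2025, 3, 3, 9, 0, tzinfo=utc))
    t.approve(act, approver="jordan", now=datetime(2025, 3, 3, 9, 5, tzinfo=utc))
    return {
        "normal_day": t.active_roles("maya", normal_day),
        "during_fix": t.active_roles("maya", datetime(2025, 3, 3, 10, 0, tzinfo=utc)),
        "after_expiry": t.active_roles("maya", datetime(2025, 3, 3, 13, 6, tzinfo=utc)),  # 09:05 + 4h = 13:05
        "trail": t.audit_trail("maya"),
    }


if __name__ == "__main__":
    for k, v in northwave_scenario().items():
        print(k, v)
```

The `normal_day` checkpoint is the "account compromised on a normal day" case: the set contains only the two standing roles, so whoever holds Maya's credentials at that moment has no Global Admin path without also passing the activation and Jordan's approval, both of which land in the trail.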
Audit logs — who did what, when
Microsoft Entra provides two types of logs:
| Log | What It Records | Where |
|---|---|---|
| Sign-in logs | Every sign-in attempt (success/failure), device, location, CA policy applied | Entra → Monitoring → Sign-in logs |
| Audit logs | Admin actions: role changes, user creation, policy changes, app consent | Entra → Monitoring → Audit logs |
What admins use logs for
- Troubleshooting: “Why can’t this user sign in?” → check sign-in logs for the failure reason
- Security investigation: “Did someone access data they shouldn’t?” → cross-reference sign-in + audit logs
- Compliance: “Prove that only authorised admins made changes” → audit log shows who, what, when
- PIM audit: “Who activated Global Admin this month?” → PIM activity in audit logs
Exam tip: sign-in logs vs audit logs
Sign-in logs = AUTHENTICATION events (who tried to sign in, did it work, what blocked it)
Audit logs = ADMIN events (who changed what configuration, created what user, consented to what app)
If the question is about “why can’t they sign in?” → sign-in logs. If the question is about “who changed this policy?” → audit logs.
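The split between the two logs is easiest to see by running the questions from the "What admins use logs for" list over actual records. The example below is added for this page and is not Microsoft's code: it carries a handful of constructed records laid out in the shape of the Microsoft Graph `auditLogs/directoryAudits` and `auditLogs/signIns` resources (the field names are the documented ones; the accounts, app name, timestamps and justification are invented) and answers three of the questions: who activated Global Admin this month (audit log, PIM service), which admin consent was granted off-hours (audit log, the 3 AM scenario), and why a user's sign-in failed (sign-in log). The helper names (`pim_activations`, `off_hours_consents`, `sign_in_failures`) are this example's own.

```python
from datetime import datetime, timezone

# Constructed sample records, shaped like Graph directoryAudit / signIn objects.
# Accounts, app name, timestamps and text values are invented for this example.
AUDIT_LOGS = [
    {   # a PIM activation: lands in the AUDIT log under the PIM service
        "activityDateTime": "2025-03-03T09:05:12Z",
        "category": "RoleManagement", "loggedByService": "PIM",
        "activityDisplayName": "Add member to role completed (PIM activation)",
        "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": "maya@northwave.example"}},
        "targetResources": [{"displayName": "Global Administrator", "type": "Role"}],
        "additionalDetails": [{"key": "Justification",
                               "value": "Emergency: Fix broken CA policy blocking all sign-ins"}],
    },
    {   # admin consent to an app at 03:12 UTC: an ADMIN event, so also the audit log
        "activityDateTime": "2025-03-04T03:12:40Z",
        "category": "ApplicationManagement", "loggedByService": "Core Directory",
        "activityDisplayName": "Consent to application", "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": "sam@northwave.example"}},
        "targetResources": [{"displayName": "Mail Sync Helper (unverified publisher)",
                             "type": "ServicePrincipal"}],
    },
    {   # routine user creation during the day: noise for both queries below
        "activityDateTime": "2025-03-04T10:30:00Z",
        "category": "UserManagement", "loggedByService": "Core Directory",
        "activityDisplayName": "Add user", "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": "maya@northwave.example"}},
        "targetResources": [{"displayName": "new.hire@northwave.example", "type": "User"}],
    },
]

SIGN_INS = [
    {   # blocked by Conditional Access: an AUTHENTICATION event, so the SIGN-IN log
        "createdDateTime": "2025-03-04T08:02:11Z",
        "userPrincipalName": "sam@northwave.example",
        "status": {"errorCode": 53003,
                   "failureReason": "Access has been blocked by Conditional Access policies."},
        "appliedConditionalAccessPolicies": [
            {"displayName": "Block legacy authentication", "result": "failure"}],
    },
    {   # later successful sign-in from a modern client
        "createdDateTime": "2025-03-04T08:10:00Z",
        "userPrincipalName": "sam@northwave.example",
        "status": {"errorCode": 0, "failureReason": "Other."},
        "appliedConditionalAccessPolicies": [
            {"displayName": "Block legacy authentication", "result": "notApplied"}],
    },
]


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def initiated_by(rec: dict) -> str:
    who = rec.get("initiatedBy", {})
    if who.get("user"):
        return who["user"]["userPrincipalName"]
    if who.get("app"):
        return who["app"].get("displayName", "app")
    return "unknown"


def pim_activations(records: list, since: datetime) -> list:
    """'Who activated which role this month?' -> audit log, filtered to the PIM service."""
    out = []
    for r in records:
        if r.get("loggedByService") != "PIM" or r.get("category") != "RoleManagement":
            continue
        if "activation" not in r["activityDisplayName"].lower():
            continue
        if parse_ts(r["activityDateTime"]) < since:
            continue
        role = next((t["displayName"] for t in r["targetResources"] if t["type"] == "Role"), "?")
        justification = next((d["value"] for d in r.get("additionalDetails", [])
                              if d["key"] == "Justification"), "")
        out.append((initiated_by(r), role, justification))
    return out


def off_hours_consents(records: list, night_start: int = 22, night_end: int = 6) -> list:
    """Admin consent granted between night_start and night_end UTC (the 3 AM scenario)."""
    out = []
    for r in records:
        if r["activityDisplayName"] != "Consent to application":
            continue
        hour = parse_ts(r["activityDateTime"]).hour
        if hour >= night_start or hour < night_end:
            app = next((t["displayName"] for t in r["targetResources"]), "?")
            out.append((r["activityDateTime"], initiated_by(r), app))
    return out


def sign_in_failures(signins: list, upn: str) -> list:
    """'Why can't this user sign in?' -> sign-in log: error code, reason, CA policy that blocked."""
    out = []
    for s in signins:
        if s["userPrincipalName"] != upn or s["status"]["errorCode"] == 0:
            continue
        blocking = [p["displayName"] for p in s.get("appliedConditionalAccessPolicies", [])
                    if p["result"] == "failure"]
        out.append((s["createdDateTime"], s["status"]["errorCode"],
                    s["status"]["failureReason"], blocking))
    return out


if __name__ == "__main__":
    print(pim_activations(AUDIT_LOGS, since=parse_ts("2025-03-01T00:00:00Z")))
    print(off_hours_consents(AUDIT_LOGS))
    print(sign_in_failures(SIGN_INS, "sam@northwave.example"))
```

Note that the same account (sam) appears in both logs but the questions route differently: the consent grant is in the audit log because it changed tenant configuration, while the blocked sign-in never touched configuration and so appears only in the sign-in log, together with the Conditional Access policy that produced the block.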
Identity Secure Score
Identity Secure Score measures your identity security posture:
- Found in Entra admin center → Protection → Identity Secure Score (or Defender portal)
- Score based on recommended actions (e.g., “Enable MFA for all admins”, “Block legacy authentication”)
- Each recommendation shows impact, effort, and status
- Higher score = better security posture
Common recommendations
| Action | Impact |
|---|---|
| Enable MFA for all users | High |
| Block legacy authentication | High |
| Require MFA for admin roles | High |
| Enable Self-Service Password Reset | Medium |
| Set passwords to never expire (with MFA) | Medium |
| Remove standing admin access (use PIM) | High |
Key exam concept: Identity Secure Score is a RECOMMENDATION dashboard, not an enforcement tool. It tells you what to improve but doesn’t make changes for you. Compare with Compliance Manager (Domain 2), which does the same for compliance.
PIM, Audit Logs & Governance — AB-900 Module 10
Knowledge Check
Clearfield Council's security policy requires that Global Admin access is never permanently assigned. Which Microsoft Entra feature satisfies this requirement?
Maya notices a user's account was used to grant admin consent to a suspicious third-party app at 3 AM. Where should she investigate this activity?
🎉 Congratulations! You’ve completed all 10 modules in Domain 1: M365 Core Features & Objects. You now understand the M365 ecosystem, admin centers, security foundations, and identity governance.
Next: Continue to Domain 2 (Data Protection & Governance) to complete your AB-900 preparation.