Domain 4: Plan and Automate Identity Governance (~14 min read)

PIM: Protect Your Privileged Roles

Plan and manage Entra ID roles in Privileged Identity Management — eligible vs active assignments, activation workflows, approval, and PIM settings.

What is Privileged Identity Management (PIM)?

☕ Simple explanation

PIM is a safe for your admin keys.

Imagine you run a hospital. You wouldn’t let every doctor carry the master key to the pharmacy all day — too risky. Instead, you keep the master key in a safe. When a doctor needs it, they check it out (explain why, get approval, show their badge), use it for the time needed, and return it. The safe logs everything: who took the key, when, why, and when they returned it.

That’s PIM. Instead of admins having Global Admin rights 24/7, they have eligible access — they can request activation when needed, for a limited time, with approval and logging. When the time expires, the permissions automatically disappear.

Privileged Identity Management (PIM) is a Microsoft Entra ID Governance feature that provides just-in-time (JIT), time-bound, and approval-based role activation for Entra ID roles and Azure resource roles. It minimises standing access to privileged roles by converting permanent assignments to eligible assignments that require activation.

PIM provides: eligible vs. active role assignments, configurable activation requirements (MFA, justification, approval, ticket number), maximum activation duration, notification workflows, and comprehensive audit logging of all activations and approvals.

Eligible vs Active assignments

This is the most fundamental PIM concept and appears in nearly every exam question:

| Feature | Eligible Assignment | Active Assignment |
|---|---|---|
| Standing access? | No — must activate when needed | Yes — always has the role |
| Activation required? | Yes — user must request activation | No — role is always on |
| Time-limited? | Activation expires after configured duration | Can be permanent or time-bound |
| Approval needed? | Configurable — can require approval | No activation, so no approval step |
| Security posture | Strong — minimises standing access | Weaker — permanent privileged access |
| Best for | Day-to-day admin tasks | Break-glass accounts, service accounts |
| Exam preference | Recommended approach for most roles | Use sparingly and justify |

The golden rule: Make roles eligible unless there’s a specific reason for active (break-glass accounts, automated service accounts that can’t interactively activate).

The activation workflow

When a user with an eligible assignment needs to use their role, this is what happens:

User requests activation
        ↓
MFA required? → Authenticate with MFA
        ↓
Justification required? → Provide reason
        ↓
Ticket number required? → Enter ticket reference
        ↓
Approval required? → Approver gets notification → Approve/Deny
        ↓
Activation granted (time-limited)
        ↓
Timer expires → Role automatically deactivated

ℹ️ Scenario: Priya configures PIM for Global Admin

Priya at Meridian Health configures PIM for the Global Administrator role:

PIM role settings for Global Admin:

  • Maximum activation duration: 2 hours (admins must re-activate if they need more time)
  • Require MFA on activation: Yes
  • Require justification: Yes
  • Require approval: Yes — approved by Priya or the CTO
  • Require ticket number: Yes (must reference a change request)
  • Send notification when activated: Yes — security team gets an email

Eligible assignments:

  • Priya herself (identity architect)
  • Marcus (senior infrastructure admin)
  • One break-glass account → Active permanent assignment (can’t interactively activate)

Now when Marcus needs Global Admin to perform a tenant-wide change, he:

  1. Goes to the PIM blade in the Entra admin center (or myaccess.microsoft.com)
  2. Selects Global Administrator → Activate
  3. Completes MFA
  4. Enters justification: “Deploying new Conditional Access policies per CHG-4521”
  5. Enters ticket number: CHG-4521
  6. Priya receives an approval request → Approves
  7. Marcus has Global Admin for 2 hours → role deactivates automatically
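The same activation, driven from the Microsoft Graph PowerShell SDK instead of the portal, as an added example that is not part of the study guide. It assumes the Microsoft.Graph.Identity.Governance module is installed; the ticketSystem label and the PT2H duration are assumptions (the duration must not exceed the role’s maximum activation duration).

```powershell
# Added example (not from the study guide): Marcus self-activates his eligible
# Global Administrator assignment, then gives it back early once the change is done.
# Assumptions: ticketSystem label, PT2H duration (<= the role's maximum).
Connect-MgGraph -Scopes "RoleAssignmentSchedule.ReadWrite.Directory", "User.Read"

# Resolve the signed-in user's object id and the role definition id
$myId = (Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/v1.0/me?$select=id').id
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Administrator'"

$activation = @{
    action           = "selfActivate"
    principalId      = $myId
    roleDefinitionId = $role.Id
    directoryScopeId = "/"                                   # tenant-wide scope
    justification    = "Deploying new Conditional Access policies per CHG-4521"
    ticketInfo       = @{ ticketNumber = "CHG-4521"; ticketSystem = "ServiceNow" }  # label assumed
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = "afterDuration"; duration = "PT2H" }   # ISO 8601 duration
    }
}
$request = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $activation
# Status is PendingApproval while Priya decides, Provisioned once the role is active
"Request {0}: {1}" -f $request.Id, $request.Status

# Best practice: deactivate as soon as the change is finished instead of waiting out the timer
$deactivation = @{
    action           = "selfDeactivate"
    principalId      = $myId
    roleDefinitionId = $role.Id
    directoryScopeId = "/"
}
New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $deactivation |
    Select-Object Id, Status
```

Every request created this way appears in the PIM audit history with the justification and ticket number attached, exactly as a portal activation does.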

PIM role settings — the control panel

Each Entra role has independent PIM settings. You configure settings per role, not globally.

| Setting | What It Controls | Typical Config |
|---|---|---|
| Max activation duration | How long the role stays active after activation | 1–24 hours (default 8h, use 1–4h for sensitive roles) |
| Require MFA | MFA required when activating | Always Yes for privileged roles |
| Require justification | User must explain why they need the role | Yes for most roles |
| Require approval | Approval needed before activation | Yes for Global Admin, Privileged Role Admin; optional for less sensitive roles |
| Require ticket information | Must provide a ticket/change request number | Yes for change-managed environments |
| Allow permanent eligible | Can eligible assignments be permanent (no end date)? | Yes — eligible is safe even if permanent |
| Allow permanent active | Can active assignments be permanent? | No for most roles (exception: break-glass) |
| Require Azure MFA (not claims) | Specifically requires Entra MFA, not federated claims | Recommended for highest security |
| Assignment notifications | Email when someone is assigned the role | Yes — security team should know |
| Activation notifications | Email when someone activates the role | Yes — security team should know |

💡 Exam tip: Settings are per-role

PIM settings are configured per role, not globally. You might require approval for Global Admin but not for Helpdesk Admin. The exam tests whether you know that changing the Global Admin PIM settings does NOT affect User Admin settings — they’re independent.

Also note: Privileged Role Administrator is the role that manages PIM settings — not Global Admin specifically (though Global Admin can do everything).
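The per-role nature of these settings is visible in Microsoft Graph, where each role’s PIM settings are a separate role management policy made of rules with fixed ids. The following added example (not from the study guide) applies Priya’s Global Admin settings with the Microsoft Graph PowerShell SDK, assuming the Microsoft.Graph.Identity.Governance module; the approval rule (Approval_EndUser_Assignment) is configured the same way but is not shown.

```powershell
# Added example (not from the study guide): read and tighten the PIM role settings
# for Global Administrator. Only that role's policy is touched; every other role
# keeps its own independent settings.
Connect-MgGraph -Scopes "RoleManagementPolicy.ReadWrite.Directory"

$role   = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Administrator'"
$policy = Get-MgPolicyRoleManagementPolicyAssignment `
    -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$($role.Id)'"

# Review the current rules first (Expiration_*, Enablement_*, Approval_*, Notification_*)
Get-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policy.PolicyId | Select-Object Id

# Rule targets: EndUser = activation by the eligible user, Admin = assignment by an admin
$endUser = @{ caller = "EndUser"; operations = @("All"); level = "Assignment"
              inheritableSettings = @(); enforcedSettings = @() }
$admin   = @{ caller = "Admin";   operations = @("All"); level = "Assignment"
              inheritableSettings = @(); enforcedSettings = @() }

$rules = @(
    # Maximum activation duration 2 hours, expiration mandatory
    @{ "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"
       id = "Expiration_EndUser_Assignment"; isExpirationRequired = $true
       maximumDuration = "PT2H"; target = $endUser }
    # Activation must present MFA, a justification and a ticket number
    @{ "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule"
       id = "Enablement_EndUser_Assignment"
       enabledRules = @("MultiFactorAuthentication", "Justification", "Ticketing"); target = $endUser }
    # Governance guardrail: no permanent active assignments, 365-day maximum
    @{ "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"
       id = "Expiration_Admin_Assignment"; isExpirationRequired = $true
       maximumDuration = "P365D"; target = $admin }
)
foreach ($rule in $rules) {
    Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policy.PolicyId `
        -UnifiedRoleManagementPolicyRuleId $rule.id -BodyParameter $rule
}
```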

Managing the approval process

When a role requires approval, designated approvers receive notifications:

Approver experience:

  1. Receive email notification (or check PIM in the portal)
  2. See the request details: who, which role, justification, ticket number
  3. Approve or Deny with a reason
  4. If approved, the user’s role activates immediately

If the approver doesn’t respond:

  • The request times out after the configured period (default 24 hours)
  • The user’s activation is denied
  • The user can re-request

ℹ️ Scenario: Priya approves Marcus's Global Admin activation

Marcus requests Global Admin activation. Priya receives an email:

PIM Activation Request
  User: Marcus Chen
  Role: Global Administrator
  Justification: “Deploying new Conditional Access policies per CHG-4521”
  Ticket: CHG-4521
  Duration: 2 hours

Priya checks the change management system, confirms CHG-4521 is a legitimate approved change, and clicks Approve. Marcus immediately has Global Admin for 2 hours.

After the change, Marcus can deactivate early (best practice) or let the 2-hour timer expire automatically.

Assignment types: eligible vs active, permanent vs time-bound

PIM assignments have two independent dimensions:

| | Eligible | Active |
|---|---|---|
| Permanent | User is always eligible to activate (no end date) | User always has the role (no end date) — avoid this |
| Time-bound | User is eligible to activate until the end date | User has the role until the end date |

Best practices:

  • Permanent eligible is fine — the user can activate when needed, and it doesn’t expire
  • Time-bound eligible is great for contractors or project-based access
  • Time-bound active is acceptable for temporary scenarios
  • Permanent active should be reserved for break-glass accounts only

💡 Exam tip: Maximum assignment duration

In PIM role settings, you can set a maximum duration for both eligible and active assignments. If you set “Require expiration” for active assignments with a maximum of 365 days, no one can create a permanent active assignment. This is a governance guardrail.
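Checking a tenant against these best practices is an audit, not a portal click-through. The following added example (not from the study guide) reports which Global Administrator holders have standing access, using the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.Governance assumed); $breakGlass is a placeholder for your break-glass account UPNs, the only principals that should legitimately appear as permanent active.

```powershell
# Added example (not from the study guide): report standing Global Administrator
# access. roleAssignmentSchedules are the active assignments: AssignmentType
# 'Assigned' is a direct active assignment, 'Activated' is a PIM activation of an
# eligible one. Only permanent active assignments outside break-glass are findings.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory"

$breakGlass = @("breakglass-1@contoso.example", "breakglass-2@contoso.example")   # placeholder UPNs
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Administrator'"

$active = @(Get-MgRoleManagementDirectoryRoleAssignmentSchedule -All `
    -Filter "roleDefinitionId eq '$($role.Id)'" -ExpandProperty Principal)

$report = foreach ($a in $active) {
    $upn       = $a.Principal.AdditionalProperties["userPrincipalName"]   # null for groups / SPs
    $permanent = $a.ScheduleInfo.Expiration.Type -eq "noExpiration"
    $finding   = if ($a.AssignmentType -eq "Activated") { "OK: PIM activation"
                 } elseif ($permanent -and $upn -in $breakGlass) { "OK: break-glass"
                 } elseif ($permanent) { "Permanent active: convert to eligible"
                 } else { "Time-bound active: review" }
    [pscustomobject]@{
        Principal  = if ($upn) { $upn } else { $a.PrincipalId }
        Type       = $a.AssignmentType                  # Assigned or Activated
        MemberType = $a.MemberType                      # Direct or Group
        Expires    = $a.ScheduleInfo.Expiration.EndDateTime
        Finding    = $finding
    }
}
$report | Sort-Object Finding | Format-Table -AutoSize

# Count eligible holders too, so the whole GA population (eligible + active) can be
# compared with the threshold of the 'Too many Global Administrators' alert
$eligible = @(Get-MgRoleManagementDirectoryRoleEligibilitySchedule -All `
    -Filter "roleDefinitionId eq '$($role.Id)'")
$findings = @($report | Where-Object Finding -like "Permanent active*").Count
"Global Administrator: {0} active ({1} permanent active outside break-glass), {2} eligible" -f `
    $active.Count, $findings, $eligible.Count
```

Remediation for each finding is the page’s golden rule: create an eligible assignment for the same principal, then remove the permanent active one.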

Activation alerts and notifications

PIM can send notifications at multiple points:

| Event | Who Gets Notified |
|---|---|
| Role assigned (eligible or active) | Assignee, admin, approvers (configurable) |
| Role activated | Security team, Global Admin, configured recipients |
| Role deactivated | Configurable |
| Pending approval | Designated approvers |
| Role assignment about to expire | Assignee (reminder to renew or re-request) |

PIM alerts (separate from notifications):

  • Too many Global Admins — triggered when the number exceeds a threshold
  • Roles being activated too frequently — possible misuse
  • Roles not using PIM for activation — direct active assignments bypassing PIM
  • Potential stale role assignments — eligible roles that haven’t been activated in a long time


Key Concepts

Question: What is the difference between an eligible and an active assignment in PIM?

Answer: Eligible: the user CAN activate the role when needed — no standing access. Active: the user HAS the role permanently (or until end date) — standing privileged access. Best practice: make assignments eligible and reserve active for break-glass accounts.

Question: What can you require during PIM role activation?

Answer: Four things configurable per role: 1) MFA, 2) Justification (text explanation), 3) Ticket number (change request reference), 4) Approval from designated approvers. Plus the activation has a maximum time limit (1–24 hours).

Question: Which Entra role manages PIM settings?

Answer: Privileged Role Administrator — this role can configure PIM settings, approve activations, and manage role assignments. Global Admin can also manage PIM (Global Admin can do everything), but Privileged Role Admin is the least-privilege role for PIM management.

Question: Can a user deactivate their PIM role early?

Answer: Yes. After activating a role, the user can manually deactivate it before the timer expires. This is a best practice — once you finish the task, deactivate immediately rather than keeping elevated access for the remaining time window.

Question: What PIM alert fires when too many users have a specific role?

Answer: The 'Too many Global Administrators' alert (or similar per-role alerts). PIM monitors the number of active and eligible assignments and alerts when the count exceeds a configurable threshold. This helps enforce the principle of least privilege.

Knowledge Check

  1. Priya wants Global Admin to require MFA, a justification, and approval before activation, with a maximum of 2 hours active time. Where does she configure these requirements?
  2. Marcus is an eligible Global Administrator in PIM. He needs to perform an urgent tenant-wide configuration change but the designated approver (Priya) is on leave. What happens?
  3. Anika is auditing PIM at a client and finds that 12 users have permanent active Global Administrator assignments. What is the recommended remediation?
  4. Which of these is NOT a configurable requirement for PIM role activation?
  5. A user is eligible for the Security Administrator role through PIM with a maximum activation duration of 4 hours. They activate the role at 9:00 AM. At 1:30 PM, they need the role again for an incident. What must they do?


Next up: PIM: Azure Resources, Groups & Audit — extending PIM to Azure subscription roles, using PIM for Groups, auditing PIM activity, and securing break-glass accounts.

© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.