PIM and Identity Protection
Just-in-time admin access with PIM, and real-time risk detection with Identity Protection β two Entra ID P2 capabilities that protect privileged accounts and detect compromised identities.
Privileged Identity Management (PIM)
Think of a safe room at a bank. Only authorised managers can enter, and only after requesting access, getting approval, and the door locks again after 4 hours.
In most organisations, admins have their powerful roles permanently. They are Global Admin 24 hours a day, 7 days a week β even when they are sleeping, on holiday, or not doing admin work.
PIM changes this. Instead of always having admin access, you activate it when you need it. You request access, someone approves it, you get the role for a limited time, and then it goes away automatically.
If an attacker compromises an admin account at 2am, the role is probably not active β there is nothing elevated to exploit.
How PIM works
PIM introduces two types of role assignment:
| Assignment Type | What It Means | When The User Has The Role |
|---|---|---|
| Eligible | The user CAN activate the role when needed β but does not have it by default | Only after requesting and (optionally) getting approval. Time-limited. |
| Active | The user HAS the role permanently (traditional assignment) | Always β 24/7. Used only when JIT is not practical. |
The activation flow
- An admin marks a user as eligible for a role (e.g., Global Administrator)
- The user needs to perform an admin task
- The user goes to PIM and requests activation
- They provide a justification (why they need it)
- An approver reviews and approves the request (if approval is required)
- The role activates for a set duration (e.g., 4 hours)
- After the time expires, the role automatically deactivates
- Everything is logged in the audit trail
Key exam concept: PIM requires Microsoft Entra ID P2. The user is βeligibleβ (can request) but not βactiveβ (does not have the role) until they activate it. This is the core of just-in-time access.
Scenario: Alex configures PIM at SecureBank
Director Reyes tells Alex: βI donβt want anyone permanently sitting in the Global Administrator role β not even me.β
Alex configures PIM:
- Director Reyes, Alex, and the IT lead are eligible for Global Admin
- Activation requires MFA, a written justification, and approval from another eligible admin
- Maximum activation time: 4 hours
- All activations generate alerts to the security team
When Reyes needs to make a tenant-wide configuration change, she activates the role, explains why, gets Alexβs approval, and has 4 hours to complete the work. At hour four, the role disappears.
βWe went from three standing Global Admins to zero,β Alex reports. βAnyone who needs it can get it β but only for the exact time they need it.β
PIM for Entra roles and Azure resources
PIM works in two areas:
| Feature | PIM for Entra Roles | PIM for Azure Resources |
|---|---|---|
| What it manages | Privileged Entra roles (Global Admin, Security Admin, User Admin, etc.) | Privileged Azure resource roles (Owner, Contributor, User Access Administrator) |
| Scope | The Entra tenant | Azure subscriptions, resource groups, or individual resources |
| Example | Activate Global Administrator for 2 hours to configure a policy | Activate Owner on a production subscription for 1 hour to deploy a fix |
| Approval required? | Configurable per role | Configurable per role and scope |
Why PIM matters
| Without PIM | With PIM |
|---|---|
| Admin roles are active 24/7 β even at 2am when nobody is working | Roles are dormant until explicitly activated |
| A compromised admin account has full power immediately | A compromised eligible account has no elevated power until activated (which requires MFA + approval) |
| No record of why someone used their admin access | Full audit trail: who activated, when, why, and for how long |
| Admins forget they have powerful roles β accidental changes happen | Deliberate activation creates mindfulness about privileged actions |
Microsoft Entra ID Protection
Think of a credit card company that calls you when it spots a suspicious transaction.
βDid you just buy a laptop in Brazil? You were in Auckland 10 minutes ago.β The system detected something unusual and flagged it automatically.
Identity Protection does the same thing for sign-ins. It watches every sign-in for suspicious patterns: impossible travel, anonymous networks, known attacker IPs, leaked passwords. When it detects risk, it can automatically require MFA, force a password reset, or block the sign-in entirely.
You do not have to watch a dashboard all day. The system watches for you and responds in real time.
Two types of risk
| Risk Type | What It Measures | Detections | Examples |
|---|---|---|---|
| Sign-in risk | How likely is it that this specific sign-in was NOT performed by the account owner? | Evaluated in real time during the sign-in | Impossible travel, anonymous IP address, password spray, malicious IP address, unfamiliar sign-in properties |
| User risk | How likely is it that this user account has been compromised? | Evaluated offline β builds over time | Leaked credentials found on the dark web, anomalous user activity, threat intelligence indicators |
Risk levels
Both sign-in risk and user risk are classified into levels:
| Level | What It Means | Typical Response |
|---|---|---|
| Low | Slightly unusual but probably legitimate | Monitor β no action needed |
| Medium | Moderately suspicious β warrants investigation | Require MFA to verify the user |
| High | Strong indicators of compromise | Block access or force password reset |
Common risk detections
These are the specific threats Identity Protection watches for:
| Detection | What It Means | Risk Type |
|---|---|---|
| Impossible travel | Sign-ins from two locations that are physically impossible in the time between them | Sign-in |
| Anonymous IP address | Sign-in from an anonymising service (Tor, VPN associated with attackers) | Sign-in |
| Password spray | Multiple accounts targeted with common passwords in a coordinated attack | Sign-in |
| Unfamiliar sign-in properties | Sign-in from a location, device, or network the user has never used before | Sign-in |
| Leaked credentials | The userβs credentials were found in a public data breach | User |
| Anomalous user activity | Unusual patterns in the userβs behaviour compared to their baseline | User |
Scenario: Identity Protection catches a compromised account at SecureBank
On Monday morning, Alex sees an alert: Identity Protection flagged a high user risk for Jordan, a loan officer.
What happened:
- Jordanβs email and password appeared in a dark web breach dump (leaked credentials β user risk)
- A sign-in attempt came from a Tor exit node in Romania (anonymous IP β sign-in risk)
- The Conditional Access policy blocked the sign-in and required Jordan to reset their password
Alex investigates:
- Jordan was at home in Auckland at the time β the Romania sign-in was definitely an attacker
- Jordan confirms they used the same password on a personal site that was breached
βIdentity Protection blocked the attacker before they got in,β Alex tells Director Reyes. βJordan reset their password, re-enrolled MFA, and is back to work. No data was accessed.β
Identity Protection and Conditional Access
Identity Protection feeds risk signals into Conditional Access. Together, they create automated risk-based responses:
| Policy | Trigger | Action |
|---|---|---|
| Sign-in risk policy | Sign-in risk is medium or higher | Require MFA to verify the user |
| Sign-in risk policy | Sign-in risk is high | Block the sign-in entirely |
| User risk policy | User risk is medium or higher | Require a secure password change |
| User risk policy | User risk is high | Block all access until admin reviews |
Key exam concept: Identity Protection detects risk. Conditional Access enforces the response. They work together β Identity Protection is the alarm, Conditional Access is the automatic lock.
PIM vs Identity Protection
These two capabilities solve different problems:
| Feature | Privileged Identity Management (PIM) | Identity Protection |
|---|---|---|
| Problem it solves | Standing privileged access is risky β admins should not be permanently elevated | Compromised identities are hard to detect β attackers use stolen credentials |
| Focus | Controlling admin/privileged role access | Detecting and responding to identity-based threats |
| How it works | Just-in-time activation: request, approve, time-limited access | Machine learning detects anomalies, assigns risk levels, triggers automated responses |
| Key concept | Eligible vs active role assignments | Sign-in risk vs user risk |
| Licence | Entra ID P2 | Entra ID P2 |
| One-line summary | Control who can be admin, and when | Detect when an identity is compromised |
π¬ Video walkthrough
π¬ Video coming soon
PIM and Identity Protection β SC-900 Module 8
PIM and Identity Protection β SC-900 Module 8
~10 minFlashcards
Knowledge Check
Director Reyes wants to ensure that nobody at SecureBank has permanent Global Administrator access β but three senior staff must be able to perform admin tasks when urgent issues arise. What should Alex configure?
Identity Protection flags a high sign-in risk for Jordan's account. A Conditional Access policy is configured to block access when sign-in risk is high. What happens next?
Which statement correctly describes the difference between PIM and Identity Protection?