What is Privileged Identity Management (PIM)? Complete SC-300 Guide
PIM is the highest-weighted topic in the SC-300 exam's Identity Governance domain. This guide explains everything from eligible vs active roles to approval workflows — with exam-ready examples.
Why PIM Matters for SC-300
Identity Governance is the largest single domain in SC-300 at ~30% of the exam. PIM questions account for roughly half of that domain. You will likely see 6–10 PIM-related questions. Candidates who understand PIM conceptually but haven't practiced the configuration tend to miss most of these questions.
What is Privileged Identity Management?
Privileged Identity Management (PIM) is a Microsoft Entra ID P2 feature that manages, controls, and monitors access to important resources in your organization. It implements the principle of just-in-time (JIT) access — giving people elevated permissions only when they actually need them, for a limited time, with full audit logging.
Without PIM, a Global Administrator is always a Global Administrator — even at 3am on a Saturday when they're not working. With PIM, that same person is an eligible Global Administrator — they only become one when they deliberately activate the role, for a period you define.
PIM works for three types of resources:
- Entra ID roles — Global Administrator, User Administrator, etc.
- Azure resource roles — Owner, Contributor, Reader on subscriptions/resource groups
- Groups — membership and ownership of Entra ID groups (requires PIM for Groups feature)
License Requirement
PIM requires Microsoft Entra ID P2 or Microsoft Entra ID Governance. It is NOT included in P1. The exam will test scenarios where PIM is the right solution but you must know that a P2 upgrade is required. A cost-sensitive question might steer you away from PIM toward a cheaper alternative.
Eligible vs Active vs Permanent Assignments
This is the most fundamental PIM concept — and the most tested. The three assignment types are:
Eligible Assignment
The user has the role available to them but it is NOT active. They must explicitly activate it through PIM. When they activate:
- They may be required to provide MFA
- They may need to provide a business justification
- An approver may need to approve the request
- The role is active for a configured maximum duration (e.g., 8 hours)
- The activation expires automatically
Best for: All privileged roles. This is the PIM-recommended default.
Active Assignment (Time-bound)
The user has the role active immediately — no activation needed. However, the assignment has an end date, after which it automatically expires.
Best for: Temporary elevated access for project work (e.g., a contractor who needs Owner access on a resource group for 3 months).
Permanent Active Assignment
The user has the role active at all times with no expiration. This is how roles work without PIM. PIM allows you to assign this, but it should be limited to break-glass accounts.
Best for: Emergency access accounts only. Avoid for regular admin accounts.
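To make the three assignment types concrete from the defender's side, here is an added example (not from the original guide) that audits an export of PIM assignment schedules, flagging permanent active assignments outside a break-glass allowlist and activations or time-bound assignments that run longer than the configured limits. The sample records, role IDs and break-glass principals are constructed placeholders, and the field names are assumed to follow Graph's unifiedRoleAssignmentSchedule resource.

```python
from datetime import datetime, timedelta

# Hypothetical role definition IDs and break-glass principals (placeholders, not tenant values).
PRIVILEGED_ROLES = {"ROLE-GA": "Global Administrator", "ROLE-SA": "Security Administrator"}
BREAK_GLASS = {"breakglass-1", "breakglass-2"}

# Constructed sample shaped like GET /roleManagement/directory/roleAssignmentSchedules (assumed field names).
SAMPLE = [
    {"principalId": "breakglass-1", "roleDefinitionId": "ROLE-GA", "assignmentType": "Assigned",
     "scheduleInfo": {"startDateTime": "2024-01-01T00:00:00Z", "expiration": {"type": "noExpiration"}}},
    {"principalId": "alice", "roleDefinitionId": "ROLE-GA", "assignmentType": "Assigned",
     "scheduleInfo": {"startDateTime": "2024-01-01T00:00:00Z", "expiration": {"type": "noExpiration"}}},
    {"principalId": "bob", "roleDefinitionId": "ROLE-SA", "assignmentType": "Activated",
     "scheduleInfo": {"startDateTime": "2024-05-01T08:00:00Z",
                      "expiration": {"type": "afterDateTime", "endDateTime": "2024-05-01T16:00:00Z"}}},
    {"principalId": "contractor-carol", "roleDefinitionId": "ROLE-SA", "assignmentType": "Assigned",
     "scheduleInfo": {"startDateTime": "2024-05-01T00:00:00Z",
                      "expiration": {"type": "afterDateTime", "endDateTime": "2024-06-30T00:00:00Z"}}},
]

def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def classify(schedule):
    """'Activated' = eligible user activated JIT; 'Assigned' = admin-assigned, permanent or time-bound."""
    if schedule["assignmentType"] == "Activated":
        return "eligible-activated"
    if schedule["scheduleInfo"]["expiration"]["type"] == "noExpiration":
        return "permanent-active"
    return "time-bound-active"

def audit(schedules, max_activation=timedelta(hours=4), max_time_bound=timedelta(days=90)):
    """Return (principal, role, reason) for privileged-role schedules that break least privilege."""
    findings = []
    for s in schedules:
        if s["roleDefinitionId"] not in PRIVILEGED_ROLES:
            continue
        who, role, kind = s["principalId"], PRIVILEGED_ROLES[s["roleDefinitionId"]], classify(s)
        if kind == "permanent-active":
            if who not in BREAK_GLASS:
                findings.append((who, role, "permanent active assignment; convert to eligible"))
            continue
        info = s["scheduleInfo"]
        length = _ts(info["expiration"]["endDateTime"]) - _ts(info["startDateTime"])
        limit = max_activation if kind == "eligible-activated" else max_time_bound
        if length > limit:
            findings.append((who, role, f"{kind} lasts {length}, limit is {limit}"))
    return findings
```

Running `audit(SAMPLE)` reports alice (standing Global Administrator) and bob (an 8-hour activation against a 4-hour maximum); the break-glass account and the 60-day contractor assignment pass.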
PIM Role Settings (Activation Configuration)
Each role in PIM has configurable settings that govern how eligible members activate it. Understanding each setting is critical for exam scenarios:
| Setting | Description | Exam Relevance |
|---|---|---|
| Maximum activation duration | How long the role stays active after activation (e.g., 1 hour, 8 hours, 24 hours) | High — exam tests setting minimum possible duration |
| Require MFA on activation | User must complete MFA before activating the role | High — recommended for all privileged roles |
| Require justification on activation | User must type a business reason when activating | Medium — good practice, tested in governance scenarios |
| Require approval to activate | Designated approvers must approve before role activates | High — approval workflow scenarios are common exam questions |
| Require ticket information | User must provide a ticket/ITSM reference number | Low — but may appear in enterprise process scenarios |
| On activation, require Entra ID P2 MFA | Requires Microsoft Authenticator (not just any MFA) for activation | Medium — specific MFA requirement for critical roles |
| Allow permanent eligible assignment | Whether eligible assignments can be permanent or must have an end date | Medium — least privilege principle questions |
| Expire eligible assignments after | Auto-expire eligible assignments after X days | Medium — for contractor/temporary access scenarios |
PIM Approval Workflow
When a role requires approval, here's the exact process — know this flow for exam scenarios:
User Requests Activation
Eligible user clicks "Activate" in PIM, provides justification and optionally ticket number, selects duration (up to the configured max).
Approvers Notified
All configured approvers receive an email notification. Approvers can be specific users, group members, or the user's manager.
Approver Reviews Request
Approver signs in to PIM and sees the pending request with the user's justification. They can approve or deny with their own comment.
Role Activates (or Denied)
If approved, the role activates immediately for the requested duration. If denied, the user is notified and cannot access the role.
Automatic Deactivation
When the duration expires, the role deactivates automatically. No admin action required. All activity is logged in PIM audit logs.
PIM Access Reviews
PIM integrates with Access Reviews to periodically validate that users still need their eligible role assignments. This is a common exam topic in governance scenarios.
Key points about PIM Access Reviews:
- Access Reviews for Entra ID roles must be created from within PIM (not from the general Access Reviews blade)
- Reviews can be assigned to role members themselves (self-review) or to managers
- You can configure auto-apply results — automatically remove access when reviewer doesn't respond
- Reviews can be one-time or recurring (weekly, monthly, quarterly, annually)
- Review results include: Approve, Deny, Don't Know, or Not Reviewed
Top PIM Exam Scenarios
Scenario: Minimize standing admin access while allowing emergency access
Solution: Configure all admin roles as eligible in PIM. Create 2 permanent active emergency access accounts with Global Administrator. Exclude those accounts from Conditional Access policies.
Scenario: Ensure admins cannot stay as admin for more than 4 hours at a time
Solution: In PIM role settings for the admin role, set "Maximum activation duration" to 4 hours. Enable "Require MFA on activation" and "Require justification."
Scenario: A new project requires a contractor to have Owner access on a specific resource group for 60 days
Solution: In PIM for Azure Resources, assign the contractor as Owner on the resource group with an Active assignment type and set the end date to 60 days from today.
Scenario: Quarterly review of who has Global Administrator eligible assignment
Solution: Create an Access Review in PIM for the Global Administrator role, set recurrence to quarterly, set reviewers to either the users themselves or their managers, enable "Auto-apply results to resource" with "Remove access" for non-responders.
Scenario: A manager must approve before anyone can activate the Security Administrator role
Solution: In PIM role settings for Security Administrator, enable "Require approval to activate" and add the security team manager as the approver. Set a reasonable approval timeout.
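The scenarios above map onto the Microsoft Graph PIM request types for Entra ID roles. This added example (not part of the guide) builds the request bodies for a permanent eligible assignment, a time-bound active assignment, and a JIT self-activation with justification and ticket, refusing a requested duration above the role's maximum activation duration. Principal and role IDs and the ticket system name are placeholders; the contractor scenario on an Azure resource group would use the Azure Resource Manager PIM endpoint rather than these directory-role endpoints, which is not shown here.

```python
import json
import urllib.request
from datetime import datetime, timedelta, timezone

GRAPH = "https://graph.microsoft.com/v1.0/roleManagement/directory"

def _iso(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")

def _parse(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def admin_assign(kind, principal_id, role_definition_id, justification, days=None, start_iso=None):
    """Build an admin-created assignment request. kind="eligible" targets
    roleEligibilityScheduleRequests (user must activate later); kind="active" targets
    roleAssignmentScheduleRequests (active immediately). days=None means permanent."""
    path = {"eligible": "roleEligibilityScheduleRequests",
            "active": "roleAssignmentScheduleRequests"}[kind]
    start_iso = start_iso or _iso(datetime.now(timezone.utc))
    expiration = {"type": "noExpiration"} if days is None else {
        "type": "afterDateTime", "endDateTime": _iso(_parse(start_iso) + timedelta(days=days))}
    body = {"action": "adminAssign", "principalId": principal_id,
            "roleDefinitionId": role_definition_id, "directoryScopeId": "/",  # "/" = tenant-wide
            "justification": justification,
            "scheduleInfo": {"startDateTime": start_iso, "expiration": expiration}}
    return path, body

def self_activate(principal_id, role_definition_id, justification, hours, max_hours, ticket=None):
    """Build the JIT activation request an eligible user submits; refuse durations above
    the role's 'Maximum activation duration' before the call (PIM rejects them server-side too)."""
    if hours > max_hours:
        raise ValueError(f"requested {hours}h exceeds maximum activation duration {max_hours}h")
    body = {"action": "selfActivate", "principalId": principal_id,
            "roleDefinitionId": role_definition_id, "directoryScopeId": "/",
            "justification": justification,
            "scheduleInfo": {"startDateTime": _iso(datetime.now(timezone.utc)),
                             "expiration": {"type": "afterDuration", "duration": f"PT{hours}H"}}}
    if ticket:  # satisfies 'Require ticket information'; ticketSystem value is a placeholder
        body["ticketInfo"] = {"ticketNumber": ticket, "ticketSystem": "ITSM"}
    return "roleAssignmentScheduleRequests", body

def submit(path, body, token):
    """POST to Graph with a bearer token holding RoleManagement.ReadWrite.Directory."""
    req = urllib.request.Request(f"{GRAPH}/{path}", data=json.dumps(body).encode(), method="POST",
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

Each builder returns the endpoint path and body together so `submit(*admin_assign(...), token)` sends the request; an approval-gated role returns the request in a pending state until an approver acts, as described in the workflow above.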
Master PIM with SC-300 Practice Questions
Heavy PIM coverage in our 500-question SC-300 bank. Practice mode with explanations for every answer.