
Privileged Identity Management (PIM)

At a Glance

Goals

  1. You are able to explain the basics of PIM.
  2. You are able to request an elevated role via PIM.

Prerequisites

  1. Authorization to request a PIM group is available.

Privileged Identity Management (PIM)

Users activate elevated privileges themselves via PIM. This follows common security practice: by default, only the minimum privileges are held (the Least Privilege Principle), and they are raised only for as long as the work requires.

In Azure, there are two types of PIM:

  • PIM-Enabled Groups

    For a set period, a person is added to an Entra Group, through which extended privileges are temporarily granted. A PIM-Enabled Group can only be administered by IT services.

  • PIM for Azure Resource Roles

    For a set period, an Azure resource role with elevated privileges is assigned to a person.

Both paths grant extended privileges for a limited time only.

Important

The Unibe-Subscription-Owner (mg-unibe) role is assigned by IT services via a PIM-Enabled Group.

Activating PIM-Enabled Groups

  1. Log in to the Azure Portal.

    Azure Portal

  2. Navigate to the PIM module: enter PIM in the search bar and select the search result Microsoft Entra Privileged Identity Management.

    PIM-Module

  3. In the PIM module, select My Roles under Tasks in the left menu.

    PIM My Roles

  4. Select Groups in the left menu.

    PIM My Roles

  5. In the list of PIM groups, activate the role assigned to the subscription with Activate.

    PIM My Roles

  6. Enter the activation duration and a justification.

    PIM Azure Role Activation

Activating PIM for Azure Resource Roles

  1. Log in to the Azure Portal.

    Azure Portal

  2. Navigate to the PIM module: enter PIM in the search bar and select the search result Microsoft Entra Privileged Identity Management.

    PIM-Module

  3. In the PIM module, select My Roles under Tasks in the left menu.

    PIM My Roles

  4. Select Azure Resources in the left menu.

    PIM Azure Resources

  5. All roles that can be requested are listed. Select the Activate button in the last column of the table.

    PIM My Azure Roles

  6. Enter the activation duration and a justification.

    PIM Azure Role Activation
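The same two activations (PIM-enabled group membership and an Azure resource role) can also be requested from PowerShell, with the same time-bound duration and justification as in the portal steps above. This is an added example, not part of the original tutorial; it assumes the Microsoft.Graph.Identity.Governance and Az.Resources modules are installed, and all ids, the scope and the 8-hour duration are placeholders to be replaced with values from your own tenant.

```powershell
# Added example: self-activate eligible PIM assignments from PowerShell.
# All ids below are placeholders; replace them with values from your tenant.
$principalId = '00000000-0000-0000-0000-000000000001'   # object id of the requesting user
$groupId     = '00000000-0000-0000-0000-000000000002'   # PIM-enabled Entra group
$duration    = 'PT8H'                                   # ISO 8601; must not exceed the policy maximum
$reason      = 'Ticket INC-0000: deploy hotfix'         # justification recorded in the PIM audit log

# --- PIM-enabled group (member assignment), via Microsoft Graph ---
Connect-MgGraph -Scopes 'PrivilegedAccess.ReadWrite.AzureADGroup'

# Check that an eligible assignment exists before requesting activation,
# so a missing entitlement fails here rather than as an opaque Graph error.
$eligible = Get-MgIdentityGovernancePrivilegedAccessGroupEligibilitySchedule `
    -Filter "principalId eq '$principalId' and groupId eq '$groupId'"
if (-not $eligible) { throw 'No eligible PIM group assignment for this principal.' }

New-MgIdentityGovernancePrivilegedAccessGroupAssignmentScheduleRequest -BodyParameter @{
    accessId      = 'member'
    principalId   = $principalId
    groupId       = $groupId
    action        = 'selfActivate'
    justification = $reason
    scheduleInfo  = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString('o')
        expiration    = @{ type = 'afterDuration'; duration = $duration }   # time-bound, not permanent
    }
}

# --- Azure resource role, via Az.Resources ---
Connect-AzAccount
$scope  = '/subscriptions/00000000-0000-0000-0000-000000000003'            # placeholder subscription
$roleId = "$scope/providers/Microsoft.Authorization/roleDefinitions/<role-definition-guid>"

New-AzRoleAssignmentScheduleRequest `
    -Name ([guid]::NewGuid().Guid) `
    -Scope $scope `
    -PrincipalId $principalId `
    -RoleDefinitionId $roleId `
    -RequestType SelfActivate `
    -ScheduleInfoStartDateTime (Get-Date).ToUniversalTime() `
    -ExpirationType AfterDuration `
    -ExpirationDuration $duration `
    -Justification $reason
```

If the role's PIM policy requires approval or MFA, the request is created in a pending state and the assignment only becomes active once those conditions are met, exactly as in the portal.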