PIM is described as a service within Microsoft Entra ID, designed to manage, control, and monitor access to crucial organizational resources, encompassing Microsoft Entra ID, Azure, and other Microsoft Online Services like Microsoft 365 and Microsoft Intune.
In the cybersecurity landscape, Privileged Identity Management (PIM) emerges as a pivotal element, but its effectiveness in managing privileged access is subject to scrutiny. Integral to the broader identity and access management (IAM) framework, PIM's role in upholding least privilege and just-in-time access principles is increasingly questioned amidst evolving digital threats. While theoretically vital for risk mitigation and regulatory compliance, the practical application of PIM, especially in complex cloud and IT environments, often reveals limitations in its ability to adapt to sophisticated cyber threats. This dichotomy between PIM's intended role and its real-world efficacy underscores the necessity for a critical evaluation of how PIM solutions are implemented and integrated into the overall cybersecurity strategy.
In an era where digital identities are as critical as physical keys, grasping the nuances of PIM becomes essential for any organization looking to secure its cloud presence and navigate the challenges of a rapidly evolving digital landscape.
PIM has multiple sides, the first replaces normal administrative role assignment. Before PIM, the common practice involved directly assigning a role to an identity, often coupled with manually setting a reminder to revoke the role after a predetermined period. With PIM this is replaced and expanded to allow the original permanent assignment but also to build real controls around the time-bound permanent roles (a role that is active for the identity for the duration of the time frame provided). This is a great use case, and with proper run-time monitoring of permanent assignments, a great modernization of an old practice.
For this discussion we’ll focus on everyone’s favorite use case and Microsoft’s PIM selling point, just-in-time access and least privilege (eligible roles). It is here admins often start granting IT users with multiple roles, because it’s eligible not active they feel more comfortable doing this. This could be compared to how you would treat AWS SSO, granting different role levels to an identity to control their access in each account. In contrast to AWS, or in the same way an AWS admin may grant many overlapping roles for one account to an identity, they still end up over privileged and with unused overlapping roles and permissions. Some may argue that having multiple roles within one account, whether it's AWS, Azure, or M365, ensures that users only select the permissions they need at the time, thereby preventing mis-clicks and errant configuration changes. However, we contend that if this is a primary concern, it may indicate a need for more user training, and such extensive permissions shouldn't be available to users who are prone to such errors. Once an identity has made it to the ability to select / activate a role, they’ve passed security checks, from an attacker perspective there was little to no benefit at this stage by providing the varying levels as they can simply select the highest.
In all fairness, these views are not surprising, Permiso’s Nathan Eades can be cynical of many security marketing terms, “zero-trust” chief among them. He subscribes to a notion of “selective-trust”, this is often true in most organizations that have different levels of security for different identities or networks. In these environments the strict “zero” is removed in place of usability, for example: not enforcing MFA for a trusted network or only enforcing for high risk applications or heuristically high risk access patterns.
We discuss this because a similar stance can be taken with just-in-time access. To frame the idea, lets look at Microsoft’s “Reasons to Use” section of PIM:
Organizations want to minimize the number of people who have access to secure information or resources, because that reduces the chance of
However, users still need to carry out privileged operations in Microsoft Entra ID, Azure, Microsoft 365, or SaaS apps. Organizations can give users just-in-time privileged access to Azure and Microsoft Entra resources and can oversee what those users are doing with their privileged access.
Consider the default role policy for most roles while using PIM, which many organizations do not change other then to lower the default activation time frame of eligible roles (8 hrs) specifically for the Global Administrator role. Within the default configuration, a role is made eligible to the user and will require a justification, the justification can be anything. For privileged roles MFA is also required but will already be satisfied if required during authentication.
Default PIM Policy of a Privileged Role - Includes Azure MFA on Activation.
Default PIM Policy of non-Privileged Role - No Activation Requirement.
Lets assume we provide Global Administrator as an eligible role to 10 users. On it’s surface this now sounds like a great feature, we’ve provided “just-in-time” access (though we’ve ignored least-privilege because we figure it’s fine, it’s not like it’s permanent), the user does not have the activated role, it must first be activated with justification (and MFA, but this is most likely already satisfied on session start). The justifications are often meaningless, outside of the activation log event, the ability to “oversee what those users are doing” would be better managed through run time analysis and entitlement management.
Reviewing further, Microsoft’s marketing has been extremely successful in pushing PIM, pushing best practices to add measurable security however, has seemingly not been the priority. Any sophisticated attacker targeting Entra ID (formerly Azure AD) today is likely aware that PIM is commonly used, which means they know where to look to activate a role. With minimal effort, they may even review logs to understand how the identity normally justifies access.
Under these circumstances, what was truly gained? Merely a button. In all seriousness, the process has been reduced to a procedural formality, where “just-in-time” access becomes scarcely distinguishable from “all-the-time” access. The activation involves a simple click and often only a basic justification, thereby raising significant questions about the actual security efficacy of this system. While this may sound harsh, consider an on-prem environment 10 years ago. If we told you not to worry because a few users have domain admin access, but they need to click a button and drop a random comment in a textbox to activate it, you'd likely question the strength of such a control or if its a control at all. This scenario is akin to setting up a digital stop sign, more of a nominal checkpoint than a robust barrier, treated as a rolling yield rather than a definitive security measure.
Unfortunately, the just-in-time aspect also appears to negatively affect least-privilege. Admins feel more comfortable assigning identities roles when they are eligible, not active. They likely feel like they are not on the hook anymore for having given that access. The identities are then free to choose what they need (or think they need) at the time. Alternatively, the admins assign more permissive roles since they still need “activated”.
A practical review by Permiso revealed that the number of Global Administrators, attributed to eligible access, frequently exceeds the best practice maximum of 5, sometimes even doubling it. Of the users activating Global Administrator, in a 30 day period, the average of the identities would activate the role 5.5 of the 30 days, often more than once in that day. The top half of identities average closer to 15 of 30 days, suggesting either over privilege or identities that should be granted the role permanently, as their use is overly common.
A review of justifications often provides little meaning, no detail or a lone period being common place. The comments that do give indication of use will often suggest an IAM, Intune, Exchange or another specific use case, in all cases not requiring a Global Administrator.
While these issues highlight inherent weaknesses in the default or most common implementations of PIM, they also open the door to potential enhancements. Strengthening PIM requires not only a re-evaluation of its configuration but also the integration of complementary security measures.
These strategies will allow Privileged Identity Management to be useful beyond theory. Unfortunately, all too often, this control is treated like a checkbox after its purchase, or those charged with utilizing it give too much trust to the default settings. We set out to call out these practices, highlighting their lack of security value, ensuring organizations get the most out of their PIM implementations.
By moving beyond a mere compliance-driven approach and actively re-configuring and enhancing PIM according to these strategies, organizations can transform it from a nominal security measure into a robust, dynamic tool that genuinely protects their digital assets. This proactive stance in cybersecurity management is essential in an era of ever-evolving threats. It empowers organizations not only to meet but exceed security expectations, safeguarding their operations against sophisticated cyber risks in the cloud and beyond.
We strongly encourage everyone reading this to critically evaluate their own security implementations, PIM included. Taking a thorough and questioning approach to your security suite and configurations, asking whether they genuinely enhance security is crucial in creating more secure environments.