Azure Landing Zones and PIM

Let’s continue our series on Azure Landing Zones. In this post, we explore some thoughts on how to implement Privileged Identity Management (PIM). If you want to follow along, here are links to the previous posts:

What is PIM?

Azure Active Directory Privileged Identity Management (PIM) improves the security of enterprise-scale Azure landing zone deployments by enforcing least privilege and authorization best practices. With PIM, administrators hold no standing privileged access: they activate the role they need, when they need it, for a bounded time, and the activation can require MFA, a justification, and an approver.

PIM lets administrators define, manage, and monitor the use of privileged identities within their organization. It offers time-bound access, approval workflows, and just-in-time activation, which help mitigate the risk of a breach caused by an insider or a compromised account: a credential stolen while no role is active grants nothing until the attacker can also pass the activation checks, and every activation leaves an audit record.

PIM does not replace Role-Based Access Control (RBAC); it changes how RBAC assignments are held. The role definitions and scopes are still Azure RBAC. With plain RBAC a role assignment is permanently active, so a user who needs Contributor once a month holds it around the clock. With PIM the same assignment is made eligible rather than active, and the user elevates only for the task at hand, at the scope the group or assignment covers, and only for the configured maximum duration. The result is the same granularity of roles and scopes as RBAC, with the time dimension added, which reduces the window for accidental or malicious misuse of privileged access.

Why PIM?

PIM is highly beneficial when doing an enterprise-scale Azure deployment because it helps to ensure the security and compliance of the deployment. The following are some of the key benefits of using PIM during an enterprise-scale Azure deployment:

  • Least Privilege: PIM enforces the principle of least privilege, so users hold elevated permissions only while performing the task that needs them. This reduces the blast radius of a compromised or misused account, because most of the time the account has no privileged role active at all.

  • Authorization Best Practices: PIM adds controls on the activation itself, such as time-bound activation, MFA at activation, a required justification, and optional approval workflows, so a compromised account can elevate only after passing those checks and only for a bounded window.

  • Improved Visibility: PIM records who was eligible for, who activated, and who approved each privileged role, and when. Combined with access reviews of eligible assignments, this makes it straightforward to track and monitor access to critical resources.

  • Enhanced Compliance: PIM helps organizations meet regulatory and industry standards, such as PCI DSS, by producing an auditable record of who held which privileged role, when, and why, and by ensuring that sensitive resources are only reachable by users who have been granted and have activated the necessary role.

  • Better Risk Management: By enforcing least privilege and authorization best practices, PIM helps to mitigate the risk of security breaches, making it easier for organizations to manage risk and maintain the security of their enterprise-scale Azure deployment.

My Thoughts

PIM is a pretty complex topic, so I’ll just rapid fire some thoughts here.

Firstly, I prefer to use PIM for Groups (eligible membership in an AAD group that holds the Azure role) rather than the PIM for Azure resources feature (eligible assignment of the Azure role itself). It seems like a better/cleaner path, and it also allows for plugging in other PIM solutions in the future (if you plan on using third-party tooling), since the Azure side only ever sees a plain group with a standing role assignment.

Secondly, I like the idea of granting the same Azure role at different levels of the hierarchy to different AAD groups. This way, administrators can not only choose the amount of permission they need, but they can also choose where in the hierarchy it is applied. If they know they only need to access a certain subscription to perform their work, they can limit their access appropriately by only requesting the appropriate AAD group. While this strategy may lead to many more AAD groups being created, I think the benefits are worth it.
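As an added example (not code from the original post), the script below wires up the two ideas above with the Az PowerShell module: the same Contributor role is assigned permanently to two different groups, one at a management group scope and one at a single subscription scope. The groups are the ones you would then onboard to PIM for Groups, so users are eligible rather than active members and pick the group, and therefore the scope, that fits the task. The group display names, management group ID and subscription ID are placeholders; the script assumes Az.Accounts and Az.Resources are installed and that Connect-AzAccount has already been run as an identity allowed to create role assignments at both scopes.

```powershell
# Added example, not from the original post.
# Grant the same Azure role at two levels of the hierarchy to two different groups.
# Placeholders: group display names, management group ID, subscription ID.
# Assumes Connect-AzAccount has been run with rights to create role assignments at both scopes.

$assignments = @(
    @{
        Group = 'pim-platform-contributors'                                   # placeholder
        Role  = 'Contributor'
        Scope = '/providers/Microsoft.Management/managementGroups/alz-platform' # placeholder MG
    },
    @{
        Group = 'pim-app1-sub-contributors'                                   # placeholder
        Role  = 'Contributor'
        Scope = '/subscriptions/00000000-0000-0000-0000-000000000000'         # placeholder sub
    }
)

foreach ($a in $assignments) {
    # Resolve the group by exact display name. Fail loudly on a typo or a duplicate
    # name rather than silently passing $null or the wrong object ID along.
    $group = @(Get-AzADGroup -DisplayName $a.Group)
    if ($group.Count -eq 0) { throw "Group '$($a.Group)' not found" }
    if ($group.Count -gt 1) { throw "Display name '$($a.Group)' is ambiguous; use an object ID instead" }
    $group = $group[0]

    # Idempotency check. Get-AzRoleAssignment -Scope also returns assignments inherited
    # from parent scopes, so compare the Scope property exactly: a Contributor assignment
    # inherited from the management group must not suppress the subscription-level one.
    $existing = Get-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $a.Role -Scope $a.Scope |
        Where-Object { $_.Scope -eq $a.Scope }

    if ($existing) {
        Write-Host "Already assigned: $($a.Role) -> $($a.Group) @ $($a.Scope)"
        continue
    }

    # The assignment to the group is permanent. Time-bound access comes from users being
    # only *eligible* members of the group (PIM for Groups), which is configured in AAD,
    # not through Azure RBAC.
    New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $a.Role -Scope $a.Scope | Out-Null
    Write-Host "Assigned: $($a.Role) -> $($a.Group) @ $($a.Scope)"
}
```

Two practical notes. First, the eligible memberships themselves (and the activation settings such as MFA, justification and maximum duration) live on the group in AAD PIM, so this script is only half the picture; the RBAC side stays static, which is exactly what makes the group approach easy to swap for another PIM product later. Second, group membership is evaluated when a token is issued, so after activating into a group the user needs a fresh token (for example signing in again with Connect-AzAccount or az login) before the new role is visible in Azure.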


In short, Azure makes using PIM pretty simple, and it should really be turned on everywhere, for every use case. You can make the transition easy by not requiring “approvals” to assume the correct roles, and you can still take advantage of all the other benefits it provides. Even without approvals, keeping MFA and a justification on activation costs the administrator a few seconds and keeps the audit trail meaningful.


About Shamir Charania

Shamir Charania, a seasoned cloud expert, possesses in-depth expertise in Amazon Web Services (AWS) and Microsoft Azure, complemented by his six-year tenure as a Microsoft MVP in Azure. At Keep Secure, Shamir provides strategic cloud guidance, combining senior architecture-level decision-making with the technical chops to back it all up. With a strong emphasis on cybersecurity, he develops robust global cloud strategies prioritizing data protection and resilience. Leveraging complexity theory, Shamir delivers innovative and elegant solutions to address complex requirements while driving business growth, positioning himself as a driving force in cloud transformation for organizations in the digital age.