Microsoft Privileged Identity Management

We regularly add more roles that require elevated access, so we’ve seen the number of managed users grow slowly but consistently. Privileged Identity Management focuses on the tools and processes we use for a subset of users that have administrative—or elevated—access to on-premises and cloud-hosted data and services at Microsoft. There are a couple of obvious ways we can look at reducing the risks, or attack surface, of elevated access—by reducing the number of accounts or the duration that an account has elevated access. CSEO and the product group are working together to automate the request-access process.

Employee submits access request through online form. Management reviews request and approves or denies it.

Of the roughly 285,000 identities that we currently manage at Microsoft, there are approximately 10,000 on-premises accounts and 400 Azure AD accounts of users who require elevated access to data and services. We can give users privileged access to Azure resources like Subscriptions, and Azure AD.

We wanted to better manage privileged identities and monitor elevated access for cloud resources. Microsoft doesn’t allow persistent elevated access, so we use the Azure Active Directory (Azure AD) Privileged Identity Management (PIM) feature of just-in-time role activation (JIT) to temporarily elevate the role-based access as needed for a defined time. The application will integrate both the on-premises privileged identity management tools and Azure AD PIM through its APIs. The application will provide a unified view for both cloud and on-premises elevated accounts, along with a single portal for our security administrators to monitor elevated access activity. However, our people still need to carry out privileged operations in Azure AD, Azure, Office 365, and SaaS apps.
Online training and multiple levels of approval might be required based on the type of request. User is added to the approved elevated access silo for the requested resource in the web portal that manages on-premises privileged access. User is added to the approved elevated access role for the requested Azure or Microsoft Online Services resource in Azure AD PIM. Employee signs in using multifactor authentication and the on-premises JIT tool elevates their privileges for a specific time-bound duration. Employee signs in to the Azure portal to manage their resource using multifactor authentication, and Azure AD PIM elevates their privileges for a specific time-bound duration. Monitoring team tracks elevations using web portal. Monitoring team views elevations in the Azure AD Privileged Management dashboard.

Historically, we could assign an employee to an administrative role through the Azure portal or through Windows PowerShell and that employee would be a permanent administrator; their elevated access would remain active in the assigned role. Azure AD PIM introduced the concept of permanent and eligible administrators in Azure AD and Azure. We’re considering requiring secure admin workstations for Azure AD global administrators. With Azure Active Directory PIM, we manage, control, and monitor access within our organization.

And, below there are the tasks we recommend for you for preparing for Azure roles, in order: After setting up Privileged Identity Management, you can learn your way around. To make it easier to open Privileged Identity Management, add a PIM tile to your Azure portal dashboard. In this article we will learn about the process of enabling Privileged Identity Management (PIM) and get started using it. However, using Privileged Identity Management (PIM) helps in managing, controlling, and monitoring access within your Azure Active Directory (Azure AD) organization.
The information also helps us determine whether our current elevation time settings are appropriate for the various privileged admin roles. We’re currently using similar processes but different methods and tools to manage privileged identities for Azure-based and on-premises assets or tenants. We’re streamlining and operationalizing our process by customizing and deploying an application that will automate and provide a single management point for the entire workflow for both Azure AD and on-premises identity management.
