TL;DR: Azure PIM turns permanent Azure role assignments into time-bound activations, but the article argues that least privilege still depends on scope, role design, and recurring access reviews, according to Sonrai Security. Standing privilege remains the real cloud risk when eligibility becomes a substitute for governance.
NHIMG editorial — based on content published by Sonrai Security: Azure PIM: How to Set Up Just-in-Time Privileged Access
Questions worth separating out
Q: How should security teams implement just-in-time access for privileged cloud roles?
A: Start by identifying which privileged roles are truly needed, then make them eligible instead of permanently active.
Q: When does just-in-time access fail to reduce cloud risk?
A: It fails when the underlying role is still oversized, broadly scoped, or left eligible after the business need has ended.
Q: What do teams get wrong about privileged access management in Azure?
A: They often treat PIM as a complete PAM programme.
Practitioner guidance
- Review privileged assignments before enabling eligibility Document who currently holds directory and resource roles, why they hold them, and whether the scope still matches the work.
- Set activation windows by task duration Use the real duration of the privileged task as the maximum activation period.
- Require approval for high-sensitivity roles Make roles such as Global Administrator and Owner at subscription scope require explicit approval, not just self-activation with MFA and justification.
What's in the full article
Sonrai Security's full blog post covers the operational detail this post intentionally leaves for the source:
- Step-by-step Azure PIM setup decisions for directory roles and resource roles.
- Specific guidance on activation duration, MFA, justification, and approval settings.
- Microsoft Entra role categories and the practical differences between directory and Azure resource scopes.
- The article's discussion of Sonrai's product positioning for teams that want governance beyond PIM.
👉 Read Sonrai Security's guide to setting up just-in-time privileged access in Azure →
Azure PIM and just-in-time access: is standing privilege still the real problem?
Explore further
Azure PIM improves activation control, but it does not solve standing privilege by itself. The article is right to frame the problem as permanent privileged access that no one revisits. Time-bounding a role only matters if the scope is already correct and the activation window is shorter than the attacker’s dwell time. For cloud IAM teams, the real governance question is whether eligibility is being mistaken for least privilege.
A few things that frame the scale:
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to The 2026 Infrastructure Identity Survey.
- Only 13% of organisations feel extremely prepared for the reality of agentic AI, according to The 2026 Infrastructure Identity Survey.
A question worth separating out:
Q: How do you know whether privileged access governance is actually working?
A: Look for reduced standing assignments, shorter activation periods aligned to task duration, and access reviews that routinely remove unused eligibility. If users still hold broad roles long after projects end, the programme is active only on paper. Effective governance shrinks both access scope and access duration.
👉 Read our full editorial: Azure PIM exposes why standing privilege still dominates cloud access