TL;DR: Azure PIM turns permanent Azure role assignments into time-bound activations, but, as Sonrai Security's article argues, least privilege still depends on role scope, role design, and recurring access reviews. Standing privilege remains the real cloud risk whenever eligibility becomes a substitute for governance.
NHIMG editorial — based on content published by Sonrai Security: Azure PIM: How to Set Up Just-in-Time Privileged Access
Questions worth separating out
Q: How should security teams implement just-in-time access for privileged cloud roles?
A: Start by identifying which privileged roles are truly needed, then make them eligible instead of permanently active.
Q: When does just-in-time access fail to reduce cloud risk?
A: It fails when the underlying role is still oversized, broadly scoped, or left eligible after the business need has ended.
Q: What do teams get wrong about privileged access management in Azure?
A: They often treat PIM as a complete PAM programme.
Practitioner guidance
- Review privileged assignments before enabling eligibility: document who currently holds directory and resource roles, why they hold them, and whether the scope still matches the work.
- Set activation windows by task duration: use the real duration of the privileged task as the maximum activation period.
- Require approval for high-sensitivity roles: make roles such as Global Administrator and Owner at subscription scope require explicit approval, not just self-activation with MFA and justification.
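The three checks above can be run mechanically against an export of assignments and activation policies. The following is an added example, not code from the article or from Sonrai Security; the input records are constructed, and their field names only loosely mirror what Microsoft Graph returns for role assignment schedules and role management policies (an assumption, not the real API shape).

```python
"""Audit PIM exports for standing privilege, oversized activation windows,
and sensitive roles that can be self-activated without approval."""
from datetime import timedelta
import re

SENSITIVE_ROLES = {"Global Administrator", "Owner"}

# Constructed sample assignments: type is "Active" (standing) or "Eligible";
# endDateTime None means the assignment never expires.
ASSIGNMENTS = [
    {"principal": "alice", "role": "Global Administrator", "scope": "/",
     "type": "Active", "endDateTime": None},
    {"principal": "bob", "role": "Owner", "scope": "/subscriptions/sub-1",
     "type": "Eligible", "endDateTime": "2025-06-30T00:00:00Z"},
    {"principal": "carol", "role": "Reader", "scope": "/subscriptions/sub-1",
     "type": "Active", "endDateTime": "2025-03-01T00:00:00Z"},
]

# Constructed per-role activation policies; maximumDuration uses the ISO 8601
# form (e.g. PT8H) that PIM expiration rules use.
POLICIES = {
    "Global Administrator": {"maximumDuration": "PT8H", "approvalRequired": False,
                             "enabledRules": ["MultiFactorAuthentication", "Justification"]},
    "Owner": {"maximumDuration": "PT2H", "approvalRequired": True,
              "enabledRules": ["MultiFactorAuthentication", "Justification"]},
}

# Constructed: how long the privileged task actually takes, per role.
TASK_DURATIONS = {"Global Administrator": timedelta(hours=1), "Owner": timedelta(hours=2)}


def parse_iso_duration(value):
    """Parse PnDTnHnM (days/hours/minutes only) into a timedelta."""
    m = re.fullmatch(r"P(?:(\d+)D)?T?(?:(\d+)H)?(?:(\d+)M)?", value)
    if not m:
        raise ValueError(f"unsupported duration: {value}")
    days, hours, minutes = (int(x or 0) for x in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes)


def find_standing_privilege(assignments):
    """Permanent active assignments: the standing privilege PIM should replace."""
    return [a for a in assignments if a["type"] == "Active" and a["endDateTime"] is None]


def find_oversized_windows(policies, task_durations):
    """Roles whose activation window is longer than the documented task."""
    return sorted(r for r, p in policies.items()
                  if parse_iso_duration(p["maximumDuration"]) > task_durations.get(r, timedelta.max))


def find_self_activated_sensitive(policies):
    """Sensitive roles that rely on MFA + justification alone, with no approver."""
    return sorted(r for r, p in policies.items() if r in SENSITIVE_ROLES and not p["approvalRequired"])
```

Run each finder against your own export; an empty result for all three is the state the guidance above describes.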
What's in the full article
Sonrai Security's full blog post covers the operational detail this post intentionally leaves for the source:
- Step-by-step Azure PIM setup decisions for directory roles and resource roles.
- Specific guidance on activation duration, MFA, justification, and approval settings.
- Microsoft Entra role categories and the practical differences between directory and Azure resource scopes.
- The article's discussion of Sonrai's product positioning for teams that want governance beyond PIM.
Read Sonrai Security's guide to setting up just-in-time privileged access in Azure.
Azure PIM and just-in-time access: is standing privilege still the real problem?