- My personal notes about Microsoft SC-300 certification

Identity Provider (IdP)

An identity provider (IdP) is a system or service that creates, manages and stores digital identities (users, accounts or service identities) and authenticates them. Microsoft Entra ID is an example of an identity provider.

An IdP verifies a user's identity with one or more authentication factors, such as a password, a fingerprint scan or a hardware security key. It is usually the trusted party in a single sign-on (SSO) setup: other applications and services in the network rely on its authentication decision instead of authenticating the user themselves.

Because the user signs in once at the IdP, they can reach applications and services from different vendors without re-authenticating at each one; every application trusts the same IdP.

An IdP is also convenient for developers: an application can authenticate users through it without creating or storing its own user accounts and credentials.


Common Identity Protocols

Identity protocols handle authentication, authorization, and identity management. There are several identity protocols, but common ones are:

OpenID Connect (OIDC):
OIDC is an authentication protocol layered on OAuth 2.0, which by itself is only an authorization protocol. It lets a user sign in to a third-party application with an account held at an OpenID Provider (for example Google, Facebook, Apple or Microsoft Entra ID), so the user does not need a separate account for each application.

The OpenID Provider handles the authentication, so the application never sees or stores the user's password. In short: OAuth 2.0 provides authorization (delegated access to resources), OpenID Connect adds authentication (who the user is).

Concretely, the OpenID Provider issues an ID token, a signed JSON Web Token (JWT) carrying identity claims such as the subject identifier and issuer, to the relying party (the application) over HTTPS endpoints. The relying party must validate the token's signature, issuer, audience and expiry before trusting its claims.

SAML identity provider:
Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between an identity provider and a service provider (the application). Assertions are XML statements (who authenticated, when, with which attributes) that the service provider uses to make access-control decisions. Entra ID can act as the SAML identity provider for enterprise applications.

With these protocols, single sign-on (SSO) can be implemented in the network: a user signs in once at the IdP and is authenticated to every application and system that trusts it.


Administrative Units

Administrative units (AUs) logically group Entra ID objects (users, groups and devices). For example, you may create one AU per department and place that department's users and groups in it.

Without AUs, granting a user an administrator role gives them that role over every user and resource in the tenant, which conflicts with the principle of least privilege.

AUs allow more granular delegation of administrative permissions. For example, a helpdesk technician might only need to reset passwords for the users of one department.

You populate the AU with those users or groups and then assign the technician a role (for example Helpdesk Administrator, or a custom role) scoped to that AU rather than to the whole tenant.

The technician's permissions are then limited to the members of the AU and not the whole directory. The role's own restrictions still apply: a Helpdesk Administrator scoped to an AU still cannot reset the password of a user who holds a privileged role.
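The delegation described above, scripted with the Microsoft Graph PowerShell SDK. This is an added example, not part of the original notes; it assumes an account holding Privileged Role Administrator, a user attribute "department" populated in the directory, and placeholder names for the department and the technician's UPN.

```powershell
# Added example: scope the Helpdesk Administrator role to one department via an
# administrative unit. Assumes Microsoft Graph PowerShell SDK; department name and
# technician UPN are placeholders.
Connect-MgGraph -Scopes "AdministrativeUnit.ReadWrite.All","RoleManagement.ReadWrite.Directory","User.Read.All"

$department  = "Sales"
$helpdeskUpn = "helpdesk-sales@contoso.example"   # placeholder

# 1. Create the AU and populate it with the department's users.
$au = New-MgDirectoryAdministrativeUnit -DisplayName "AU-$department" `
        -Description "Users in the $department department"

$members = Get-MgUser -Filter "department eq '$department'" -All
foreach ($m in $members) {
    New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id `
        -BodyParameter @{ "@odata.id" = "https://graph.microsoft.com/v1.0/users/$($m.Id)" }
}

# 2. Resolve the Helpdesk Administrator directory role. Built-in roles only show up
#    in Get-MgDirectoryRole once activated, so activate from the template if needed.
$role = Get-MgDirectoryRole -Filter "displayName eq 'Helpdesk Administrator'"
if (-not $role) {
    $tmpl = Get-MgDirectoryRoleTemplate | Where-Object DisplayName -eq 'Helpdesk Administrator'
    $role = New-MgDirectoryRole -RoleTemplateId $tmpl.Id
}

# 3. Scope the role to the AU: the technician can reset passwords only for AU members.
$tech = Get-MgUser -UserId $helpdeskUpn
New-MgDirectoryAdministrativeUnitScopedRoleMember -AdministrativeUnitId $au.Id -BodyParameter @{
    roleId         = $role.Id
    roleMemberInfo = @{ id = $tech.Id }
}

# 4. Verify: the technician must hold no tenant-wide directory role. An empty result is what we want.
Get-MgUserMemberOf -UserId $tech.Id |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' }
```

Step 4 is the check worth keeping: a scoped assignment is pointless if the same account also has a tenant-wide assignment of the role from an earlier setup.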


Types of Users in Entra ID

  • Cloud identities: users created directly in Entra ID; their source is Microsoft Entra ID and all attributes are managed in the cloud.
  • Directory-synchronized identities: users that exist in on-premises Active Directory and are synchronized to Entra ID by Entra Connect (or Cloud Sync). Their source is Windows Server AD, so most attributes must be changed on-premises.
  • Guest users: identities from outside your tenant, for example users from another Entra tenant, personal Microsoft accounts (such as an Xbox account) or other identity providers, brought in through an invitation. Their user type is Guest and the creation type is Invitation. Guest accounts are normally used for third-party collaborators and contractors.

Deleting a User:
A deleted user is soft-deleted and kept for 30 days, after which it is permanently removed. Within those 30 days you can restore the account, including its group memberships and licenses.
Go to: Users > Deleted users > select the user > Restore

Assigning Licenses:
Licenses (Microsoft 365 and others) can be assigned to a user or to a group. To license several users at once, put them in a group and assign the licenses to the group (group-based licensing): members inherit the licenses and lose them when they leave the group. A user needs a usage location set before a license can be applied.
Go to: Groups > select the group > Licenses > Assignments


Entra ID Groups

There are two types of groups in Entra ID:

  1. Security Groups:
    Used to manage permissions and access control: role assignments, Conditional Access targeting, application access and licensing. This is the most commonly used type of Entra group.

  2. Microsoft 365 Groups (formerly Office 365 Groups):
    Created for collaboration; members get a shared mailbox, calendar, SharePoint site, files and so on.

Entra Group Membership Types
When you create a group you choose how members are added: assigned (manually) or dynamic (by rule).

  • Assigned Membership:
    Members are added manually to the group by clicking Add members.

  • Dynamic Membership:
    Members are added and removed automatically by a membership rule that is evaluated against user (or device) attributes such as department, jobTitle or accountEnabled. For example, a rule (user.department -eq "Sales") keeps the group in sync with the Sales department without anyone adding users by hand. Rules cannot key on sign-in activity, so "all inactive users" is not something a rule can express directly.

    Whatever you apply to the group (licenses, a Conditional Access policy, an application assignment) then applies to every member, which saves time and avoids forgotten users. Dynamic groups require an Entra ID P1 license, and membership changes take a few minutes to process. For a single user, an assigned group is the simpler choice.
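The dynamic group and the group-based licensing from the two sections above, as one added example with the Microsoft Graph PowerShell SDK (not part of the original notes). It assumes Entra ID P1, an account with Group Administrator and License Administrator rights, and that the tenant owns an "ENTERPRISEPACK" (Office 365 E3) SKU; the department and group names are placeholders.

```powershell
# Added example: dynamic security group from a membership rule, then a license
# assigned to the group. Assumes Microsoft Graph PowerShell SDK and Entra ID P1;
# names and the SKU part number are placeholders.
Connect-MgGraph -Scopes "Group.ReadWrite.All","Organization.Read.All","Directory.ReadWrite.All"

# Membership rules are evaluated against directory attributes, never against sign-in
# activity, so "enabled users in Sales" is the realistic shape of the rule.
$rule = '(user.department -eq "Sales") and (user.accountEnabled -eq true)'

$group = New-MgGroup -DisplayName "dyn-sales-users" `
    -MailEnabled:$false -MailNickname "dyn-sales-users" -SecurityEnabled `
    -GroupTypes @("DynamicMembership") `
    -MembershipRule $rule -MembershipRuleProcessingState "On"

# Group-based licensing: resolve the SKU, assign it to the group. Every current and
# future member receives the license; leaving the group removes it.
$sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq "ENTERPRISEPACK"
Set-MgGroupLicense -GroupId $group.Id `
    -AddLicenses @(@{ SkuId = $sku.SkuId; DisabledPlans = @() }) `
    -RemoveLicenses @()

# Membership and licensing are processed asynchronously; run the check a few
# minutes later. Typical failure: user has no UsageLocation.
function Get-LicenseProblems([string]$GroupId, [string]$SkuId) {
    Get-MgGroupMember -GroupId $GroupId -All | ForEach-Object {
        $u = Get-MgUser -UserId $_.Id -Property Id,UserPrincipalName,UsageLocation,LicenseAssignmentStates
        $state = $u.LicenseAssignmentStates | Where-Object SkuId -eq $SkuId
        if (-not $state -or $state.State -ne "Active") {
            [pscustomobject]@{
                User          = $u.UserPrincipalName
                UsageLocation = $u.UsageLocation
                State         = if ($state) { $state.State } else { "NotAssigned" }
                Error         = if ($state) { $state.Error } else { $null }
            }
        }
    }
}
Get-LicenseProblems -GroupId $group.Id -SkuId $sku.SkuId | Format-Table -AutoSize
```

The problem report is the part a practitioner actually needs: group-based licensing fails silently per user (no usage location, not enough licenses, conflicting service plans), and those users show an error state on the license assignment rather than a failed cmdlet.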


Security Defaults

Security defaults are a set of basic identity security settings recommended by Microsoft. When enabled, they are enforced for the whole tenant at no extra cost, protecting administrators and users from the most common identity attacks (password spray, phishing, replay).

If the company uses the free tier of Entra ID, security defaults are the way to enforce MFA and basic protections. With an Entra ID P1/P2 license, Conditional Access policies give finer control and are the recommended replacement.

By default, security defaults are enabled for newly created Entra ID tenants.

Important:
Security defaults and Conditional Access cannot be active at the same time. Disable security defaults first, then create your Conditional Access policies, and make sure those policies cover what security defaults enforced before you turn them off.

What security defaults enforce: all users must register for MFA with Microsoft Authenticator, administrators must use MFA, users must use MFA when the sign-in looks risky, legacy authentication protocols (basic authentication for IMAP, POP, SMTP and older Office clients) are blocked, and privileged actions such as accessing the Azure portal require MFA.
Go to: Entra admin center > Identity > Overview > Properties > Manage security defaults

Guest Accounts (External Identities)

Guest accounts in Entra ID are also called external identities. These users do not initially exist in your tenant; a guest user object is created automatically in your tenant when the user is invited.

You can add guest users to groups and apply settings to them just like a member user of your tenant. This functionality is part of Microsoft Entra B2B collaboration.

Guest users have limited directory access by default and only see the resources explicitly shared with them. They sign in with the credentials of their home tenant or identity provider, not with a password stored in your tenant. Guest user principal names contain #EXT#.

A scenario for guest users could be, for example, when you need to have a shared Teams channel between your and another company’s employees. In that case, you will invite the other company users to your tenant as guest users and share the preferred resources with them (such as Teams channel).

To restrict the default access settings of guest users:

Go to:
Entra admin center > Identity > External identities > Overview > External Collaboration Settings


Inviting Guest Users

You can invite partners or employees of other companies to your shared resources (applications, etc.) in two ways:

Individually Inviting a Guest User

Go to:
Entra admin center > Users > Create new user > Invite external identity

Bulk Inviting Guest Users

Go to:
Entra admin center > Users > Bulk Operation > Download CSV
Fill out the CSV file but do not delete or change the first two rows
Upload the CSV file

💡 Tip: Before inviting guest users, make sure your default settings for guest users are properly configured as a security best practice.

Go to:
Entra admin center > Identity > External identities > Overview > External Collaboration Settings
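The guest-access hardening and the individual and bulk invitations from the sections above, as one added example using the Microsoft Graph PowerShell SDK (not from the original notes). It assumes a Global Administrator account; the e-mail addresses, display names and the redirect URL are placeholders, and the CSV content is constructed inline for the example.

```powershell
# Added example: restrict guest defaults, then invite guests one at a time and
# from a CSV. Assumes Microsoft Graph PowerShell SDK and a Global Administrator;
# addresses and URLs are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization","User.Invite.All","User.Read.All"

# Guest access level and who may invite are stored on the tenant authorization policy.
# Built-in guest role template ID for "restricted" access (fixed across tenants):
$GuestRestricted = "2af84b1e-32c8-42b7-82bc-daa82404023b"
Update-MgPolicyAuthorizationPolicy -AuthorizationPolicyId "authorizationPolicy" `
    -GuestUserRoleId $GuestRestricted `
    -AllowInvitesFrom "adminsAndGuestInviters"   # ordinary members cannot invite

# Individual invitation
$inv = New-MgInvitation -InvitedUserEmailAddress "jane@partner.example" `
    -InvitedUserDisplayName "Jane (Partner)" `
    -InviteRedirectUrl "https://myapps.microsoft.com" `
    -SendInvitationMessage
"{0} -> {1} (object {2})" -f $inv.InvitedUserEmailAddress, $inv.Status, $inv.InvitedUser.Id

# Bulk invitation from a CSV with columns Email,DisplayName (constructed here;
# in practice use Import-Csv on the file).
$rows = @"
Email,DisplayName
a.lee@partner.example,Alex Lee
m.ortiz@partner.example,Maria Ortiz
"@ | ConvertFrom-Csv

function Invoke-BulkInvite($Rows, [string]$RedirectUrl) {
    foreach ($row in $Rows) {
        try {
            $r = New-MgInvitation -InvitedUserEmailAddress $row.Email -InvitedUserDisplayName $row.DisplayName `
                -InviteRedirectUrl $RedirectUrl -SendInvitationMessage
            [pscustomobject]@{ Email = $row.Email; Status = $r.Status; ObjectId = $r.InvitedUser.Id }
        } catch {
            # e.g. address already exists as a guest, or inviting is blocked for that domain
            [pscustomobject]@{ Email = $row.Email; Status = "error: $($_.Exception.Message)"; ObjectId = $null }
        }
    }
}
Invoke-BulkInvite -Rows $rows -RedirectUrl "https://myapps.microsoft.com" | Format-Table -AutoSize

# Guests are recognisable by userType Guest and the #EXT# marker in the UPN.
Get-MgUser -Filter "userType eq 'Guest'" -Property UserPrincipalName,CreatedDateTime,ExternalUserState -All |
    Select-Object UserPrincipalName, CreatedDateTime, ExternalUserState
```

The last query is also the periodic hygiene check: guests that stay in PendingAcceptance for weeks were probably invited by mistake and can be removed before they accept.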


Tasks to Complete in Premium Entra on Work Computer

  1. Set up Entra verifiable credentials
  2. Create dynamic groups
  3. Customize access control and permissions to guest users

Terms of Use

In Entra ID, you can set up Terms of Use which refers to corporate policies that users must read and accept before they can access certain resources. These terms can be customized by the organization and are used to ensure compliance and security.

Example scenarios include:

  • GDPR policy being displayed to users to stay compliant
  • Warning that user actions are recorded in case of misuse

To Enable Terms of Use:

  1. Go to:
    Entra admin center > Protection > Conditional Access > Terms of use
  2. Create a Terms of Use policy and upload your PDF document (one per language if needed; optionally require users to expand the document before accepting)
  3. Create a Conditional Access Policy and in the Grant section, select your Terms of Use policy

Terms of Use are enforced through a Conditional Access policy (this needs Entra ID P1).
While creating Terms of Use, you will be asked to either create a Conditional Access Policy now or later.

The first time a sign-in matches the policy, the user must accept the terms; a user who declines is not granted access. Acceptance is recorded per user (useful as evidence for audits), and the terms can be set to expire so that users must accept them again on a schedule.


B2B Direct Connect

B2B Direct Connect requires mutual trust between two Microsoft Entra organizations, enabling access to each other’s resources. Both organizations must enable B2B Direct Connect in their cross-tenant access settings.

Once established, users can access external resources with single sign-on using their home organization’s credentials.

Currently, this capability works with Teams shared channels, allowing users to seamlessly access shared channels without additional sign-ins.

Example Scenario:
If employees from two companies need to collaborate, both companies can enable B2B Direct Connect to access shared Teams channels and communicate directly without needing to sign in to the external company.


Entra Connect Authentication Options

Entra Connect is used to synchronize an on-prem AD with cloud-based Entra ID. There are three main authentication options:

1. Password Hash Synchronization (PHS)

  • Synchronizes a hash of each user's on-prem password hash to Entra ID (every two minutes); the cleartext password never leaves the domain
  • Users sign in with the same password on-premises and in the cloud
  • Easiest to set up, no on-prem infrastructure in the sign-in path, so cloud sign-in keeps working during an on-prem outage
  • Limitation: on-prem account state (disabled, expired) only reaches Entra ID with the next sync cycle, and on-prem lockout and logon-hour restrictions are not enforced for cloud sign-ins
  • Required for leaked-credential detection in Identity Protection

2. Passthrough Authentication (PTA)

  • Validates the password directly against on-prem AD at sign-in time; no password hashes are stored in the cloud
  • Requires one or more lightweight authentication agents installed on on-prem Windows servers (use at least two for high availability; they only make outbound connections)
  • On-prem password policies and account states are enforced in real time
  • Recommendation: enable PHS alongside PTA as a fallback in case all agents are unavailable

3. Federated Authentication

  • Entra ID hands off authentication to a trusted system like AD FS
  • Supports advanced authentication methods (e.g., smartcards, third-party MFA)
  • Required when Entra ID doesn’t support specific authentication needs natively

Entra Cloud Sync vs Entra Connect

Cloud Sync and Entra Connect both synchronize on-prem AD infrastructure to Microsoft Entra ID, but Cloud Sync is the newer tool.

Cloud Sync:

  • More lightweight (less overhead)
  • Configuration is done in the cloud
  • Simpler to set up and use
  • Supports multi-forest environments
  • Does not support passthrough authentication
  • Less feature-rich than Entra Connect

Multi-Forest Environment:
Occurs when a company merges with or acquires another company, requiring synchronization across multiple AD forests.

Entra Connect:

  • More feature-rich and complex
  • Recommended for organizations needing advanced hybrid AD synchronization features

Entra Connect Health

Used to monitor the health of your on-prem identity infrastructure. Reports failures and issues in the Entra Connect Health Portal.

Helps maintain reliable connections with Microsoft online services and Microsoft 365.


Communication Templates

Microsoft provides predefined communication templates for various purposes:

  • Registering Microsoft Authenticator for MFA
  • MFA requirement notifications
  • Self-service password reset instructions

These templates can be downloaded and emailed to corporate users.


Configuring Multifactor Authentication (MFA)

Microsoft states that MFA blocks more than 99.9% of account compromise attacks.

Go to:
Entra admin center > Protection > Multifactor authentication

Settings on that page (legacy per-user MFA and service settings) include:

  • Verification methods: SMS, Authenticator app (notification or code), voice call
  • Account lockout: lock an account after a number of failed MFA attempts
  • Fraud alert / report suspicious activity: users flag MFA prompts they did not initiate; the account can be blocked and Identity Protection raises the user's risk
  • Block/unblock users

Prefer managing the available methods under Authentication methods > Policies and enforcing MFA through Conditional Access rather than per-user MFA.

Trusted Locations:
Restrict MFA registration (security info registration) to trusted office networks with a Conditional Access policy:

  • Target resources > User actions > Register security information
  • Conditions > Locations > Include: Any location, Exclude: All trusted locations (define the office IP ranges as trusted named locations first)
  • Grant > Block access


Temporary Access Pass

A Temporary Access Pass (TAP) is a time-limited passcode that lets a user sign in and register strong authentication methods (Authenticator, FIDO2 security keys) without a password. It also works for recovery when a user has lost their phone or key. TAP must first be enabled in the authentication methods policy.

Example:
Create a new user → issue a Temporary Access Pass instead of communicating a password → the user signs in with the TAP and registers Authenticator or a security key at first sign-in.

Go to:
Users > select the user > Authentication methods > Add authentication method > Temporary Access Pass


Conditional Access Policy (CA)

Conditional Access means access is granted only when specific conditions are met.

Conditions (signals) a policy can evaluate:

  • Users and groups, including directory roles and guests
  • Target resources: specific cloud applications or user actions
  • Network/location: trusted vs. untrusted networks, named locations, countries
  • Device platform (operating system) and device state (compliant, hybrid joined)
  • Client app type (browser, mobile/desktop apps, legacy authentication clients)
  • User risk and sign-in risk (Identity Protection, requires P2)

Access controls:

  • Grant: require MFA, compliant device, Microsoft Entra hybrid joined device, approved client app, app protection policy, password change or terms of use (require one of them or all of them)
  • Block access
  • Session: sign-in frequency, persistent browser session, app-enforced restrictions

Configuring Conditional Access Policy

You can create a policy from scratch or use a template.

Go to:
Entra admin center > Protection > Conditional Access Policy > Create new policy

Configuration Steps:

  • Define trigger conditions
  • Choose actions (block or require MFA)
  • Specify applications
  • Define allowed devices or apps

Named Locations

Used to block or allow:

  • Countries
  • Specific IP addresses
  • IP ranges

Example:
Block countries where the company does not operate, or IP ranges attributed to known threat actors (APT groups).

Block them in the CA policy (which covers cloud sign-ins) and also at the perimeter firewall for on-premises resources.

Exclude the Following Users (Accounts)

Always exclude:

  • Break-the-glass (emergency access) accounts, which hold Global Administrator
  • User accounts used as service accounts by scripts or backend services (they cannot complete MFA)

Reason:
To prevent locking everyone, including the administrators, out of the tenant during a ransomware or other incident, or because of a misconfigured policy.

Service Accounts and Service Principals

  • Service accounts (ordinary user accounts used non-interactively by backend services) cannot complete MFA programmatically, so exclude them from MFA policies and give them their own, narrower policy (for example, allow sign-in only from known IP ranges)
  • Service principals (application identities) are not evaluated by user-scoped CA policies at all; controlling them requires Conditional Access for workload identities, which targets service principals by location and risk

Recommendation:
Where the workload runs in Azure, replace service accounts with managed identities so there are no credentials to manage at all.

💡 Tip: CA policies are evaluated when a token is issued (at sign-in or token refresh). Existing sessions are unaffected until the token is refreshed, the session is revoked, or continuous access evaluation triggers a re-check for supported apps.


Authentication Context

Enables fine-grained access control within cloud apps.

Example:
Require managed device to view or download sensitive SharePoint documents.

Go to:
Conditional Access Policy > Target Resources > Authentication context

Benefit:
Avoids overly restrictive or under-protective policies by targeting specific actions.


Creating an Emergency Access Account in Entra ID

Emergency access (break-the-glass) accounts are vital for disaster recovery: they get you back into the tenant when a CA policy, an MFA outage or a federation failure locks out the normal administrators.

Steps:

  1. Create a new cloud-only user in Entra ID (not synchronized from on-prem, not federated) with a long, randomly generated password stored offline in a secure location
  2. Assign the Global Administrator role permanently (not through PIM)
  3. Exclude the account from every Conditional Access policy and from per-user MFA; Microsoft recommends at least two such accounts
  4. Monitor the account: alert on every sign-in, and test on a regular schedule that it still works

Best Practices for CA Policy Configuration

Avoid these configurations:

For All Users, All Cloud Apps:

  • Block access
  • Require Microsoft Entra hybrid joined device (cloud-only devices and guests can never satisfy it)
  • Require app protection policy (without Intune)

For All Users, All Cloud Apps, All Device Platforms:

  • Block access

💡 Tip: Always double-check exclusions to prevent locking out the entire organization.


Revoking User Sessions

When a user’s session is revoked it will require the user to re-sign-in from all devices.
Simply go to the user page and then click on Revoke Sessions.

Rule of thumb:
Everything that needs to be done on a user will be available in the specific user’s page, and everything that needs to be done on a group will be available in the specific group’s page.

To block a user:

  • Go to the user's page, disable the account (Account enabled: No) and click Revoke sessions; this is the reliable option for a compromised account
  • Or add the user to a group targeted by a blocking Conditional Access policy; this takes effect only at the next token issuance, so combine it with revoking sessions

Steps:

  1. Create a group such as blocked-accounts
  2. Create a Conditional Access policy that includes the blocked-accounts group and all cloud apps, with Grant > Block access
  3. Add users to the group to block them
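The Conditional Access material above (security defaults check, named location, break-glass exclusion, report-only rollout, and the blocked-accounts group) as one added example with the Microsoft Graph PowerShell SDK. It is not from the original notes; it assumes Entra ID P1, a Conditional Access Administrator, break-glass accounts whose UPNs start with "bg-", an existing "blocked-accounts" group, and a placeholder country list.

```powershell
# Added example: baseline Conditional Access via Microsoft Graph PowerShell.
# Assumes Entra ID P1; account names, group name and countries are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","Group.Read.All","User.Read.All"

# 0. CA and security defaults are mutually exclusive: refuse to continue otherwise.
if ((Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy).IsEnabled) {
    throw "Disable security defaults before creating Conditional Access policies."
}

# 1. Exclusions. Break-glass accounts must never be caught by any policy.
$breakGlass = @((Get-MgUser -Filter "startswith(userPrincipalName,'bg-')" -All).Id)
if ($breakGlass.Count -eq 0) { throw "No break-glass accounts found; create them first." }
$blockedGrp = (Get-MgGroup -Filter "displayName eq 'blocked-accounts'").Id

# 2. Named location: countries the company has no presence in.
$loc = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Countries without business presence"
    countriesAndRegions               = @("KP", "SY")
    includeUnknownCountriesAndRegions = $true
}

# Every policy starts in report-only mode (impact visible in the sign-in log before
# enforcement) and every policy excludes the break-glass accounts.
function New-CaPolicy([string]$Name, [hashtable]$Users, [hashtable]$Extra, [string[]]$Controls) {
    $Users.excludeUsers = $breakGlass
    $conditions = @{ users = $Users; applications = @{ includeApplications = @("All") }; clientAppTypes = @("all") }
    foreach ($k in $Extra.Keys) { $conditions[$k] = $Extra[$k] }
    New-MgIdentityConditionalAccessPolicy -BodyParameter @{
        displayName   = $Name
        state         = "enabledForReportingButNotEnforced"
        conditions    = $conditions
        grantControls = @{ operator = "OR"; builtInControls = $Controls }
    }
}

# 3. Require MFA for all users and all cloud apps.
New-CaPolicy -Name "CA001 Require MFA for all users" -Users @{ includeUsers = @("All") } -Extra @{} -Controls @("mfa")

# 4. Block the named location for everyone (cloud sign-ins only; add the same ranges at the firewall).
New-CaPolicy -Name "CA002 Block sign-ins from blocked countries" -Users @{ includeUsers = @("All") } `
    -Extra @{ locations = @{ includeLocations = @($loc.Id) } } -Controls @("block")

# 5. Block members of the blocked-accounts group. Tokens already issued survive until
#    refresh, so for real incidents also disable the account and revoke sessions.
New-CaPolicy -Name "CA003 Block blocked-accounts group" -Users @{ includeGroups = @($blockedGrp) } -Extra @{} -Controls @("block")

# 6. Audit: report any policy that does not exclude every break-glass account.
foreach ($p in (Get-MgIdentityConditionalAccessPolicy -All)) {
    $missing = $breakGlass | Where-Object { $_ -notin $p.Conditions.Users.ExcludeUsers }
    if ($missing) { "{0}: missing break-glass exclusion for {1}" -f $p.DisplayName, ($missing -join ",") }
}
```

Switch a policy from enabledForReportingButNotEnforced to enabled only after the report-only results in the sign-in log show no unexpected blocks; the audit loop at the end is worth running as a scheduled check, because a later edit by another admin can silently drop the exclusion.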

FIDO2 (Fast Identity Online)

FIDO2 is a passwordless, phishing-resistant authentication method: a hardware security key (USB, NFC or Bluetooth) or a platform authenticator built into the device holds a private key, and the server keeps only the matching public key.

At registration the authenticator generates a key pair for that specific relying party (here Entra ID) and sends the public key to Entra ID. At sign-in Entra ID sends a challenge, the authenticator signs it after the user unlocks the key with a PIN or biometric, and Entra ID verifies the signature with the stored public key. The private key never leaves the device.
FIDO2 uses asymmetric keys like PKI, but there are no certificates and no certificate authority: trust is established per service at registration, and the credential is bound to the service's origin, so a phishing site cannot obtain a usable signature.

Why FIDO2 is Secure:

  • Eliminates passwords and with them phishing, credential stuffing and password spray
  • Nothing stored on the server can be reused elsewhere; a breached database yields only public keys
  • Two factors in one step:
    • Factor 1: something you have (the security key)
    • Factor 2: something you know or are (the key's PIN or fingerprint)

Common Use Cases:
Government, military and other high-assurance environments, and increasingly the default for administrators anywhere.

Configuring FIDO2

Step 1:
Enable the method and choose who may use it:
Entra admin center > Protection > Authentication methods > Policies > FIDO2 security key
Set Enable to Yes, choose target users or groups, and decide on attestation enforcement and key restrictions (allow or block specific key models by AAGUID)

Step 2:
Users register their own keys:

  1. Visit https://mysignins.microsoft.com/security-info (also reachable via https://myprofile.microsoft.com > Security info)
  2. Click Add sign-in method > Security key
  3. Registering a key is a sensitive action, so the user must already have completed MFA (or signed in with a Temporary Access Pass) in that session; a user with no MFA method yet registers one first and then comes back
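The Temporary Access Pass section and the FIDO2 configuration above together, as one added example with the Microsoft Graph PowerShell SDK (not from the original notes). It assumes Authentication Policy Administrator and Authentication Administrator rights, a pilot group named "fido2-pilot", and a placeholder new-hire UPN.

```powershell
# Added example: enable FIDO2 keys and Temporary Access Pass in the authentication
# methods policy, then issue a TAP so a new hire bootstraps a security key instead
# of a password. Assumes Microsoft Graph PowerShell SDK; names are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod","UserAuthenticationMethod.ReadWrite.All","User.Read.All","Group.Read.All"

$pilot = (Get-MgGroup -Filter "displayName eq 'fido2-pilot'").Id

# FIDO2: enabled for the pilot group, attestation enforced so only keys whose
# manufacturer metadata verifies are accepted.
Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "Fido2" -BodyParameter @{
        "@odata.type"                    = "#microsoft.graph.fido2AuthenticationMethodConfiguration"
        state                            = "enabled"
        isAttestationEnforced            = $true
        isSelfServiceRegistrationEnabled = $true
        includeTargets                   = @(@{ targetType = "group"; id = $pilot; isRegistrationRequired = $false })
    }

# Temporary Access Pass: short lifetimes, single use.
Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "TemporaryAccessPass" -BodyParameter @{
        "@odata.type"            = "#microsoft.graph.temporaryAccessPassAuthenticationMethodConfiguration"
        state                    = "enabled"
        defaultLifetimeInMinutes = 60
        minimumLifetimeInMinutes = 10
        maximumLifetimeInMinutes = 480
        isUsableOnce             = $true
        includeTargets           = @(@{ targetType = "group"; id = $pilot })
    }

# Issue a TAP. The pass value is returned exactly once; deliver it out of band
# (phone call, in person), never by e-mail to the mailbox it unlocks.
function New-OnboardingTap([string]$Upn, [int]$Minutes = 60) {
    $user = Get-MgUser -UserId $Upn
    $tap  = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $user.Id -BodyParameter @{
        lifetimeInMinutes = $Minutes
        isUsableOnce      = $true
    }
    [pscustomobject]@{
        User       = $user.UserPrincipalName
        Pass       = $tap.TemporaryAccessPass
        ValidUntil = $tap.StartDateTime.AddMinutes($tap.LifetimeInMinutes)
    }
}
New-OnboardingTap -Upn "new.hire@contoso.example" -Minutes 60

# After onboarding: confirm a key exists and clean up any unused pass.
$uid = (Get-MgUser -UserId "new.hire@contoso.example").Id
Get-MgUserAuthenticationFido2Method -UserId $uid | Select-Object DisplayName, Model, AaGuid, CreatedDateTime
Get-MgUserAuthenticationTemporaryAccessPassMethod -UserId $uid | ForEach-Object {
    Remove-MgUserAuthenticationTemporaryAccessPassMethod -UserId $uid -TemporaryAccessPassAuthenticationMethodId $_.Id
}
```

A sign-in with the TAP counts as strong authentication, which is what lets the user register the FIDO2 key on first sign-in without a pre-existing MFA method.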

OATH One-Time Password Tokens

OATH is the open standard behind time-based one-time passwords (TOTP). In corporate environments OATH OTP tokens are widely used as the second factor for remote VPN access, and Entra ID accepts them as an MFA method as well.

Each employee has:

  • A hardware OTP token (Entra ID supports OATH-TOTP hardware tokens with SHA-1 and a 30- or 60-second interval; an admin uploads serial numbers and secret keys as a CSV, then the user activates the token), or
  • A software OTP generator on their mobile device (Microsoft Authenticator or any other TOTP app)

Login Process:

  • Enter the standard credentials (something you know)
  • Enter the one-time password from the token (something you have)

This gives two-factor authentication for the corporate network, but because the user types the code it can be relayed by a real-time phishing site; FIDO2 removes that weakness.


Self-Service Password Resets

Allows users to reset or change their passwords without admin or helpdesk support.

Benefits:

  • Increases efficiency
  • Saves helpdesk time and resources

Configuring Self-Service Password Reset

  1. Create a group for the users allowed to use SSPR (or enable it for all users)
  2. Go to:
    Entra Admin Center > Protection > Password reset > Properties > Self service password reset enabled: Selected > choose the group
  3. Under Authentication methods, set how many methods are required (two is the safer choice) and which ones (Authenticator app, e-mail, mobile phone, security questions)
  4. For synchronized users, enable password writeback in Entra Connect so the new password reaches on-prem AD

User Registration:

  • Visit https://myprofile.microsoft.com
  • A “More information is required” window will appear
  • User registers for self-service password reset
  • After registration, users can reset their password anytime

Devices That Should Not Be Internet-Facing

These devices should never be exposed directly to the internet:

  • Domain controllers
  • Industrial control systems (IoT, OT sensors)
  • Database servers
  • File shares
  • Network-attached storage

Warning:
If these devices generate internet-related traffic or alerts (e.g., brute-force, scanning), investigate immediately.


Entra ID Password Protection

Blocks users from creating weak or banned passwords.

💡 Tip: Accounts created before enabling password protection are unaffected unless passwords are updated.

Enabling Password Protection

  1. Go to:
    Entra Admin Center > Protection > Authentication Methods > Password Protection
  2. Choose Audit mode first (violations are only logged), review the results, then switch to Enforced. Add company-specific terms (product names, city, internal jargon) to the custom banned password list; the global banned list is always applied. Protecting on-prem AD as well requires the password protection proxy service and the DC agent.

Smart Lockouts

Protects against brute-force, password spray and credential stuffing attacks by temporarily locking an account after repeated failures.

Features:

  • Always enabled for cloud authentication
  • Default lockout threshold of 10 failed attempts (Azure public cloud), followed by a one-minute lockout that grows with further failures
  • Distinguishes familiar sign-in locations (where the user has signed in successfully before) from unfamiliar ones, so an attacker elsewhere gets locked out while the legitimate user at the usual location may not be
  • Threshold and duration are customizable with Entra ID P1/P2

Customizing Smart Lockouts

Go to:
Entra Admin Center > Protection > Authentication Methods > Password Protection
Enter preferred lockout settings


Persistent Browser Session

Allows users to remain signed in after closing and reopening their browser.

Default Behavior:
Users on personal devices see a “Stay signed in?” prompt after successful authentication.


Sign-In Frequency

In Conditional Access (CA) policies, configure session controls to require re-authentication after a set time.

Examples:

  • Default: 90 days
  • Custom: Every 8 hours, every week, etc.

Configuring Sign-In Frequency

Go to:
Conditional Access Policy > Create New Policy > Session > Sign-In Frequency
Choose preferred time period


Identity Protection

Detects, investigates, and remediates identity-related risks.

Two Types of Risks:

  1. User Risks: User may be compromised
  2. Sign-In Risks: Sign-in may be unauthorized

Risk Indicators:

  • Anonymous IP usage
  • Password spray attacks
  • Leaked credentials
  • And more…

Technology Used:

  • Heuristics and machine learning over sign-in telemetry
  • Microsoft threat intelligence (for example, credentials found in leaked-credential dumps, known anonymizer and attacker infrastructure)
  • Detections from other Microsoft security products, such as Microsoft Defender for Cloud Apps

Configuring User Risk Policy

Best configured via Conditional Access Policy:

  1. Create CA Policy > Conditions > User Risks
  2. Set to Medium and High (avoid Low to reduce false positives)
  3. Access Control > Grant > Require MFA and Secure Password Change
  4. Sessions > Sign-In Frequency > Every Time
  5. Test in Report-Only Mode or enable directly

Best Practice for User Risk Policy

Instead of blocking compromised users:

  • Require MFA
  • Require password change

Why:
Allows self-remediation without admin intervention

Requirements for Self-Remediation:

  • Users must be registered for MFA
  • Self-Service Password Reset must be enabled

Otherwise, sign-ins will be blocked.


Configuring Sign-in Risk Policy

The sign-in risk policy is configured the same way as the user risk policy, but the recommendation is to require MFA rather than block. Blocking may keep real users out (a travelling employee on a VPN, for example), whereas a passed MFA challenge is strong evidence that the sign-in is legitimate and automatically clears the sign-in risk.

Steps to Configure Sign-in Risk Policy:

  1. Create a CA policy
    Go to: Conditions > Sign-in Risks

  2. Set risk level to medium and high
    Avoid selecting low to reduce false positives and prevent unnecessary user interruptions.

  3. Access control > Grant > Require MFA
    This ensures that sign-ins are verified securely.

  4. Session controls > Sign-in frequency > Every time
    Forces reauthentication at every sign-in attempt.

  5. Test the policy
    Save it in report-only mode for evaluation or enable it directly for enforcement.


Investigating Risks

Identity Protection provides three types of risk reports that can be analyzed to investigate or manually remediate risks such as changing user passwords, disabling accounts, and more.

1. Risky Sign-ins Reports

Sign-ins that Identity Protection flags as risky are listed here, with the detections that triggered the flag.
You can filter the output to swiftly find what you are looking for.

2. Risky User Reports

All users which Identity Protection thinks are compromised will end up here.
These reports also contain risks remediated by users themselves, so both active risks and historical risk logs are included.

3. Risk Detection Reports

With the information provided by the Risk Detection Report, administrators can find:

  • Information about each risk detection including type
  • Other risks triggered at the same time
  • Sign-in attempt location
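The user-risk and sign-in-risk policies from the two configuration sections above, plus a triage pass over the risky-user and risk-detection reports, as one added example with the Microsoft Graph PowerShell SDK (not from the original notes). It assumes Entra ID P2, Conditional Access Administrator and Security Administrator rights, and break-glass accounts whose UPNs start with "bg-".

```powershell
# Added example: risk-based CA policies and a triage/containment pass.
# Assumes Entra ID P2 and Microsoft Graph PowerShell SDK; account naming is a placeholder.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","IdentityRiskyUser.ReadWrite.All","IdentityRiskEvent.Read.All","User.ReadWrite.All"

$breakGlass = @((Get-MgUser -Filter "startswith(userPrincipalName,'bg-')" -All).Id)
$everyTime  = @{ signInFrequency = @{ isEnabled = $true; frequencyInterval = "everyTime"
                                      authenticationType = "primaryAndSecondaryAuthentication" } }

# User risk medium/high: MFA AND a secure password change (operator must be AND),
# re-evaluated at every sign-in. Report-only until the impact has been reviewed.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName     = "CA010 User risk: MFA and password change"
    state           = "enabledForReportingButNotEnforced"
    conditions      = @{
        users          = @{ includeUsers = @("All"); excludeUsers = $breakGlass }
        applications   = @{ includeApplications = @("All") }
        userRiskLevels = @("medium", "high")
    }
    grantControls   = @{ operator = "AND"; builtInControls = @("mfa", "passwordChange") }
    sessionControls = $everyTime
}

# Sign-in risk medium/high: require MFA rather than block.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName     = "CA011 Sign-in risk: require MFA"
    state           = "enabledForReportingButNotEnforced"
    conditions      = @{
        users            = @{ includeUsers = @("All"); excludeUsers = $breakGlass }
        applications     = @{ includeApplications = @("All") }
        signInRiskLevels = @("medium", "high")
    }
    grantControls   = @{ operator = "OR"; builtInControls = @("mfa") }
    sessionControls = $everyTime
}

# Triage: users still at risk (not remediated, not dismissed) with their latest detections.
function Get-RiskTriage() {
    $atRisk = Get-MgRiskyUser -Filter "riskState eq 'atRisk'" -All | Where-Object RiskLevel -ne "low"
    foreach ($ru in $atRisk) {
        $dets = Get-MgRiskDetection -Filter "userId eq '$($ru.Id)'" -All |
            Sort-Object ActivityDateTime -Descending | Select-Object -First 5
        [pscustomobject]@{
            User        = $ru.UserPrincipalName
            RiskLevel   = $ru.RiskLevel
            LastUpdated = $ru.RiskLastUpdatedDateTime
            Detections  = ($dets | ForEach-Object {
                "{0:u} {1} {2}/{3}" -f $_.ActivityDateTime, $_.RiskEventType, $_.Location.City, $_.Location.CountryOrRegion
            }) -join "; "
        }
    }
}
Get-RiskTriage | Format-List

# Containment for a confirmed compromise: revoke refresh tokens so every device must
# sign in again, and mark the user compromised (risk goes to high, so CA010 applies).
function Invoke-ContainUser([string]$UserId) {
    Revoke-MgUserSignInSession -UserId $UserId | Out-Null
    Invoke-MgConfirmRiskyUserCompromised -UserIds @($UserId)
}
# Invoke-ContainUser -UserId (Get-MgUser -UserId "victim@contoso.example").Id
```

Note what the session controls do here: with sign-in frequency set to every time, a risky user cannot ride an existing session past the policy; they are challenged on the next token request.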

Access Management and Roles

There are two types of roles that can be used to provide fine-grained access control and permissions to users for accessing resources. These roles are Azure roles and Entra ID roles which are different from each other.

Azure Roles:
Azure roles control permissions to manage Azure resources for example controlling permission to resources, resource groups, subscriptions, management groups and so on. So if you would like to control user access to such resources and workloads then you will use azure RBAC in azure portal.

Entra ID Roles:
Microsoft Entra roles control permissions to manage Microsoft Entra resources such as users, groups, domains, and applications.


Azure Role Based Access Control (RBAC)

RBAC is an authorization system which gives a user access to azure resources that is based on their role. This follows the concept of least privilege and is a great security practice.

To grant access, you assign roles to users, groups, service principals, or managed identities at a particular scope.

Primary steps to follow when assigning an Azure role:

1- Whom to assign roles?

  • User – When a single person needs the access. Guest users from other tenants can be assigned roles as well.
  • Group – Use when you need to grant a set of users the same role.
  • Service Principal – Assign a role to a service principal when you want to grant an application access to an Azure resource.
  • Managed Identity – Use the managed identity when you want an application to manage credentials for authentication.

Roles

There are different types of roles that we can assign to users, groups, and managed identities—built-in roles and custom roles.

Built-in Azure Roles

  • Owner – Full access to all resources
  • Contributor – Can create and manage all types of Azure resources, but can’t grant access
  • Reader – Can view the available Azure resources
  • User Access Administrator – Assign access to Azure resources
  • Other task-specific roles – Like Virtual Machine Contributor

Custom Roles in Azure

Custom roles can be created from scratch or by using built-in roles as templates. These roles can be customized to meet specific requirements and assigned to users, groups, or managed identities.

Configuring Azure RBAC

To configure RBAC (Azure Role-Based Access Control):

  1. Go to the resource (workload), resource group, subscription, or management group
  2. Select Access Control (IAM)
  3. Click Add Role Assignment
  4. Select a role from Job Function Roles or Privileged Administrator Roles
  5. Select the member (user/group/identity)
  6. Click Next

Configuring Entra Roles

Assigning Built-in Entra Roles

  1. Go to the user's page (or the group's page; only groups created as role-assignable can hold Entra roles, which requires Entra ID P1)
  2. Select Assigned roles
  3. Click Add assignment
  4. Choose a built-in role; with P2 you also choose whether the assignment is active or eligible (PIM), and for roles that support it you can scope the assignment to an administrative unit

Creating and Assigning Custom Entra Roles

  1. Go to Roles and Administrators
  2. Select New Custom Role
  3. Create your custom role
  4. Assign it to a user or group via their page
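The Azure RBAC and Entra role procedures above as one added example, using the Az PowerShell module for Azure RBAC (custom role and assignment at resource-group scope) and the Microsoft Graph PowerShell SDK for the Entra directory role (assigned to a role-assignable group). This is not from the original notes; it assumes Owner or User Access Administrator on the subscription, Privileged Role Administrator in the tenant, and placeholder resource-group and group names.

```powershell
# Added example: custom Azure role + assignment at RG scope, and an Entra directory
# role assigned to a role-assignable group. Assumes Az and Microsoft Graph PowerShell
# modules; all names are placeholders.
Connect-AzAccount | Out-Null
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory","Group.ReadWrite.All"

$subId   = (Get-AzContext).Subscription.Id
$rgScope = "/subscriptions/$subId/resourceGroups/rg-webapp-prod"

# --- Azure RBAC -----------------------------------------------------------------
# Custom role built from Reader as the template (what the portal does too): read
# everything in scope plus start/stop/restart VMs, nothing else.
$role = Get-AzRoleDefinition -Name "Reader"
$role.Id = $null
$role.Name = "VM Operator (custom)"
$role.Description = "Read everything in scope; start, stop and restart VMs"
$role.Actions.Add("Microsoft.Compute/virtualMachines/start/action")
$role.Actions.Add("Microsoft.Compute/virtualMachines/powerOff/action")
$role.Actions.Add("Microsoft.Compute/virtualMachines/restart/action")
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add($rgScope)
$custom = New-AzRoleDefinition -Role $role

# Assign to a group at the narrowest scope that does the job: the resource group, not the subscription.
$opsGroup = Get-AzADGroup -DisplayName "vm-operators"
New-AzRoleAssignment -ObjectId $opsGroup.Id -RoleDefinitionName $custom.Name -Scope $rgScope

# Review: who holds Owner or User Access Administrator directly at subscription scope?
function Get-SubscriptionPrivilegedAssignments([string]$SubscriptionId) {
    Get-AzRoleAssignment -Scope "/subscriptions/$SubscriptionId" |
        Where-Object { $_.RoleDefinitionName -in "Owner","User Access Administrator" -and
                       $_.Scope -eq "/subscriptions/$SubscriptionId" } |
        Select-Object DisplayName, ObjectType, RoleDefinitionName
}
Get-SubscriptionPrivilegedAssignments -SubscriptionId $subId | Format-Table -AutoSize

# --- Entra ID roles --------------------------------------------------------------
# Directory roles can only go to groups created with isAssignableToRole = true.
$adminGroup = New-MgGroup -DisplayName "role-helpdesk-admins" -MailNickname "role-helpdesk-admins" `
    -MailEnabled:$false -SecurityEnabled -IsAssignableToRole:$true
$roleDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Helpdesk Administrator'"
New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $adminGroup.Id `
    -RoleDefinitionId $roleDef.Id -DirectoryScopeId "/"
```

The two halves deliberately use different tooling: Azure RBAC lives in Azure Resource Manager (Az module, scopes are ARM resource IDs), Entra roles live in the directory (Graph, scope "/" for the whole tenant or an administrative unit ID for a scoped assignment).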

Managed Identities

When building applications, developers need to store secrets, keys, certificates, and credentials securely. These should not be stored in the application code due to security risks.

Solution:
Use Managed Identities to eliminate the need for developers to manage credentials.

Typical Setup:

  • Admin stores credentials in Azure Key Vault
  • Create a Managed Identity for the application
  • Application accesses Key Vault securely

Use Cases:

  • Virtual machines or web apps accessing Azure Storage
  • Services authenticating to other resources

Managed identities only support Entra ID authentication


Access Control for Key Vaults

Azure Key Vaults securely store application credentials (keys, certificates, secrets). Access must be restricted to authorized users and services.

Two permission models:

  1. Key Vault access policies (legacy model):
    • Go to the Key Vault > Access policies > Create
    • Choose the key, secret and certificate permissions and the principal
    • Coarse: anyone with Contributor on the vault can grant themselves data-plane access by editing the policies
  2. Azure RBAC (recommended):
    • Under Settings > Access configuration, set the permission model to Azure role-based access control
    • Go to Access control (IAM) > Add role assignment
    • Choose a data-plane role such as Key Vault Secrets User (read secrets only) or Key Vault Administrator, and select the managed identity or user
    • Assignments can be scoped to the whole vault or to an individual secret, key or certificate
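The managed-identity and Key Vault sections above, as one added example in Az PowerShell (not from the original notes): a VM gets a system-assigned managed identity, the identity gets only "Key Vault Secrets User" on one RBAC-mode vault, and the application on the VM reads a secret without any stored credential. It assumes Owner on the resource group and placeholder resource, VM, vault and secret names.

```powershell
# Added example: system-assigned managed identity + least-privilege Key Vault RBAC,
# then a credential-free secret read from inside the VM. Assumes Az PowerShell;
# names are placeholders.

# --- Run once by the admin -------------------------------------------------------
Connect-AzAccount | Out-Null
$rg = "rg-webapp-prod"; $vmName = "vm-web01"; $kvName = "kv-webapp-prod"

$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName
Update-AzVM -ResourceGroupName $rg -VM $vm -IdentityType SystemAssigned | Out-Null
$principalId = (Get-AzVM -ResourceGroupName $rg -Name $vmName).Identity.PrincipalId

$kv = Get-AzKeyVault -VaultName $kvName -ResourceGroupName $rg
if (-not $kv.EnableRbacAuthorization) {
    # Move the vault from access policies to the RBAC permission model.
    Update-AzKeyVault -ResourceGroupName $rg -VaultName $kvName -EnableRbacAuthorization $true | Out-Null
}

# Data-plane role at vault scope only: read secrets; no keys, no certificates, no management.
New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName "Key Vault Secrets User" -Scope $kv.ResourceId

# Verify the identity holds nothing broader than intended (e.g. no inherited Contributor on the RG).
function Get-IdentityRoles([string]$PrincipalId) {
    Get-AzRoleAssignment -ObjectId $PrincipalId | Select-Object RoleDefinitionName, Scope
}
Get-IdentityRoles -PrincipalId $principalId | Format-Table -AutoSize

# --- Run on the VM by the application --------------------------------------------
# No client secret, no certificate in code or config: the token comes from the
# Azure instance metadata service, so there is nothing to leak from the repo.
Connect-AzAccount -Identity | Out-Null
$dbPassword = Get-AzKeyVaultSecret -VaultName $kvName -Name "db-password" -AsPlainText
# ... use $dbPassword to build the connection string; never write it to logs.
```

The role check matters because RBAC inherits downward: a managed identity given Contributor on the resource group by a deployment template would also get management-plane rights on the vault, which is exactly the over-privilege the data-plane role was meant to avoid.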

💡 Tip: Applications, including SaaS apps from the gallery, are represented in your tenant as service principals and listed under Enterprise applications in Entra ID; the application object itself (the registration) lives under App registrations.


Single Sign-On (SSO)

To configure SSO for a SaaS application:

  1. Go to:
    Entra admin center > Identity > Applications > Enterprise applications > New application (pick the gallery app, or Create your own application)
  2. Open the application and click Single sign-on
  3. Choose the SSO method the application supports (SAML, or OpenID Connect/OAuth for apps registered against Entra)
  4. Exchange the federation details with the service provider: enter the SP's Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL) in Entra, and give the SP the Entra login URL, Entra identifier and SAML signing certificate (or the federation metadata URL)
  5. Assign users or groups to the application and set the claims (user identifier, attributes) the application expects

Entitlement Management

In a corporate environment, users have varying roles, permissions, licenses, and group memberships. These change over time, making it difficult to track access.

Solution:
Use Entitlement Management in Entra ID to group resources and manage access through automated workflows and policies.

Benefits:

  • Users request access through automated workflows
  • Access is granted based on roles and policies
  • Access is revoked automatically when no longer needed

Catalogs

Use catalogs to group resources:

  • Onboarding Catalog: For new employees
  • External Catalog: For partners and collaborators

Resource Groups vs. Catalogs

  • Resource Groups: Infrastructure-level bundling (e.g., WebAppDeployment)
  • Catalogs: Access-level bundling for entitlement management

Access Packages

An access package bundles resource roles from one catalog (group memberships, application assignments, SharePoint site access) together with policies that say who may request it, who approves, and when the access expires.

Creating a Catalog and an Access Package

  1. Go to:
    Identity Governance > Entitlement Management > Catalogs > New catalog
  2. Add resources (groups, applications, SharePoint sites) to the catalog
  3. Go to Access packages > New access package, choose the catalog, and pick the resource roles to include
  4. Define the request policy: who can request (users in the directory, connected organizations, or any external user), the approval steps, and expiry/access review settings

Connected Organizations

Collaborate with external users by adding their identity sources as Connected Organizations.

Benefits:

  • Simplifies access requests for external users
  • Streamlines collaboration with partner organizations

Access Reviews

In a corporate environment, there are hundreds or even thousands of users assigned to different roles, groups, applications, devices, etc. Over time, access to resources may be forgotten—especially when employees change positions or leave the company—yet still retain access to previous resources.

This unmonitored access raises concerns around security and compliance.
Access Reviews help organizations control and audit user access to resources.

Key Features:

  • Self-access reviews: Users review their own access to determine if it’s still needed
  • Delegated reviews: Managers or IT admins review user access periodically or one-time
  • Review outcomes: Access can be revoked or retained based on reviewer decisions

Configuration:

Access Reviews are configured in Identity Governance within the Entra ID admin center.

Types of Access Reviews:

  1. Applications
  2. Teams and Groups
  3. Entra ID Roles and Azure Roles

If a user no longer needs access to these resources, it can be revoked through the review process.
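The group access review described above, as an added example with the Microsoft Graph PowerShell SDK (not from the original notes): a quarterly review of a group's members by the group owners, with unanswered reviews treated as Deny and decisions applied automatically. It assumes Entra ID P2, an account allowed to manage access reviews, and placeholder group and fallback-reviewer names.

```powershell
# Added example: recurring access review of a group's members, reviewed by the
# group owners, auto-applied. Assumes Entra ID P2 and Microsoft Graph PowerShell SDK;
# group and fallback reviewer are placeholders.
Connect-MgGraph -Scopes "AccessReview.ReadWrite.All","Group.Read.All","User.Read.All"

$group    = Get-MgGroup -Filter "displayName eq 'app-finance-users'"
$fallback = Get-MgUser -UserId "it-admin@contoso.example"   # used if the group has no owners

$review = New-MgIdentityGovernanceAccessReviewDefinition -BodyParameter @{
    displayName             = "Quarterly review: $($group.DisplayName)"
    descriptionForAdmins    = "Members who no longer need finance app access are removed automatically."
    descriptionForReviewers = "Confirm each member still needs access to the finance application."
    scope = @{
        "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
        query         = "/groups/$($group.Id)/transitiveMembers"
        queryType     = "MicrosoftGraph"
    }
    reviewers         = @(@{ query = "/groups/$($group.Id)/owners"; queryType = "MicrosoftGraph" })
    fallbackReviewers = @(@{ query = "/users/$($fallback.Id)";      queryType = "MicrosoftGraph" })
    settings = @{
        mailNotificationsEnabled        = $true
        reminderNotificationsEnabled    = $true
        justificationRequiredOnApproval = $true
        recommendationsEnabled          = $true    # flags members with no sign-in in the last 30 days
        defaultDecisionEnabled          = $true
        defaultDecision                 = "Deny"   # no answer from the reviewer = access removed
        autoApplyDecisionsEnabled       = $true
        instanceDurationInDays          = 14
        recurrence = @{
            pattern = @{ type = "absoluteMonthly"; interval = 3 }
            range   = @{ type = "noEnd"; startDate = (Get-Date).ToString("yyyy-MM-dd") }
        }
    }
}
"Created review {0} ({1})" -f $review.DisplayName, $review.Id

# Progress per review instance: how many approvals, denials and unanswered items.
function Get-ReviewProgress([string]$DefinitionId) {
    Get-MgIdentityGovernanceAccessReviewDefinitionInstance -AccessReviewScheduleDefinitionId $DefinitionId -All |
        ForEach-Object {
            $d = @(Get-MgIdentityGovernanceAccessReviewDefinitionInstanceDecision `
                    -AccessReviewScheduleDefinitionId $DefinitionId -AccessReviewInstanceId $_.Id -All)
            [pscustomobject]@{
                Started     = $_.StartDateTime
                Status      = $_.Status
                Approve     = @($d | Where-Object Decision -eq "Approve").Count
                Deny        = @($d | Where-Object Decision -eq "Deny").Count
                NotReviewed = @($d | Where-Object Decision -eq "NotReviewed").Count
            }
        }
}
Get-ReviewProgress -DefinitionId $review.Id | Format-Table -AutoSize
```

Deny as the default decision is the setting that turns a review from a reminder e-mail into an actual control: a reviewer who ignores the review for two weeks causes stale access to be removed rather than silently kept.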


Privileged Identity Management (PIM)

PIM allows organizations to grant temporary elevated privileges to users.

Use Case:

A user needs admin-level access for a specific task but shouldn’t be permanently assigned an admin role.
PIM enables temporary elevation for that task.

Supported Roles:

  • Entra ID Roles: For tasks like user management, Conditional Access, etc.
  • Azure Roles: For managing Azure resources like VMs, workloads, etc.

Configuring PIM for Entra Roles

  1. Go to:
    Entra Admin Center > Identity Governance > Privileged Identity Management > Microsoft Entra Roles > Settings
  2. Configure settings for the role (e.g., duration, MFA)
  3. Go to Assignments and complete the configuration

Configuring PIM for Groups

Sometimes it’s more efficient to configure PIM for groups rather than individual users.

Example:
Several security analysts from a partner company provide SOC services and need the Security Operator role only while they are working an incident.

Procedure:

  1. Create a role-assignable security group and give it the role (e.g., Security Operator) as an active assignment
  2. Go to:
    Privileged Identity Management > Groups > select the group > Enable PIM for this group
  3. Click Add assignment and choose Eligible
  4. Select the analysts as members
  5. Click Next and finish

Once enabled, an eligible analyst who activates their group membership inherits the group's role (e.g., Security Operator, User Administrator) for the configured duration; when the activation expires, the membership and with it the role are removed again.

💡 Tip: Use the Settings section to configure PIM parameters such as duration, MFA, and more.
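The PIM procedures above (eligible Entra role assignment, just-in-time activation, and PIM for Groups for the partner analysts) as one added example with the Microsoft Graph PowerShell SDK. It is not from the original notes; it assumes Entra ID P2, Privileged Role Administrator rights, a role-assignable group "role-security-operators" that already holds the Security Operator role, a group "partner-soc-analysts" containing the partner users, and a placeholder analyst UPN and ticket number.

```powershell
# Added example: PIM eligibility, self-activation and PIM for Groups.
# Assumes Entra ID P2 and Microsoft Graph PowerShell SDK; names are placeholders.
Connect-MgGraph -Scopes "RoleEligibilitySchedule.ReadWrite.Directory","RoleAssignmentSchedule.ReadWrite.Directory",
    "PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup","Group.Read.All","User.Read.All"

$user    = Get-MgUser -UserId "analyst@contoso.example"
$roleDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Security Operator'"
$nowUtc  = (Get-Date).ToUniversalTime()

# 1. Eligible (not active) for one year at tenant scope.
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter @{
    action           = "adminAssign"
    justification    = "SOC analyst; activate per incident"
    roleDefinitionId = $roleDef.Id
    principalId      = $user.Id
    directoryScopeId = "/"
    scheduleInfo     = @{ startDateTime = $nowUtc; expiration = @{ type = "afterDuration"; duration = "P365D" } }
}

# 2. What the analyst runs when the role is needed: self-activation for 4 hours.
#    MFA, approval and ticket requirements come from the role's PIM settings, not from here.
New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter @{
    action           = "selfActivate"
    justification    = "Investigating incident INC-0000"   # placeholder ticket
    roleDefinitionId = $roleDef.Id
    principalId      = $user.Id
    directoryScopeId = "/"
    scheduleInfo     = @{ startDateTime = $nowUtc; expiration = @{ type = "afterDuration"; duration = "PT4H" } }
}

# 3. PIM for Groups: each partner analyst becomes an eligible member of the
#    role-assignable group, so one group holds the role and membership is just-in-time.
$roleGroup    = Get-MgGroup -Filter "displayName eq 'role-security-operators'"
$partnerGroup = Get-MgGroup -Filter "displayName eq 'partner-soc-analysts'"
foreach ($m in (Get-MgGroupMember -GroupId $partnerGroup.Id -All)) {
    New-MgIdentityGovernancePrivilegedAccessGroupEligibilityScheduleRequest -BodyParameter @{
        accessId      = "member"
        principalId   = $m.Id
        groupId       = $roleGroup.Id
        action        = "adminAssign"
        justification = "Partner SOC analyst, eligible membership only"
        scheduleInfo  = @{ startDateTime = $nowUtc; expiration = @{ type = "afterDuration"; duration = "P180D" } }
    } | Out-Null
}

# 4. Audit: who holds the role *right now* (active instances), and is any of them permanent?
function Get-ActiveRoleHolders([string]$RoleDefinitionId) {
    Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -Filter "roleDefinitionId eq '$RoleDefinitionId'" -All |
        Select-Object PrincipalId, AssignmentType, StartDateTime, EndDateTime,
            @{ n = "Permanent"; e = { -not $_.EndDateTime } }
}
Get-ActiveRoleHolders -RoleDefinitionId $roleDef.Id | Format-Table -AutoSize
```

The audit query is the useful recurring check: eligible assignments are the goal, so any principal showing up as active with no end date is a standing privilege that should be converted to eligible (break-glass accounts being the deliberate exception).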