4.5 Access Reviews and Privileged Identity Management
Key Takeaways
- Access reviews periodically recertify whether users still need access to groups, apps, or roles, and can auto-remove access that is not approved.
- Privileged Identity Management (PIM) provides just-in-time, time-bound, approval-based activation of privileged roles to reduce standing administrative access.
- An eligible assignment requires the user to activate the role before use; an active assignment grants the privilege permanently with no activation step.
- PIM activation can require MFA, justification, approval, and a time limit, and every activation is logged for audit.
- Access reviews and PIM are both Entra ID Governance (P2/Governance) capabilities that enforce least privilege but solve different problems.
Access reviews recertify continued need
Access reviews answer one governance question: should this identity still have this access? Access that was appropriate when granted often becomes stale as people change roles, projects close, and guests linger. An access review campaign asks designated reviewers — managers, resource owners, or the users themselves (self-review) — to confirm or deny each person's continued access.
Reviews can target group memberships, access package assignments, application assignments, and Microsoft Entra and Azure role assignments (including PIM-eligible roles). Key automation features the exam may reference:
- Auto-apply results — denied or unreviewed access is automatically removed when the review ends.
- "If reviewers don't respond" — admins choose to leave access unchanged, remove it, or take system recommendations.
- Recommendations — the system suggests removing access for users who have not signed in recently.
Access reviews are part of Entra ID Governance / P2 and directly support least privilege by trimming accumulated access over time.
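An added example (not code from the page or from Microsoft) showing what the automation settings above look like as a Microsoft Graph access review definition: group owners recertify guest members quarterly, results are auto-applied, and unreviewed users fall back to Deny. The group ID, start date and bearer token are placeholders supplied by the caller; the Graph property names are the standard `accessReviewScheduleDefinition` ones.

```python
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"


def build_guest_group_review(group_id: str, start_date: str) -> dict:
    """Access review definition: the group's owners recertify its guest members every
    quarter; anything denied or left unreviewed is removed automatically."""
    return {
        "displayName": "Quarterly guest recertification",
        "scope": {
            "@odata.type": "#microsoft.graph.accessReviewQueryScope",
            "query": f"/groups/{group_id}/transitiveMembers/microsoft.graph.user/?$filter=(userType eq 'Guest')",
            "queryType": "MicrosoftGraph",
        },
        "reviewers": [{"query": f"/groups/{group_id}/owners", "queryType": "MicrosoftGraph"}],
        "settings": {
            "mailNotificationsEnabled": True,
            "justificationRequiredOnApproval": True,
            "recommendationsEnabled": True,     # suggest removal for users with no recent sign-in
            "autoApplyDecisionsEnabled": True,  # apply results when the review instance ends
            "defaultDecisionEnabled": True,     # "if reviewers don't respond" ...
            "defaultDecision": "Deny",          # ... remove the access
            "instanceDurationInDays": 14,
            "recurrence": {
                "pattern": {"type": "absoluteMonthly", "interval": 3, "dayOfMonth": 1},
                "range": {"type": "noEnd", "startDate": start_date},
            },
        },
    }


def unreviewed_access_removed(definition: dict) -> bool:
    """True only when stale access cannot survive a silent reviewer:
    results are auto-applied AND the fallback decision is Deny."""
    s = definition["settings"]
    return (bool(s.get("autoApplyDecisionsEnabled"))
            and bool(s.get("defaultDecisionEnabled"))
            and s.get("defaultDecision") == "Deny")


def create_review(token: str, definition: dict) -> dict:
    """POST the definition (needs AccessReview.ReadWrite.All); returns Graph's response."""
    req = urllib.request.Request(
        f"{GRAPH}/identityGovernance/accessReviews/definitions",
        data=json.dumps(definition).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

`unreviewed_access_removed` is the check to run over an existing definition: a review that is not auto-applied, or whose default decision is "Approve" or "None", leaves stale guest access in place when reviewers ignore it.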
PIM and just-in-time privileged access
Microsoft Entra Privileged Identity Management (PIM) manages, controls, and monitors access to privileged roles. Standing admin rights are dangerous: an always-on Global Administrator is a permanent high-value target. PIM's answer is just-in-time (JIT) access: administrators are made eligible for a role but must activate it when they actually need it, for a limited time.
When a user activates an eligible role, PIM can require:
| Activation requirement | Effect |
|---|---|
| Multifactor authentication | Re-prove identity at elevation time |
| Justification | Record a business reason |
| Approval | A Global Admin or Privileged Role Admin must approve |
| Maximum duration | Access auto-expires (e.g., after 8 hours) |
| Ticket information | Tie activation to a change ticket |
Every activation, approval, and deactivation is logged, giving a full audit trail. PIM applies to Entra roles, Azure resource (RBAC) roles, and PIM for Groups. It requires Microsoft Entra ID P2 (or the Governance add-on).
Eligible versus active assignments
The single most-tested PIM concept is the difference between eligible and active assignments:
- An eligible assignment means the user is allowed to use the role but must perform an action — activation (and possibly approval) — before the privilege applies. This delivers just-in-time access.
- An active assignment means the user has the role's privileges permanently, with no activation step required. This is standing access.
Both eligible and active assignments can additionally be permanent or time-bound (with a start/end date). The least-privilege ideal is eligible + time-bound: the admin activates only when needed, and even the eligibility expires on a date.
| Assignment | Activation needed? | Privilege state |
|---|---|---|
| Eligible | Yes — activate (JIT) | Available on demand, time-limited |
| Active | No | Standing/always-on |
If a question describes "the admin must request and be approved before gaining the role," that is eligible. "The admin always has the privilege" is active.
Comparing the two governance jobs
Access reviews and PIM both serve least privilege but attack different problems. Access reviews look backward at existing access and ask if it should continue. PIM controls how privileged access is obtained and held, reducing standing power through JIT activation. They are complementary — PIM can even generate access reviews of who is eligible for privileged roles.
- "Recertify whether users still need their group/app access" → access reviews.
- "Reduce always-on admin rights with on-demand, approved, time-limited elevation" → PIM.
- "Require stronger proof at sign-in" → MFA / authentication (not these).
- "Decide access based on network or device context" → Conditional Access.
Both are Entra ID Governance capabilities, not Defender or Purview features.
The PIM activation lifecycle and why JIT matters
Walk through what actually happens with PIM, because the exam likes the sequence. An administrator is made eligible for, say, the Global Administrator role, with a maximum activation of eight hours and approval required. Day to day, that admin has no Global Administrator privileges — their account is a low-value target. When they genuinely need to perform an admin task, they open PIM, activate the role, complete MFA, type a justification, and submit. A designated approver (a Privileged Role Administrator or another Global Admin) approves the request, and the role becomes active for the time window.
When the window expires, PIM deactivates automatically and the privilege disappears. Every step is recorded in the audit log and can generate alerts.
This just-in-time pattern directly attacks the biggest risk of privileged accounts: standing access. An always-active admin credential, if phished, hands an attacker permanent control. With PIM, even a stolen credential is usually eligible-only — useless without passing activation, MFA, and approval. That is why "reduce standing administrative access" is the single clearest PIM clue on the exam.
PIM also supports access reviews of privileged roles (who should remain eligible), alerts (e.g., "too many Global Admins," "admins not using PIM"), and PIM for Groups to put role-assignable groups under the same JIT model. Remember the licensing gate: PIM and ID Protection both require Microsoft Entra ID P2, whereas plain Conditional Access needs only P1 — a distinction the exam tests directly.
- Eligible → activate → MFA + justification → approval → time-limited active → auto-deactivate.
- JIT removes standing access, shrinking the blast radius of stolen credentials.
- PIM can review eligibility and alert on risky privileged-access patterns.
- PIM and ID Protection need P2; Conditional Access needs P1.
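An added example (not code from the page or from Microsoft) that builds the two Microsoft Graph requests behind the lifecycle above: an eligible, time-bound assignment, and the admin's later self-activation with justification, ticket and an 8-hour expiry. Assumptions: the principal ID, end date and token are placeholders; the 8-hour maximum and the ticket system name are assumed role settings; the Global Administrator role template ID is the well-known Entra value, not something the page states.

```python
import json
import urllib.request
from datetime import datetime, timezone

GRAPH = "https://graph.microsoft.com/v1.0/roleManagement/directory"
# Well-known role template ID of Global Administrator (assumed here, not from the page).
GLOBAL_ADMIN_ROLE_ID = "62e90394-69f5-4237-9190-012177145e10"
MAX_ACTIVATION_HOURS = 8  # assumed role-setting maximum, matching the page's example


def eligibility_request(principal_id: str, role_id: str, end_iso: str) -> dict:
    """POST to {GRAPH}/roleEligibilityScheduleRequests. Eligible + time-bound: grants
    nothing until activated, and even the eligibility lapses at end_iso. The same body
    sent to roleAssignmentScheduleRequests would instead create standing (active) access."""
    return {
        "action": "adminAssign",
        "principalId": principal_id,
        "roleDefinitionId": role_id,
        "directoryScopeId": "/",
        "justification": "Tier-0 admin; eligibility reviewed quarterly",
        "scheduleInfo": {"startDateTime": datetime.now(timezone.utc).isoformat(),
                         "expiration": {"type": "afterDateTime", "endDateTime": end_iso}},
    }


def activation_request(principal_id: str, role_id: str, justification: str,
                       ticket: str, hours: int = MAX_ACTIVATION_HOURS) -> dict:
    """POST to {GRAPH}/roleAssignmentScheduleRequests: the JIT step. PIM enforces MFA
    and approval server-side; these checks only mirror the policy so a bad request fails fast."""
    if not justification.strip():
        raise ValueError("PIM policy requires a justification")
    if not 0 < hours <= MAX_ACTIVATION_HOURS:
        raise ValueError(f"duration must be 1..{MAX_ACTIVATION_HOURS} hours")
    return {
        "action": "selfActivate",
        "principalId": principal_id,
        "roleDefinitionId": role_id,
        "directoryScopeId": "/",
        "justification": justification,
        "ticketInfo": {"ticketNumber": ticket, "ticketSystem": "ServiceNow"},  # assumed ticket system
        "scheduleInfo": {"startDateTime": datetime.now(timezone.utc).isoformat(),
                         "expiration": {"type": "afterDuration", "duration": f"PT{hours}H"}},
    }


def post_graph(token: str, path: str, body: dict) -> dict:
    """Submit a request; needs RoleEligibilitySchedule.ReadWrite.Directory or
    RoleAssignmentSchedule.ReadWrite.Directory depending on the path."""
    req = urllib.request.Request(f"{GRAPH}/{path}", data=json.dumps(body).encode(), method="POST",
                                 headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

When approval is required, the activation response comes back in a pending state and the role only becomes active after the approver acts; when the `PT8H` window ends, PIM deactivates it without any further request.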
In Microsoft Entra Privileged Identity Management, what distinguishes an eligible assignment from an active assignment?
A security team wants administrators to hold no standing Global Administrator rights and instead request the role only when needed, with approval, MFA, and automatic expiry after a few hours. Which capability provides this?
An organization wants reviewers to periodically confirm that guest users still need membership in a SharePoint-linked group, automatically removing anyone not approved. Which capability fits best?