When I talk to clients about cloud security, one topic keeps coming up again and again — access. Who has access to what, for how long, and who is actually in control? Most companies have defined roles and processes in Azure, but reality tends to look different — projects end, people change teams, and temporary permissions become permanent.

That is precisely why it makes sense to talk about Azure Privileged Identity Management (PIM) and Access Reviews. These are two tools that, from my experience, form an absolute foundation for access governance in Azure.

What PIM Is and Why You Should Care

Azure PIM is part of Microsoft Entra ID (formerly Azure Active Directory) and allows you to govern privileged access — administrator and highly sensitive roles.

The core principle is simple: "Nobody should have permanent admin access when they don't currently need it."

Using just-in-time access, a user activates a role only for a set period (e.g. 4 hours) and often requires approval or MFA. Every activation is logged, can be audited, and expires automatically when the time is up.

In practice, this means:

  • you reduce the risk of compromised high-privilege accounts,
  • you have visibility into who activated an administrator role and when,
  • and auditors have a clear record of activities.

Access Reviews: Because Temporary Access Accumulates Over Time

While PIM addresses when and how long a person has access, Access Reviews answer the question of who should have it in the first place. They allow you to set up regular access reviews — for example every 3 months — and ensure people only hold permissions that still make sense.

In practice it works simply: a manager or application owner receives a list of users and confirms who should keep access. If nobody responds, the review can be configured to remove the access automatically.

Licensing and Pricing

Azure PIM is included in the Microsoft Entra ID Premium P2 licence. This licence is also automatically included in Microsoft 365 E5 or Enterprise Mobility + Security (EMS) E5.

Access Reviews are also an Entra ID Premium P2 feature — they are not separately priced but are only available within P2 licences.

Recommendations from Practice

  1. Start with the highest-risk roles. Global Admin, Owner, or User Access Administrator are typically the first roles that should go through PIM.
  2. Enable JIT activation. Admins should receive elevated rights only when they genuinely need them — with a time limit and MFA.
  3. Run Access Reviews quarterly. Every three months is a sensible interval that keeps access tidy without excessive administrative overhead.
  4. Involve managers and application owners. Let the business confirm access — IT saves time and accountability improves.
  5. Audit and report. Entra PIM has excellent exports and API integrations for audit purposes.
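To make points 1 and 5 concrete, here is an added example (not from the original post) of the kind of check an auditor would run over PIM assignment data: it flags standing, non-expiring assignments to the high-risk roles named above (candidates to convert into PIM-eligible assignments) and JIT activations that exceed the 4-hour window the article uses. The input is a constructed sample modelled loosely on the objects returned by Microsoft Graph's roleAssignmentScheduleInstances endpoint; the simplified field names (principal, role as display names) are assumptions, since a real response carries object ids.

```python
from datetime import datetime, timedelta

# The highest-risk roles the article recommends moving into PIM first.
HIGH_RISK_ROLES = {"Global Administrator", "Owner", "User Access Administrator"}
MAX_ACTIVATION = timedelta(hours=4)  # the 4-hour activation window from the article

# Constructed sample data (assumed, simplified field layout; not a real export).
# assignmentType "Assigned" = standing assignment, "Activated" = a PIM JIT activation;
# endDateTime None = permanent.
SAMPLE_INSTANCES = [
    {"principal": "alice@contoso.example", "role": "Global Administrator",
     "assignmentType": "Assigned", "startDateTime": "2024-01-10T09:00:00Z", "endDateTime": None},
    {"principal": "bob@contoso.example", "role": "Global Administrator",
     "assignmentType": "Activated", "startDateTime": "2024-05-02T08:00:00Z",
     "endDateTime": "2024-05-02T11:30:00Z"},
    {"principal": "carol@contoso.example", "role": "User Access Administrator",
     "assignmentType": "Activated", "startDateTime": "2024-05-02T07:00:00Z",
     "endDateTime": "2024-05-02T19:00:00Z"},
    {"principal": "dave@contoso.example", "role": "Helpdesk Administrator",
     "assignmentType": "Assigned", "startDateTime": "2023-11-01T00:00:00Z", "endDateTime": None},
]

def _parse(ts):
    """Parse an ISO-8601 UTC timestamp ('Z' suffix) or return None."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")) if ts else None

def find_permanent_high_risk(instances):
    """Standing assignments to high-risk roles with no expiry: should become PIM-eligible."""
    return sorted((i["principal"], i["role"]) for i in instances
                  if i["assignmentType"] == "Assigned"
                  and i["endDateTime"] is None
                  and i["role"] in HIGH_RISK_ROLES)

def find_long_activations(instances, limit=MAX_ACTIVATION):
    """JIT activations whose window is longer than the policy maximum, with hours."""
    findings = []
    for i in instances:
        if i["assignmentType"] != "Activated" or not i["endDateTime"]:
            continue
        duration = _parse(i["endDateTime"]) - _parse(i["startDateTime"])
        if duration > limit:
            findings.append((i["principal"], i["role"], duration.total_seconds() / 3600))
    return findings

if __name__ == "__main__":
    print("Permanent high-risk assignments:", find_permanent_high_risk(SAMPLE_INSTANCES))
    print("Activations over the limit:", find_long_activations(SAMPLE_INSTANCES))
```

Against a real tenant the same two functions can be pointed at an export of PIM assignment data; the thresholds and role list are the parts to adjust to your own policy.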

Conclusion

PIM and Access Reviews are not just "nice to have" security features — they are practical tools for day-to-day access governance. They help organisations eliminate unnecessary permissions, simplify audits, and above all — keep access truly under control.