
Microsoft Entra PIM, Identity Protection & Governance — Just-in-Time Roles, Risk & Access Reviews

Entra has powerful logins and Conditional Access — but who gets to be admin, when, and for how long? This lesson covers the three services that protect and govern identities: Privileged Identity Management (just-in-time admin access), Identity Protection (catching risky users and sign-ins), and ID Governance (access reviews, access packages and joiner-mover-leaver automation). By the end you can explain JIT privileged access and risk-based remediation in an interview.

📅 2026-06-19 · ⏱ 17 min · 5 infographics · live activation demo · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

A clear, interactive guide to protecting and governing identities in Microsoft Entra ID (2026): Privileged Identity Management (eligible vs active, just-in-time activation, approval, time-bound, justification, alerts), Identity Protection (user risk vs sign-in risk, risk detections, risk-based Conditional Access and remediation), and Entra ID Governance (access reviews, entitlement management access packages, lifecycle workflows). Be able to explain JIT privileged access and risk-based remediation.

Pick where you want to start

1. The problem: standing admin + compromised logins = the real risk.
2. PIM (JIT roles): eligible vs active, activate with MFA, time-bound.
3. Identity Protection: user vs sign-in risk, detections, remediation.
4. ID Governance: access reviews, access packages, lifecycle.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. An admin has an 'eligible' PIM role. Can they use it right now?

Answered in PIM (JIT roles).

2. What is the difference between user risk and sign-in risk?

Answered in Identity Protection.

3. What keeps access correct months after it was granted?

Answered in ID Governance.

Most engineers think…

Most people stop at 'turn on MFA and Conditional Access and you're secure'. That misses the two biggest identity risks: admins who hold powerful roles 24/7, and accounts that are quietly compromised.

Real identity security in Entra is three more services working together. Privileged Identity Management (PIM) removes standing admin by making roles eligible — you activate just-in-time, with MFA, a justification, optional approval and an auto-expiring time limit. Identity Protection scores user risk and sign-in risk from real detections and feeds them to risk-based Conditional Access for automatic remediation. ID Governance (access reviews, entitlement management access packages, lifecycle workflows) keeps access correct over time. Knowing how these three fit is what separates a 'we have MFA' answer from a real identity-security answer in an interview.

① The problem — standing admin and compromised logins

Two identity risks survive even after you deploy MFA and Conditional Access. First, standing privilege: if ten people are permanent Global Admins, that is ten accounts an attacker can target, any hour of any day, with full control. Second, compromised accounts: credentials leak, tokens get stolen, and a 'normal' login is actually an attacker.

Microsoft answers both. PIM shrinks standing privilege by making admin roles eligible rather than active. Identity Protection spots the compromised account and triggers remediation. And ID Governance makes sure access does not just pile up forever. These all need a Microsoft Entra ID P2 or Entra ID Governance licence.

Quick check · Q1 of 10 · Understand

Why is standing privileged access a problem even with MFA enabled?

Correct: b. Even with MFA, an always-on admin role is a continuously exposed, high-impact target. PIM shrinks that window by making the role eligible and activated just-in-time, so it isn't sitting active 24/7.
👉 So far: Two risks survive MFA: standing admin (always-on privilege) and compromised accounts. PIM fixes the first, Identity Protection the second, and ID Governance keeps access tidy over time — all need Entra ID P2 / Governance.

② Privileged Identity Management — just-in-time admin

The core PIM idea is one word: eligible. An active assignment means the user always has the role. An eligible assignment means they can hold it but must activate it when needed — that is just-in-time (JIT) access. There is no difference in the power of the role; the difference is that an eligible admin does not carry it around all day.

What activation can demand

When an eligible user activates a role, PIM can require MFA, a typed justification, and approval from a designated approver. The activation is time-bound (commonly 1–8 hours) and then auto-expires — no cleanup needed. PIM alerts and writes an audit log for every activation, and you can make assignments themselves time-bound with start/end dates. The interview line: PIM converts permanent admin into temporary, approved, audited, expiring admin.

Figure 1 — PIM just-in-time activation flow
An eligible admin activates a role on demand — with MFA, justification and approval — and it auto-expires.
Eligible (role assigned, not active) → Activate (MFA + justification) → Approve (approver signs off) → Active (time-bound use) → Expire (auto-revoke + audit)

Figure 2 — Eligible vs active assignment
Same role power; the difference is whether the user carries it all day or activates it just-in-time.
Active (standing): role is always on; no activation step; permanent attack surface; fine only for break-glass.
Eligible (JIT): must activate to use; MFA + justification + approval; time-bound, auto-expires; default for daily admins.
Eligible assignment
A role the user CAN hold but must activate just-in-time. Same power as active — but not standing, so far less attack surface.

Activation
The act of switching on an eligible role: MFA + justification + (optional) approval, time-bound, auto-expiring, fully audited.

User vs sign-in risk
User risk = the account may be compromised (e.g. leaked credentials). Sign-in risk = this login looks malicious (e.g. atypical travel).

Access review
A scheduled check asking owners or users 'still need this?' — can auto-remove access nobody confirms, keeping entitlements tidy.

Keep two break-glass accounts standing

Make daily admins eligible in PIM, but keep at least two emergency 'break-glass' accounts as permanent active and excluded from risk policies. If a misconfiguration or outage blocks activation, those accounts let you back in. Store their credentials securely and monitor them closely.
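A check for the state this section argues for, namely daily admins eligible and only break-glass standing, as an added example that is not from the lesson or from Microsoft: it walks a constructed export of PIM assignments, flags permanent active roles held by anyone not on the break-glass list, and flags activations that outlive the 8-hour ceiling mentioned above. The field names, the break-glass list and the sample rows are assumptions.

```python
"""Standing-privilege audit of a PIM export (added example, constructed data).
Flags permanent active roles held by anyone not on the break-glass list, and JIT
activations whose remaining window exceeds the 8-hour ceiling. Field names mirror a
PIM/Graph schedule export but are an assumption; adapt them to your own export.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumption: the two emergency accounts allowed to stay permanently active.
BREAK_GLASS = {"bg-admin-01@contoso.example", "bg-admin-02@contoso.example"}
MAX_ACTIVATION = timedelta(hours=8)  # activations are commonly 1-8 hours


@dataclass(frozen=True)
class Assignment:
    principal: str            # who holds the role (UPN)
    role: str                 # role display name
    kind: str                 # "eligible" or "active"
    assignment_type: str      # active rows: "Assigned" (direct) or "Activated" (JIT)
    expires: datetime | None  # None means no expiration, i.e. permanent


def audit(assignments: list[Assignment], now: datetime) -> dict:
    """Classify every row; standing = active, Assigned and never expiring."""
    report = {"standing_outside_break_glass": [], "long_activation": [],
              "ok": [], "standing_by_role": {}}
    for a in assignments:
        if a.kind == "eligible":
            report["ok"].append(a.principal)  # JIT-only: the desired state
        elif a.assignment_type == "Assigned" and a.expires is None:
            # Permanent active assignment: acceptable only for break-glass.
            report["standing_by_role"][a.role] = report["standing_by_role"].get(a.role, 0) + 1
            if a.principal in BREAK_GLASS:
                report["ok"].append(a.principal)
            else:
                report["standing_outside_break_glass"].append((a.principal, a.role))
        elif a.assignment_type == "Activated" and (a.expires is None or a.expires - now > MAX_ACTIVATION):
            report["long_activation"].append((a.principal, a.role))  # should expire within hours
        else:
            report["ok"].append(a.principal)  # time-bound assignment or short activation
    return report


def global_admin_is_jit_only(report: dict) -> bool:
    """The 'Verify' step: no standing Global Administrator outside break-glass."""
    return not any(role == "Global Administrator"
                   for _, role in report["standing_outside_break_glass"])


# Constructed sample export for a tenant part-way through the fix.
NOW = datetime(2026, 6, 19, 9, 0, tzinfo=timezone.utc)
SAMPLE = [
    Assignment("priya@contoso.example", "User Administrator", "eligible", "", None),
    Assignment("priya@contoso.example", "User Administrator", "active", "Activated", NOW + timedelta(hours=4)),
    Assignment("raj@contoso.example", "Global Administrator", "active", "Assigned", None),
    Assignment("bg-admin-01@contoso.example", "Global Administrator", "active", "Assigned", None),
    Assignment("contractor@contoso.example", "Global Administrator", "active", "Assigned", NOW + timedelta(days=30)),
    Assignment("sam@contoso.example", "Exchange Administrator", "active", "Activated", NOW + timedelta(hours=36)),
]
```

Run against the sample, `audit` reports one standing Global Administrator outside break-glass (raj) and one over-long activation (sam), while the time-bound contractor assignment and Priya's 4-hour activation pass.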

Quick check · Q2 of 10 · Remember

What does an 'eligible' PIM role assignment mean?

Correct: b. Eligible = the user must perform actions (MFA, justification, sometimes approval) to activate the role for a time-bound window. Active = the role is always on with no activation step.
👉 So far: PIM: eligible = activate just-in-time (MFA + justification + approval, time-bound, auto-expires, audited); active = standing. Convert daily admins to eligible, keep only break-glass standing.

③ Identity Protection — risk and risk-based remediation

Identity Protection answers 'is this identity in trouble?' with two risk scores. User risk = probability the account is compromised (e.g. leaked credentials). Sign-in risk = probability this particular login is malicious (e.g. atypical travel, anonymous IP, password spray, anomalous token). Each fires at a risk level — low, medium or high.

The power move is feeding those levels into risk-based Conditional Access. Microsoft's recommended pattern: require MFA when sign-in risk is medium or high, and require a secure password change / risk remediation when user risk is high. The best part is self-remediation — a legitimate user passes MFA or changes their password and clears their own risk, no admin ticket. Investigate from three reports: risk detections, risky sign-ins and risky users.

Figure 3 — From detection to risk to action
Detections roll up into a risk level, which a risk-based policy turns into an access decision.
Risk detection (leaked creds, atypical travel, spray) → Risk level (Low / Medium / High on user or sign-in) → Risk-based CA policy (MFA at sign-in risk, password change at user risk) → Remediation (user self-remediates or admin unblocks)
Don't confuse user risk with sign-in risk

They are different scores. User risk is about the account being compromised (leaked credentials → require a secure password change). Sign-in risk is about one suspicious login (atypical travel → require MFA). Blur them in an interview and you'll give the wrong remediation. Map: sign-in risk → MFA; user risk → password change.
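The two recommended risk policies and self-remediation as a small decision model, added here as an example that is neither the lesson's nor Microsoft's code: sign-in risk at medium or above asks for MFA, user risk at high asks for a secure password change, report-only mode records without interrupting, and a user who is not MFA-registered cannot satisfy either control and is blocked (the point made in the wrap-up). The Policy and SignIn shapes and the sample sign-ins are constructed assumptions, not the Conditional Access schema.

```python
"""Risk-based Conditional Access decision model (added example, constructed data).
Recommended pattern from this section: MFA at medium-or-higher sign-in risk, secure
password change at high user risk, plus report-only mode and the not-MFA-registered
edge case. The Policy/SignIn shapes are assumptions, not the Conditional Access schema.
"""
from __future__ import annotations
from dataclasses import dataclass

LEVELS = {"none": 0, "low": 1, "medium": 2, "high": 3}


@dataclass
class SignIn:
    user: str
    user_risk: str                  # Identity Protection user risk level
    signin_risk: str                # Identity Protection sign-in risk level
    mfa_registered: bool
    passed_mfa: bool = False        # completed an MFA challenge in this sign-in
    changed_password: bool = False  # completed a secure password change


@dataclass
class Policy:
    mfa_at_signin_risk: str = "medium"     # require MFA at this sign-in risk or above
    pwd_change_at_user_risk: str = "high"  # require password change at this user risk or above
    report_only: bool = True               # start in report-only, then enforce


@dataclass
class Decision:
    outcome: str         # "allow" | "interrupt" | "block"
    controls: list[str]  # controls asked for (or still owed)
    user_risk: str       # risk state after any self-remediation
    signin_risk: str
    note: str = ""


def evaluate(s: SignIn, p: Policy) -> Decision:
    controls = []
    if LEVELS[s.user_risk] >= LEVELS[p.pwd_change_at_user_risk]:
        controls.append("password_change")
    if LEVELS[s.signin_risk] >= LEVELS[p.mfa_at_signin_risk]:
        controls.append("mfa")
    if not controls:
        return Decision("allow", [], s.user_risk, s.signin_risk, "below policy thresholds")
    if p.report_only:  # evaluates and logs, never interrupts: see the impact before enforcing
        return Decision("allow", controls, s.user_risk, s.signin_risk, "report-only: would require " + "+".join(controls))
    if not s.mfa_registered:  # cannot satisfy MFA or a secure password change
        return Decision("block", controls, s.user_risk, s.signin_risk, "not MFA-registered; admin needed")
    # Self-remediation: a passed MFA clears sign-in risk; MFA + password change clears user risk.
    signin_risk = "none" if s.passed_mfa else s.signin_risk
    user_risk = "none" if (s.passed_mfa and s.changed_password) else s.user_risk
    owed = [c for c in controls
            if (c == "mfa" and signin_risk != "none") or (c == "password_change" and user_risk != "none")]
    if owed:
        return Decision("interrupt", owed, user_risk, signin_risk, "user must complete the control")
    return Decision("allow", controls, user_risk, signin_risk, "self-remediated, no admin ticket")


# Constructed sign-ins: an anonymous-IP login, a leaked-credentials user, an unregistered user.
ENFORCED = Policy(report_only=False)
ANON_IP = SignIn("priya@contoso.example", "low", "medium", True, passed_mfa=True)
LEAKED = SignIn("raj@contoso.example", "high", "low", True, passed_mfa=True)
UNREGISTERED = SignIn("new-hire@contoso.example", "none", "high", False)
```

Note the asymmetry the callout warns about: for LEAKED, passing MFA clears the sign-in risk but the high user risk stays until a secure password change, so the decision is still "interrupt".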

▶ Watch an admin get just-in-time access — then a risky sign-in get caught

How PIM activation and Identity Protection play out end-to-end on the healthy path:

① Eligible: Priya is eligible (not active) for the User Administrator role and needs to fix an account.
② Activate: She activates in PIM: passes MFA, types a justification, and an approver signs off for a 4-hour window.
③ Work + expire: She does the task with the role; after 4 hours it auto-expires and the activation is written to the audit log.
④ Risk caught: Later, a sign-in from an anonymous IP is scored as risky; risk-based Conditional Access prompts MFA and the user self-remediates.
Quick check · Q3 of 10 · Apply

Identity Protection flags a user's sign-in as medium risk (unfamiliar location). Per Microsoft's recommended pattern, what should a risk-based policy do?

Correct: c. Microsoft recommends requiring MFA when sign-in risk is medium or high. A successful MFA self-remediates the sign-in risk — no admin ticket — while still stopping an attacker who can't pass MFA.
👉 So far: User risk = account compromised (e.g. leaked credentials → password change). Sign-in risk = login suspicious (e.g. atypical travel → MFA). Risk-based Conditional Access lets users self-remediate at the right risk level.

④ Entra ID Governance — keeping access right over time

Granting access is easy; keeping it correct is the hard part. ID Governance has three tools. Access reviews ask owners or users on a schedule 'does this person still need this?' and can auto-remove access if no one confirms. Entitlement management bundles groups, apps and SharePoint sites into access packages kept in catalogs, with request-and-approve workflows and expiry built in.

Joiner, mover, leaver

Lifecycle workflows automate the joiner-mover-leaver (JML) cycle: on a hire date, generate a temporary access pass and add the new joiner to groups; on a department move, adjust access; on the leave date, disable the account, strip licences and remove group and access-package assignments. Automated leaver offboarding is the single biggest win — it closes the 'ex-employee still has access' gap. ID Governance answers four audit questions: who has access, what they do with it, who controls it, and can an auditor prove it.

Figure 4 — Three services, one protected identity
PIM, Identity Protection and ID Governance each guard a different part of the identity lifecycle.
Entra identity (protect + govern): PIM (JIT roles) · User risk · Sign-in risk · Access reviews · Access packages · Lifecycle workflows

Figure 5 — Joiner-mover-leaver automation
Lifecycle workflows run scheduled tasks across the employee lifecycle, including clean offboarding.
Joiner (TAP + add to groups) → Mover (adjust access) → Review (recertify on schedule) → Leaver (disable + strip access)

Priya, an IT admin at a Pune fintech, faces this

An auditor finds three former contractors still have active access to a customer-data app, and four staff are permanent Global Admins 'just in case'.

Likely cause

Access was granted manually and never expired; admin roles were assigned as standing 'active', and there is no offboarding automation.

Diagnosis

Entra admin center shows permanent Global Admin assignments in PIM and stale assignments with no review history in the app's group.

Entra ID ▸ Identity Governance ▸ PIM (roles) + Access reviews + Lifecycle workflows
Fix

Convert the daily admins to PIM eligible (activate JIT with MFA + approval), bundle the app into an access package with expiry, schedule a quarterly access review, and add a leaver lifecycle workflow to strip access on the leave date.

Verify

Re-run the review: the three contractors are auto-removed, Global Admin shows zero standing assignments outside break-glass, and the next leaver is offboarded automatically.

Prove governance from the review, not a hunch

Never tell an auditor 'access should be fine'. Show the access review results, the access-package approval trail, and the PIM activation audit log — who activated which role, when, with what justification. That evidence answers compliance questions without guessing.

Quick check · Q4 of 10 · Analyze

An employee left the company two months ago but still has access to a finance app. Which ID Governance feature most directly prevents this?

Correct: a. Lifecycle workflows automate joiner-mover-leaver. A scheduled leaver workflow disables the account, removes licences and removes group/access-package assignments on the leave date — closing the 'ex-employee still has access' gap. Access reviews catch leftovers too.
👉 So far: ID Governance: access reviews recertify access, access packages bundle request-and-approve with expiry, and lifecycle workflows automate joiner-mover-leaver — especially clean leaver offboarding.


📝 Wrap-up assessment — six more


Q5 · Remember

Which PIM concept means a user must activate a role before using it?

Correct: b. An eligible assignment requires the user to activate (just-in-time) before the role is usable; an active assignment is always on. Eligible is what removes standing privilege.
Q6 · Understand

Leaked credentials detection most directly raises which score?

Correct: b. Leaked credentials indicate the account itself is compromised, so it drives user risk — and it's always treated as High. Sign-in risk is about a specific login (e.g. atypical travel).
Q7 · Apply

Which detection most directly raises sign-in risk rather than user risk?

Correct: c. Atypical travel is a property of a specific login, so it drives sign-in risk. Leaked credentials, by contrast, indicate the account itself is compromised and drive user risk.
Q8 · Analyze

Why does risk-based Conditional Access reduce help-desk load?

Correct: d. Self-remediation lets a genuine user prove identity (MFA) or do a secure password change to clear risk automatically — no admin intervention — while attackers who can't pass are blocked.
Q9 · Evaluate

An interviewer asks how to ensure access doesn't pile up forever. Best answer?

Correct: a. ID Governance is built for exactly this: scheduled access reviews recertify or auto-remove access, access packages expire, and leaver workflows strip access automatically.
Q10 · Evaluate

What is the safest way to start enforcing risk-based policies in production?

Correct: d. Report-only lets you see impact before enforcing; users must be MFA-registered or they'll be blocked and need an admin. Remediating at High user risk and medium/high sign-in risk balances security with productivity.

🧠 In your own words

Type one line: why is making an admin role 'eligible' in PIM safer than leaving it 'active'? Then compare with the expert version.

Expert version: Because an eligible role isn't standing privilege — the admin doesn't carry it around all day, so there's no permanent high-value target for an attacker. To use it they must activate just-in-time, passing MFA, giving a justification and often getting approval, for a time-bound window that auto-expires and is fully audited. The role's power is identical to active, but it only exists for the minutes it's actually needed, which shrinks the attack surface, forces approvals and gives you an audit trail of exactly who used privilege, when and why.


📖 Glossary

Privileged Identity Management (PIM)
Entra service that provides just-in-time, time-bound, approval-based activation of privileged roles to remove standing admin.
Eligible vs active assignment
Eligible = the user must activate the role just-in-time; active = the role is always on. Same power, different persistence.
Just-in-time (JIT) activation
Granting privileged access only when needed, for a limited window, after MFA, justification and optional approval — then auto-expiring.
User risk
Identity Protection score for how likely the account is compromised (e.g. leaked credentials, always High).
Sign-in risk
Identity Protection score for how likely a specific login is malicious (e.g. atypical travel, anonymous IP, password spray).
Risk-based Conditional Access
A policy that uses the user/sign-in risk level to require MFA or a password change, enabling self-remediation.
Access review
A scheduled recertification asking owners or users whether access is still needed, with optional auto-removal.
Entitlement management / access package
Bundles of groups, apps and sites (in catalogs) that users request, get approved for, and that expire automatically.
Lifecycle workflows
Automation of joiner-mover-leaver tasks — onboarding credentials, group changes, and offboarding that strips access on the leave date.


What's next?

Got privilege and risk under control? PIM and Identity Protection lean on the everyday access layer — go deep next on Conditional Access policies and MFA, where risk signals turn into the actual grant/block/MFA decision at sign-in.