Shaun Liu: Hi, everyone. My name is Shaun Liu and I'm a Program Manager on the Azure Active Directory team focused on Privileged Identity Management.
Steve Lieberman: And I'm Steve Lieberman, a Program Manager focused on PIM and other governance capabilities.
Shaun: We are excited to be here to introduce PIM and explain how you can use it to secure privileged access within your organization. Steve will now explain why an organization would even want to use PIM.
Steve: Thanks, Shaun. Today, organizations that are migrating their IT infrastructure to the cloud will find that they are increasingly at risk of compromise. This risk is particularly important when it comes to privileged accounts assigned to roles in their organization. These accounts are the ones with the most privileges and can access many resources and data. PIM helps to reduce this risk by enforcing Just in Time and Just Enough Access for these accounts. This means the administrators in the organization who need to use their admin privileges must activate or elevate their privilege in order to use it for a limited period of time.

Through this activation process, PIM enables IT pros to enforce policy options such as Multi-Factor Authentication, Request Approval Workflow, and Notifications to further secure these privileged accounts. Shaun will now talk about some of these in a bit more detail.
Shaun: Of course. So, for the Just in Time aspect, PIM supports this through an activation period. Inside the role setting for a role, an IT admin can pick an activation period between zero and 24 hours. What this means is that users who want to come in and activate their role will only get that privilege for this configured period of time before they lose that access. They will need to go through the activation process again if they want to continue to use that role. PIM also supports the concept of time-bound assignment. When you make a role assignment outside of PIM, the role assignment is permanent and will last forever unless someone comes in and removes that assignment. PIM allows you to set an end time for the role assignment itself. This is particularly useful in the guest scenario. If your organization has some guests who are coming in to work for two months, you can set the expiration time of the role assignment to two months in the future. Once the time is up, users will automatically be removed from the role assignment whether or not they are deprovisioned from your HR system.

An approval process is also something PIM supports when the user comes in to activate a role. You can designate one or multiple approvers in the role setting. Once the activation request is submitted, the approver will receive an email to go approve that request inside PIM. It is only upon this approval that the user will actually get the role assignment for a limited period of time. Now Steve will dig a little deeper into some other capabilities supported through PIM.
Steve: Azure AD Multi-Factor Authentication is another policy option customers can require during activation. If your organization uses Azure AD MFA to ensure that users are who they say they are at sign-in, you're already familiar with this feature. The administrator simply responds to the prompt on their trusted device, phone call, or SMS. Once the administrator has successfully completed this step, they're good to go. If your organization has MFA enabled at sign-in, PIM will not ask the user to perform MFA a second time. Security-conscious role administrators commonly require justification when users activate roles, as it helps your internal or external auditors understand why the role was activated. We also support the ability to input a service ticket number from whichever ITSM product your organization uses.

Notifications are another useful tool for administrators who want to know which users get assigned privileged roles and which roles are getting activated. And lastly, Access Reviews can help role administrators discover who has privileged roles in their organization and whether they still need them. This is facilitated by an Access Review, commonly known as an attestation campaign. The campaign can be delegated to a group of reviewers or to role members themselves. And when the review is complete, we can remove any assignments that are unnecessary. And don't worry, everything's logged, tracked, and auditable. Shaun will now talk more about audit.
Shaun: Of course, Steve. We have a detailed audit log that keeps track of all the events happening inside PIM. What is even better is that PIM's audit log is automatically included inside your Azure AD audit log, giving you the ability to funnel these logs into Log Analytics. We often see customers use this method to set up customized alerts inside the organization: whether it is a specific account being activated or someone making a change to the role setting, you can always set up an alert for that. I am sure you are super excited to learn about how you can deploy these configurations for admins in your organization. Before we get to that point, Steve, can you talk about the types of roles that can be protected by PIM?
Steve: Absolutely. Today, PIM supports all roles inside Azure Active Directory, like Global Administrator, Exchange Administrator, etcetera. We also enable you to secure roles for Azure Resources. This is not only the built-in roles and custom roles for a resource like a virtual machine in Azure, but also the roles for resource groups, subscriptions, and management groups. Getting Just in Time access at each level will not only enable access at that scope, it will also allow you to access all the child resources of that scope.
Shaun: Thanks, Steve. I hope that was a good overview of PIM. Now that you know the basics on why your organization needs PIM, join us in our next video to view the exact steps necessary in order to deploy PIM for your organization.
