AZ-003 Microsoft Azure

Privileged Identity Management (PIM) provides just-in-time elevation.

Domain: Microsoft Azure
Area: Entra ID / IAM
Automated / manual: Manual

Risk if it fails

Standing admin rights are always-on attack targets.

If admin power is always switched on, a compromised admin account is instantly catastrophic. JIT means the power is usually off and must be requested.

How Tess tests it

1 test — each concludes only on cited evidence.

Privileged Identity Management (PIM) provides just-in-time elevation.

Manual
Procedure
Confirm eligible (not permanent) assignments for privileged roles via PIM.

Read-only command

Manual — review Entra ID > PIM > Roles; confirm privileged roles are 'eligible' with approval/MFA.
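
The eligible-versus-standing distinction in the procedure above can also be checked over an export of active role assignments. This is an added example, not part of the original page or of Tess. It assumes the export follows the shape of Microsoft Graph's roleAssignmentScheduleInstances response; the sample records, principal names and the PRIVILEGED_ROLES set are constructed.

```python
import json

# Constructed sample, shaped like the JSON returned by Microsoft Graph
# GET /roleManagement/directory/roleAssignmentScheduleInstances (assumed export).
SAMPLE = json.loads("""
{"value": [
  {"principalId": "user-a", "roleDefinitionId": "62e90394-69f5-4237-9190-012177145e10",
   "assignmentType": "Assigned", "endDateTime": null},
  {"principalId": "user-b", "roleDefinitionId": "62e90394-69f5-4237-9190-012177145e10",
   "assignmentType": "Activated", "endDateTime": "2024-05-01T17:00:00Z"},
  {"principalId": "user-c", "roleDefinitionId": "62e90394-69f5-4237-9190-012177145e10",
   "assignmentType": "Assigned", "endDateTime": "2024-06-30T00:00:00Z"},
  {"principalId": "user-d", "roleDefinitionId": "constructed-low-priv-role",
   "assignmentType": "Assigned", "endDateTime": null}
]}
""")

# Roles treated as privileged for this check (caller-supplied assumption).
# 62e90394-... is the Global Administrator role template ID.
PRIVILEGED_ROLES = {"62e90394-69f5-4237-9190-012177145e10"}


def standing_assignments(export, privileged_roles):
    """Return (principalId, kind) for privileged roles held without PIM activation."""
    findings = []
    for rec in export.get("value", []):
        if rec.get("roleDefinitionId") not in privileged_roles:
            continue
        # "Activated" means an eligible user elevated through PIM (just-in-time).
        # Anything else is a direct, always-on assignment; unknown values fail closed.
        if rec.get("assignmentType") == "Activated":
            continue
        kind = "permanent" if rec.get("endDateTime") is None else "time-bound"
        findings.append((rec.get("principalId"), kind))
    return findings


if __name__ == "__main__":
    for principal, kind in standing_assignments(SAMPLE, PRIVILEGED_ROLES):
        print(f"standing {kind} assignment: {principal}")
```

The approval and MFA requirements on activation live in the role settings and still need the manual review described above.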
