Enforcing YubiKeys with Azure Privileged Identity Manager (PIM)

Privileged access management is a critical identity governance component of a cybersecurity risk reduction strategy. Threat actors often target over-privileged accounts to gain unauthorized access, exfiltrate sensitive data, introduce malicious activity, or engage in other forms of malicious behavior. By employing effective privilege management tools, organizations can significantly reduce their attack surface and mitigate the potential damage from security breaches or insider threats. Policies that support the principle of least privilege and restrict access to privileged resources can help to limit the risk of security incidents and preserve the confidentiality, integrity, and availability of critical data and assets.

Azure Active Directory (AAD) Privileged Identity Management (PIM) facilitates the management of privileged access to Azure AD and Azure resources by enforcing a Zero Standing Privilege (ZSP) security model. This model only grants users elevated access privileges when necessary and for a limited time, instead of providing persistent access. With PIM, organizations can grant Just-in-Time (JIT) access to privileged roles, assign temporary or time-bound roles, and require multi-factor authentication for role elevation. These controls help organizations reduce the attack surface and prevent unauthorized access to sensitive data and resources, thereby improving their overall security posture.

To further enhance security, organizations can enforce the use of hardware security keys, such as YubiKeys, for privilege elevation activation with PIM, driven by Conditional Access using Authentication Strengths and Authentication Context. Authentication Strengths can now allow organizations to granularly enforce strong, phishing-resistant multi-factor authentication (MFA) based on applicable threat models, such as requiring YubiKeys using FIDO2 or Certificate-Based Authentication (CBA). This approach provides greater control in strengthening an organization’s security posture.

Step-up authentication is a security measure that requires users to provide additional verification when accessing important resources or performing sensitive tasks. This can include things like multifactor authentication, where users must provide additional information beyond their usual login credentials. With Conditional Access Authentication Context, organizations can enforce strong security measures for sensitive tasks, such as requiring the use of a hardware authenticator like the YubiKey. By using context-based policy enforcement, organizations can ensure that sensitive operations are always verified using the strongest possible authentication methods.

Identity is now the control plane, and enabling MFA is the single most crucial step organizations can take to secure their users. Privileged identities require stricter controls, as they are more vulnerable to identity-related attacks that can compromise information, disrupt operations, and cause reputational damage. Therefore, it is crucial to implement solutions that can securely manage and monitor privileged access across the digital estate. 

With Azure PIM, Conditional Access Authentication Context and Authentication Strengths, organizations can secure privilege elevation by providing JIT access and enforce MFA to activate any privileged role using YubiKeys.

For additional information on Privileged Access Management and what it means for your business, check out our page here. For a step-by-step setup of how to get the Azure PIM solution enabled with your YubiKey, watch our video below.

Talk to our teamTalk to our team

Share this article:


  • Future-proofing authentication: A look at the future of post-quantum cryptographyThe path from passwords to passkeys and beyond In a previous blog I talked about the end of passwords and the rise of passkeys, which promise stronger security and less frustration for both individuals and businesses. The global momentum behind passkeys represents one of the most exciting shifts in authentication history, but realizing their full […]Read more
  • Goodbye master passwords: Dashlane and Yubico enhance credential vault encryption and login with YubiKeysAt Authenticate 2025 this week, the world’s leading experts on modern authentication and securing digital identities gathered, to discuss the future of secure authentication and achieving usable security across the account lifecycle. The message was clear: the future of phishing-resistant authentication is using passkeys for encryption, and the gold standard is device-bound passkeys – YubiKeys. […]Read morecredential vault encryptioncredential vault loginDashlanepartnerpasskey encryptionPRF
  • Piloting Europe’s future ID: Passkeys securing digital walletsOver the last several years, passkeys have become ubiquitous. They are available on every mobile platform, in every leading browser, as part of all major enterprise IAM solutions, and in most major cloud services. Until wwWallet came along, the only place where passkeys hadn’t yet made an impact is in the rapidly developing world of […]Read moredigital identity walletspasskeysSIROSwwWallet
  • We’re excited for what’s to come – meet us in-person to find out whyIt’s been a busy year for our team, filled with exciting company and product updates aimed at better serving our customers and helping them achieve cyber resilience as AI-driven phishing threats continue evolving globally. Between industry award recognitions and key new executive leadership hires to lead Yubico to its next stage of growth and a […]Read more