by sfn42 563 days ago
Thanks for the response! You pretty much just described exactly how it works in the organization I work for, as an outside contractor.

But PIM has a max duration of 8 hours and does not require additional authentication like a YubiKey; it doesn't even require that I authenticate again with my regular MFA login.

In practice everyone just writes what amounts to nothing as their reason. We literally write our team name.

It's also badly set up, so all kinds of bullshit like viewing application logs requires PIM, and nobody really knows how it works, so we just request all the roles instead of considering which one we need, because it's all just a big box of magic that few people actually understand. And we do so pretty much every day because we always need to do something in Azure.

So, with the way we use it, it still seems pointless to me, even with your explanations. Maybe we get some small benefits from it, but for the most part it seems like security posturing to me.