Understanding and Deploying Privileged Identity Management (PIM) in Azure AD

What is it?

PIM is a service in Azure Active Directory (Azure AD) that lets you manage, control, and monitor access to important resources in your organization, including resources in Azure AD, Azure, and other Microsoft Online Services such as Microsoft 365 or Microsoft Intune. It provides on-demand, time-limited access for administrative tasks.

Why use PIM?

An organization needs to monitor and protect the use of elevated permissions to mitigate the risk that excessive, unnecessary, or misused access permissions leak sensitive information or fall into the wrong hands. PIM addresses this by giving users just-in-time privileged access to Azure and Azure AD resources and by letting administrators oversee what those users do with that privileged access.

Let's try deploying PIM and see how it works for a user.

Before deploying, we need to plan what access we are going to grant, how, and to whom. There are 4 types of assignments:

  • Permanent eligible
  • Permanent active
  • Time-bound eligible, with specified start and end dates for assignment
  • Time-bound active, with specified start and end dates for assignment

Usually, permanent assignments are given to users who are part of the organization for a longer period, whereas time-bound access is given to people who are part of the organization for a limited period, such as contractors. For our practice, we will assign a permanent eligible role: the user stays eligible and can activate admin or privileged access whenever it is needed.

To make a user eligible for an Azure AD admin role, follow the steps below:

  • Sign in to the Azure Portal with a suitable admin role, either the Global Admin role or the Privileged Role Administrator role. You'll see the welcome screen; in the left pane, click All services.
  • Filter the services by searching for Privileged Identity Management and select it when it appears. You should land on the PIM page as shown below:
  • Select Manage and then Add Assignment to create a new role assignment. For test purposes, we will give the Global Admin role to a few members who have no admin rights at the moment. Click Next once done.


  • Supposing that these members are permanent employees of the organization, we make them eligible permanently and save the configuration.
  • We see notifications pop up as below, and an email is sent to all Global Admins and PIM admins as a protective measure:

  • Now let's sign in to the Azure portal as one of the users we gave permissions to. Again, search for PIM in the All resources section. By default we land on the Roles page, where a message says we have eligible admin assignments for this resource and asks us to activate them. We can activate directly from that message, or go to My Roles in the left pane and activate from there.

  • Once in, we see the list of roles we're eligible for and can activate the ones we need for the resources we have to access. Usually, organizations grant the least permissive role so as not to give more access than the task requires.


  • When we try to activate our role, it goes through MFA verification.
  • After MFA is done, activate the role as needed, providing a proper justification for the access.
  • Once the role is assigned, you can double-check in the M365 Admin Center or by performing the activity the role is designated for.

    If you're done with the task before time, go to the Active assignments tab and deactivate the assignment.
  • Now, to change any aspect of the role you assigned, go to its settings and tweak whatever you want to restrict it further and protect the organization better:

    Play around with the settings and help protect the organization. Thanks for reading my blog and happy learning😊
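The same three steps from this walkthrough (admin creates a permanent eligible assignment, the user activates it just-in-time, then deactivates it when finished) driven through the Microsoft Graph PowerShell SDK instead of the portal. This is an added example, not code from the original post; the UPN, the ticket reference and the 2-hour activation window are assumed values.

```powershell
# Added example: PIM eligibility, activation and deactivation via Microsoft Graph PowerShell.
# Assumed: Microsoft.Graph.Identity.Governance module installed, UPN "eligible.user@contoso.example".

# --- Admin side: make the user permanently eligible for Global Administrator ---
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory"

$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Administrator'"
$user = Get-MgUser -UserId "eligible.user@contoso.example"   # assumed UPN

$eligibility = @{
    Action           = "adminAssign"              # admin-created eligibility
    Justification    = "Permanent eligible assignment for admin tasks"
    RoleDefinitionId = $role.Id
    DirectoryScopeId = "/"                        # tenant-wide scope
    PrincipalId      = $user.Id
    ScheduleInfo     = @{
        StartDateTime = (Get-Date).ToUniversalTime()
        Expiration    = @{ Type = "noExpiration" }   # "permanent eligible"
    }
}
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $eligibility

# Verify what the user is now eligible for (same data as the My roles page)
Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -Filter "principalId eq '$($user.Id)'" |
    Select-Object RoleDefinitionId, DirectoryScopeId, StartDateTime, EndDateTime

# --- User side: just-in-time activation, run in the eligible user's own session ---
# The role settings configured in PIM (MFA, justification, maximum duration) still apply;
# Graph rejects the request if the sign-in does not satisfy them.
Connect-MgGraph -Scopes "RoleAssignmentSchedule.ReadWrite.Directory"
$meId = (Get-MgUser -UserId (Get-MgContext).Account).Id

$activation = @{
    Action           = "selfActivate"
    PrincipalId      = $meId
    RoleDefinitionId = $role.Id
    DirectoryScopeId = "/"
    Justification    = "Ticket INC-0000: reset MFA for a locked-out user"   # placeholder ticket
    ScheduleInfo     = @{
        StartDateTime = (Get-Date).ToUniversalTime()
        Expiration    = @{ Type = "afterDuration"; Duration = "PT2H" }   # auto-expires after 2h
    }
}
New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $activation

# Finished early: hand the privilege back instead of waiting for expiry
$deactivation = $activation.Clone()
$deactivation.Action = "selfDeactivate"
$deactivation.Remove("ScheduleInfo")
New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $deactivation
```

Each request is also written to the Azure AD audit log under the PIM category, which is where the "oversee what those users are doing" part of the post is checked in practice.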
