Join Pete Zerger for an in-depth discussion in this video Managing privileged role membership, part of Microsoft Cybersecurity Stack: Advanced Identity and Endpoint Protection.
- [Instructor] With Azure Active Directory, a global administrator, or company administrator, can update which users are permanently assigned to roles in Azure AD. We can do this with PowerShell cmdlets or we can do this in the Azure portal. Azure AD Privileged Identity Management allows privileged role administrators to make permanent role assignments or to simply make users eligible for admin roles. An eligible admin can activate the role when they need it and their permissions expire once they're done.
We can manage those roles with PIM in the Azure portal. So, I'll browse to portal.azure.com. I'll supply my kinetECO Energy Azure AD user and password and then I will launch the Privileged Identity Management dashboard. You see I have this pinned to my desktop; you can find that through More services and searching if you've not yet pinned PIM to your desktop.
And, in the PIM dashboard here, under Manage, I will select Azure AD roles and, under Manage, I will then select Settings. So, now I can go into Roles over here on the right-hand side of the portal and configure the settings associated with the activation process. So, let's look at Security Administrator but, before I do, notice that the roles we're looking at here are not just core Azure AD roles. We also see roles related to Office 365 and other Microsoft services and applications.
So, I'll grab Security Administrator and you'll notice here that I have a number of settings we can use to control that user experience and activation. So, we have the activation duration in hours, and there's a slider or you can simply fill in the value in the box to the right. I can enable notification, notifying my other administrators when a role's been activated. I can require an incident or request ticket for activation.
Multi-factor, you see, is required here. There's no choice in the matter and, really, multi-factor should be a prerequisite for all of the roles you're managing with Privileged Identity Management. And then you'll notice here we do also have the option to require approval in order to activate this role. When we enable this option, when the user requests activation they'll get a notice, a toast notification, telling them that they are pending approval. I'll save my settings and now those settings are updated and that role is available.
When I come back to my dashboard and click on Azure AD directory roles, instead of clicking Settings this time I'll simply select Roles, and I can now add users to the role. So, when I add a user here, I'll select the role, Security Administrator in this case. And then I can search for the user whom I would like to add to the role.
I save my changes. And now let's look at this from the user's perspective. So, Adam has been added to that role. So, I'll view the Azure portal logged in as Adam, Adam Wallen here, and Adam has already pinned Privileged Identity Management to his start menu, and we'll go to My roles. So, now Adam can see the roles for which he's eligible. Let's go ahead and select the Security Administrator option and remember, it requires multi-factor authentication.
So, you'll notice that Adam has been prompted that he must verify his identity before proceeding. And here we have the note that multi-factor is required. He's going to click Verify my identity. And, in fact, he will be prompted for that second factor of authentication and he has to supply the code that was sent to his phone in this case. And only now that he's met the multi-factor requirement can Adam activate that role, and that'll be activated for the duration specified in the role settings, and we always have to provide a reason for role activation.
So, I provide the justification and there was no approval required, if you remember what we just did. So, activation is successful immediately and the toast notification tells us that our activation is in fact successful. And, incidentally, as your users are requesting those activations, you can not only receive email notifications but you can also view those alerts in the PIM dashboard, and also down in the directory roles audit history, where you can see a record of those changes.
You can remove users from eligible role assignments in the same place you added them, using the Remove option. So, simply browsing back to Azure AD directory roles and Roles, we can take the users out of the roles right here in the same location using that Remove option. Always make sure there's at least one user who is a permanent global administrator. We don't want to lock ourselves out of our Azure Active Directory or our portal. At the end of the day, privileged role management is about just-in-time access and just-enough access, adding another layer of diligence to your defense-in-depth strategy.
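The same procedure the video walks through in the portal (set the role's activation settings, make a user eligible, have the user self-activate, guard against locking out the last permanent Global Administrator, then remove the eligible assignment) can be scripted. The block below is an added example written for this page, not script from the course or from Microsoft; it uses the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.Governance), which is what backs the current PIM blades, rather than the classic portal shown in the video. The UPN, ticket number, ticketing system name and the 4-hour and 2-hour durations are assumed values; approval and notification rules are left at their defaults.

```powershell
# Added example (not from the course): the PIM portal steps done with the
# Microsoft Graph PowerShell SDK. UPN, ticket values and durations are assumed.
Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory',
                        'RoleManagementPolicy.ReadWrite.Directory', 'User.Read.All'

$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Security Administrator'"
$user = Get-MgUser -UserId 'adam.wallen@kineteco.example'   # assumed UPN for the eligible admin

# --- 1. Role settings (the "Settings" blade). Each setting is a rule on the
#        policy bound to this role at directory scope ('/').
$policyAssignment = Get-MgPolicyRoleManagementPolicyAssignment `
    -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$($role.Id)'"
$policyId = $policyAssignment.PolicyId

# Maximum activation duration: 4 hours (ISO 8601 duration), expiry enforced
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId 'Expiration_EndUser_Assignment' -BodyParameter @{
        '@odata.type'        = '#microsoft.graph.unifiedRoleManagementPolicyExpirationRule'
        isExpirationRequired = $true
        maximumDuration      = 'PT4H'
        target = @{ caller = 'EndUser'; operations = @('All'); level = 'Assignment'
                    inheritableSettings = @(); enforcedSettings = @() }
    }

# On activation require MFA, a justification and an incident/request ticket
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId 'Enablement_EndUser_Assignment' -BodyParameter @{
        '@odata.type' = '#microsoft.graph.unifiedRoleManagementPolicyEnablementRule'
        enabledRules  = @('MultiFactorAuthentication', 'Justification', 'Ticketing')
        target = @{ caller = 'EndUser'; operations = @('All'); level = 'Assignment'
                    inheritableSettings = @(); enforcedSettings = @() }
    }

# --- 2. Make Adam eligible for the role (not a permanent active assignment)
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter @{
    action           = 'adminAssign'
    justification    = 'Eligible Security Administrator for on-call duties'
    roleDefinitionId = $role.Id
    directoryScopeId = '/'
    principalId      = $user.Id
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString('o')
        expiration    = @{ type = 'noExpiration' }
    }
}

# --- 3. What Adam runs, in his own session, to activate. The service rejects the
#        request if the session has not satisfied MFA or the ticket/justification
#        rules above are unmet; the requested duration may not exceed PT4H.
New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter @{
    action           = 'selfActivate'
    justification    = 'Investigating alert INC0001234'               # assumed
    roleDefinitionId = $role.Id
    directoryScopeId = '/'
    principalId      = $user.Id
    ticketInfo       = @{ ticketNumber = 'INC0001234'; ticketSystem = 'ServiceNow' }  # assumed
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString('o')
        expiration    = @{ type = 'afterDuration'; duration = 'PT2H' }
    }
}

# --- 4. Lock-out guard: before touching any Global Administrator assignment,
#        confirm at least one permanent (active, non-expiring) Global Administrator remains.
$ga = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Administrator'"
$permanentGAs = @(Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance `
    -Filter "roleDefinitionId eq '$($ga.Id)'" |
    Where-Object { $_.AssignmentType -eq 'Assigned' -and -not $_.EndDateTime })
if ($permanentGAs.Count -lt 1) { throw 'No permanent Global Administrator left: refusing to continue.' }

# --- 5. Remove the eligible assignment (the portal's "Remove" action)
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter @{
    action           = 'adminRemove'
    justification    = 'On-call rotation ended'
    roleDefinitionId = $role.Id
    directoryScopeId = '/'
    principalId      = $user.Id
}
```

Steps 1, 2, 4 and 5 are run by a Privileged Role Administrator; step 3 is what the eligible user runs after completing MFA in their own session. The rule IDs (`Expiration_EndUser_Assignment`, `Enablement_EndUser_Assignment`) are the fixed names Graph uses for the "activation duration" and "require MFA/justification/ticket" settings; the `Approval_EndUser_Assignment` rule, not shown here, is the one to update if you want the approval flow the video mentions. The guard in step 4 counts only `Assigned` instances with no end date, so activated (`Activated`) or time-bound assignments do not satisfy it.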