Join Pete Zerger for an in-depth discussion in this video Privileged role activation and management, part of Microsoft Cybersecurity Stack: Advanced Identity and Endpoint Protection.
- [Instructor] Azure AD Privileged Identity Management simplifies how we manage privileged access to resources in Azure AD and other Microsoft Online services like Office 365 or Microsoft Intune. It enables just-in-time access and just-enough access for users to perform tasks that require privilege. If you've been made eligible for an administrative role, that means you can activate the role when you need to perform privileged actions, for a limited time.
For example, if you occasionally manage Office 365 features, your organization's privileged role administrators may not make you a permanent global administrator, since that role impacts other services too. Instead, they make you eligible for Azure AD roles such as Exchange Online administrator. You can request to activate that role when you need privileges, and then you'll have admin control for a pre-determined period of time. You'll always use the Azure AD Privileged Identity Management app in the Azure portal to request role activation, even if you're going to operate in another portal like Office 365, or you're going to do bulk administration in PowerShell.
If you don't have access to the Azure AD Privileged Identity Management app in the Azure portal, search for it and pin it to the dashboard so you can get to it easily. You're always going to use the My Roles option when you need to take on a role. You request activation by selecting the My Roles navigation option in the Azure AD PIM app in the portal. Some roles, like global administrator, actually require multi-factor authentication before you can activate the role. You only have to authenticate once per session.
Then you enter the reason for the activation request in the text field. Some roles, like security administrator, require a trouble ticket number. All roles require a reason for the activation request to be added to a text field. If the role requires approval to activate, a toast notification will appear briefly in the upper right-hand corner of your browser informing you the request is pending approval. Once the role has been activated, it automatically deactivates when its time limit, its eligible duration, is reached.
If you complete your admin task early enough, you can also deactivate the role manually in the Azure AD PIM app in the Azure portal. In the event you do not, or no longer, require activation of a role that requires approval, you can actually cancel a pending request at any time. Simply go back to the My Roles navigation option in the PIM app, in the left navigation column. The privileged role administrator, the person responsible for the PIM feature in your organization, should periodically verify users still need role access by kicking off an access review.
As a role eligible user, you might get an email link, or you can go directly to the Azure portal to respond, indicating whether you still require eligibility for that role or your eligibility is no longer necessary. So this is really a quick win for implementing just-in-time access and just-enough access, so really all Azure AD customers should implement privileged role management in Azure AD, always perform regular access reviews to eliminate privilege sprawl, and take the role of least privilege to the next level.
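The activation workflow the instructor walks through in the portal (list eligible roles, activate with a reason and ticket number, check whether the request is pending approval, cancel or deactivate) can also be driven from PowerShell, which is what the "bulk administration at PowerShell" remark implies you would need before running admin cmdlets. The following is an added example, not code from the course or from Microsoft's documentation; it uses the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.Governance module) rather than the portal the video shows. The role name "Exchange Administrator", the two-hour duration, the justification text, and the ticket number and ticket system are constructed assumptions; the Graph status strings quoted in comments are the ones the API returns for pending and provisioned requests.

```powershell
# Added example (not from the course): Azure AD PIM self-activation scripted with Microsoft Graph PowerShell.
# Assumed values (not from the page): role display name, duration, justification, ticket number/system.
Connect-MgGraph -Scopes "RoleAssignmentSchedule.ReadWrite.Directory",
                        "RoleEligibilitySchedule.Read.Directory",
                        "User.Read"
# If the role's PIM settings require MFA, Conditional Access enforces it at this sign-in.

$me = Get-MgUser -UserId (Get-MgContext).Account   # the signed-in, role-eligible user

# 1. "My Roles": roles this user is eligible for, resolved to display names.
$eligible = Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -Filter "principalId eq '$($me.Id)'"
$defs = @{}
foreach ($e in $eligible) {
    $defs[$e.RoleDefinitionId] = (Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $e.RoleDefinitionId).DisplayName
    "{0,-40} scope={1}" -f $defs[$e.RoleDefinitionId], $e.DirectoryScopeId
}

# 2. Choose the role to activate (assumed name; the Graph role is "Exchange Administrator").
$roleName = "Exchange Administrator"
$target = $eligible | Where-Object { $defs[$_.RoleDefinitionId] -eq $roleName } | Select-Object -First 1
if (-not $target) { throw "Not eligible for '$roleName'. Ask a Privileged Role Administrator for eligibility." }

# 3. Build the activation request: reason is always required, ticket info only if the role setting demands it.
$activate = @{
    action           = "selfActivate"
    principalId      = $me.Id
    roleDefinitionId = $target.RoleDefinitionId
    directoryScopeId = $target.DirectoryScopeId       # "/" for a tenant-wide eligibility
    justification    = "Mailbox migration change window"           # assumed text
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString("o")
        # Ask for only as long as the task needs; PIM rejects anything above the role's maximum.
        expiration    = @{ type = "AfterDuration"; duration = "PT2H" }
    }
    ticketInfo       = @{ ticketNumber = "CHG0012345"; ticketSystem = "ServiceNow" }   # constructed values
}

$result = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $activate
"Request {0}: status = {1}" -f $result.Id, $result.Status
# Status is "Provisioned" when the role is active immediately, or "PendingApproval"
# when the role requires approval (the portal's toast notification case).

if ($result.Status -eq "PendingApproval") {
    # 4a. Changed your mind while the approver is still looking? Cancel the pending request.
    Stop-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -UnifiedRoleAssignmentScheduleRequestId $result.Id
    "Pending request $($result.Id) cancelled."
}
else {
    # ... do the privileged work here (Exchange Online cmdlets, bulk changes, etc.) ...

    # 4b. Finished early? Deactivate instead of waiting for the timer to expire.
    $deactivate = @{
        action           = "selfDeactivate"
        principalId      = $me.Id
        roleDefinitionId = $target.RoleDefinitionId
        directoryScopeId = $target.DirectoryScopeId
        justification    = "Task complete"
    }
    New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $deactivate | Out-Null
    "$roleName deactivated."
}
```

Two practical checks when adapting this: confirm the role's PIM settings (maximum activation duration, MFA, justification, ticket and approval requirements) before scripting, because a request that violates them is rejected rather than trimmed, and remember that `selfDeactivate` is the scripted equivalent of the manual deactivation the instructor describes, so a wrapper script that activates, runs its bulk changes, and always deactivates in a `finally` block keeps the standing-privilege window as short as the task itself.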
- Configuring virtual-based security
- Securing email
- Implementing post-breach defense
- Protecting the cloud with Azure AD
- Using Windows Defender ATP
- Managing privileged access in Azure