Join Pete Zerger for an in-depth discussion in this video, What is Azure AD Privileged Identity Management (PIM)?, part of Microsoft Cybersecurity Stack: Advanced Identity and Endpoint Protection.
- [Instructor] With Azure Active Directory Privileged Identity Management, you can manage, control, and monitor access within your organization with just-in-time privileged access to resources in Azure AD and other Microsoft services, like Office 365 or Microsoft Intune. Organizations want to minimize the number of people who have access to secure information or resources, because this reduces the chance of a malicious user getting that access. However, users still need to carry out privileged operations in Azure, Office 365, or other SaaS apps, and giving users privileged access in Azure AD without monitoring what those users are doing with those privileges results in sprawl.
Privileged Identity Management lets you assign users to common administrator roles in Azure and Office 365, including Global Administrator, which has access to all rights and features; Privileged Role Administrator, which manages the Azure AD Privileged Identity Management feature; Billing Administrator, who makes purchases, manages subscriptions, manages tickets, et cetera; Password Administrator, who resets other users' passwords; Service Administrator, who manages service requests; and finally, User Management Administrator, who has permissions to reset passwords and monitor health.
What all of these roles have in common is that they carry significant privilege that you don't want in a user's hands 24 hours a day. You can also enable just-in-time access for Office 365 admin roles, like Exchange administrator, SharePoint administrator, and Skype for Business admin. Azure AD Privileged Identity Management helps you monitor for and resolve risks, like weak authentication, by showing which users are Azure AD administrators and enabling on-demand, just-in-time administrative access to Microsoft Online services like Office 365 and Intune.
You get reports about administrator access history and changes in administrator assignments, you receive alerts about access to a privileged role, and you can also require approval to activate that privilege. Just-in-time administrator access in the enterprise has typically been a program that takes a lot of effort and software expense to implement. You can assign a user to an admin role through the Azure AD Classic Portal or Windows PowerShell, and as a result, that user becomes a permanent admin.
Azure AD Privileged Identity Management introduces the concept of an eligible admin. It removes barriers to entry for just-in-time and just-enough access with a few minutes of simple configuration. Eligible admins should be users who need privileged access now and then, but not every day. The role is inactive until the user needs access; then they complete an activation process and become an active admin for a predetermined amount of time. You enable the Privileged Identity Management feature with a few clicks in the Azure Portal.
You do need to log in with an account that has Global Administrator privileges to turn that feature on. With Azure AD Privileged Identity Management, you can manage the administrators by adding or removing permanent or eligible administrators for each role. The goal is to reduce permanent admin access and increase the number of eligible users that we can enable for just-in-time access, enabling the privilege when it's needed and removing it when it's no longer necessary.
Using the Role Settings, you can configure the eligible role activation properties, including the duration of the role activation period, notification settings, the information a user needs to provide during that activation process, such as a service ticket or an incident number, and even approval workflow requirements. For certain highly privileged roles, Microsoft requires multi-factor authentication for heightened protection. To activate the role, an eligible admin requests a time-bound activation for the role.
Activation can be requested using the Activate My Role option in the Azure AD Privileged Identity Management area of the Portal. An admin who wants to activate a role needs to open Azure AD Privileged Identity Management in the Portal. Role activation is customizable, so in PIM Settings we can determine the length of activation and what information that admin needs to provide in order to activate. There are two ways to track how employees and admins are using privileged roles.
The first option is the directory roles audit history. The audit history logs track changes in privileged role assignments and role activation history. The second is access reviews, in which we can trigger an audit process to review who is eligible for privilege and who still needs to remain eligible for privilege in the future. The cost and complexity of PIM is very low compared to third-party solutions, so this is really a quick win for reducing your exposure in Azure in the event of compromised credentials and unwanted changes due to permanently assigned admin privileges.
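The video walks through the permanent-versus-eligible model, time-bound self-activation with a justification and ticket, and the PIM audit history entirely in the portal. The script below is an added example, not part of the course or of Microsoft's own samples, that does the same three things with the Microsoft Graph PowerShell SDK (which postdates the Classic Portal mentioned above): it lists who holds a role permanently versus who is merely eligible, self-activates an eligible assignment for a bounded window, and pulls the PIM entries from the directory audit log. The role name, activation duration, ticket number, justification text, and the assumption that the signed-in user is eligible for the role are all assumptions for illustration; the cmdlet and property names are those of the published SDK.

```powershell
# Added example (not from the course): inventory permanent vs. eligible holders of a
# directory role, self-activate an eligible assignment, then read the PIM audit trail.
# Assumes the Microsoft.Graph SDK is installed and the signed-in user is eligible for $RoleName.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.Governance, Microsoft.Graph.Users, Microsoft.Graph.Reports

param(
    [string]$RoleName      = 'Global Administrator',                      # assumed role
    [string]$Duration      = 'PT2H',                                      # ISO 8601; must not exceed the role setting's maximum
    [string]$TicketNumber  = 'INC0012345',                                # constructed sample ticket number
    [string]$Justification = 'Investigating sign-in risk alerts for finance users'  # constructed
)

# Least privilege on the token as well: read role data, write only schedule requests, read audit logs.
$scopes = @(
    'RoleManagement.Read.Directory',
    'RoleAssignmentSchedule.ReadWrite.Directory',
    'AuditLog.Read.All'
)
Connect-MgGraph -Scopes $scopes | Out-Null

$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$RoleName'"
if (-not $role) { throw "Role '$RoleName' not found in this tenant." }

# 1. Active assignments. AssignmentType 'Assigned' with no expiration is a PERMANENT admin,
#    which is exactly the population PIM is meant to drive toward zero.
$active = Get-MgRoleManagementDirectoryRoleAssignmentSchedule -Filter "roleDefinitionId eq '$($role.Id)'" -ExpandProperty Principal
$permanent = $active | Where-Object {
    $_.AssignmentType -eq 'Assigned' -and $_.ScheduleInfo.Expiration.Type -eq 'noExpiration'
}
"Permanent holders of ${RoleName}:"
$permanent | ForEach-Object { '  ' + $_.Principal.AdditionalProperties.userPrincipalName }

# 2. Eligible assignments: inactive until the user activates.
$eligible = Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter "roleDefinitionId eq '$($role.Id)'" -ExpandProperty Principal
"Eligible holders of ${RoleName}:"
$eligible | ForEach-Object { '  ' + $_.Principal.AdditionalProperties.userPrincipalName }

# 3. Self-activate for a bounded window. PIM applies the role setting server-side: maximum
#    duration, required MFA, required justification/ticket, and approval if configured.
$me = Get-MgUser -UserId (Get-MgContext).Account
$request = @{
    Action           = 'selfActivate'
    PrincipalId      = $me.Id
    RoleDefinitionId = $role.Id
    DirectoryScopeId = '/'                 # tenant-wide; an administrative unit id narrows the scope
    Justification    = $Justification
    TicketInfo       = @{ TicketNumber = $TicketNumber; TicketSystem = 'ServiceNow' }   # assumed system
    ScheduleInfo     = @{
        StartDateTime = (Get-Date).ToUniversalTime()
        Expiration    = @{ Type = 'afterDuration'; Duration = $Duration }
    }
}
$result = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $request
"Activation request status: $($result.Status)"   # 'Provisioned', or 'PendingApproval' when an approver must act

# 4. The audit history the video describes: every PIM assignment change and activation is
#    written to the directory audit log with loggedByService 'PIM'.
Get-MgAuditLogDirectoryAudit -Filter "loggedByService eq 'PIM'" -Top 20 |
    Select-Object ActivityDateTime, ActivityDisplayName, Result,
                  @{ n = 'Actor'; e = { $_.InitiatedBy.User.UserPrincipalName } } |
    Format-Table -AutoSize
```

Two behaviours worth knowing before running this against a real tenant: if the role setting requires multi-factor authentication and the current session has not satisfied it, or if `$Duration` exceeds the configured maximum, the activation request is rejected by the service rather than silently shortened; and when an approval workflow is configured the request returns `PendingApproval`, so automation that expects the role to be usable immediately after step 3 must poll the request's status instead. Step 1 is the metric to track over time: the video's goal of "reduce permanent admin access" is met when that list is empty apart from the break-glass accounts you deliberately exclude from PIM.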