Understanding Azure AD Privileged Access Management (PIM)
Azure Active Directory (AD) Privileged Access Management (PIM) lets you control, monitor, and manage privileged access. The service supports various Azure cloud resources, Azure AD, and Microsoft Online Services like Microsoft Intune and Microsoft 365.
You can use Azure AD PIM to provision users with just-in-time privileged access to your Azure resources, including those within Azure AD. The service lets you oversee and monitor the actions performed by PIM users via their privileged access, keep your applications secure, and meet compliance needs.
Azure AD PIM can also help you limit the number of individuals allowed access to information and resources to minimize the risk of unauthorized access and accidental data loss. However, PIM is not available as part of the free version – the feature requires the P2 premium license.
Related content: Read our guide to Azure AD Premium (coming soon)
Azure AD PIM Use Cases
Azure AD PIM supports the following roles and permissions:
|Privileged Role Administrator permissions||A privileged role can view all privileged roles’ requests and approval history. It can also define users or groups as approver users that can approve requests. Additionally, this role can enable approval for certain roles.|
|Approver permissions||Approver permissions enable users to view pending approvals requests and then either approve or reject any request for role elevation—as a single action or in bulk. Additionally, the role can justify approvals and rejections.|
|Eligible role user permissions||This type of user can send a request to activate a role and view the request’s status. If the activation request is approved, this user can complete their task in Azure AD.|
What Can You Manage with PIM?
Here are some key roles and groups you can manage with PIM:
- Azure AD roles—also known as directory roles. AD has both custom and built-in roles.
- Azure roles—the RBAC roles in Azure that grant access to subscriptions, resources, management groups, and resource groups.
- Privileged access groups—establish just-in-time access for member roles and the owner role within the Azure AD security group. Groups can be used to grant access to multiple privilege mechanisms, including Azure AD roles, Azure Key Vaults, and Intune.
- Users—you can grant users just-in-time access to privileged access groups, Azure roles, and Azure AD roles.
- Groups—these are different from privileged access groups in that they are regular user groups to which PIM can grant special just-in-time access. For this to work, the group must be a newly established cloud group and assignable to roles. For Azure roles, this can be any security group.
Types of Assignments
There are two kinds of assignments—active and eligible. Eligible means that the user does not have the role right now but has the ability to activate it to carry out a privileged task.
It’s possible to create start and end times for all assignment types. There are four possible types of assignments:
- If you set a start and end date, assignments can be “time-bound eligible” or “time-bound active.” When the assignment expires, you may renew or extend it.
- If you do not set a date, assignments are either “permanent eligible” or “permanent active.”
PIM Best Practices
When granting access via PIM, follow these best practices:
- Assign users’ standing access by assigning the role(s) with the least privilege needed to carry out their tasks.
- Minimize the number of global administrators and use specific administrator roles for some scenarios.
- Maintain zero permanently active assignments for roles. The only exception should be break-glass emergency access accounts. These emergency access accounts must have the permanent global administrator role but should be assigned to users only on a temporary, time-bound basis.
Getting Started with Azure AD PIM
Enabling Privileged Identity Management
To enable PIM:
- Access the Azure portal and go to Privileged Identity Management.
- Open Azure AD Directory Roles—Overview, and select Wizard.
To enable secure administrator access:
- Open the wizard and allow it to find the admin roles set up in your tenant.
- Don’t attempt to configure anything at this stage.
- Allow the wizard to activate PIM in your tenant.
- The account you are using at this point will be the initial Security Administrator for your tenant.
- After the wizard completes, it could take time before you can allot permissions to users.
Configuring Roles in Privileged Identity Management
To configure roles in Privileged Identity Management:
- Go to Azure AD Directory Roles—Overview.
- Select Settings > Roles.
- Choose the role you wish to assign to an administrator.
Here are definitions of a few key controls:
- Maximum activation duration—the greatest number of hours a user may request activation. You must keep this to a minimum, but do not set it too low, as this may place users under pressure to carry out administration tasks quickly.
- Notifications—the administrator will get a notification once a role is activated. This notification tells them they can continue with their administrator tasks and lets them know of any unauthorized privilege escalation.
- Multi-factor authentication—you cannot disable this control for high-privilege roles. Every user with a PIM role activated will utilize MFA to activate that role.
- Selected approver—an approver is a user who can approve access requests for the role. Approvers do not necessarily need to have the rights they are providing.
Assigning PIM Roles to a User
To assign a PIM role to an administrator:
- Assign the PIM role to the user’s account in the Office 365 portal.
- Allow that assignment several minutes to replicate.
- Go back to the PIM roles wizard (used to activate PIM).
- In the wizard, choose the first option to discover roles.
- This is where you activate PIM for the user’s Exchange Administrator permissions.
- Choose the assignment from the list.
- Click Next.
- The following screen will check your selection and configure PIM for a user.
Note: once this process is complete, the Exchange Administrator role is revoked from the user’s account. In this way, they become a standard user again. However, they are eligible to become an Exchange Administrator again.
Requesting Activation of PIM Managed Roles
To request activation of PIM-managed roles:
- Users log into the PIM management tool and can see under My roles that they are entitled to request activation.
- Users can select Exchange Administrator to get to the activation screen.
- Users need to verify themselves with multi-factor authentication and then proceed.
- If MFA is not enforced, the user is asked to register.
- After users pass the MFA, they may click Active to ask for rights elevation.
Azure AD Security with Pathlock
Pathlock is the leader in Access Orchestration for business-critical applications. Staying compliant with Sarbanes-Oxley is a critical business requirement, and Pathlock Control helps to automate the compliance process. As a MISA member, Pathlock can bring these capabilities to users of Azure Active Directory, with tight integration between the solutions.
Customers rely on Pathlock to streamline critical processes like fine-grained provisioning, separation of duties, and detailed user access reviews. With Pathlock’s out-of-the-box integration to Azure Active Directory, customers can enjoy the best of both worlds, including:
- Coverage for 140+ applications and counting, with support for key applications like SAP, Oracle, Workday, Dynamics365, Salesforce, and more.
- Perform compliant provisioning at a transaction code or function level into both cloud and on-premise applications.
- Define Separation of Duties (SOD) rules, both within an application and across them, and enforce them to prevent access risks and stay compliant.
- Enrich User Access Reviews (UARs) with fine-grained entitlement details and usage about transactions performed with specific access combinations.
Interested to learn more about the winning combination of Pathlock and Azure Active Directory? Request a demo today to see the solution in action!