
Understanding Azure AD Privileged Access Management (PIM)

Shiv Sujir - July 18, 2022

Azure Active Directory (AD) Privileged Access Management (PIM) lets you control, monitor, and manage privileged access. The service supports various Azure cloud resources, Azure AD, and Microsoft Online Services like Microsoft Intune and Microsoft 365. 

You can use Azure AD PIM to provision users with just-in-time privileged access to your Azure resources, including those within Azure AD. The service lets you oversee and monitor the actions performed by PIM users via their privileged access to keep your applications secure and meet compliance needs.

Azure AD PIM can also help you limit the number of individuals allowed access to information and resources to minimize the risk of unauthorized access and accidental data loss. However, PIM is not available as part of the free version – the feature requires the P2 premium license.

Related content: Read our guide to Azure AD Premium

Azure AD PIM Use Cases

Azure AD PIM supports the following roles and permissions:

Role | Permissions
--- | ---
Privileged Role Administrator | Can view all privileged roles’ requests and approval history, define users or groups as approvers who can approve requests, and enable approval for specific roles.
Approver | Can view pending approval requests and approve or reject any request for role elevation, either singly or in bulk, and can give a justification for approvals and rejections.
Eligible role user | Can send a request to activate a role and view the request’s status. If the activation request is approved, the user can complete their task in Azure AD.

What Can You Manage with PIM?

Here are some key roles and groups you can manage with PIM:

  • Azure AD roles—also known as directory roles. AD has both custom and built-in roles.
  • Azure roles—the RBAC roles in Azure grant access to subscriptions, resources, management groups, and resource groups.
  • Privileged access groups—establish just-in-time access for member roles and the owner role within the Azure AD security group. Groups can be used to grant access to multiple privilege mechanisms, including Azure AD roles, Azure Key Vaults, and Intune.
  • Users—you can grant users just-in-time access to privileged access groups, Azure roles, and Azure AD roles.
  • Groups—these are different from privileged access groups in that they are regular user groups to which PIM can grant special just-in-time access. For this to work, the group must be a newly established cloud group and assignable to roles. For Azure roles, this can be any security group.

Types of Assignments

There are two kinds of assignments—active and eligible. Active means the user holds the role now; eligible means that the user does not have the role right now but has the ability to activate it to carry out a privileged task.

It’s possible to create start and end times for all assignment types. There are four possible types of assignments:

  • If you set a start and end date, assignments can be “time-bound eligible” or “time-bound active.” When the assignment expires, you may renew or extend it.
  • If you do not set a date, assignments are either “permanent eligible” or “permanent active.”

PIM Best Practices

When granting access via PIM, follow these best practices:

  • For standing access, assign users only the role(s) with the least privilege needed to carry out their tasks.
  • Minimize the number of global administrators and use specific administrator roles for some scenarios.
  • Maintain zero permanently active assignments for roles. The only exception should be break-glass emergency access accounts. These emergency access accounts must have the permanent global administrator role but should be assigned to users only on a temporary, time-bound basis.
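To check the "zero permanently active assignments" rule in practice, here is an added example (not part of the original article) using the Microsoft Graph PowerShell SDK to list standing Azure AD role assignments that never expire, excluding the break-glass accounts; the UPNs in $breakGlassUpns are hypothetical placeholders for your own emergency access accounts.

```powershell
# Added example, not from the original article. Reports permanently active Azure AD
# role assignments so they can be converted to eligible (just-in-time) assignments.
# Assumes the Microsoft.Graph SDK and an account allowed to read role management data.
$scopes = @("RoleManagement.Read.Directory", "User.Read.All")
Connect-MgGraph -Scopes $scopes

# Hypothetical placeholder UPNs of the emergency access accounts (the only allowed exception).
$breakGlassUpns = @("breakglass1@contoso.example", "breakglass2@contoso.example")

# Map role definition ids to display names so the report is readable.
$roleNames = @{}
Get-MgRoleManagementDirectoryRoleDefinition -All |
    ForEach-Object { $roleNames[$_.Id] = $_.DisplayName }

# Schedule instances are the assignments currently in effect. AssignmentType 'Assigned'
# is an active (not PIM-activated) assignment; no EndDateTime means it never expires,
# which is exactly the "permanent active" case the best practice forbids.
$standing = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -All |
    Where-Object { $_.AssignmentType -eq 'Assigned' -and -not $_.EndDateTime }

$report = foreach ($a in $standing) {
    # Resolve the principal; users expose userPrincipalName, groups and apps do not.
    $principal = Get-MgDirectoryObject -DirectoryObjectId $a.PrincipalId
    $upn = $principal.AdditionalProperties['userPrincipalName']
    [pscustomobject]@{
        Role       = $roleNames[$a.RoleDefinitionId]
        Principal  = if ($upn) { $upn } else { $a.PrincipalId }
        Scope      = $a.DirectoryScopeId
        BreakGlass = [bool]($upn -and ($breakGlassUpns -contains $upn))
    }
}

# Every row left here is a standing privileged assignment that should become eligible instead.
$report | Where-Object { -not $_.BreakGlass } | Sort-Object Role | Format-Table -AutoSize
```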

Getting Started with Azure AD PIM

Enabling Privileged Identity Management

To enable PIM:

  1. Access the Azure portal and go to Privileged Identity Management.
  2. Open Azure AD Directory Roles—Overview, and select Wizard.

To enable secure administrator access:

  1. Open the Wizard and allow it to find the admin roles set up in your tenant.
  2. Don’t attempt to configure anything at this stage.
  3. Allow the Wizard to activate PIM in your tenant.
  4. The account you are using at this point will be the initial Security Administrator in your tenant.
  5. After the Wizard completes, it could take time before you can allot permissions to users.

Configuring Roles in Privileged Identity Management

To configure roles in Privileged Identity Management:

  1. Go to Azure AD Directory Roles—Overview.
  2. Select Settings > Roles.
  3. Choose the role you wish to assign to an administrator.

Here are definitions of a few key controls:

  • Maximum activation duration—the longest period, in hours, for which a user may request activation. Keep it to a minimum, but do not set it so low that users are pressured to carry out administration tasks hastily.
  • Notifications—the administrator will get a notification once a role is activated. This notification tells them they can continue with their administrator tasks and lets them know of any unauthorized privilege escalation.
  • Multi-factor authentication—this control cannot be disabled for high-privilege roles. Every user activating a PIM role must complete MFA to activate it.
  • Selected approver—an approver is a user who can approve access requests for the role. Approvers do not necessarily need to have the rights they are providing.

Assigning PIM Roles to a User

To assign a PIM role to an administrator:

  1. Assign the PIM role to the user’s account in the Office 365 portal.
  2. Allow that assignment several minutes to replicate.
  3. Go back to the PIM roles wizard (used to activate PIM).
  4. In the wizard, choose the first option to discover roles.
  5. This is where you activate PIM for the user’s Exchange Administrator permissions.
  6. Choose the assignment from the list.
  7. Click Next.
  8. The following screen will check your selection and configure PIM for a user.

Note: once this process is complete, the Exchange Administrator role is revoked from the user’s account. In this way, they become a standard user again. However, they are eligible to become an Exchange Administrator again.

Requesting Activation of PIM Managed Roles

To request activation of PIM managed roles:

  1. Users log into the PIM management tool and can see under My Roles that they are entitled to request activation.
  2. Users can select Exchange Administrator to get to the activation screen.
  3. Users need to verify themselves with multi-factor authentication and then proceed.
  4. If MFA is not enforced, the user is asked to register.
  5. After users pass the MFA, they may click Activate to ask for rights elevation.
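The same workflow can be scripted. As an added example (not the article's own steps), this Microsoft Graph PowerShell snippet first creates a time-bound eligible assignment of Exchange Administrator for a user (the administrator's part), then submits a time-bound self-activation request with a justification (the eligible user's part); the UPN and ticket reference are hypothetical placeholders.

```powershell
# Added example, not from the original article. Assumes the Microsoft.Graph SDK.
$scopes = @("RoleEligibilitySchedule.ReadWrite.Directory",
            "RoleAssignmentSchedule.ReadWrite.Directory", "User.Read.All")
Connect-MgGraph -Scopes $scopes

$user = Get-MgUser -UserId "alice@contoso.example"     # hypothetical placeholder user
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Exchange Administrator'"

# Part 1 (run as a Privileged Role Administrator): "time-bound eligible" assignment.
# The user gains nothing yet, only the right to request activation until the end date.
$eligible = @{
    Action           = "adminAssign"
    PrincipalId      = $user.Id
    RoleDefinitionId = $role.Id
    DirectoryScopeId = "/"                               # tenant-wide scope
    Justification    = "Mailbox administration duties, reviewed quarterly"
    ScheduleInfo     = @{
        StartDateTime = (Get-Date).ToUniversalTime()
        Expiration    = @{ Type = "afterDateTime"; EndDateTime = (Get-Date).AddDays(90).ToUniversalTime() }
    }
}
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $eligible

# Part 2 (run in a session signed in as the eligible user, who has already passed MFA):
# request activation for four hours. The role settings decide whether an approver must
# sign off; the request is recorded either way, and Status shows the outcome.
$activate = @{
    Action           = "selfActivate"
    PrincipalId      = $user.Id
    RoleDefinitionId = $role.Id
    DirectoryScopeId = "/"
    Justification    = "Ticket INC-PLACEHOLDER: repair mail flow rule"
    ScheduleInfo     = @{
        StartDateTime = (Get-Date).ToUniversalTime()
        Expiration    = @{ Type = "afterDuration"; Duration = "PT4H" }   # ISO 8601; must not exceed the role's maximum
    }
}
$request = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $activate
$request | Select-Object Id, Action, Status
```

If the role requires approval, Status is reported as PendingApproval until an approver acts; otherwise the activation is provisioned and expires on its own after the requested duration.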

Azure AD Security with Pathlock

Pathlock is the leader in Access Governance for business-critical applications. Staying compliant with Sarbanes-Oxley is a critical business requirement, and Pathlock Control helps to automate the compliance process. As a MISA member, Pathlock can bring these capabilities to users of Azure Active Directory, with tight integration between the solutions.

Customers rely on Pathlock to streamline critical processes like fine-grained provisioning, separation of duties, and detailed user access reviews. With Pathlock’s out-of-the-box integration to Azure Active Directory, customers can enjoy the best of both worlds, including:

  • Coverage for 140+ applications and counting, with support for key applications like SAP, Oracle, Workday, Dynamics365, Salesforce, and more
  • Compliant provisioning at a transaction code or function level into both cloud and on-premises applications
  • Separation of Duties (SoD) rules, defined both within an application and across applications, and enforced to prevent access risks and stay compliant
  • User Access Reviews (UARs) enriched with fine-grained entitlement details and usage data about transactions performed with specific access combinations

Interested in learning more about the winning combination of Pathlock and Azure Active Directory? Request a demo today to see the solution in action!
