Privileged Identity Management in Azure AD

Just Enough

Protecting Azure Resources

In addition to the obvious AAD and Office 365 roles in AAD, PIM offers the ability to protect privileged Azure resource admins. As for AAD roles, the respective Azure resources have to be added before they can be managed. In the PIM section of the AAD portal, you can do this by selecting Azure resources | Discover resources . PIM manages permissions for Azure resources at the subscription, resource group, or resource level, covering different types of administrators, from subscription administrators to infrastructure admins to owners of individual but critical virtual machines.

The selected resource can now be found in the Azure Resource Overview. The Resource filter drop-down lets you change the view of the resource types shown if you want to configure administrative roles at the resource group or resource level, rather than at the subscription level. The overview displays the available roles to be managed and the administrators who currently own the roles. A click on the resource opens the detailed view in which you define the role settings and authorized users for each role.

The configuration is similar to that of AAD roles. Roles lists all roles that Azure has defined for its resources as an overview, with active and authorized users. The detailed settings for each Azure role are stored in Role settings . To assign the Contributor role for a resource group to a user, click Azure resources in the PIM portal and select the appropriate resource type and target resource.

Once the Azure resource is loaded in the blade, click on Roles and select Contributor and + Add member . Follow the wizard and select the target user or audience for assignment. In Set membership settings , you then define whether the role assignment should be active or authorized. You can also specify start and end dates. For Azure resources, Microsoft specifies that active role assignments shall not last indefinitely. For Contributor , Microsoft defines a maximum period of one month if the role is permanently configured, and three months if authorized .

Below Role settings , you can define the settings precisely. The role settings are configurable per resource group, resource, and subscription. Settings for the Contributor role can therefore differ between resource groups. In addition to the reason for activation and MFA settings that are already known for AAD roles, you can time-constrain the authorized and active role assignments, if necessary.

Licenses

PIM is subject to a special type of license at Microsoft in Azure AD, which enforces and tracks permissions. Users who benefit from PIM must have an Azure AD Premium 2 or Enterprise Mobility Suite E5 license that includes AAD Premium 2. A license must remain available for each user who

  • is subject to an admin role in PIM,
  • can enable admin roles from PIM,
  • approves or rejects requests for admin roles,
  • obtains administrative privileges for Azure resources (JIT or directly), or
  • can view the access reports.

The exact license requirements are best obtained from your Microsoft account team. However, so you can plan to use PIM, it makes sense to be aware of the financial framework and have an estimate of the required licenses. All administrators of AAD and the Office 365, Exchange, SharePoint, Skype, and Teams workloads need a license if you are rolling out the system across the board – as do the security and risk teams who need to check all administrative requests and read the reports.

Checking Authorizations

To ensure that employees continue to use and actually need their administrative authorizations, IT managers should review and confirm role definitions regularly. Access reviews in PIM are designed for this purpose. When administrators request the re-authentication of permissions, either manually defined reviewers need to confirm the correctness of each individual account (Selected users ) or the owners of the accounts do this themselves (Members (self) ).

Access reviews can be performed just once or weekly, monthly, quarterly, or annually. The reviews have an expiry date, after which automated actions are optionally possible: Unconfirmed admins can continue to exercise the privileges or be removed automatically from JIT authorization.

To create a review as the PIM administrator, select Azure AD directory roles in the PIM part of the AAD portal and then select Access reviews . In the overview of the existing reviews click New . After you have entered the name and description for the review, select the frequency and duration of the reviews. Especially for highly privileged roles, a periodic check of the permissions is recommended – quarterly is fine, especially for Global Administrators or Office 365 Service Administrators.

The length of the review indicates how much time the reviewers or members of the roles have for the confirmations. Especially if you want to enforce changes to the membership automatically further down in Upon completion settings , you should allow sufficient time for a review and an allowance for vacations or public holidays. You can select exactly one privileged admin role per review.

In Reviewers , a distinction is made as to whether the review and the approval should be carried out by the role owners (i.e., the admin users themselves) or auditors, which are certain selected individuals. The reviews can therefore be carried out by a third independent person or by the owners themselves.

All activities carried out in PIM are recorded in the audit log and stored for later traceability, including the activation of PIM, changes to role definitions, membership changes in roles, requests to activate authorized role members, information on the reasons for activation and approval, and details of who granted approval.

The audit logs are under Directory roles audit history and Resource audit and can be sorted by role, action, and time. A filter option lets you limit the entries to certain time periods and select only the desired roles from a selection list.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy ADMIN Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

comments powered by Disqus