PIM (Privileged Identity Management) is a service used to manage and monitor access to privileged resources. These resources can be Azure AD resources, Azure resources or others (Office 365 or Microsoft Intune). It is important to limit the number of people with privileged access, because this reduces the attack surface available to a malicious actor. With this feature, organizations can give users just-in-time (JIT) privileged access to Azure resources and Azure AD. PIM offers the following functionality:
- Just-in-time privileged access for Azure AD or Azure resources
- Assign time-bound access to resources using start and end dates
- Ability to seek approval to activate privileged roles
- Enforce multi-factor authentication to activate any role
- Use justification to understand why users activate
- Notifications when privileged roles are activated
- Download the audit history of role modifications
To use Privileged Identity Management, you must have one of these licences:
- Azure AD Premium P2
- Enterprise Mobility + Security (EMS) E5
- Microsoft 365 M5
Implementation of Privileged Identity Management
From the Azure portal, click All services and search for the Azure AD Privileged Identity Management service in the filter field.
The Azure AD Privileged Identity Management console appears; click Consent to PIM.
In the new window, click Verify my identity.
After validating your identity, click Consent and then Yes.
Click Azure AD roles and then Sign up PIM for Azure AD Roles.
Click Sign up and then Yes.
It is now possible to manage roles.
My roles displays the list of eligible and active roles assigned to you. It lets you activate any assigned eligible role. My requests displays your pending requests to activate eligible role assignments. Approve requests displays a list of requests to activate eligible roles by users in your directory that you are designated to approve.
Azure AD roles displays a dashboard and settings for privileged role administrators to manage Azure AD role assignments. This dashboard is disabled for anyone who isn’t a privileged role administrator. These users have access to a special dashboard titled My view. The My view dashboard only displays information about the user accessing the dashboard, not the entire tenant.
Azure resources displays a dashboard and settings for privileged role administrators to manage Azure resource role assignments. This dashboard is disabled for anyone who isn’t a privileged role administrator. These users have access to a special dashboard titled My view. The My view dashboard only displays information about the user accessing the dashboard, not the entire tenant.
Configure Azure AD roles in Privileged Identity Management
From the Azure AD Privileged Identity Management portal, click Azure AD roles and then Wizard.
Click 1. Discover privileged roles in the center panel.
Review the list of privileged roles to see which users are permanent or eligible:
- Eligible: with this role assignment, the user must perform one or more actions to use the role. Once eligible for a role, the user can activate it to perform privileged tasks. The access granted while the role is active is no different from a permanent assignment.
- Permanent: a permanent assignment gives a user a privileged right with no duration attached. The user therefore keeps this role until an administrator removes it.
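The review step above can also be done from the command line. The following script is an added example, not part of the original tutorial: it uses the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.Governance module, which is assumed to be installed) to list every PIM eligibility and active assignment in the tenant and to mark active assignments with no end date as permanent, which is the category the wizard asks you to reduce. The function name and the output columns are this example's own choices.

```powershell
# Added example (not from the original tutorial): review PIM role assignments
# with the Microsoft Graph PowerShell SDK and flag the permanent ones.
# Assumes the Microsoft.Graph.Identity.Governance module is installed and that
# the signed-in account is allowed to read role schedules.
Connect-MgGraph -Scopes "RoleEligibilitySchedule.Read.Directory", "RoleAssignmentSchedule.Read.Directory"

function Get-PimRoleReview {
    # Eligible assignments: the user must activate the role before using it.
    $eligible = Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -All `
        -ExpandProperty roleDefinition, principal

    # Active assignments: either a direct assignment ("Assigned") or a
    # time-bound activation of an eligible role ("Activated").
    $active = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -All `
        -ExpandProperty roleDefinition, principal

    $eligibleRows = @(foreach ($e in $eligible) {
        [pscustomobject]@{
            Principal = $e.Principal.AdditionalProperties.displayName
            Role      = $e.RoleDefinition.DisplayName
            Kind      = "Eligible"
            Ends      = $e.EndDateTime   # $null means the eligibility never expires
        }
    })

    $activeRows = @(foreach ($a in $active) {
        [pscustomobject]@{
            Principal = $a.Principal.AdditionalProperties.displayName
            Role      = $a.RoleDefinition.DisplayName
            # "Assigned" with no end date is the permanent assignment the
            # wizard asks you to review; "Activated" is a JIT activation.
            Kind      = if ($a.AssignmentType -eq "Assigned" -and -not $a.EndDateTime) { "Permanent" } else { $a.AssignmentType }
            Ends      = $a.EndDateTime
        }
    })

    return $eligibleRows + $activeRows
}

$review = Get-PimRoleReview
$review | Sort-Object Role, Kind | Format-Table -AutoSize

# Permanent Global Administrators are the first candidates to convert to eligible.
$review | Where-Object { $_.Kind -eq "Permanent" -and $_.Role -eq "Global Administrator" }
```

Expanded principals come back as generic directory objects, which is why the display name is read from AdditionalProperties rather than from a typed property; if a principal is a group, its members inherit the assignment and do not appear as separate rows here.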
Click Next to select the users you want to make eligible; one of these users will be used in the next section.
Click Next and then click OK.
Configure Azure AD role settings in Privileged Identity Management
From the Azure portal, open the PIM portal. Click Azure AD roles and then Settings.
Click Roles in the center panel and configure each role as required (maximum activation duration, notifications, incident/request ticket, multi-factor authentication, require approval).
Activate Azure AD roles with PIM
From the Azure portal, log in with the eligible user account (see previous section) and open the Azure AD Privileged Identity Management portal.
Click Azure AD roles and then Activate to activate the role.
The user must register for MFA. Click Verify your identity before proceeding and then Verify identity.
Configure MFA and then open the PIM interface again. The Activate button is now available; click Activate.
Enter the activation duration and the reason, then click Activate.
The account has been added to the groups. The user can also see the status.
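The same activation can be requested without the portal. The script below is an added example and not part of the original tutorial: it uses the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.Governance and Microsoft.Graph.Users modules, assumed installed) to submit a self-activation request for an eligible Azure AD role with the duration and justification that the portal form asks for, then reads back the request status. The function name, the role name, the ticket system and the justification text are placeholders chosen for this example.

```powershell
# Added example (not from the original tutorial): self-activate an eligible
# Azure AD role through PIM using the Microsoft Graph PowerShell SDK.
# Assumes the Microsoft.Graph.Identity.Governance and Microsoft.Graph.Users
# modules are installed. Role name, duration and ticket values are placeholders.
Connect-MgGraph -Scopes "RoleAssignmentSchedule.ReadWrite.Directory", "RoleManagement.Read.Directory", "User.Read"

function Request-PimRoleActivation {
    param(
        [Parameter(Mandatory)] [string] $RoleName,
        [Parameter(Mandatory)] [string] $Justification,
        [string] $Duration = "PT2H",      # ISO 8601 duration; must not exceed the role's maximum activation duration
        [string] $TicketNumber,           # only needed when the role setting requires a ticket
        [string] $TicketSystem = "ServiceNow"
    )

    # The signed-in user is the principal requesting activation.
    $me   = Get-MgUser -UserId (Get-MgContext).Account
    $role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$RoleName'" |
            Select-Object -First 1
    if (-not $role) { throw "Role '$RoleName' not found in this tenant" }

    $body = @{
        action           = "selfActivate"
        principalId      = $me.Id
        roleDefinitionId = $role.Id
        directoryScopeId = "/"            # tenant-wide scope
        justification    = $Justification
        scheduleInfo     = @{
            startDateTime = (Get-Date).ToUniversalTime()
            expiration    = @{ type = "AfterDuration"; duration = $Duration }
        }
    }
    if ($TicketNumber) {
        $body.ticketInfo = @{ ticketNumber = $TicketNumber; ticketSystem = $TicketSystem }
    }

    # If the role setting requires approval, the request comes back with
    # status PendingApproval instead of Provisioned. The MFA requirement is
    # enforced at sign-in; a session that does not satisfy it is rejected here.
    $req = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $body

    return Get-MgRoleManagementDirectoryRoleAssignmentScheduleRequest `
        -UnifiedRoleAssignmentScheduleRequestId $req.Id
}

$result = Request-PimRoleActivation -RoleName "Security Reader" `
    -Justification "CHANGE-0000: review sign-in logs" -Duration "PT1H"
$result | Select-Object Id, Action, Status, CreatedDateTime
```

Because the request goes through the same PIM policy as the portal, a duration longer than the configured maximum, a missing justification or a missing ticket (when the role requires one) causes the request to be refused, and every request, whether approved or pending, shows up in the PIM audit history.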
Azure PIM is now configured.