Azure PIM

21 December 2019 nbonnet Comments 0 Comment

Azure PIM

PIM (Privileged Identity Management) is a service used for manage and monitor access of the privilegied ressource. This ressource can be Azure AD ressource, Azure ressource or other (Office 365 or Microsoft Intune). It is important to limit the number of people with privileged access. This reduces the attack area of a malicious actor. With this feature, organizations can give users just-in-time (JIT) privileged access to Azure resources and Azure AD. PIM offer this functionnality :

Just-in-time privileged access for Azure AD or Azure resources

Assign time-bound access to resources using start and end dates

Ability to seek approval to activate privileged roles

Enforce multi-factor authentication to activate any role

Use justification to understand why users activate

Notifications when privileged roles are activated

Download audit history for audit modificatin

Licence

For Use Privileged Identity Management, you must acquire one of this licence :

Azure AD Premium P2

Enterprise Mobility + Security (EMS) E5

Microsoft 365 M5

Implementation of Privileged Identity Management

From the Azure portal, click on All services and on Azure AD Privileged Identity Management service on the field.

Azure AD Privileged Identity Management service console appear, click on Consent to PIM.

On the new Windows, click on Verify my Identity.

After validating Identity, click on consent and on yes.

Click on Azure AD Role and on Sign Up PIM for Azure AD Roles

Click on Sign up and on Yes.

It is now possible to manage roles.

My roles display a list of eligible and active roles assigned. He permit to activate any assigned eligible roles. My requests display pending requests to activate eligible role assignments. Approve requests displays a list of requests to activate eligible roles by users in your directory that you are designated to approve.

Azure AD roles Displays a dashboard and settings for privileged role administrators to manage Azure AD role assignments. This dashboard is disabled for anyone who isn’t a privileged role administrator. These users have access to a special dashboard titled My view. The My view dashboard only displays information about the user accessing the dashboard, not the entire tenant.

Azure resources Displays a dashboard and settings for privileged role administrators to manage Azure resource role assignments. This dashboard is disabled for anyone who isn’t a privileged role administrator. These users have access to a special dashboard titled My view. The My view dashboard only displays information about the user accessing the dashboard, not the entire tenant.

Configure Azure AD roles in Privileged Identity Management

From the Azure AD Privileged Identity Management portal, click Azure AD Roles and then click Wizard.

Click 1 Discover privileged roles on center panel.

Review the list of privileged roles to see which users are permanent or eligible

Éligible : For role assignment, the user must perform one or more actions to use the role. When he becomes eligible for a role, he can activate it to perform privileged tasks. There is obviously no difference between permanent access and an eligible role assignment.

Permanent : The permanent assignment consists of assigning a user a privileged right without any notion of duration. The user therefore has this role until an administrator removes this right..

Click Next to select the users you want to make eligible, this user will be used in the next section.

Click Next and then click OK.

Configure Azure AD role settings in Privileged Identity Management

From azure portal, access to PIM portal. Click Azure AD roles then on Settings.

Click Roles on the center panel and configure role as you want (Maximum activation duration, notifications, Incident/Request ticket, Multi-Factor Authentication, Require approval)