Azure PIM

Azure PIM

Azure PIM

PIM (Privileged Identity Management) is a service used for manage and monitor access of the privilegied ressource. This ressource can be Azure AD ressource, Azure ressource or other (Office 365 or Microsoft Intune). It is important to limit the number of people with privileged access. This reduces the attack area of a malicious actor. With this feature, organizations can give users just-in-time (JIT) privileged access to Azure resources and Azure AD. PIM offer this functionnality :

  • Just-in-time privileged access for Azure AD or Azure resources
  • Assign time-bound access to resources using start and end dates
  • Ability to seek approval to activate privileged roles
  • Enforce multi-factor authentication to activate any role
  • Use justification to understand why users activate
  • Notifications when privileged roles are activated
  • Download audit history for audit modificatin

Licence

For Use Privileged Identity Management, you must acquire one of this licence :

  • Azure AD Premium P2
  • Enterprise Mobility + Security (EMS) E5
  • Microsoft 365 M5

Implementation of Privileged Identity Management

From the Azure portal, click on All services and on Azure AD Privileged Identity Management service on the field.

Azure PIM - access to Azure PIM

Azure AD Privileged Identity Management service console appear, click on Consent to PIM.

Azure PIM - Consent to PIM

On the new Windows, click on Verify my Identity.

Azure PIM - Verify my Identity

After validating Identity, click on consent and on yes.

Azure PIM - Verify Identity is now ok

Click on Azure AD Role and on Sign Up PIM for Azure AD Roles

Sign Up

Click on Sign up and on Yes.

Verify sign up

It is now possible to manage roles.
My roles display a list of eligible and active roles assigned. He permit to activate any assigned eligible roles. My requests display pending requests to activate eligible role assignments. Approve requests displays a list of requests to activate eligible roles by users in your directory that you are designated to approve.
Azure AD roles Displays a dashboard and settings for privileged role administrators to manage Azure AD role assignments. This dashboard is disabled for anyone who isn’t a privileged role administrator. These users have access to a special dashboard titled My view. The My view dashboard only displays information about the user accessing the dashboard, not the entire tenant.
Azure resources Displays a dashboard and settings for privileged role administrators to manage Azure resource role assignments. This dashboard is disabled for anyone who isn’t a privileged role administrator. These users have access to a special dashboard titled My view. The My view dashboard only displays information about the user accessing the dashboard, not the entire tenant.

Dashboard

Configure Azure AD roles in Privileged Identity Management

From the Azure AD Privileged Identity Management portal, click Azure AD Roles and then click Wizard.

Configure Azure AD Role

Click 1 Discover privileged roles on center panel.

Discover privileged roles

Review the list of privileged roles to see which users are permanent or eligible

  • Éligible : For role assignment, the user must perform one or more actions to use the role. When he becomes eligible for a role, he can activate it to perform privileged tasks. There is obviously no difference between permanent access and an eligible role assignment.
  • Permanent : The permanent assignment consists of assigning a user a privileged right without any notion of duration. The user therefore has this role until an administrator removes this right..
Discover privileged roles

Click Next to select the users you want to make eligible, this user will be used in the next section.

Select user for privileged roles

Click Next and then click OK.

User Added on role

Configure Azure AD role settings in Privileged Identity Management

From azure portal, access to PIM portal. Click Azure AD roles then on Settings.

Configure Settings

Click Roles on the center panel and configure role as you want (Maximum activation duration, notifications, Incident/Request ticket, Multi-Factor Authentication, Require approval)

Configure roles
Configure roles

Activate Azure AD roles with PIM

From the azure portal, log in with the eligible user account (see previous section) and access the Azure AD Privileged Identity Management portal.

Access to PIM console

Click Azure AD ROles then on Activate for activate role.

Activate role

User need activate MFA. Click Verify your identity before proceeding then on Verify Identity.

Verify my identity

Configure MFA and next Access the PIM interface again. Activate button is now available. Click on Activate.

Activate billing administrator

Indicate the ativation time as well as the reason. Click on Activate.

Activate role

Account has been Added on the groups. The user can also see the status.

User has been added
User has been added

Azure PIM is now configured.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.