Setting up Azure AD Privileged Identity Management

Terminology

Before we start: if you are unfamiliar with the Azure terminology used in this blog, feel free to visit this page, where we add terminology from time to time.

Azure AD Privileged Identity Management, what is it?

Privileged Identity Management (PIM) is a service in Azure Active Directory (Azure AD) that enables you to manage, control, and monitor access to important resources in your organization. These resources include resources in Azure AD, Azure, and other Microsoft Online Services such as Microsoft 365 or Microsoft Intune. 

Important note

Never include your emergency access accounts in PIM.

Prerequisites

To use Azure AD Privileged Identity Management, you must have one of the following licenses:

  • Azure AD Premium P2
  • Enterprise Mobility + Security (EMS) E5

Working with Privileged Identity Management from an administrative perspective

Configure Azure AD role assignments

A Privileged Role Administrator can customize Privileged Identity Management (PIM) in their Azure Active Directory (Azure AD) organization, including changing the experience for a user who is activating an eligible role assignment. For information on the PIM events that trigger notifications and which administrators receive them, see Email notifications in Privileged Identity Management.

Sign in to the Azure portal with a user in the Privileged Role Administrator role.

Open Azure AD Privileged Identity Management > Azure AD roles > Settings.

 

Select the role that you want to configure; in this example we chose Intune Administrator:

Select Edit to open the Role settings page.

Select Activation settings:

  • Set how long you want an activation to be active (1-24 hours)
  • Set whether you want to require MFA for extra security during activation
  • Set whether users must give a justification for why they need the elevation
  • Set whether users must supply ticket information before they can get elevated access
  • Set whether someone must approve the elevation or whether it is granted automatically
  • Set who can approve the activation

In our example we selected the following:

Allow permanent eligible assignment means that the added users can activate the role as many times as needed until the eligible assignment is removed for them.

Set up who receives notification emails from the PIM system and for which actions.
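The activation settings above map onto Microsoft Graph's role management policy rules (PIM exposes each role's settings as unifiedRoleManagementPolicyRule objects under /policies/roleManagementPolicies). The following Python is an added example, not code from the blog post or from Microsoft: it builds the three end-user activation rules from the same choices the portal offers (duration, MFA, justification, ticket, approvers) and then audits a rule set for settings a reviewer would push back on. The rule ids, @odata.type values and field names follow the Graph resource as I know it; the audit thresholds (8-hour ceiling, MFA and approval expected) and the approver id are this example's own assumptions.

```python
"""Build Azure AD PIM role-setting rules for end-user activation and audit them
for weak settings (added example; the audit thresholds are assumptions)."""
import re

# Target block shared by the end-user activation rules (Graph shape).
END_USER_ASSIGNMENT = {"caller": "EndUser", "operations": ["All"], "level": "Assignment"}


def activation_rules(max_hours, require_mfa=True, require_justification=True,
                     require_ticket=False, approver_user_ids=()):
    """Return the expiration, enablement and approval rules for a role,
    mirroring the portal's Activation settings."""
    if not 1 <= max_hours <= 24:
        raise ValueError("activation duration must be between 1 and 24 hours")
    enabled = []
    if require_mfa:
        enabled.append("MultiFactorAuthentication")
    if require_justification:
        enabled.append("Justification")
    if require_ticket:
        enabled.append("Ticketing")
    approvers = [{"@odata.type": "#microsoft.graph.singleUser", "userId": uid}
                 for uid in approver_user_ids]
    stages = [{"approvalStageTimeOutInDays": 1,
               "isApproverJustificationRequired": True,
               "escalationTimeInMinutes": 0,
               "primaryApprovers": approvers}] if approvers else []
    return [
        {"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule",
         "id": "Expiration_EndUser_Assignment",
         "isExpirationRequired": True,
         "maximumDuration": f"PT{int(max_hours)}H",  # ISO 8601 duration
         "target": END_USER_ASSIGNMENT},
        {"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule",
         "id": "Enablement_EndUser_Assignment",
         "enabledRules": enabled,
         "target": END_USER_ASSIGNMENT},
        {"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule",
         "id": "Approval_EndUser_Assignment",
         "setting": {"isApprovalRequired": bool(approvers), "approvalStages": stages},
         "target": END_USER_ASSIGNMENT},
    ]


def parse_hours(duration):
    """Read the hour count out of a PT<n>H duration string."""
    match = re.fullmatch(r"PT(\d+)H", duration)
    if not match:
        raise ValueError(f"unsupported duration {duration!r}")
    return int(match.group(1))


def audit_activation_rules(rules, max_recommended_hours=8):
    """Flag activation settings a reviewer would question. Returns a list of
    (code, message) findings; an empty list means nothing was flagged."""
    by_id = {rule["id"]: rule for rule in rules}
    findings = []
    expiration = by_id.get("Expiration_EndUser_Assignment", {})
    hours = parse_hours(expiration.get("maximumDuration", "PT24H"))
    if not expiration.get("isExpirationRequired", False) or hours > max_recommended_hours:
        findings.append(("DURATION", f"activation window is {hours}h; "
                                     f"keep it at or below {max_recommended_hours}h"))
    enabled = by_id.get("Enablement_EndUser_Assignment", {}).get("enabledRules", [])
    if "MultiFactorAuthentication" not in enabled:
        findings.append(("MFA", "activation does not require MFA"))
    if "Justification" not in enabled:
        findings.append(("JUSTIFICATION", "activation does not require a justification"))
    approval = by_id.get("Approval_EndUser_Assignment", {}).get("setting", {})
    if not approval.get("isApprovalRequired", False):
        findings.append(("APPROVAL", "activation is granted automatically without an approver"))
    return findings


if __name__ == "__main__":
    weak = activation_rules(24, require_mfa=False, require_justification=False)
    for code, message in audit_activation_rules(weak):
        print(code, message)
```

Each rule in the returned list is what you would PATCH to /policies/roleManagementPolicies/{policyId}/rules/{ruleId} for the role's policy; running the audit over the rules pulled from a tenant gives a quick drift check against the settings chosen in this post.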

Of course, you also have to plan for AD Groups and prepare the approval organization etc. for the role assignments, but that is not in scope for this blog post.

Assign roles

  • Sign in to the Azure portal with a user that is a member of the Privileged Role Administrator role.
  • Open Azure AD Privileged Identity Management.
  • Select Azure AD roles.
  • Select Roles to see the list of Azure AD roles.
  • Select Add assignments to open the Add assignments page.
  • Click Select a role to open the Select a role page.
  • Select the role you want to assign, select the member to whom you want to assign it, and then select Next.

In the Assignment type list on the Membership settings pane, select Eligible or Active.

If needed, add a start and end date; without an end date the assignment is permanent (a permanently eligible or permanently active role).
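The Assign roles steps above, together with the earlier warning to never put emergency access accounts into PIM, can be turned into a small script-side guard. The following Python is an added example (not code from the post or from Microsoft): it builds the Graph request for an Eligible or Active assignment, mapping the Assignment type choice onto the two request endpoints and the optional end date onto the schedule's expiration, refuses to assign a role to a principal on the emergency access list, and checks existing schedule records for such accounts. The endpoints, the adminAssign action and the scheduleInfo shape follow Microsoft Graph's roleEligibilityScheduleRequest and roleAssignmentScheduleRequest resources as I know them; every id, account list and sample record here is constructed.

```python
"""Build PIM assignment requests with an emergency-access-account guard
(added example; ids and sample records are constructed)."""
from datetime import datetime, timezone

GRAPH = "https://graph.microsoft.com/v1.0/roleManagement/directory"
ENDPOINTS = {
    "Eligible": f"{GRAPH}/roleEligibilityScheduleRequests",
    "Active": f"{GRAPH}/roleAssignmentScheduleRequests",
}

# Constructed: object ids of the tenant's break-glass accounts, which must
# never be managed through PIM.
EMERGENCY_ACCESS_ACCOUNTS = frozenset({"11111111-1111-1111-1111-111111111111"})

ROLE_ID_PLACEHOLDER = "<role-definition-id>"  # placeholder, e.g. Intune Administrator


def assignment_request(principal_id, role_definition_id, assignment_type,
                       justification, start=None, end=None,
                       emergency_accounts=EMERGENCY_ACCESS_ACCOUNTS):
    """Return (url, body) for an admin-created Eligible or Active assignment.
    Without an end date the assignment is permanent (noExpiration)."""
    if assignment_type not in ENDPOINTS:
        raise ValueError("assignment_type must be 'Eligible' or 'Active'")
    if principal_id in emergency_accounts:
        raise ValueError(f"{principal_id} is an emergency access account; do not add it to PIM")
    start = start or datetime.now(timezone.utc)
    if end is not None and end <= start:
        raise ValueError("end date must be after the start date")
    schedule = {"startDateTime": start.isoformat()}
    if end is None:
        schedule["expiration"] = {"type": "noExpiration"}
    else:
        schedule["expiration"] = {"type": "afterDateTime", "endDateTime": end.isoformat()}
    body = {
        "action": "adminAssign",
        "principalId": principal_id,
        "roleDefinitionId": role_definition_id,
        "directoryScopeId": "/",  # tenant-wide scope
        "justification": justification,
        "scheduleInfo": schedule,
    }
    return ENDPOINTS[assignment_type], body


def is_permanent(body):
    """True when the request carries no end date."""
    return body["scheduleInfo"]["expiration"]["type"] == "noExpiration"


def emergency_accounts_in_pim(schedules, emergency_accounts=EMERGENCY_ACCESS_ACCOUNTS):
    """Given schedule records as returned by GET .../roleEligibilitySchedules
    or .../roleAssignmentSchedules, return those belonging to emergency access
    accounts so they can be removed."""
    return [s for s in schedules if s.get("principalId") in emergency_accounts]


# Constructed sample of what a schedule listing might contain.
SAMPLE_SCHEDULES = [
    {"id": "sched-1", "principalId": "22222222-2222-2222-2222-222222222222",
     "roleDefinitionId": ROLE_ID_PLACEHOLDER},
    {"id": "sched-2", "principalId": "11111111-1111-1111-1111-111111111111",
     "roleDefinitionId": ROLE_ID_PLACEHOLDER},
]

if __name__ == "__main__":
    url, body = assignment_request("22222222-2222-2222-2222-222222222222",
                                   ROLE_ID_PLACEHOLDER, "Eligible", "Helpdesk lead")
    print(url, "permanent" if is_permanent(body) else "time-bound")
    for record in emergency_accounts_in_pim(SAMPLE_SCHEDULES):
        print("remove from PIM:", record["id"])
```

The (url, body) pair is what you would POST with a token holding the RoleEligibilitySchedule.ReadWrite.Directory or RoleAssignmentSchedule.ReadWrite.Directory permission; the listing check is worth running periodically, since a break-glass account that ends up behind PIM approval defeats its purpose.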

 

Working with Privileged Identity Management from a user perspective

Log on to the Azure portal with a user account that is eligible for an administrative role.

Start the Azure AD Privileged Identity Management application.

Under My roles, you can see the roles that are available for your account to elevate to.

  • Eligible assignments is where you can see your available roles. In this example the user has one permanently eligible role and one that expires on a specific date.
  • Active assignments is where you can see your temporary and permanently active roles, and also deactivate roles if you need to. In this example the user has one permanently active role and one temporary.
  • Expired assignments is where you can see the history of your assignments.

Select the role you want to activate, and click on Activate.

If your organization selected Require justification on activation in their setup, then you are required to fill in a justification in this step.

If your organization selected Require approval when they set the role up, it needs to be approved by an approver before you get the access, otherwise it will be given automatically.

The Approval request will look something like this for the approver.

If the approver denies your request you will receive a mail similar to this.

The denial step from the approver's side will look similar to this.

If your request gets approved, you will receive an email similar to this.

The approval step from the approver's side will look similar to this.

 

Once your role has been activated, you can log in and start working as normal (in this example, in Intune).

If the assignment is granted for a longer period, you will get a reminder email when the expiration time is nearing, and you can request an extension if needed.
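The user-side activation flow above (pick a role, Activate, supply a justification or ticket if the role requires it, then wait for approval or automatic provisioning) is what a script-driven activation also has to satisfy. The following Python is an added example, not code from the post or from Microsoft: it builds the self-activation request and checks it against the role's activation settings before anything is sent, so a request that the role settings would reject fails locally with a clear message, and it includes the matching deactivation body for giving the role up early from Active assignments. The selfActivate and selfDeactivate actions, ticketInfo and afterDuration expiration follow Microsoft Graph's roleAssignmentScheduleRequest resource as I know it; the policy dictionary, ids and ticket values are constructed.

```python
"""Build a PIM self-activation request checked against the role's activation
settings (added example; policy values and ids are constructed)."""
from datetime import datetime, timezone

# Constructed: the activation settings an administrator chose for the role,
# i.e. what the user experiences as "Require justification" and so on.
INTUNE_ADMIN_POLICY = {
    "max_hours": 8,
    "require_justification": True,
    "require_ticket_info": False,
    "require_approval": True,
}


def activation_request(principal_id, role_definition_id, hours, policy,
                       justification=None, ticket=None, start=None):
    """Return the request body for activating an eligible role, raising before
    any call is made if the request cannot satisfy the role's settings."""
    if not 0 < hours <= policy["max_hours"]:
        raise ValueError(f"activation must be between 1 and {policy['max_hours']} hours")
    if policy["require_justification"] and not (justification or "").strip():
        raise ValueError("this role requires a justification on activation")
    if policy["require_ticket_info"] and not ticket:
        raise ValueError("this role requires ticket information on activation")
    start = start or datetime.now(timezone.utc)
    body = {
        "action": "selfActivate",
        "principalId": principal_id,
        "roleDefinitionId": role_definition_id,
        "directoryScopeId": "/",
        "scheduleInfo": {
            "startDateTime": start.isoformat(),
            "expiration": {"type": "afterDuration", "duration": f"PT{int(hours)}H"},
        },
    }
    if justification:
        body["justification"] = justification
    if ticket:
        body["ticketInfo"] = {"ticketNumber": ticket["number"], "ticketSystem": ticket["system"]}
    return body


def deactivation_request(principal_id, role_definition_id):
    """Body for giving the role up early from the Active assignments view."""
    return {"action": "selfDeactivate", "principalId": principal_id,
            "roleDefinitionId": role_definition_id, "directoryScopeId": "/"}


if __name__ == "__main__":
    body = activation_request("<user-object-id>", "<role-definition-id>", 4,
                              INTUNE_ADMIN_POLICY,
                              justification="Deploy updated compliance policy")
    print(body["scheduleInfo"]["expiration"]["duration"])
    if INTUNE_ADMIN_POLICY["require_approval"]:
        print("request will wait for an approver before the role becomes active")
```

The body is POSTed to /roleManagement/directory/roleAssignmentScheduleRequests by the eligible user; when the role requires approval the returned request sits in a pending state until the approver acts, which is the email exchange shown above.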

Blog post written by Jens Lagnekvist.

<Mandatory legal text>

This information is provided as is with no warranties, confers no rights and is not supported by the writers, or Brickstone IT.

</Mandatory legal text>

Copyright 2024 © All rights Reserved.