Section 2 – Secure access by using Azure AD – How to Configure Azure AD Privileged Identity Management (PIM)

This is part of section two for AZ-500 exam preparation.

First, what is PIM?

Privileged Identity Management (PIM) provides a time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions to important resources. These resources include resources in Azure Active Directory (Azure AD), Azure, and other Microsoft Online Services such as Microsoft 365 or Microsoft Intune.

PIM enables you to allow a specific set of actions at a particular scope. Key features include:

  • Provide just-in-time privileged access to resources
  • Assign eligibility for membership or ownership of privileged access groups
  • Assign time-bound access to resources using start and end dates
  • Require approval to activate privileged roles
  • Enforce multifactor authentication to activate any role
  • Use justification to understand why users activate
  • Get notifications when privileged roles are activated
  • Conduct access reviews to ensure users still need roles
  • Download audit history for internal or external audit

How to enable PIM

There are two types of assignment – eligible and active. If a user has been made eligible for a role, that means they can activate the role when they need to perform privileged tasks.

You can also set a start and end time for each type of assignment. This addition gives you four possible types of assignments:

  • Permanent eligible
  • Permanent active
  • Time-bound eligible, with specified start and end dates for assignment
  • Time-bound active, with specified start and end dates for assignment

If an assignment expires, you can extend or renew it.

To use Privileged Identity Management, you must have one of the following licenses:

  • Azure AD Premium P2
  • Enterprise Mobility + Security (EMS) E5

So now when it’s enabled, what then?

Search for Privileged in the Azure portal.

Once there, you can see Tasks and Manage on the left.

Let’s explain the different options.

Task and Manage items, with their descriptions:

  • My roles – Displays a list of eligible and active roles assigned to you. This is where you can activate any assigned eligible roles.
  • Pending requests – Displays your pending requests to activate eligible role assignments.
  • Approve requests – Displays a list of requests to activate eligible roles by users in your directory that you are designated to approve.
  • Review access – Lists active access reviews you are assigned to complete, whether you’re reviewing access for yourself or someone else.
  • Azure AD roles – Displays a dashboard and settings for Privileged Role Administrators to manage Azure AD role assignments. This dashboard is disabled for anyone who isn’t a Privileged Role Administrator. Those users have access to a special dashboard titled My view. The My view dashboard only displays information about the user accessing the dashboard, not the entire organization.
  • Azure resources – Displays a dashboard and settings for Privileged Role Administrators to manage Azure resource role assignments. This dashboard is disabled for anyone who isn’t a Privileged Role Administrator. Those users have access to a special dashboard titled My view. The My view dashboard only displays information about the user accessing the dashboard, not the entire organization.

For my admin account I can see the roles and they are active, so I don’t have to enable them.

But a user who doesn’t have these roles as Active will see them as Eligible.

What happens when a user activates their role?

Note that the user has an Administrative Unit enabled, which we set up in an earlier part of this series.

When the user wanting to activate the Eligible role selects “Activate”, they will be presented with the following. But wait, what is the “Additional verification required”?

This is what happens.

And we are back in business. Now you have to give a reason why you want this role, and you can also set a custom activation time and a duration for the role to stay active.

Let’s choose one hour and give a reason.

And it will start activating the role.

Now you have the role. But wait, nobody had to approve the role elevation?

Making changes to the roles.

Open Manage and Roles, then find the role you had in previous steps.

In here you can see the user as Eligible.

And Active.

Changing the settings

Choose Role settings and Edit.

In here you can see the same settings that were offered to the user requesting elevation of rights. And because there is no requirement for approval, the approval step didn’t show up for the user.

Modifying another role

Let’s search for the Application Developer role and go to Role settings.

In here I can modify the settings for the Maximum activation time and Approval.

And in the next pane, when to revoke the access. I’m not enabling MFA; it will come in later sections.

And you can choose which notifications will be sent.

Then you have to add an assignment for a user.

You will add the user, but you could also add groups containing users. Remember the dynamic groups we configured in the last section?

Here is Microsoft’s explanation how to use groups to enable roles.

But for now I will continue with a particular user, as it doesn’t make any difference in the end.

Choose whether the assignment is Eligible or Active and how long the role can be elevated.

And now we can see the user with the assignment.

How does it differ for the user?

The user logs in to their portal. And voilà, there is a new role available.

When the user selects Activate, they will be presented with the following. Note that the duration has been set to the 0.5 hours we defined earlier (not showing fully, but it’s there).

Now go as admin to Tasks -> Approve requests -> Azure AD roles and you will find the request there.

Choose the request and Approve.

Give a justification for why you approved the request. This will be logged to the audit logs.

The audit logs have the info you entered when approving.
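The same flow clicked through above (time-bound eligible assignment from the “How to enable PIM” section, the user’s own activation with a justification and a one-hour duration, and the audit trail left behind), expressed with the Microsoft Graph PowerShell SDK. This is an added example, not code from the original post; the user principal name, the justification texts and the 30-day eligibility window are assumed values, and the Microsoft.Graph.Identity.Governance, Microsoft.Graph.Users and Microsoft.Graph.Reports modules are assumed to be installed.

```powershell
# Scopes: eligibility + activation requests, user lookup, audit log read.
Connect-MgGraph -Scopes @("RoleEligibilitySchedule.ReadWrite.Directory",
                          "RoleAssignmentSchedule.ReadWrite.Directory",
                          "User.Read.All", "AuditLog.Read.All")

$user = Get-MgUser -UserId "lab.user@contoso.example"       # assumed UPN
$role = Get-MgRoleManagementDirectoryRoleDefinition `
          -Filter "displayName eq 'Application Developer'"   # role used in the post
$nowUtc = (Get-Date).ToUniversalTime().ToString("o")

# --- Admin side: time-bound ELIGIBLE assignment (start/end dates, 30 days assumed) ---
$eligible = @{
    action           = "adminAssign"
    justification    = "AZ-500 lab: eligible Application Developer"
    principalId      = $user.Id
    roleDefinitionId = $role.Id
    directoryScopeId = "/"                     # tenant-wide scope
    scheduleInfo     = @{
        startDateTime = $nowUtc
        expiration    = @{
            type        = "afterDateTime"      # time-bound rather than permanent
            endDateTime = (Get-Date).AddDays(30).ToUniversalTime().ToString("o")
        }
    }
}
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $eligible

# --- User side: activate the eligible role for one hour (run as the eligible user).
#     If the role setting requires approval, the request stays pending until an
#     approver acts, exactly as in the portal walkthrough above. ---
$activate = @{
    action           = "selfActivate"
    justification    = "Need to register an app for the lab"
    principalId      = $user.Id
    roleDefinitionId = $role.Id
    directoryScopeId = "/"
    scheduleInfo     = @{
        startDateTime = $nowUtc
        expiration    = @{ type = "afterDuration"; duration = "PT1H" }  # ISO 8601, 1 h
    }
}
New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $activate

# --- Audit: the PIM entries (assignment, activation, approval) land in the
#     directory audit log under the PIM service. ---
Get-MgAuditLogDirectoryAudit -Filter "loggedByService eq 'PIM'" -Top 20 |
    Select-Object ActivityDateTime, ActivityDisplayName, Result
```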

So, that was PIM. Remember a couple of things.

Things to remember

Global admins need MFA to be enabled to access PIM.

There are two different assignment types for roles, Eligible and Active. Active is given automatically, and Eligible is requested (activated) when needed.

To use Privileged Identity Management, you must have one of the following licenses:

  • Azure AD Premium P2
  • Enterprise Mobility + Security (EMS) E5

Wow, that was a lot of PIM. On to the next one.


Author: Harri Jaakkonen