Not much left; the next section of my SC-300 study guide will cover the following:
- define a privileged access strategy for administrative users (resources, roles, approvals, thresholds)
- configure Privileged Identity Management for Azure AD roles
- configure Privileged Identity Management for Azure resources
- assign roles
- manage PIM requests
- analyze PIM audit history and reports
- create and manage break-glass accounts
First, what is PIM?
Privileged Identity Management (PIM) provides a time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions to important resources. These resources include resources in Azure Active Directory (Azure AD), Azure, and other Microsoft Online Services such as Microsoft 365 or Microsoft Intune.
PIM enables you to allow a specific set of actions at a particular scope. Key features include:
- Provide just-in-time privileged access to resources
- Assign eligibility for membership or ownership of privileged access groups
- Assign time-bound access to resources using start and end dates
- Require approval to activate privileged roles
- Enforce multifactor authentication to activate any role
- Use justification to understand why users activate
- Get notifications when privileged roles are activated
- Conduct access reviews to ensure users still need roles
- Download audit history for internal or external audit
How to enable PIM
There are two types of assignment – eligible and active. An active assignment grants the role's permissions immediately, with no activation step. If a user has been made eligible for a role, they can activate the role when they need to perform privileged tasks.
You can also set a start and end time for each type of assignment. This addition gives you four possible types of assignments:
- Permanent eligible
- Permanent active
- Time-bound eligible, with specified start and end dates for assignment
- Time-bound active, with specified start and end dates for assignment
When an assignment is about to expire, or has already expired, you can extend or renew it.
To use Privileged Identity Management, you must have one of the following licenses:
- Azure AD Premium P2
- Enterprise Mobility + Security (EMS) E5
Configure Privileged Identity Management for Azure AD roles
Search for Privileged Identity Management in the Azure portal.
Once there, you can see Tasks and Manage on the left.
Let’s explain the different options.
| Task + Manage | Description |
|---|---|
| My roles | Displays a list of eligible and active roles assigned to you. This is where you can activate any assigned eligible roles. |
| Pending requests | Displays your pending requests to activate eligible role assignments. |
| Approve requests | Displays a list of requests to activate eligible roles by users in your directory that you are designated to approve. |
| Review access | Lists active access reviews you are assigned to complete, whether you’re reviewing access for yourself or someone else. |
| Azure AD roles | Displays a dashboard and settings for Privileged Role Administrators to manage Azure AD role assignments. This dashboard is disabled for anyone who isn’t a Privileged Role Administrator. Those users have access to a special dashboard titled My view, which only displays information about the user accessing the dashboard, not the entire organization. |
| Azure resources | Displays a dashboard and settings for Privileged Role Administrators to manage Azure resource role assignments. This dashboard is disabled for anyone who isn’t a Privileged Role Administrator. Those users have access to a special dashboard titled My view, which only displays information about the user accessing the dashboard, not the entire organization. |
For my admin account I can see the roles and they are Active, so I don't need to activate them.
But a user who holds the same roles as Eligible rather than Active will see them as Eligible and must activate them first.
What happens when a user activates their role?
Note that the user has an Administrative Unit assigned, which we set up in an earlier part of this series.
When the user who wants to activate the Eligible role selects Activate, they are presented with the following. But wait, what is the "Additional verification required"?
This is what happens: PIM requires MFA before the role can be activated.
And we are back in business. Now you have to give a reason why you want this role, and you can also set a custom activation start time and a duration for which the role stays active.
Let's choose one hour and give a reason.
And it starts activating the role.
Now you have the role. But wait, nobody had to approve the elevation?
Making changes to the roles
Open Manage -> Roles and find the role from the previous steps.
In here you can see the user as Eligible.
And Activated.
Changing the settings
Choose Role settings and Edit.
Here you can see the settings that drive what the user is shown when requesting elevation. Because this role has no approval requirement, the activation went through without anyone approving it.
Modifying another role
Let's search for the Application Developer role and go to Role settings.
Here I can modify the maximum activation duration and whether approval is required.
The next pane controls when assignments expire and access is revoked. I'm not enabling the MFA requirement here; it comes up in a later section.
And you can choose which notifications are sent.
Then you have to add an assignment for a user.
I will add a single user, but you could also add groups containing users. Remember the dynamic groups we configured in the last section?
Here is Microsoft's explanation of how to use groups to assign roles.
But for now I will continue with a single user, as it makes no difference to the outcome.
Choose whether the assignment is Eligible or Active, and for how long it lasts.
And now we can see the user with the assignment.
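The same assignment and activation flow, scripted with the Microsoft Graph PowerShell SDK. This is an added example, not code from the original post: the admin side creates a time-bound eligible assignment for Application Developer (one year, the default eligible maximum), then the user side self-activates it for one hour with a justification, which is what the portal screenshots above walk through. The UPN, scopes and justification strings are placeholders chosen for this lab.

```powershell
# Added example (not from the original post): eligible assignment by an admin,
# then self-activation by the user, via Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph module installed; $userUpn is a placeholder account.
$userUpn = "pim.user@contoso.example"   # placeholder UPN, not a real account

$scopes = @(
    "RoleManagement.Read.Directory",
    "RoleEligibilitySchedule.ReadWrite.Directory",
    "RoleAssignmentSchedule.ReadWrite.Directory",
    "User.Read.All"
)
Connect-MgGraph -Scopes $scopes

$user = Get-MgUser -UserId $userUpn
# Resolve the role by display name instead of hard-coding its template ID
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Application Developer'"

# --- admin side: time-bound eligible, expires after one year ---
$eligible = @{
    action           = "adminAssign"
    justification    = "SC-300 lab: eligible Application Developer"
    principalId      = $user.Id
    roleDefinitionId = $role.Id
    directoryScopeId = "/"   # whole tenant; "/administrativeUnits/<id>" would scope it to an AU
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString("o")
        # type = "noExpiration" instead would make this a permanent eligible assignment
        expiration    = @{ type = "afterDuration"; duration = "P365D" }
    }
}
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $eligible

# --- user side: run as the eligible user, activate for one hour with a reason ---
$activate = @{
    action           = "selfActivate"
    justification    = "Registering the app for project X"   # the reason the portal asks for
    principalId      = $user.Id
    roleDefinitionId = $role.Id
    directoryScopeId = "/"
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString("o")
        expiration    = @{ type = "afterDuration"; duration = "PT1H" }
    }
}
$request = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $activate
# "Provisioned" when the role setting needs no approval, "PendingApproval" when an approver must act
$request.Status

# What the user currently holds: Assigned (active) vs Activated (from eligible), with end times
Get-MgRoleManagementDirectoryRoleAssignmentSchedule -Filter "principalId eq '$($user.Id)'" |
    Select-Object RoleDefinitionId, AssignmentType, @{ n = 'Ends'; e = { $_.ScheduleInfo.Expiration.EndDateTime } }
```

If the role setting requires MFA on activation, the sign-in used for Connect-MgGraph must have satisfied MFA, otherwise the selfActivate request fails policy validation; that is the "Additional verification required" step from the screenshots, just surfaced as an API error instead of a prompt.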
How does it differ for the user?
The user logs in to the portal and, voila, there is a new role available.
When the user selects Activate, they are presented with the following. Note that the duration is capped at the 0.5 h we defined earlier (not fully visible here, but it's there).
Now, as the admin, go to Tasks -> Approve requests -> Azure AD roles and you will find the request.
Select the request and Approve.
Give a justification for approving the request. It is written to the audit logs.
Analyze PIM audit history and reports
The audit logs contain the justification you entered when approving.
But also the event of adding a user to a role.
Views
You also have two different views, one for admins and one for yourself.
Configure Privileged Identity Management for Azure resources
First enable the "Access management for Azure resources" setting (Azure AD > Properties).
When you set the toggle to Yes, you are assigned the User Access Administrator role in Azure RBAC at root scope (/). This grants you permission to assign roles in all Azure subscriptions and management groups associated with this Azure AD directory. This toggle is only available to users who are assigned the Global Administrator role in Azure AD.
When you set the toggle to No, the User Access Administrator role in Azure RBAC is removed from your user account. You can no longer assign roles in all Azure subscriptions and management groups that are associated with this Azure AD directory. You can view and manage only the Azure subscriptions and management groups to which you have been granted access.
Subscription and root
When you look at your subscription, you will see a User Access Administrator role that is inherited from the root scope.
Then go to PIM and choose Discover resources.
And you can now onboard the subscription.
Select OK
Now you can see members and roles in this subscription.
And when you open the resource, you can manage the roles and assignments
Custom roles
You can also create a custom role
You can clone an existing role, start from scratch, or create one from JSON.
Let’s use the User Access Administrator for cloning
We can add or exclude permissions
You can choose from all the permissions available
And add Microsoft.ManagedIdentity and permission to register Resource providers
You can attach the custom role to a scope; by default it is assignable in the subscription we are creating it in.
You can choose between management groups, subscriptions and resource groups; if the assignable scope is a management group or subscription, the child scopes inherit it.
You can download the role as JSON, for example to deploy it with DevOps or just as a backup.
Once done, it takes time to propagate
Then you can assign it
And choose Eligible or Active. Eligible means the user has to activate the role when needed; Active means it is simply active. The default role settings cap eligible assignments at 1 year and active assignments at 6 months unless you allow permanent assignments.
And done. You can see the values under the user.
You can also edit the settings for the role, for example to require MFA on activation.
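The custom-role and assignment steps above, scripted with the Az PowerShell modules. This is an added example, not the post's own code: it clones User Access Administrator, adds the managed identity and provider-registration permissions, exports the definition as JSON, waits for propagation, and then makes a principal eligible (not active) for the role through PIM with the one-year limit. The subscription ID, principal ID and role name are placeholders.

```powershell
# Added example (not from the original post): custom role cloned from User Access
# Administrator, exported to JSON, then a PIM *eligible* assignment on it.
# Assumptions: Az.Accounts and Az.Resources modules; $subId and $principalId are placeholders.
$subId       = "00000000-0000-0000-0000-000000000000"   # placeholder subscription ID
$principalId = "11111111-1111-1111-1111-111111111111"   # placeholder user or group object ID
$scope       = "/subscriptions/$subId"

Connect-AzAccount | Out-Null
Set-AzContext -SubscriptionId $subId | Out-Null

# 1. Clone the built-in role and adjust it (Actions/AssignableScopes are editable lists)
$role = Get-AzRoleDefinition -Name "User Access Administrator"
$role.Id          = $null          # a new definition gets its own ID
$role.IsCustom    = $true
$role.Name        = "SC-300 Custom Access Admin"
$role.Description = "User Access Administrator plus managed identity and provider registration"
$role.Actions.Add("Microsoft.ManagedIdentity/*")
# Registering a resource provider is the <namespace>/register/action operation
$role.Actions.Add("Microsoft.ManagedIdentity/register/action")
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add($scope)   # assignable at this subscription and its children only
$custom = New-AzRoleDefinition -Role $role

# 2. Keep a JSON copy for a DevOps pipeline or as a backup
$custom | ConvertTo-Json -Depth 5 | Set-Content -Path ".\sc300-custom-role.json"

# 3. Role definitions take a little while to propagate; wait until it resolves by name
do {
    Start-Sleep -Seconds 15
    $visible = Get-AzRoleDefinition -Name $role.Name -ErrorAction SilentlyContinue
} until ($visible)

# 4. Make the principal eligible for the custom role via the PIM ARM API.
#    AdminAssign + AfterDuration P365D = time-bound eligible, matching the one-year default.
$requestName = [guid]::NewGuid().ToString()
$body = @{
    properties = @{
        principalId      = $principalId
        roleDefinitionId = "$scope/providers/Microsoft.Authorization/roleDefinitions/$($custom.Id)"
        requestType      = "AdminAssign"
        justification    = "SC-300 lab: eligible custom role"
        scheduleInfo     = @{
            startDateTime = (Get-Date).ToUniversalTime().ToString("o")
            expiration    = @{ type = "AfterDuration"; duration = "P365D" }
        }
    }
} | ConvertTo-Json -Depth 5

$response = Invoke-AzRestMethod -Method PUT `
    -Path "$scope/providers/Microsoft.Authorization/roleEligibilityScheduleRequests/$requestName?api-version=2020-10-01" `
    -Payload $body
$response.StatusCode                                        # 201 Created on success
($response.Content | ConvertFrom-Json).properties.status    # e.g. Provisioned

# 5. Confirm what PIM now holds for the principal at this scope
Get-AzRoleEligibilitySchedule -Scope $scope -Filter "principalId eq '$principalId'" |
    Select-Object RoleDefinitionDisplayName, Status, EndDateTime
```

Az.Resources also wraps the same request as New-AzRoleEligibilityScheduleRequest; the raw PUT is shown because it is the body you will see in the portal's activity log and in Bicep/ARM templates, and because it makes the difference between AdminAssign (eligible/active assignment by an admin) and the user's later SelfActivate explicit.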
You can also fetch PIM role additions from Log Analytics. Category ResourceManagement covers Azure resource roles; Azure AD role events use Category RoleManagement.
AuditLogs
| where Category == "ResourceManagement"
| where LoggedByService == "PIM"
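A fuller version of that query, run from PowerShell, serving both this section and the "Analyze PIM audit history and reports" section above. This is an added example, not code from the original post: it pulls every PIM event from the last week out of the workspace, splits the role and the affected user out of TargetResources, surfaces the justification (PIM records the activation or approval reason in ResultReason) and flags activations that were made without any reason. The workspace ID is a placeholder, and the AuditLogs diagnostic setting is assumed to already stream into the workspace.

```powershell
# Added example (not from the original post): PIM audit trail from Log Analytics.
# Assumptions: Az.OperationalInsights module; AuditLogs diagnostics flow to the
# workspace; $workspaceId is a placeholder workspace (customer) ID.
$workspaceId = "00000000-0000-0000-0000-000000000000"   # placeholder workspace (customer) ID

$kql = @'
AuditLogs
| where TimeGenerated > ago(7d)
| where LoggedByService == "PIM"
// Azure AD role events are categorised RoleManagement, Azure resource role events ResourceManagement
| where Category in ("RoleManagement", "ResourceManagement")
| extend Actor = tostring(InitiatedBy.user.userPrincipalName)
// TargetResources mixes the role and the affected user; pick each out by its type
| mv-apply tr = TargetResources on (
    summarize Role   = take_anyif(tostring(tr.displayName), tostring(tr.type) == "Role"),
              Target = take_anyif(tostring(tr.userPrincipalName), tostring(tr.type) == "User")
  )
// PIM puts the activation / approval justification in ResultReason
| project TimeGenerated, ActivityDisplayName, Result, Actor, Target, Role, Justification = ResultReason
| order by TimeGenerated desc
'@

$response = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $kql -Timespan (New-TimeSpan -Days 7)
$events   = @($response.Results)

# Everything PIM did in the window: assignments, activations, approvals, removals
$events | Format-Table TimeGenerated, ActivityDisplayName, Actor, Target, Role, Justification -AutoSize

# Review hook: activations that carry no justification text are worth a follow-up
$events |
    Where-Object { $_.ActivityDisplayName -like "*PIM activation*" -and [string]::IsNullOrWhiteSpace($_.Justification) } |
    Select-Object TimeGenerated, Actor, Role
```

Matching on tr.type rather than on a fixed array index matters: the order of entries in TargetResources is not guaranteed, so TargetResources[0] is sometimes the role and sometimes the user.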
Create and manage break-glass accounts
Why create the account?
It's important to avoid accidentally being locked out of your Azure Active Directory (Azure AD) organization. You can mitigate the impact of accidentally losing administrative access by creating two or more emergency access accounts in your organization. Emergency access accounts are highly privileged and are not assigned to any particular individual. They are limited to emergency or break-the-glass scenarios where regular administrator accounts cannot be used. Microsoft recommends limiting the use of the emergency account to the time you absolutely need it.
Requirements
- You need a username that is complicated and difficult to guess.
- Requires a complex password.
- You need a list of approved administrators who can use your break-the-glass account. In general, these administrators should of course also have the role of global administrator.
- Monitor your break-the-glass account in Azure AD sign-in and audit logs to respond to unexpected activity.
How to create
- Permanently assign the Global Administrator role.
- Set the password to never expire.
- Do not configure MFA, and exclude the account from all Conditional Access policies. It must not be tied to a specific person.
- It must be a cloud-only account.
- It must not be federated.
- Do not synchronize it from on-premises AD.
- Do not tie it to a mobile phone or hardware token issued to an employee.
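The list above, turned into a script. This is an added example, not code from the original post: it creates a cloud-only account with a random, hard-to-guess username and a long random password that never expires, gives it a permanent active Global Administrator assignment (no expiry, no activation step), and then checks every Conditional Access policy to confirm the account is excluded, which is the part people most often get wrong. The tenant domain, display name and scopes are placeholders chosen for the lab.

```powershell
# Added example (not from the original post): create and verify a break-glass account.
# Assumptions: PowerShell 7.2+ (for RandomNumberGenerator.GetInt32) and the
# Microsoft.Graph module; $domain is a placeholder verified domain.
$domain = "contoso.example"

function New-RandomString {
    param([int]$Length, [string]$Alphabet)
    # CSPRNG-backed, uniform pick per character (no modulo bias)
    -join (1..$Length | ForEach-Object {
        $Alphabet[[System.Security.Cryptography.RandomNumberGenerator]::GetInt32($Alphabet.Length)]
    })
}

$lower     = "abcdefghijklmnopqrstuvwxyz0123456789"
$printable = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#%&*+-=?@^_"
$nick      = "bg-" + (New-RandomString -Length 16 -Alphabet $lower)   # hard-to-guess username
$password  = New-RandomString -Length 64 -Alphabet $printable         # long, random, never expires

Connect-MgGraph -Scopes "User.ReadWrite.All", "RoleManagement.ReadWrite.Directory", "Policy.Read.All"

# Cloud-only by construction: created directly in Azure AD, never synced or federated
$bg = New-MgUser -AccountEnabled -DisplayName "Emergency Access 01" `
    -UserPrincipalName "$nick@$domain" -MailNickname $nick `
    -PasswordProfile @{ Password = $password; ForceChangePasswordNextSignIn = $false } `
    -PasswordPolicies "DisablePasswordExpiration"

# Permanent *active* Global Administrator: noExpiration, so no activation and no renewal
$ga = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Administrator'"
New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter @{
    action           = "adminAssign"
    justification    = "Emergency access account"
    principalId      = $bg.Id
    roleDefinitionId = $ga.Id
    directoryScopeId = "/"
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString("o")
        expiration    = @{ type = "noExpiration" }
    }
} | Out-Null

# Every enabled or report-only CA policy must exclude the account, otherwise an MFA or
# device requirement can lock out the one identity that is meant to get you back in.
# This checks direct user exclusions only; if you exclude via a group, check ExcludeGroups too.
$gaps = Get-MgIdentityConditionalAccessPolicy -All | Where-Object {
    $_.State -ne "disabled" -and ($_.Conditions.Users.ExcludeUsers -notcontains $bg.Id)
}
if ($gaps) {
    Write-Warning "Break-glass account is still in scope of these CA policies:"
    $gaps | Select-Object DisplayName, State | Format-Table -AutoSize
} else {
    "Break-glass account $($bg.UserPrincipalName) is excluded from all active CA policies"
}

# Record the credentials out of band (sealed envelope, offline vault), then drop them from the session
"UPN: $($bg.UserPrincipalName)`nPassword: $password"
Remove-Variable password
```

Run the Conditional Access check again whenever a policy is added or changed; a new "require MFA for all users" policy created later silently puts the account back in scope, and you will only find out when you need it.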
Monitoring
Use your Log Analytics instance for automatic monitoring.
Choose Custom log search.
And create a new rule using the GUID (object ID) of the break-glass user.
And for the alert logic the following.
Then add an action group.
Choose Email / SMS accordingly and add the information needed.
Now you can also test the action group you created, excellent!
So now you have the action group attached to the query.
Next, enable it upon creation.
And find the created alert inside Log Analytics.
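The same alert, scripted. This is an added example, not code from the original post: it builds the sign-in query on the account's object ID (with the UPN alternative mentioned later in the post), runs it once as a sanity check, and then creates a scheduled query alert rule on the workspace, evaluated every five minutes and routed to an action group that already exists. The resource group, workspace, action group resource ID and the account identifiers are placeholders; the Az.Monitor cmdlets used are the ones from Az.Monitor 3.x and later.

```powershell
# Added example (not from the original post): scheduled query alert on break-glass sign-ins.
# Assumptions: Az.OperationalInsights and Az.Monitor (3.x+) modules; SigninLogs diagnostics
# flow to the workspace; names, IDs and the action group are placeholders.
$rg            = "rg-security-monitoring"
$workspaceName = "law-sec"
$actionGroupId = "/subscriptions/<sub-id>/resourceGroups/$rg/providers/microsoft.insights/actionGroups/ag-breakglass"
$bgObjectId    = "22222222-2222-2222-2222-222222222222"   # object ID (GUID) of the emergency account
$bgUpn         = "bg-emergency01@contoso.example"         # UPN alternative, as the post notes

$ws = Get-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $workspaceName

# UserId survives a UPN change; matching both costs nothing and reads clearly in the alert
$query = @"
SigninLogs
| where UserId == "$bgObjectId" or UserPrincipalName =~ "$bgUpn"
| project TimeGenerated, UserPrincipalName, ResultType, ResultDescription, IPAddress, AppDisplayName, ConditionalAccessStatus
"@

# Sanity-run the query before wiring an alert to it (expect zero rows in normal operation)
$hits = Invoke-AzOperationalInsightsQuery -WorkspaceId $ws.CustomerId -Query $query -Timespan (New-TimeSpan -Days 30)
"Sign-ins by the break-glass account in the last 30 days: $(@($hits.Results).Count)"

# Alert logic: number of matching rows > 0 in each 5-minute window, checked every 5 minutes
$condition = New-AzScheduledQueryRuleConditionObject -Query $query `
    -TimeAggregation "Count" -Operator "GreaterThan" -Threshold 0

New-AzScheduledQueryRule -Name "alert-breakglass-signin" -ResourceGroupName $rg -Location $ws.Location `
    -DisplayName "Break-glass account sign-in" `
    -Description "Any sign-in, successful or failed, by the emergency access account" `
    -Scope $ws.ResourceId -Severity 0 `
    -WindowSize ([TimeSpan]::FromMinutes(5)) -EvaluationFrequency ([TimeSpan]::FromMinutes(5)) `
    -CriterionAllOf $condition -ActionGroupResourceId $actionGroupId -Enabled
```

Severity 0 (critical) is deliberate: any use of this account is either a real emergency or a compromise, and both warrant a page. The query also keeps failed sign-ins (ResultType other than 0), since a password-spray against the account is exactly what the monitoring is there to catch.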
Things to remember
PIM
Global admins need MFA enabled to access PIM.
There are two types of role assignment, Eligible and Active. Active is granted automatically; Eligible must be activated when needed.
The default maximum for eligible assignments is 1 year and for active assignments 6 months.
To use Privileged Identity Management, you must have one of the following licenses:
- Azure AD Premium P2
- Enterprise Mobility + Security (EMS) E5
Can be applied to Azure AD roles (Global Administrator etc.) and to Azure resource roles (RBAC).
Can be assigned at a management group (Preview) and at a subscription.
Types of assignments:
- Permanent eligible
- Permanent active
- Time-bound eligible, with specified start and end dates for assignment
- Time-bound active, with specified start and end dates for assignment
Break the glass accounts
When to use them, what they should have, how to monitor (Log analytics) the usage.
You can also use UserPrincipalName for monitoring the account.