Managing Azure AD Privileged Roles Effectively

Jan 12, 2025

Azure AD Privileged Identity Management (PIM)

Introduction

  • Purpose: Avoid permanent role assignments to users or groups, use roles just-in-time.
  • Encouragement to like, subscribe, comment, and share if helpful.

Azure AD Tenant Overview

  • Users:
    • Cloud users, synchronized users (via Azure AD Connect, Cloud Sync), guest users (B2B).
    • Authenticated through various means (Microsoft account, Gmail, one-time passcode, SAML, Facebook).
  • Groups:
    • Created in Azure AD or synchronized.
    • Special cloud groups can be created as assignable to roles.
  • Roles and Services:
    • Roles define sets of permissions.
    • Roles can be assigned to users or special cloud groups.
    • Various services trust Azure AD for authentication (Microsoft 365, Azure, third-party services).

Managing Roles in Azure AD

  • Role Types:
    • Azure AD roles (e.g., Dynamics 365, Exchange Admin, Intune Admin).
    • Azure roles (rich set of role-based access controls).
  • Assignments:
    • Traditionally to users; also to special cloud groups (role-assignable groups).
    • Administrative units allow scoped role delegation.

Structure and Hierarchy

  • Azure Hierarchy:
    • Root management group, management groups, subscriptions, resource groups, resources.
    • Roles can be assigned at any level.
  • Role Assignments:
    • Assigned to users or groups, inherited down the hierarchy.

Challenges with Permanent Role Assignments

  • Permanent assignments lead to security risks and potential accidental misuse.
  • Users holding permanent privileged roles also face constant MFA prompts.
  • Aim for just-in-time role assignments (JIT).
  • Roles are elevated for a limited time period, enhancing security and reducing risk.

Azure AD Privileged Identity Management (PIM) Features

  • Requires Azure AD Premium P2 licensing.
  • Audit and Notifications:
    • Track elevations, send notifications, integrate with access reviews.
  • Role Assignments with PIM:
    • Roles can be made eligible or active.
    • Eligible roles require elevation, active roles are always available.
    • Time-bound assignments (start and end date) for temporary access.
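Added example (not part of the original notes or the video): a Microsoft Graph PowerShell script that lists the active directory role assignments with no end date, i.e. the permanent assignments the previous sections argue should be replaced by eligible or time-bound ones. It assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in account can read role assignment schedules (for example Global Reader or Privileged Role Administrator).

```powershell
# Added example, not from the original notes: find permanent active Azure AD role assignments.
# Assumes the Microsoft.Graph SDK modules below are installed and the signed-in account
# has read access to role management data.
Import-Module Microsoft.Graph.Identity.Governance
Import-Module Microsoft.Graph.Identity.DirectoryManagement

Connect-MgGraph -Scopes "RoleAssignmentSchedule.Read.Directory", "RoleManagement.Read.Directory", "Directory.Read.All"

# Map role definition ids to display names so the report is readable.
$roleNames = @{}
Get-MgRoleManagementDirectoryRoleDefinition -All | ForEach-Object { $roleNames[$_.Id] = $_.DisplayName }

# Assignment schedule instances cover everything currently active: permanent assignments,
# time-bound assignments and PIM activations. A permanent assignment is the one with no EndDateTime.
$permanent = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -All -ExpandProperty Principal |
    Where-Object { -not $_.EndDateTime }

$report = $permanent | ForEach-Object {
    [pscustomobject]@{
        Role           = $roleNames[$_.RoleDefinitionId]
        Principal      = $_.Principal.AdditionalProperties['displayName']
        PrincipalType  = $_.Principal.AdditionalProperties['@odata.type']   # #microsoft.graph.user / .group / .servicePrincipal
        Scope          = $_.DirectoryScopeId      # "/" is tenant-wide; an administrative unit id means a scoped assignment
        MemberType     = $_.MemberType            # Direct, or Group when inherited through a role-assignable group
        AssignmentType = $_.AssignmentType        # Assigned here; Activated would be a PIM activation, which always has an end
    }
}

$report | Sort-Object Role, Principal | Format-Table -AutoSize

# Summary per role: the roles at the top of this list are the first candidates to convert to eligible.
$report | Group-Object Role | Sort-Object Count -Descending |
    Select-Object @{n = 'Role'; e = { $_.Name } }, Count | Format-Table -AutoSize
```

Run it before and after moving assignments into PIM; the goal is for the highly privileged roles (Global Administrator, Privileged Role Administrator, Exchange Administrator and similar) to disappear from the permanent list except for the break-glass accounts you deliberately keep.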

Demonstration of PIM

  • Role Settings:
    • Configure maximum duration, MFA requirements, justifications, approvals, notifications.
  • User Experience:
    • Eligible users activate roles for specified time periods.
    • Requires MFA for activation.
    • Deactivation possible when roles are no longer needed.
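Added example (not part of the original notes or the demo): the user-side flow above, an eligible user listing their eligible roles, activating one for a limited time with a justification, and deactivating it when finished, done with the Microsoft Graph PowerShell SDK instead of the portal. It assumes the SDK is installed, that the role name in $roleName is one the signed-in user is eligible for, and that the role's PIM settings allow a 2-hour activation; the justification text is a placeholder.

```powershell
# Added example, not from the original notes: self-activate and self-deactivate an eligible
# Azure AD role through PIM. Assumptions: Microsoft.Graph SDK installed, the signed-in user
# is eligible for $roleName, and the role settings permit a 2-hour activation.
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Identity.Governance

Connect-MgGraph -Scopes "User.Read", "RoleEligibilitySchedule.Read.Directory", "RoleAssignmentSchedule.ReadWrite.Directory"

$roleName = "Exchange Administrator"   # assumed role; replace with a role you are eligible for
$myId = (Get-MgUser -UserId (Get-MgContext).Account -Property Id).Id

# What is the signed-in user eligible for? Eligible means nothing is granted until activation.
$eligible = Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance `
    -Filter "principalId eq '$myId'" -ExpandProperty RoleDefinition
$eligible | Select-Object @{n = 'Role'; e = { $_.RoleDefinition.DisplayName } }, DirectoryScopeId, EndDateTime | Format-Table

$target = $eligible | Where-Object { $_.RoleDefinition.DisplayName -eq $roleName } | Select-Object -First 1
if (-not $target) { throw "The signed-in user is not eligible for '$roleName'" }

# Activation. The justification lands in the PIM audit log; the expiration keeps the assignment
# time-bound (PT2H = 2 hours, capped by the role's maximum duration setting). If the role setting
# requires MFA, the sign-in behind Connect-MgGraph must already have satisfied MFA or the request is rejected.
$activation = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter @{
    Action           = "selfActivate"
    PrincipalId      = $myId
    RoleDefinitionId = $target.RoleDefinitionId
    DirectoryScopeId = $target.DirectoryScopeId
    Justification    = "Ticket INC-0000 (placeholder): mailbox migration"
    ScheduleInfo     = @{
        StartDateTime = (Get-Date).ToUniversalTime()
        Expiration    = @{ Type = "AfterDuration"; Duration = "PT2H" }
    }
}

# "Provisioned" means the role is active now; "PendingApproval" means the role settings
# require an approver and nothing is granted until they approve.
"Activation status: $($activation.Status)"

# ... privileged work happens here ...

# Deactivate as soon as the task is done rather than waiting for the 2-hour expiry.
$deactivation = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter @{
    Action           = "selfDeactivate"
    PrincipalId      = $myId
    RoleDefinitionId = $target.RoleDefinitionId
    DirectoryScopeId = $target.DirectoryScopeId
}
"Deactivation status: $($deactivation.Status)"
```

Both requests show up as PIM audit events with the justification attached, which is what makes the "Audit and Notifications" part of PIM useful: a reviewer can see who activated which role, when, for how long, and why.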

Privileged Access Groups

  • Assign roles to groups, users elevate to group membership.
  • Simplifies managing multiple roles across Azure AD and Azure.

Conclusion

  • PIM is a powerful tool for managing just-in-time access.
  • Offers full auditing, notification, and access review capabilities.
  • Can be managed through portal or PowerShell.
  • Encourages best practices in role assignments and access management.