Transcript for:
Managing Azure AD Privileged Roles Effectively

Hey everyone. In this video, I wanted to dive into Azure AD Privileged Identity Management, PIM. And this is all about the idea that, hey, I don't want roles just assigned permanently to users or maybe groups. And instead, I want to use it only when I need it, just in time. As always, if this is useful, a like, subscribe, comment, and share is appreciated. So let's think about our organization, which has an Azure AD tenant. Now in that Azure AD tenant we have things like users, so these could be cloud users actually created directly in Azure AD. These could be synchronized users from Active Directory using things like Azure AD Connect, Azure AD Cloud Sync, or they may even be guest users. So these might be coming in through kind of B2B. That could be a Microsoft account, a different Azure AD tenant, Gmail, a one-time passcode, SAML or WS-Fed, even a Facebook account. So I have all these different accounts in my Azure AD. Now I can also have groups. And once again, these groups may actually be kind of created directly in Azure AD. They could be synchronized as well. And then we can have these users placed inside these groups. And then we have the idea that, well, great, there's that Azure AD. And then there are many types of service that trust that Azure AD and use it for the authentication. We can think about, well, there's things like the Microsoft 365 Cloud. There's things obviously like Azure. There might be... 
third-party cloud services out there. It might be applications that I create, so I actually create my own kind of app registrations and I trust my Azure AD tenant. So I can really focus, when I think of PIM, on the idea that, well, there are roles in Azure AD. So I can think we have these various roles in Azure AD, which are really just sets of various permissions. Now we can look at these if I jump over and we go and look at my Azure Active Directory. I can go to my roles and administrators and I can see all these different kinds of roles, and you'll notice they are more than just Azure AD. I can see ones like, hey look, Dynamics 365. I can see ones around Exchange admin. There are things around Intune administrators. So there are other roles related to various services. And each of these roles has different sets of permissions. If I click on, for example, Help Desk Administrator, well, under the description, I can actually see the role permissions it has. And then what I can do traditionally is, well, hey, I'll assign this to someone. And if I do my add assignment just kind of super quickly and select, you'll notice what it's showing me is pretty much all users. Now you might notice there's a couple of groups, but the reality is most of my groups are actually missing. So this is because for my Azure AD roles, I can assign those roles primarily to users. Now there is a special type of cloud group, so not a synchronized group, a special type of cloud group that has assigned membership, where I am manually adding people to it. It's not based on a dynamic membership rule where I look at some attributes, and it's actually been configured as kind of this "as assignable". So it's a special flag I actually set on it when I create it. It's called is assignable to role. And that lets me also grant Azure AD roles to the group. If we actually go back again just super quickly, you'll notice there's a couple of groups here that are shown. 
When I create a group, I have this option of, well, hey look, can Azure AD roles be assigned to the group? Now if I set that to yes, you'll notice the membership type is grayed out. It has to be assigned and it cannot be a synchronized group. So in this case, hey, I can actually grant those roles in Azure AD to that special type of group as well. It has to be a cloud group. Remember, it's created in Azure AD. It's not synced. This would be a synced kind of group. It has to be manually putting people in it, assigned, and it has to have that is assignable to role. Now Azure AD primarily is a flat structure. There are no organizational units. Now, there is a concept in Azure AD called administrative units. So I can kind of create these administrative units and then put users and put groups into it. And then I can delegate people a role. There's only a certain set of roles, so it's giving it a limited scope. So just keep that in mind. If I think of Azure AD, there's the whole Azure AD tenant. And then, hey, I can actually put users and groups into an administrative unit and then grant a role at that smaller scope. So we have that as well. And then we're going to focus on Azure as well. So once again, Azure has a very rich set of role-based access control. Now when I think of Azure, I've kind of drawn it to the side over here. But realistically, there's a whole set of hierarchies in how I can do permissions with Azure. Azure fundamentally, there's that Azure AD tenant at the top. Then you kind of have this root management group. Then I can have a whole hierarchy of management groups. And then finally, I create a subscription. And then I create one or more resource groups into which I create resources. And again, I can create a whole set of roles, which are really a list of actions based on the resources that are defined in resource providers. So it's really a whole set of actions that are put into a role. And then I assign that to a user or group. 
Now, for the Azure roles, hey, I can do it to any of those groups. I can do it to cloud groups. I can assign it to synchronized groups. It's far more flexible. So when I think about those roles, it's that kind of full gamut of all of those different combinations. And I can set it at any of these kinds of levels, different management groups, subscriptions, resource group, even the resource itself. So those different places. I can actually assign it again to a user or group. And once again, we can look at one of those. So if this time I actually go and look, for example, at a resource group, it's kind of a very broad thing, and I'll just pick any one, it really doesn't matter. Look at the access control. I can look at all the different roles, which will show me pretty much all of them because a resource group can really contain anything. And if I just look at one of them, this might sound a little bit more interesting. Backup reader, sure. So if I look at permissions, I'm looking up here at the top. Hey, I can see all the different resource providers that it has different permissions from. And I can see exactly what they are. So these are all the different resource types within that resource provider. And then what are the actual actions? There's the basic read, write, delete. And then there are others. So if I select that, then I can see the other permissions that it's been given. So I have that role. And then I can assign that role to a certain user or group at a certain scope. Obviously, it's inherited down, so the higher up I grant that role, well, it will get inherited to child management groups, to child subscriptions, child resource groups, child resources. So we have these two types of roles, Azure AD and Azure roles. Now, ordinarily, we would just grant those. To Azure AD, traditionally, it's been to a user, but now we could do this special type of cloud is assignable to role group. 
Or in Azure, the preferred approach is to give it to a group, and then I add users into the group. But we tend to just give it to them. And the pain point is, well, that's then kind of this permanent assignment. So what happens is now, I'm always walking around with this high-level permission. Well, that obviously makes me kind of prone to maybe attack. If someone attacks my credential, they just, hey, have that heightened permission. For me as a user, I might do something accidentally, and if I'm signed in with higher permissions, my accidental action could be far worse than if I had this very basic set of permissions. It's the same as user access control in Windows. When we sign in, no matter what permissions we have, it actually gets cracked into two different tokens. One is very basic, and then there's one with our higher permissions. We have to kind of click that user access control: yes, I'm giving permission to elevate up to that higher set of credentials so I can do the things when it actually needs the permission, rather than me just running with it all the time. Also, my experience wouldn't be great if, because I have these higher permissions, I should be MFAing all of the time. So I'm just reading my email, I have to MFA. So I get that muscle memory of just yes, yes, yes, MFA. That's a bad thing. I want to get an MFA prompt only when I'm doing something of a higher permission or maybe some heightened risk is detected. So we want to move away from the idea that, hey, we just always have these permissions. Instead, I want to think about, I get the role only when I need it. I want a more controlled method of giving the roles. Because another pain point is if I've been at a company a long time, hey, I do a certain job, I need these roles. Then I change role and do another job, I need these roles. Hey, I'm working on this project, I need these roles. People often forget to remove them. So I want that idea that I get the role only when I need it. 
And you'll hear this called just in time, JIT. I can elevate up to get a role for a period of time, maybe an hour, and then it goes away. And when I do this JIT, when I do that higher thing, that's when maybe, hey, as I'm elevating, I do an MFA. Maybe I have to write down a justification so I can track it in the audit of, hey, why did I do this? Maybe it requires an approval. So I can set different things for actually what I'm going to do as part of that. And it gives me that much better control of the role. Maybe I'm just giving it to someone, but it's for a time window. So this also gives me kind of this time bomb capability. It's a limited assignment for me. Now, Azure AD Privileged Identity Management is an Azure AD Premium P2 feature. So I do have to have kind of the right licensing to be able to use this feature. And also around all of this stuff is things like audit. I can go and see my own elevations. The administrators can go and see those elevations. I can also have things like notifications. I can have emails fired off for various people to say, hey, this elevation, this grant has been done. And this all ties into the idea of kind of access reviews. So access reviews is another kind of P2 feature, but it lets me say, hey, periodically or one-off, let's go and check: do these people still need this role or this group membership or this app access, or maybe I'll delegate that check or make it a self-check. Yes, do you still need this? Well, yes, I do. And then act on it. So let's actually look at this in a bit of detail and understand exactly what this is. Now, to manage PIM initially, I have to be a global administrator or a privileged role administrator. And when I think about using this PIM, I'm basically doing an assignment. I'm saying, hey, with PIM, I'm assigning either this Azure AD role or this Azure role, or we'll talk about groups in a second as well. And what I can do is when I'm doing that PIM, I can actually assign it in one of two ways. 
I can assign it making it eligible. And when I make it eligible, that's, hey, I have the right to use that role, but it's not just standing. It's not active all the time. I have to actually go and elevate up for that time window. Or I can make it active. So I'm assigning it to someone. And they don't have to do anything, it's just always active. Now that would be more common if maybe I have someone who day in, day out needs the role. Maybe it's a help desk admin. It makes no sense to make them eligible and they have to activate every time they want to do something, every hour, every two hours. But the benefit of using PIM here is it's still tracked. I could still do things like that time bombing. So hey, I'm going to give it to you, but it's for a time-limited window. Think of a contractor. And they're coming in, they're working on a project for three months, and they're working in a certain resource group. Well, hey, I could make you contributor. You're active. You don't have to elevate up. But it's only going to last for three months. After that, it's going to automatically be taken away. I'm not worried about the idea of these mounting permissions over time. I have great visibility into it. And again, I can kind of pair that up with things like access reviews. So let's start with Azure Active Directory and actually dive into what I can do around PIM. So if we jump over, I'm going to use kind of two accounts. I'm going to use my account, and then Clark Kent is going to be the user we're going to keep assigning it to. So Clark Kent has a P2 license as well, because they're going to use the PIM functionality to actually elevate up to roles. So we'll actually start off. So I'm the administrator. I'm John. So I'm just looking at Azure AD. I have my users, groups, and things like that. Now what we'll see, if I go to my home, I can search for PIM. And there's Privileged Identity Management. Now, I could also do aad.portal.azure.com. 
This is an Azure AD focused portal. And then you'll see I've got my favorites. I could do all services. And I can tag the service by clicking the little star to make it show up on my favorites list. So this is all focused around Azure AD. So as administrator, I'm going to go to Azure AD Privileged Identity Management. Now straight away, it's giving me some things to get started. I can kind of see what's new, and I can see the roles I have. So I actually have things that for me, as a user of PIM, I can elevate up and become a Teams administrator. I can see what assignments I just have active for Azure AD. I can see ones I had in the past that have now expired. But if it was within kind of the last 30 days, I could actually request to renew it. I can also see what roles I have around Azure resources. So I can see all the different active assignments I have for Azure resources. I have quite a lot. And even this groups thing that's in preview. But we'll come back to that. So that's me using PIM. And I'm going to show more of that as Clark Kent. I can see requests that I have outstanding. I can see requests that require my approval. Maybe someone's requested an elevation. I have to approve it. Maybe someone's requested an extension or a kind of renewal. I can do an access review from over here. But I'm going to start off looking at management. And I'm going to start off with Azure AD roles. Now, remember, I'm in a certain Azure AD tenant. So I'm going to focus on this management part. And again, this is all Azure AD. So firstly, I can see all the different roles I can manage. And once again, we're going to see all these built-in roles, but you can have custom roles in Azure AD as well. So I have this very limited role I created. So in Azure AD, I can create a custom role. It's really focused around app management today. That may change in the future, but I can manage that with PIM as well. And now what I can do... 
is for each of these roles, I have a number of settings. So I could pick, for example, global administrator. Now I can see current assignments that are out there, and I can add assignments. But firstly, I'm going to go to role settings. So these are the settings for this specific role. And I can get there the same way if I just went to settings. And it's just going to show me all the roles here as well. I can order it by role. And once again, I can just go to global administrator. So I'm going to do edit. And we'll see we have these different options. So the first set of options are around activation. So activation is when we are eligible for the role. So we're going to make someone eligible. They're allowed to elevate up to it. So I can set, well, what's the maximum duration? So it can be up to 24 hours for the request. And they can change it to a smaller value at time of elevation. When they perform the activation, what do I require? Now, for something like global admin, I really probably do want Azure MFA. I want to make sure it's a strong authentication. If it was something lesser, maybe some kind of just reader role, maybe I don't require Azure MFA. Now, if they already have a strong authentication when they did the login, it's not going to make them MFA again. If my token has, hey, they've done a strong authentication, I'm good. But it's based on the idea that, hey, I did a simple authentication, so I was just doing the same basic, checking my email, whatever, and now I'm elevating up because I want to use that bigger permission. At that point, it will make me do the MFA. And notice I can also say, well, I want them to enter a justification, so a reason. That's going to go in the audit. I can require ticket information, like a ticket number. I could require an approval and then who has to approve it. And then I'm saying, well, what actually is the assignment? Now, remember, I can make it eligible. I can make it active. 
So what I'm saying here is allow permanent eligible assignment. Now, I've got that set to yes. If that was turned off, then I can set a maximum eligible assignment to a certain duration. So what this is saying is, remember, I'm granting this role in Azure AD to a principal, a user, for example, and if I'm making it eligible, what this option is saying is, hey, when you grant them this via PIM, are they going to be eligible forever, i.e. allow permanent, or do you want them only to be able to be eligible for maybe a year or six months? So even though it's not active all the time, they elevate up, I still don't want it to just be there. I still want a time bomb for what duration of time they are allowed to elevate up to that actual role. So that's what that's doing there. Likewise, do I allow a permanent active? So that's when it is just active. They don't have to elevate up. I'm going to grant them the role and it's just there. They automatically have that. So again, I might say, no, I don't want to do permanent active. You can have it for six months. I can say, if it's an active assignment, do I want to start making them do MFA? Do I want them to do a justification on the active assignment? So when I'm doing that, why am I doing this? And then I can configure notifications. Hey, if it's assigned, if it's assigned to the person, if it's active, if it's eligible, when they activate the role, I can have all these different configurations around sending notifications. So this is the settings of the role itself. And I have this for every single one of the various roles. So some of them you might want more notifications than others. Some of them you might want approval. Some of them you might want MFA. I can go through that. Once I've configured it, well, then I can do assignments. So here I can see assignments that I've done already. Notice Clark Kent has quite a lot of them, but I can add an assignment. 
So if I do an add assignment, notice here, first thing I do is, well, which role am I assigning? Now let's pick authentication policy administrator. And notice when I'm selecting who am I going to give this to, it's only showing me users and those special cloud groups. I have a whole bunch of groups they're not showing. I'm only seeing groups that are cloud groups that have that is assignable to role. So I could assign it to a user, I could assign it to a group. Let's just pick a user. Now notice the scope type is set to directory. It's not showing me my administrative units. That's because this role is not supported by administrative units. If I change this to something like global administrator that is supported by administrative units, then it's going to give me a scope option. Now I can change it to administrative unit and I can set, hey, I want to grant this at this particular level rather than the entire Azure AD tenant. And then I get to pick, well, how am I assigning this? Am I making them eligible? Remember, they have to elevate up, and I can set, well, what is the time window? Even though it is allowed to be permanently eligible, I don't have to deploy it that way. I can actually say, no, you're in this role for three months. I want you to be eligible to activate up for three months, then it's going away automatically. So I don't have to remember, oh, the contract ended. So even though it's eligible, I still don't want it to be forever. Or I can just make it an active. So it's just going to be active straight away. Once again, I could set a time window. And because I set that option that I have to enter a justification, I have to, as the administrator assigning it, say, well, why are you giving this? So I would say, okay, well, I'm permanently assigning it for... And I can again make it a smaller window if I wanted to. We'll do that window time to change stuff, and I would click Assign. 
I'm not going to do that, but that's how I would actually go through and do an assignment. It also has this discovery and insights. This is kind of nice because what it's actually going to do is show me some things around kind of best practices. Like I have three permanent global administrators. They want it to be, I think, two and five. And normally we have two kind of break glass global administrators. So those don't require PIM because if something goes wrong, I still want to be able to manage my Azure AD in a disaster. So documentation actually walks through creating break glass. I don't normally use them, these special kinds of accounts. There are details about highly assigned roles, if I have service principals with privileged role assignments. So it's just giving me some insight into my environment and things I might actually want to go and think about focusing on. So I've now kind of set this up. Remember, I could have done it at that administrative unit level. If I actually went to an administrative unit, just to kind of show the complete experience, and I selected one, you'll notice in here, if I do roles and administrators, these are the roles that are applicable to administrative units. Well, it's only when I pick one of these, for example, let's kind of pick one. Notice when I have the role settings, it's kind of the same as the PIM. I have that set of options and that's how I can do the assignment. For administrative units, I need an Azure AD Premium license to actually be able to use that. So now let's see what the end user experience is. So now I'm good old Clark Kent and I can go to my Azure AD Privileged Identity Management. Now I can look at my current roles and I can see my kind of active assignments. So right now I'm kind of an Intune admin and I'm an authentication administrator on the testing administrative unit. But I can see... Hey look, I have these other roles available to me. 
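The role settings and the time-bounded eligible assignment walked through above, as an added example in Microsoft Graph PowerShell (not code from the video). It assumes the Microsoft.Graph SDK modules are installed, that the signed-in account is a Privileged Role Administrator, and that the user principal name, justification and durations are placeholders to replace; the policy rule ids and request shape are the ones Microsoft Graph documents for unifiedRoleManagementPolicy and roleEligibilityScheduleRequests.

```powershell
# Added example, not from the video. Assumes the Microsoft.Graph PowerShell SDK modules
# (Identity.Governance, Users, DirectoryObjects) are installed. Placeholder values below.
Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory', 'User.Read.All', 'Directory.Read.All'

$roleName  = 'Authentication Policy Administrator'   # the role picked in the video
$targetUpn = 'clark.kent@contoso.example'            # placeholder principal

$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
$user = Get-MgUser -UserId $targetUpn

# 1. Read the role's PIM settings (the "role settings" blade) before assigning anything.
#    The policy is reached through its assignment to this role at tenant scope ('/').
$policyAssignment = Get-MgPolicyRoleManagementPolicyAssignment `
    -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$($role.Id)'"
$rules = Get-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyAssignment.PolicyId
foreach ($rule in $rules) {
    # Derived-type properties of a rule surface in AdditionalProperties.
    $p = $rule.AdditionalProperties
    switch ($rule.Id) {
        'Enablement_EndUser_Assignment' {
            # What an eligible user must do at activation: MultiFactorAuthentication, Justification, Ticketing
            "Activation requires: $($p.enabledRules -join ', ')"
        }
        'Expiration_EndUser_Assignment' {
            # ISO 8601 duration, e.g. PT8H; the user may pick a shorter window when activating
            "Maximum activation duration: $($p.maximumDuration)"
        }
        'Expiration_Admin_Eligibility' {
            # "Allow permanent eligible assignment" in the portal is the inverse of isExpirationRequired
            "Permanent eligible allowed: $(-not $p.isExpirationRequired) (max $($p.maximumDuration))"
        }
        'Expiration_Admin_Assignment' {
            "Permanent active allowed: $(-not $p.isExpirationRequired) (max $($p.maximumDuration))"
        }
    }
}

# 2. Make the user eligible, not active, for three months only (the contractor case):
#    they still have to activate, and the eligibility itself expires automatically.
$request = @{
    Action           = 'adminAssign'
    Justification    = 'Project contractor; eligible for 90 days (placeholder text)'
    RoleDefinitionId = $role.Id
    DirectoryScopeId = '/'   # whole tenant; use '/administrativeUnits/<AU object id>' for an AU scope
    PrincipalId      = $user.Id
    ScheduleInfo     = @{
        StartDateTime = (Get-Date).ToUniversalTime()
        Expiration    = @{ Type = 'afterDuration'; Duration = 'P90D' }
    }
}
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $request

# 3. The "discovery and insights" check as a script: active Global Administrator
#    assignments that never expire, i.e. standing privilege outside just-in-time activation.
$ga = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Administrator'"
Get-MgRoleManagementDirectoryRoleAssignmentSchedule -Filter "roleDefinitionId eq '$($ga.Id)'" |
    Where-Object { $_.ScheduleInfo.Expiration.Type -eq 'noExpiration' } |
    ForEach-Object {
        $principal = Get-MgDirectoryObject -DirectoryObjectId $_.PrincipalId
        [pscustomobject]@{
            Principal = $principal.AdditionalProperties.displayName
            Kind      = $principal.AdditionalProperties.'@odata.type'   # user, group or servicePrincipal
            Since     = $_.CreatedDateTime
        }
    }

# 4. Who is elevated right now: activated (not standing) assignment instances across all roles.
Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -All |
    Where-Object { $_.AssignmentType -eq 'Activated' } |
    Select-Object PrincipalId, RoleDefinitionId, StartDateTime, EndDateTime
```

Step 3 is the list to review with the break-glass accounts in mind: those two are expected to be permanent, anything else is a candidate for conversion to an eligible assignment.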
I can also see if I had expired assignments, I'd be able to go and kind of request to have that renewed. But I can see, hey look, I've got Global Administrator, looks nice. So I can say I want to activate this role. So under Actions on the far right, I can say Activate. So I'm going to click Activate. And now I can say, do I want to start it at some time maybe in the future? And what is the duration? Now, notice straight away, I did not sign in with MFA. So it's saying, hey, look, before you can go any further, I want a strong authentication because that's what I selected on the configuration. So I'll say, okay, additional verification required. And it's saying, okay, I'm going to do an MFA. So it sent me a sign-in request. I am now looking at my phone, and it's kind of saying, hey, do you want to approve? I don't think you can see that very well. But it's asking me to approve it, so I'll hit approve, smiling at it, and it's now approved. So I now have a strong authentication as Clark. So at this point, now it's going to give me these options. So maybe I don't need it now, I need it at a future time. So I could say, actually, I'm doing these actions at this time, I'm going to do it in advance, or I'll do it now. And I set the maximum to three, but notice I can do it for a smaller window. And I have to do a reason. Okay, so I'm saying showing things for demo. And I click activate. So what it's now going to do is go through, it's processing the request. It's activating the role. And then what it will actually do is a refresh of the browser. So I don't have to log out and log in again, which we actually used to have to do, which is kind of a pain in the neck. It does some nice checks. It's a much better experience than we had even kind of six months ago. So it's going through and it's giving me that role. So I now have these superpowers to be a global administrator. Okay, so that's done. 
And now if I actually go and look at my active assignments, now you can see I'm a global admin. So now I would go and do global admin-y things. I have those permissions. When I'm done, notice if I finish early, I don't have to just leave those permissions. I can actually come into here, look at my active and deactivate. I just hit deactivate at the bottom. And now it's removing. So it's doing the opposite now. And it's saying, hey, deactivate role was successful. And if I hit refresh, it's taking it away from me. It's eligible. I could activate it again. But now it's actually been taken away. It's gone. And back as my user, I can actually go and look at my audit history. And then I can see the full track, say, hey, okay, all the different things that have been performed for me. Hey look, 9:10, oh 9:09, add member to role activation. Oh, add member, showing things for demo. I can see the reason. So I have this kind of full audit trail for me as the user to see what I'm doing. As an administrator, if I go to my Azure AD PIM, and I just go to kind of my Azure AD roles, and look at kind of resource audit, I can see the same information. Okay, so there was a Clark Kent over here. They elevated because they were showing things for demo. So I have that full tracking of exactly what's being done. So great, that's my Azure AD. And notice we had that both at the overall tenant, and I could do it for the administrative units as well. I can have a defined scope. Then we have the Azure roles. Now remember, Azure roles, these are all users. I can assign it to groups. We have all these different levels to how we're actually going to manage it. So one of the things we actually have to do with Azure is find the resources first. So the first step for Azure is discover stuff. Do I discover things below subscriptions? Do I want to go and discover the management groups? And then we have to pick, what scope do I want to assign the role actually at? By default, we'll just see subscriptions. 
But I may want to do it at a lower level than that. So if we jump over, and now, I'm just going to go back over to my PIM area. And if we go all the way back to the beginning, now we have kind of Azure resources. So I'm going to pick Azure resources. And notice it's got this option to discover resources. So if I hit that, I'm going to say, what do I want to discover? Now, I've already discovered all of my subscriptions. But notice, this is super important, resource type. I can change this to say, hey, I want to discover management groups as well. Now, I've done that as well, which is why if I do resource state unmanaged, it's not showing anything. If I do all, then it will actually go and find my management groups. So you have to go and discover them, and then you'd select them and say manage resource. Now I can still do direct assignments at the management group, the subscription, the resource group level. It's simply bringing it to the attention of PIM so PIM can start doing things as well. So don't be scared by the fact that it's saying, hey, bring this under PIM management. I can still manage it using the direct identity and access management as well. So now I'm ready to actually grant a role. Now by default, I would select a subscription. I want to give this role at a subscription level, but maybe I don't. Maybe I want to give a role at a resource group level. So all I do is I change the resource type here to the type of resource I want to grant it to. Maybe I want to grant it to management groups. Maybe I want to grant it to resource groups. Maybe I want to show a whole bunch of different things, maybe even resources. So I would select, well, what is the object, the scope, I actually want to do this role assignment to? So maybe, for example, I'll assign it to the resource group Canada. So I select the scope that I want to assign the role at. Don't select the subscription if I want to do it to a resource group. So I'm going to select resource group Canada. 
So I am now managing PIM at that level. I am now focused on this particular resource group. So any settings I do, any assignments I do, are now for that resource group. I brought that scope into my focus within PIM. So now it's going to look really exactly the same. Once again, I can see what are all of the different roles. And I'll see a lot of them, all of the different Azure roles. And once again, if I have custom roles, they're going to show as well. So over here, for example, I have my custom VM read and run command role. That's there. And once again, for all of these things, I have settings. I can kind of edit, hey, what's the activation time, justifications, am I allowing permanent eligible, am I allowing permanent active, what are the time durations? This is exactly the same screen as we saw before. And then all I'm essentially doing at this point is I can add an assignment exactly the same way we saw before. Hey, I'm giving this role, in this case, it's the virtual machine contributor, at this scope, so it's this resource group, to this target. So again, I can select a member or kind of group at this point. Now, it's all the groups it's showing because for Azure resources, these can be synced groups. They can be dynamic. It does not care. It's far more flexible. So I would select a user and kind of click Add Assignment. And that's really it. Now, if I actually jump up a level and this time actually go and look at my dev subscription, for example, and look at assignments, well, once again, we can see good old Clark Kent has a direct assignment over here. So if I actually go and look at my roles again, so this is for the subscription scope. If I go and look, for example, at my contributor, I can see Clark Kent has that right to be eligible for that. And there's that extend option: if it was within kind of 14 days of expiring, I could extend it and make it for a longer period of time. Okay, so let's try that. 
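The resource-group-scoped eligible assignment described above (Virtual Machine Contributor on resource group Canada for three months), as an added example using Az PowerShell and the Azure Resource Manager REST API rather than the portal (not code from the video). It assumes the Az module is installed, that the caller holds Owner or User Access Administrator on the target scope, and that the subscription id and user principal name are placeholders; the request path, api-version and payload shape are those documented for Microsoft.Authorization/roleEligibilityScheduleRequests.

```powershell
# Added example, not from the video. Assumes Az.Accounts and Az.Resources are installed.
Connect-AzAccount | Out-Null

$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder subscription id
$resourceGroup  = 'Canada'                                   # resource group used in the video
$roleName       = 'Virtual Machine Contributor'
$targetUpn      = 'clark.kent@contoso.example'               # placeholder principal

# The scope is the resource group, not the subscription: PIM settings and assignments made
# here apply to this resource group and are inherited by the resources inside it only.
$scope    = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup"
$roleDef  = Get-AzRoleDefinition -Name $roleName
$user     = Get-AzADUser -UserPrincipalName $targetUpn
$roleDefinitionId = "/subscriptions/$subscriptionId/providers/Microsoft.Authorization/roleDefinitions/$($roleDef.Id)"

# 1. Create the eligible (not active) assignment, bounded to 90 days. AdminAssign is the
#    administrator granting eligibility; the user still has to activate to get the token.
$payload = @{
    properties = @{
        principalId      = $user.Id
        roleDefinitionId = $roleDefinitionId
        requestType      = 'AdminAssign'
        justification    = 'Project work in resource group Canada; eligible for 90 days (placeholder)'
        scheduleInfo     = @{
            startDateTime = (Get-Date).ToUniversalTime().ToString('o')
            expiration    = @{ type = 'AfterDuration'; duration = 'P90D' }
        }
    }
} | ConvertTo-Json -Depth 5

$requestName = [guid]::NewGuid().Guid   # each schedule request needs a fresh GUID name
$response = Invoke-AzRestMethod `
    -Path "$scope/providers/Microsoft.Authorization/roleEligibilityScheduleRequests/$requestName?api-version=2020-10-01" `
    -Method PUT -Payload $payload
if ($response.StatusCode -notin 200, 201) { throw "Eligibility request failed: $($response.Content)" }

# 2. Verify what PIM now holds at this scope: every eligibility, who it is for, and when it
#    ends. A null endDateTime here is a permanent eligibility, the thing the video warns about.
$list = Invoke-AzRestMethod `
    -Path "$scope/providers/Microsoft.Authorization/roleEligibilityScheduleInstances?api-version=2020-10-01" `
    -Method GET
($list.Content | ConvertFrom-Json).value | ForEach-Object {
    [pscustomobject]@{
        Principal = $_.properties.expandedProperties.principal.displayName
        Role      = $_.properties.expandedProperties.roleDefinition.displayName
        Scope     = $_.properties.expandedProperties.scope.displayName
        EndsAt    = $_.properties.endDateTime   # $null means no expiry
    }
}
```

The same two calls work at a subscription or management group by changing `$scope`; what the user sees under "My roles" is the union of all of them.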
So once again, I am Clark Kent and I want to use this. Now, before I do anything else, if I was just to look at the subscription and I go to access control, I can view what is my access, view my access. And right now I have network contributor and reader. They are my assignments. So I'm going to jump over to PIM. I'm going to go to Azure resources. And again, remember, I pick the scope. So I know I've been given a role at subscription level. I would pick the subscription. If I knew I'd been given a role at a resource group, I would change the resource type. I would pick the resource group and elevate to that. So I'm going to pick my subscription. I can kind of see my roles and there's contributor. So I'm going to say activate it. Once again, I could do a future time. Notice it's not prompting me to MFA or anything like that. I already have a strong authentication. This can be up to eight hours. I'm just going to say one and a half, a reason: deleting Bruce Wayne's storage account. And activate. Clark Kent would never be that immature, but absolutely could kind of go and do those things. And now once again, it's going through, it's validating that the activation actually worked. I have that new token, I have those capabilities, and then it will refresh my browser so I can go and do those new things. So this was actually sort of going through, I'm going to kind of let that finish. So now I've, as the user, gone in and I'm elevating up for whatever that target is. So in this case it's the subscription. I'm going to have that contributor role for that period of time. And then after that it automatically will get removed from me. So I think that's, let's go and see. So it's still validating, it's taking its time for some reason. But essentially that would kind of go through and ordinarily be successful. Obviously because I'm demoing it, it's going to do something strange. I think if I close that it probably will do something bad. Let's refresh that. 
I don't know if that actually worked. So we can always check if it worked, remember? So firstly, I can see, is it an active assignment? And it's not. So I actually don't think that worked for some reason. Let's try and do that one more time. Test. Maybe because I said something mean about Bruce Wayne. Bruce Wayne put in some custom code to stop that actually happening. So it already exists. So it was kind of working behind the scenes. If I refresh now... So it didn't refresh the browser though, because I kind of killed that window. So let's see... Nope, it's still doing something strange. Okay, so now it's actually showing, as I've got my Contributor over here. Notice I could deactivate. I could also see any kind of pending requests that I had outstanding. But at this point I have that role. Remember, I could also just go to kind of any of the levels. So I jump out of this for a second. If I just went to my PIM, went to Azure resources over here, but there's also kind of my roles up here. If I go to my roles, I could see all of my Azure resources, both at subscription and resource group levels, and I could just activate directly from there. I don't actually have to go to the sub or the resource group. From that main kind of level I can just say, hey, I'm in PIM, what are my roles, I want to look at my Azure resource roles, and I can activate it from here. But that is now activated. I have kind of that subscription level, and I can confirm that because if I go back to the subscription and I go back to that kind of identity management and say what is my access. So I have clearly angered the demo gods by doing that cancel and it's actually put it in a bad state. I don't think it's actually going through properly, so we'll actually try one more thing. Normally that would show. That's never happened before, but obviously because I'm trying to demo it, that's gonna break.
If we go back to my roles and look at the Azure resources, notice I do also have this kind of Contributor for management central US. If we activate that one, once again, it's now validating the request. I could do it for a time. We'll say test, activate. So now it's activating at that management group level, that central US. It said it succeeded. It's now doing that validation, the activation is successful, and then hopefully I'll kind of get that confirmation. Let's say something strange is happening on the back end of Azure right now. I'm trying to demo and it's stopping all of these actually working. But it's going through, it's doing that validation, and then I should get that permission. So that's kind of how it should work. And just like all of the others, I can kind of bring that back and revoke it if I need to. If I finish kind of early, I'd be able to go and see. So this one's taking a long time as well. Maybe there's something strange happening on the back end at the exact moment I'm trying to demo this thing. We saw the Azure AD ones work. Azure ones, for some reason, are doing something strange right now. But I'm going to carry on because there's one other way I might be able to show this. So the other thing we actually have, remember, is, remember I said we can assign roles to groups. This special cloud group that is assignable to role, I can assign it both Azure AD roles and Azure roles at a certain scope. So the other thing we can now actually do in PIM is group management as well, as either an owner of the group or a member of the group. The idea being that I can now kind of elevate up to be added to the group as a member, and that would actually give me all of the roles assigned to the group. And the benefit here is, imagine I need three Azure AD roles and four Azure roles.
Rather than have to elevate up to each individual role, well, now if I just assign all the roles to a group, I can just elevate up to be a member of the group, or add someone to the group for a time-bombed window, and I get that whole combination of roles in one go. So this ability to actually do the groups is a very powerful feature. So let's jump over. See if that actually worked for Bruce quickly. So let's see what my active assignments are. Okay, so that seems to imply that that actually worked. So I've got the Contributor at the resource, and it's actually showing at the subscriptions. Let's just look at both of those one more time. So if I look at my subscription, and look at the access control, and view my access. Oh, it now worked. Okay, so it's just a timing issue. It's a little bit upset. It's Sunday morning. So there we can see it at the subscription level. Now obviously at the resource group level I'm going to have it anyway, because it would get inherited from the subscription, but what I should still see is I'll see it maybe twice. Let's have a look, because I'll see it inherited. So I'll see my role access. So here we can kind of see it twice. So I can see, well, hey, yeah, I've got it because it was inherited from the subscription, but I also have it directly on this resource group. So there I can see that PIM actually did go and take effect. Thank goodness. And if I'm finished early, my roles, Azure resources, active, and I can go and deactivate either that resource group and or the subscription as well. So that's it working for there. So let's go back to that group idea. So I'm going to now go back to John, the administrator. Now again, I've created, when I did my new group, I created it as a security group, I gave it a name, and I said yes, Azure AD roles can be assigned to the group. So I have one of these, and I called it, to keep going down, it was my, um, PIM Cloud Group. Now, so I had to manually add people into this, and it actually has some roles.
It has three Azure AD roles. This is Application Administrator, this is Compliance Administrator, this is Billing Administrator. And straight away you can see from here I have this kind of privileged access. So from this kind of privileged access here, I have the settings and it's going to look very familiar. I can have settings for be a member or an owner. If I click member, well, same thing as before. So now what people can do is I can either make them in the group, an active assignment for a time-bomb window, so they'd get all of the roles for the group. Or they can elevate up to become a member for two hours or four hours when they need to do something and get all of the roles for that particular group. Okay, now I can also add Azure roles to that group. So I kind of showed those three roles that I've assigned just here. But I can also do things for Azure. So that PIM Cloud Group, in exactly the same way. I think I did one at the subscription level. Let's have a look. So if I look at access control and role assignments, there's that PIM Cloud Group. I also made it Contributor for the subscription. So now this single group has all of those things. And what I actually did from there, if I actually jump back over. So firstly, I can go to PIM as the administrator if I want, and I can do privileged access groups. There's my group. And once again, I would do an assignment. So when I add an assignment, so I can see John is permanently kind of in there. Eligible is Clark and Bruce Wayne. So I just did add assignment. I would select, is it a member or owner? Typically it's going to be member. And then who I want to add to that. So I'll see my various users. I selected one. And then let's just do a different user. And then once again, eligible or active. Can they elevate up to be a member of the group, or are they always in the group for whatever this time window is going to be? So now as Clark, okay, so I'm back in kind of my roles.
I'm in PIM, my roles, and I can see access groups. Now again, remember, before I do that, if I look at my active assignments for Azure AD, I kind of have these two Azure AD roles. And if I was to kind of look at the subscription, and if I was to look at my access control, it's not faded out yet, but that shouldn't be there. It's just been a bit slow today. But I don't have that role anymore. That should have been kind of taken away. I think things are just, again, it's early on Sunday. So now if I go to PIM, my roles, I can see I've got this eligible to be a member of PIM Cloud Group. I'm going to activate that. Now, right now at this moment, if I was to look at that group, so I can go to my PIM Cloud Group, there were no members actually in the group. So we go to members, it's empty. So now it's Clark. Yeah, I want to elevate up. Do lots of things to Bruce's account. So it's going to activate. So now I'm being added as a member of that group. And no matter what happens, I'm not going to cancel that, because obviously it's really done some strange things behind the scenes. I think what might be happening with that Contributor is obviously I tried different ways. If I go and actually look, maybe I've got other assignments, which is why I still have that Contributor role. But I will just let that finish. But what it's now going to do is add me into that group. So that validation was successful. And now it completed successfully. It's going to refresh in three, two, one, boom. So I now have that as an active assignment. I'm a member of the group. So now straight away, if I go to my Azure AD roles and look at my active assignments, I have three new ones because I'm a member of that group. Now, again, I have a little bit of an issue showing you the subscription because it was already there, but I would also now be given access. I would have Contributor because I'm granted it via that group membership. If I go and look at the group now, Clark is now a member of it.
So I have got the Azure AD roles, I've got the Azure permissions from that group membership. And once again, if I look at the audit logs, A, I could look at the audit logs just for kind of the group. I can see all the things happening. So Clark, hey, it was added to the group because they kind of did the various elevations around that. So that's just now. I'll add member to group. I can see the details of that actual thing. I could, at a higher level, if I just go to PIM and again go to, let's say, the privileged groups, select the group here. Again, you have the resource audit. So there again, I can get the detail of, hey, do things to Bruce's account. And as the user, if I'm kind of finished early, once again, I can go into my roles, my active assignments. Okay, so that's Azure AD roles. Great. But I can go to my groups. I don't need this anymore. I'm going to deactivate. So now it will remove me from the group. So it's going to actually go through. And if I jump back over here again, or maybe I could just go over this. Actually, I've got it selected here. To the members, it's gone. And my permissions now would have been reduced again. If I go to Azure AD roles, I'm back down to my initial two. Look at my Azure resources. So I shouldn't have any active assignment. Oh, wait a minute. Let's have a look. I'll see that, yeah, yeah, so the reason I'm still showing is because when I tried that second attempt I think it left one behind. So that's why I was still showing as Contributor. So now that should have been deactivated. It's taking a second, I think, but I believe that will go away, and then what should happen... Again, I messed it up a bit because I was impatient, but oh, there you go. It's gone. So now I'm back down to just kind of having that very basic assignment. And just to prove that it does work, I guess one final time, let's go back to my roles, back to my group. I'm going to activate right now because I want you to see I do get the Azure role as well.
Test 493 and activate. So I'll get the Azure AD roles back. I'll get that Azure role at the subscription back again. I really want you to just see that to prove I'm not making this stuff up. And so that's a really good way of kind of showing that whole combination of roles. So if there are multiple roles I need to do my job, be it multiple Azure AD roles or multiple Azure roles, rather than me having to elevate up for five different things, if I give it to the group, then I can just elevate up to become a member of the group. I kind of get that whole package of them. So let's assume that worked. So my active assignment is I'm a member. So now if I go back to my subscription, and I'm kind of crossing my fingers and toes, it's not, I think it's just a delay. I think it is working. It's just, it's not instant. I think there's a few oddities happening, honestly. Role assignments, I mean, there's the PIM Cloud Group. I definitely am a member of that, so I definitely have the permissions. I could go and do various things. I think it's just lagging a little bit, honestly. Um, I think that's all that is. I don't quite know why it's lagging quite this much today, but you kind of saw I did get that permission and back again. Um, the final thing, though, is when I do have these roles, if I go back to PIM for a second. I'm not going to touch it, I'm going to give it a minute or something. But on my roles, notice I kind of have the active. If I had an assignment that had expired within kind of 30 days, it would show here. I could actually click here to renew it and it will then send a request to the administrators. They could approve it and I would get the role again. If I have kind of these eligible assignments and it's expiring in 14 days, I'll get an option to extend. So at that point, I'll actually be able to go and extend it. And again, the administrator could approve it and I'll get it for another period of time. So let's refresh that again. So that's currently there. It's then running.
I'll go one more time. Look at my subscription, access control. And there it is. Okay, so it's just a timing thing. But there it is. I have that, and it's because I'm in that PIM Cloud Group. So thank goodness that eventually worked. And again, as a good practice, if I finish doing the various roles, don't just leave it there because it's good for eight hours. If I'm finished doing a task, I would come in and say, hey, I've done that job. I'm going to deactivate it and I'm just kind of done. And with all of those things, don't forget there's a full audit trail of really everything going on within there. So I see my audit history. But I can also, for all of these different things, let's say those privileged access groups, I can select the group. I could see the auditing around those various things. So I can see elevations up. I can see it removed. I can see how test 493 was performed. So I can see everything actually happening there. So there's that full audit trail I can leverage. Now, I showed all of this through the portal. I can absolutely do PowerShell, for example. There's a whole bunch of AzureADMSPrivilegedRoleAssignment cmdlets to manage this thing and to manage the various elevations. So I can do all of it through there as well. But this is it. I mean, that's the whole point of this solution. It's about just in time, but also making sure I don't just get this massive collection of roles building up. Excuse me. It actually lets me time-bomb them. Let me get them just in time. Full auditing, notifications. I would be getting emails popping up when I'm doing those privileged things. I could add an approval if I wanted it. All those MFA type capabilities. Don't forget about access reviews to actually be able to go in and check, well, hey, do they still need this? And they all kind of work together. But that's PIM. I hope that was useful. Until next time. Take care.
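The PowerShell route mentioned at the end, as an added example that is not from the video or its author: it walks the same activate, check, deactivate cycle shown in the portal, but with the AzureADMSPrivilegedRoleAssignment cmdlets. The module name (AzureADPreview), the provider id "aadRoles" for Azure AD roles, and the cmdlet parameters come from that module's documented surface, not from the video; the tenant id, user, role name, duration and reason are placeholders to replace.

```powershell
# Added example (not from the video): just-in-time activation of an eligible
# Azure AD role through the PIM cmdlets in the AzureADPreview module, then an
# explicit deactivation when the task is done. Tenant id, user, role name,
# duration and reason below are placeholders.
Import-Module AzureADPreview
Connect-AzureAD | Out-Null

$tenantId = "00000000-0000-0000-0000-000000000000"   # placeholder directory (tenant) id
$upn      = "clark.kent@contoso.example"            # placeholder eligible user
$roleName = "Application Administrator"             # one of the roles the video assigns

$userId = (Get-AzureADUser -ObjectId $upn).ObjectId

# For Azure AD roles the PIM provider is "aadRoles" and the resource is the tenant itself.
# Resolve the role definition id by display name.
$roleDef = Get-AzureADMSPrivilegedRoleDefinition -ProviderId "aadRoles" -ResourceId $tenantId |
    Where-Object DisplayName -eq $roleName

# Activation window. PIM enforces the role setting's maximum (up to eight hours in the
# video); request a shorter 1.5 hour window, in the UTC ISO-8601 form the cmdlet expects.
$nowUtc = (Get-Date).ToUniversalTime()
$schedule = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedSchedule
$schedule.Type          = "Once"
$schedule.StartDateTime = $nowUtc.ToString("yyyy-MM-ddTHH:mm:ss.fffZ")
$schedule.EndDateTime   = $nowUtc.AddHours(1.5).ToString("yyyy-MM-ddTHH:mm:ss.fffZ")

# Activate: Type "UserAdd" with AssignmentState "Active" turns the eligible assignment
# into a time-bound active one. The Reason is what appears in the PIM audit trail.
Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId "aadRoles" -ResourceId $tenantId `
    -RoleDefinitionId $roleDef.Id -SubjectId $userId `
    -Type "UserAdd" -AssignmentState "Active" -Schedule $schedule `
    -Reason "Ticket 493: update app registration (placeholder reason)"

# Verify the same way the video does in the portal: what are my active assignments?
Get-AzureADMSPrivilegedRoleAssignment -ProviderId "aadRoles" -ResourceId $tenantId `
    -Filter "subjectId eq '$userId'" |
    Where-Object AssignmentState -eq "Active" |
    Select-Object RoleDefinitionId, AssignmentState, StartDateTime, EndDateTime

# Finished early? Deactivate instead of letting the window run out (Type "UserRemove").
Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId "aadRoles" -ResourceId $tenantId `
    -RoleDefinitionId $roleDef.Id -SubjectId $userId `
    -Type "UserRemove" -AssignmentState "Active" `
    -Reason "Ticket 493 complete (placeholder reason)"
```

For Azure resource roles the same cmdlets apply with `-ProviderId "azureResources"`, but there the `-ResourceId` is the PIM resource id (discoverable with Get-AzureADMSPrivilegedResource), not the ARM scope path, so the subscription or resource group has to be resolved first, just as the portal makes you pick the scope before it lists your roles.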