This will be the fourth and last article in the Azure AD Identity Governance series.
Today I would like to show you Privileged Identity Management (PIM).
The previous articles are available here:
- Privileged Identity Management Overview
- Test in LAB
Privileged Identity Management Overview
Let me tell you a story about Mr. X.
Mr. X is a Global Administrator (GA) in the company XYZ.
All the time, he uses his GA account to administer Azure AD, resources, etc.
One day his account was compromised, and then bad things happened…
I think you have already spotted one potential security issue with Mr. X – compromising his account means having the keys to the kingdom.
Don’t be like Mr. X; be smart and use PIM…
According to the well-known Microsoft documentation:
Privileged Identity Management (PIM) is a service in Azure Active Directory (Azure AD) that enables you to manage, control, and monitor access to important resources in your organization.
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure
From my point of view, PIM is a great tool that you can use to enable a just-in-time (JIT) model for:
- Directory roles management – limit directory roles to a timeframe
- Resource roles management – limit resource roles to a timeframe
- Privileged access groups management (Preview) – limit group membership to a timeframe.
There are more reasons to use PIM, such as:
- Time-bound access to resources
- Approval requirement
- MFA usage
- Audit history
- Access reviews
In other words, PIM can make your environment more secure by limiting the time when highly privileged roles are active and limiting them to a specific group of users.
PIM requires an Azure AD P2 license, as it is part of Azure Identity Governance.
For every type of PIM usage the workflow looks the same; actually, from my point of view, there are two workflows:
- Configuring PIM
- Requesting roles through PIM
Before we can request roles through PIM, we need to configure it.
It doesn’t matter whether you want to configure Directory Roles or Resource Roles; it always looks the same.
The diagram above depicts the workflow from the administrator's point of view:
- The Global Administrator has to go to PIM (Azure AD / Identity Governance) and, for each role that should be covered by this solution, configure settings like:
- Activation time
- MFA requirement
- GA has to configure assignments – who can request this role using PIM.
When all those configurations are done, assigned users could start using the solution.
The diagram below depicts the PIM role-request workflow:
- In this case, User1 was assigned to the Exchange Administrator role.
- User1 goes to PIM and requests the role, providing the required information.
- The request is sent to the Global Admin user for approval (as part of the configuration there is, of course, the possibility to configure approvers other than GA role holders).
- The Global Admin user decides whether to accept the request or reject it.
- If the decision is to accept the request, PIM starts the assignment process for User1.
- User1 receives the requested role for a specific time (configured within the Exchange Administrator role).
- When the assignment expires, User1 is removed from the role.
Below we are going to touch on a couple of important configuration things like roles configuration, discovery, access reviews.
PIM panel walkthrough
When you open PIM, you will see lots of sections under the left side menu.
There are four main sections:
- Tasks – this section covers day-to-day operational use of PIM, like requesting roles, approving requests, reviewing access, and the request history. In the Test in LAB section, I will use this section to show how it works from the user’s perspective.
- Manage – here we do the PIM configuration for three main areas, which are:
- Azure AD Roles
- Azure resources
- Privileged access groups
- Activity – I think this is self-explanatory. It’s all about audit history.
- Troubleshooting + Support – another self-explanatory section.
To configure an Azure AD role with PIM, we need to start from the role settings.
To do this, open the following link (you can also get there from PIM -> Azure AD roles (Manage section) -> Roles (Manage section)):
https://portal.azure.com/#blade/Microsoft_Azure_PIMCommon/ResourceMenuBlade/roles/resourceId//resourceType/tenant/provider/aadroles
Find the role that you want to configure and click on it. In my case, it will be Security Administrator.
You will be moved to a new screen, where we should start with the Role settings configuration, placed under the left side menu.
On the new screen, review the role settings and click Edit on the top menu.
On the Activation tab, you will be able to configure the following settings:
Activation maximum duration – For the highest directory roles, I do not recommend the default settings. My suggestion is to use one hour, or a maximum of 2 hours. If someone needs the GA role for longer, most probably they are not doing it the right way.
Require MFA on activation – yes, we need to require that to make sure the credentials were not compromised.
Require justification on activation – Yes, always require justification.
Require ticket information on activation – If you have a ticketing system, you can use this; it gives you two fields: 1. ticket number, 2. ticketing system link.
Require approval to activate – for high-privilege roles it is recommended; there is no option for self-approval.
Who should be the approver? – good practice is to put there the employees who hold the same role. If we have 4 GAs, they will be able to approve requests for each other.
On the Assignment tab, we need to decide how long an eligible assignment lasts, using the settings described below:
Allow permanent eligible assignment – unmark it and choose six months. Users will then have to be reassigned as eligible after that period.
Allow permanent active assignment – leave it as it is if you have a break-glass account configured in your environment.
Require MFA – yes 🙂
Require justification – yes 🙂
The last tab to configure is Notification. Here you can review who will receive emails (spam :)) and add additional distribution groups or emails that should be included in the notifications.
When you have configured everything, click the Update button.
The role settings configuration is done, so now it is time to decide who can request this role.
We are going to do this using the Assignments section from the left side menu.
Then click Add assignments on the top menu.
A new screen will open; there, click on the No member selected link to open the Select a member window, where you can choose which user should be able to request this role.
On the Setting tab, decide about the assignment. My recommendation is to use the Eligible option and leave the duration at the default settings (taken from the role settings – six months).
When done, click Assign to add the first user to the role configuration.
At the end, you should see a screen similar to this.
That is all from the configuration perspective. If you want to check what the role description and permissions look like, go to the Description section.
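To see the Activation and Assignment recommendations above expressed as a check rather than a screenshot, here is an added example (not code from the article) that audits a PIM role-management policy document. The two policies at the bottom are constructed samples shaped after the Microsoft Graph unifiedRoleManagementPolicy object and its rule ids (Expiration_EndUser_Assignment, Enablement_EndUser_Assignment, Approval_EndUser_Assignment, Expiration_Admin_Eligibility); that shape is an assumption of this example, and against a real tenant the rules would come from GET /policies/roleManagementPolicies/{id}?$expand=rules. The thresholds (PT2H, P180D) are the article's numbers.

```python
"""Audit a PIM role-management policy against the settings recommended above.

Added example (not code from the original article). The two policies at the
bottom are constructed samples shaped after the Microsoft Graph
unifiedRoleManagementPolicy object and its rule ids; that shape is an
assumption of this example.
"""
import re
from datetime import timedelta

# Thresholds from the article: at most two hours of activation, and eligible
# assignments that expire after six months (180 days) instead of being permanent.
MAX_ACTIVATION = timedelta(hours=2)
MAX_ELIGIBLE = timedelta(days=180)

_ISO_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?)?$")


def parse_iso_duration(value):
    """Parse the ISO 8601 duration subset PIM uses, e.g. 'PT8H' or 'P180D'."""
    match = _ISO_DURATION.match(value)
    if not match:
        raise ValueError(f"unsupported duration: {value!r}")
    days, hours, minutes = (int(g) if g else 0 for g in match.groups())
    return timedelta(days=days, hours=hours, minutes=minutes)


def _rule(policy, rule_id):
    """Return the rule with the given id from the policy's rules, or None."""
    return next((r for r in policy.get("rules", []) if r.get("id") == rule_id), None)


def audit_policy(policy):
    """Return a list of findings; an empty list means the policy follows the recommendations."""
    findings = []

    # Activation tab: maximum duration, MFA, justification, approval.
    activation = _rule(policy, "Expiration_EndUser_Assignment")
    if activation is None:
        findings.append("no activation expiration rule")
    elif parse_iso_duration(activation["maximumDuration"]) > MAX_ACTIVATION:
        findings.append(f"activation maximum duration {activation['maximumDuration']} exceeds PT2H")

    enablement = _rule(policy, "Enablement_EndUser_Assignment")
    enabled = set(enablement.get("enabledRules", [])) if enablement else set()
    for required in ("MultiFactorAuthentication", "Justification"):
        if required not in enabled:
            findings.append(f"{required} not required on activation")

    approval = _rule(policy, "Approval_EndUser_Assignment")
    if not (approval and approval.get("setting", {}).get("isApprovalRequired")):
        findings.append("approval not required to activate")

    # Assignment tab: no permanent eligible assignment, at most six months.
    eligibility = _rule(policy, "Expiration_Admin_Eligibility")
    if eligibility is None or not eligibility.get("isExpirationRequired"):
        findings.append("permanent eligible assignment allowed")
    elif parse_iso_duration(eligibility["maximumDuration"]) > MAX_ELIGIBLE:
        findings.append(f"eligible assignment duration {eligibility['maximumDuration']} exceeds P180D")

    return findings


# Constructed sample resembling default settings: 8h activation, no approval, permanent eligibility.
DEFAULT_LIKE_POLICY = {
    "displayName": "Security Administrator (sample, default-like)",
    "rules": [
        {"id": "Expiration_EndUser_Assignment", "isExpirationRequired": True, "maximumDuration": "PT8H"},
        {"id": "Enablement_EndUser_Assignment", "enabledRules": ["MultiFactorAuthentication"]},
        {"id": "Approval_EndUser_Assignment", "setting": {"isApprovalRequired": False}},
        {"id": "Expiration_Admin_Eligibility", "isExpirationRequired": False, "maximumDuration": "P365D"},
    ],
}

# Constructed sample matching the article's recommendations.
HARDENED_POLICY = {
    "displayName": "Security Administrator (sample, hardened)",
    "rules": [
        {"id": "Expiration_EndUser_Assignment", "isExpirationRequired": True, "maximumDuration": "PT1H"},
        {"id": "Enablement_EndUser_Assignment",
         "enabledRules": ["MultiFactorAuthentication", "Justification", "Ticketing"]},
        {"id": "Approval_EndUser_Assignment", "setting": {"isApprovalRequired": True}},
        {"id": "Expiration_Admin_Eligibility", "isExpirationRequired": True, "maximumDuration": "P180D"},
    ],
}

if __name__ == "__main__":
    for policy in (DEFAULT_LIKE_POLICY, HARDENED_POLICY):
        print(policy["displayName"], audit_policy(policy) or ["OK"])
```

Run against the default-like sample it reports four findings (8-hour activation, no justification, no approval, permanent eligibility); the hardened sample returns none. Feeding it the exported policies of every role in the tenant turns the manual per-role review into a repeatable check.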
Role assignments review
As always, Microsoft gives us the ability to review who is assigned to which role.
You can check it by going to the following link:
https://portal.azure.com/#blade/Microsoft_Azure_PIMCommon/ResourceMenuBlade/members/resourceId//resourceType/tenant/provider/aadroles
If, by mistake or on purpose, you click on the Alerts option under the Manage section in the left side menu, you will see recommendations for your tenant regarding PIM usage.
You should take a look here once a month to make sure that all recommendations are resolved.
Role Discovery and Insights
This is a preview feature of the PIM solution.
Discovery and insights lets you see, in one place, the current situation regarding:
- Permanent GA assignments
- High privileged roles assignment
- Service principals with privileged roles assignments
To use the Discovery and insights feature, you need to choose Azure AD roles from the Manage section.
Then, in the left side menu, click on Discovery and insights, placed under the Manage section, to review the assignments.
The interesting things are under Discovered assignments in TENANTNAME (in my case, Internal LAB).
When you click on the Reduce global administrators link, you will see who has that role at the moment and can decide who should be onboarded to PIM or removed from the role, and even create access reviews.
You can see that in my test environment I have a couple of permanently assigned GAs. Believe me, it is not configured that way all the time; it is just for the purpose of this article – security first!
Let’s go back to the previous screen. If you click on Eliminate standing access, you will be moved to a screen where you can review assignments to the other privileged directory roles. Of course, you will be able to create access reviews by clicking one button.
And here you can see that there is a group configured for a highly privileged role (using Privileged access groups).
Role Access Reviews
If you decide to create access reviews in the section above, you will see them in the Access reviews section placed under the Manage section.
So, for a quick recap: the Discovery and insights feature allows you to check whether there are any permanent assignments for your accounts and service principals.
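The three buckets the Discovery and insights blade shows (permanent GAs, standing access to other privileged roles, service principals with privileged roles) are easy to reproduce from the raw assignment data, which is useful when you want the same view every week without clicking through the portal. The following is an added example, not the article's code: the input is a constructed sample shaped after Graph roleAssignmentScheduleInstance objects with principal and roleDefinition expanded (the real source would be GET /roleManagement/directory/roleAssignmentScheduleInstances?$expand=principal,roleDefinition); the field names, the role list and the principal names are assumptions of this example.

```python
"""Flag standing privileged access the way the Discovery and insights blade does.

Added example, not the article's code. SAMPLE_INSTANCES is constructed data
shaped after Graph roleAssignmentScheduleInstance objects with principal and
roleDefinition expanded; that shape is an assumption of this example.
"""

# Roles this sample treats as highly privileged (matched by display name so no
# role template ids have to be hard-coded).
PRIVILEGED_ROLES = {
    "Global Administrator",
    "Privileged Role Administrator",
    "Security Administrator",
    "Exchange Administrator",
}

USER = "#microsoft.graph.user"
SERVICE_PRINCIPAL = "#microsoft.graph.servicePrincipal"


def is_permanent(instance):
    """An active ('Assigned') instance with no endDateTime never expires: standing access."""
    return instance.get("assignmentType") == "Assigned" and instance.get("endDateTime") is None


def find_standing_access(instances, privileged_roles=PRIVILEGED_ROLES):
    """Group assignment instances into the three buckets the Discovery blade shows.

    Returns a dict of sorted 'principal -> role' strings under the keys
    'permanent_global_admins', 'permanent_privileged' and 'service_principals'.
    PIM activations (assignmentType 'Activated') have an end time and are not flagged.
    """
    report = {"permanent_global_admins": [], "permanent_privileged": [], "service_principals": []}
    for inst in instances:
        role = inst["roleDefinition"]["displayName"]
        if role not in privileged_roles:
            continue
        principal = inst["principal"]
        label = f"{principal['displayName']} -> {role}"
        if principal.get("@odata.type") == SERVICE_PRINCIPAL:
            report["service_principals"].append(label)
        if is_permanent(inst):
            bucket = "permanent_global_admins" if role == "Global Administrator" else "permanent_privileged"
            report[bucket].append(label)
    return {key: sorted(values) for key, values in report.items()}


def _instance(principal_name, principal_type, role, assignment_type, end):
    """Build one constructed roleAssignmentScheduleInstance-like record."""
    return {
        "assignmentType": assignment_type,
        "endDateTime": end,
        "principal": {"@odata.type": principal_type, "displayName": principal_name},
        "roleDefinition": {"displayName": role},
    }


# Constructed sample (not real tenant data).
SAMPLE_INSTANCES = [
    _instance("Administrator", USER, "Global Administrator", "Assigned", None),   # permanent GA
    _instance("BreakGlass", USER, "Global Administrator", "Assigned", None),      # permanent GA
    _instance("Adele", USER, "Security Administrator", "Activated", "2021-03-01T11:00:00Z"),  # PIM activation
    _instance("Mr. X", USER, "Exchange Administrator", "Assigned", None),         # standing privileged role
    _instance("automation-app", SERVICE_PRINCIPAL, "Security Administrator", "Assigned", None),
    _instance("Helpdesk", USER, "Helpdesk Administrator", "Assigned", None),      # outside the privileged set
]

if __name__ == "__main__":
    for bucket, entries in find_standing_access(SAMPLE_INSTANCES).items():
        print(f"{bucket}: {entries}")
```

On the sample, Adele's time-bound activation is correctly left out, the two permanent GAs land in the first bucket, Mr. X's standing Exchange Administrator role and the service principal in the second, and the service principal is additionally listed on its own. The break-glass account shows up as a permanent GA by design; it is the one entry you would knowingly keep, as the Assignment tab discussion above notes.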
PIM for Azure Resources
As with Azure AD roles, you can use PIM to be in charge of Azure resource role assignments.
The whole process (assignments, alerts, access reviews, role configuration) looks the same as for Azure AD roles.
The only difference is that you first need to discover the Azure resources.
Unfortunately, I already did that in my lab, so I cannot provide screenshots for now – but I will figure out something in one week 🙂
Test in LAB
We have configured some settings for PIM; let’s try it in the field.
I will use two accounts:
- Adele – an employee who will request the Security Administrator role and the Network Contributor role for Azure resources,
- Administrator – an employee who will decide whether to accept or reject the requests.
Adele’s assigned roles before PIM use:
It doesn’t matter whether you are configuring PIM or want to request a role; always use the Azure portal:
https://portal.azure.com/#blade/Microsoft_Azure_PIMCommon/CommonMenuBlade/quickStart/defaultMenuId/quickStart
I’m logging in to the portal with Adele’s credentials.
To request roles, use My roles, available under the Tasks section.
Under the Activate section you can choose from one of three types of assignments:
- Azure AD Roles
- Privileged access groups
- Azure resources
Azure AD Roles
Review which roles are eligible and decide which to request. I will request the Security Administrator role by clicking Activate in the Action column.
On the Activate – Security Administrator window, fill in the required fields and click Activate.
After clicking Activate, my request goes to the approver.
At the same time, the approver received this email:
After clicking the link in the email message, the approver can review the request list and decide whether to approve or deny.
Right after approving the request, 2 more email notifications were sent.
Cool thing, isn’t it? We receive emails about who requested a specific role, when, and even who approved it!
When the request was approved, Adele was asked to complete the MFA prompt, and right after that we can see that the Security Administrator role was assigned to her account.
From now on, Adele can perform all tasks related to the Security Administrator role.
Azure resources roles
Requesting resource roles has the same workflow as for Azure AD roles.
The only difference is that it is visible from the Resource Group perspective.
The images below depict the process in a nutshell.
I wonder if you noticed one cool thing – you can choose where the resource role will be applied: resource groups or resources. It gives you awesome granularity.
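The same two workflows the screenshots walk through (the administrator adding Adele as eligible, then Adele activating the role with justification and ticket details) can be driven through Microsoft Graph, which is how you would script onboarding of many users or integrate the activation into a ticketing flow. The block below is an added example, not the article's code. Its request bodies follow the Graph unifiedRoleEligibilityScheduleRequest and unifiedRoleAssignmentScheduleRequest objects as I understand them; the user and role ids and the ticket values are placeholders, the permission names in the placeholder token string are assumptions, and nothing is sent unless you supply a real token and uncomment the send calls.

```python
"""Build the Graph requests behind the two PIM workflows: an administrator making
a user eligible for a role, and the user self-activating it with justification
and ticket information.

Added example, not code from the article. Bodies follow the Graph
unifiedRoleEligibilityScheduleRequest / unifiedRoleAssignmentScheduleRequest
objects as assumed here; ids and ticket values are placeholders.
"""
import json
import re
import urllib.request
from datetime import datetime, timezone

GRAPH = "https://graph.microsoft.com/v1.0"
_ISO_DURATION = re.compile(r"^P(?:\d+D)?(?:T(?:\d+H)?(?:\d+M)?)?$")


def _schedule(duration):
    """scheduleInfo block: start now, expire after an ISO 8601 duration such as 'PT1H'."""
    if not _ISO_DURATION.match(duration):
        raise ValueError(f"invalid ISO 8601 duration: {duration!r}")
    start = datetime.now(timezone.utc).replace(microsecond=0).isoformat().replace("+00:00", "Z")
    return {"startDateTime": start, "expiration": {"type": "afterDuration", "duration": duration}}


def eligibility_request(principal_id, role_definition_id, justification, duration="P180D"):
    """Admin side (Add assignments): make a principal eligible, not active, for six months by default."""
    return {
        "action": "adminAssign",
        "principalId": principal_id,
        "roleDefinitionId": role_definition_id,
        "directoryScopeId": "/",  # tenant-wide scope
        "justification": justification,
        "scheduleInfo": _schedule(duration),
    }


def activation_request(principal_id, role_definition_id, justification,
                       ticket_number, ticket_system, duration="PT1H"):
    """User side (Activate): self-activate an eligible role for a short window with the fields the article requires."""
    if not justification.strip():
        raise ValueError("justification is required on activation")
    return {
        "action": "selfActivate",
        "principalId": principal_id,
        "roleDefinitionId": role_definition_id,
        "directoryScopeId": "/",
        "justification": justification,
        "ticketInfo": {"ticketNumber": ticket_number, "ticketSystem": ticket_system},
        "scheduleInfo": _schedule(duration),
    }


def send_request(path, body, token):
    """POST a JSON body to Graph with a bearer token and return the parsed response."""
    req = urllib.request.Request(
        f"{GRAPH}{path}",
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholder ids: replace with the user's object id and the role definition id.
    ADELE_ID = "00000000-0000-0000-0000-000000000001"
    SEC_ADMIN_ROLE_ID = "00000000-0000-0000-0000-0000000000aa"
    TOKEN = "<access token with PIM role-management write permissions>"

    eligible = eligibility_request(ADELE_ID, SEC_ADMIN_ROLE_ID, "Onboard Adele to PIM")
    activate = activation_request(ADELE_ID, SEC_ADMIN_ROLE_ID, "Investigate security alert",
                                  "INC-1234", "ServiceNow")
    print(json.dumps(eligible, indent=2))
    print(json.dumps(activate, indent=2))
    # With a real token, these two calls perform the assignment and the activation:
    # send_request("/roleManagement/directory/roleEligibilityScheduleRequests", eligible, TOKEN)
    # send_request("/roleManagement/directory/roleAssignmentScheduleRequests", activate, TOKEN)
```

Note the split of responsibilities: the eligibility request is sent by an administrator and only grants the right to ask, while the activation request is sent by the user and is still subject to the approval, MFA and duration limits from the role settings, exactly as the portal flow above shows with Adele and the approver.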
Thank you for reading all the way to the end.
As always, if you have any questions, feel free to comment on this article or contact me via LinkedIn.