This blog is the last in a small series on Azure AD Premium P2’s Identity Governance toolkit.
PIM is an Azure AD P2 feature that enables just-in-time (JIT) admin rights in Azure and Azure AD. Historically, best practice has been for users to have a separate account for admin tasks, as protection against the primary account if breached. While this is still supported under PIM, it’s less of a requirement – PIM makes admin rights time bound on the same account and optionally require approval to activate.
Users are added as members to administrative roles then assigned to eligible or active role assignment categories.
- Eligible users need to take an extra step to activate the elevated role and get its rights. This might be requesting approval from someone, MFA usage, or potentially both.
- Active users will not have to perform anything like this; they just always have the permissions, as if traditionally assigned them.
You can time fence things with an expiration period for both of these. The user stops being entitled to the administrative role when the expiration hits. As an example of usage, consider a temporary employee or contractor who needs unfettered Global Administrator rights to get the job done. When the employee is no longer active in your tenant your security position is improved even without deleting the account as it no longer has the elevate rights – they’ve expired – and your attack surface is reduced.
JIT applies to eligible users. With JIT, during BAU and doing normal work such as email, the account is just as powerful as a standard user (i.e. it isn’t powerful). The user can, however, visit the Azure AD Privileged Identity Management web interface and activate roles they have been scoped for.
Seen above, the expiration period is the end time and a user can begin Global Administrator activation any time until then.
To activate, additional verification may be required, configured at time of set up by a PIM Administrator. For example, clicking Activate sends an MFA prompt to the device, because it has been configured that all Global Administrators require this to activate. The PIM administrator can also control how long the user request activation to last to a limit of 24 hours. If not required immediately, the elevating user can also choose a custom start time, at which points the new rights kick in. Reasons can also be mandated.
If the role is configured for approval, an approver is emailed about the request.
When they click Approve or deny request, they’re taken to the PIM web console to choose.
Whoever requested elevation is then sent an email to let them know it’s been approved, at which point they now can process actions that are limited to that role, until they expire.
Pingback: Exploring Microsoft 365's NOBELIUM Defence Capabilities - campbell.scot | @rucam365