This post is part of the overall MS-500 Exam Study Guide. Links to each topic as they are posted can be found here.
This post will cover the following exam topics listed under the “Implement Azure AD Privileged Identity Management (PIM)” section:
- Plan for Azure PIM
- Assign eligibility and activate admin roles
- Manage Azure PIM role requests and assignments
- Monitor PIM history and alerts
Plan for Azure PIM
We have previously looked at planning and assigning Admin roles in Microsoft 365. While assigning roles allows for the principal of least privilege to be applied, we can also often end up in a situation where we have a lot of roles assigned across the organization, some of which are only needed occasionally. Privileged Identity Management in Azure AD allows granular control of Admin Roles, introducing the concept of Just in-time (JIT) access while also providing governance around how, when and how long access to admin roles is assigned.
PIM transfers our standard role assignments into “role eligibility”. This means that rather than a user being assigned an admin role, they are made eligible to request the role they need, when they need it. For example, in our previous post we took the following scenario:
“A member of the finance team manages all purchasing and payment of Microsoft 365 subscriptions and licensing. The receive requests for licensing when they are approved and normally need to screen share with an admin to procure licensing, this is a very slow process. The CFO has requested that they are given the ability to purchase without relying on the IT department.“
From this scenario, we deduced that the correct role, providing just enough access to the user was the Billing Admin role. When we look at the requirement though, the user only needs access to the billing functionality occasionally, so 90% of the time, that user has more access than they need.
We see similar situations with other roles across the organization and in some organizations who don’t leverage RBAC, we often see a proliferation of Global Admin Accounts. PIM allows us to remove all of these static role assignments while still providing the right level of access when users need it.
While it is out of scope of this exam guide, it’s good to know that PIM can also be used to manage access to Azure resources, allowing the same principals to be assigned there.
Privileged Identity Management requires an Azure AD Premium P2 license to be assigned to the eligible users
To manage Privileged Identity Management, navigate to the PIM section of the Azure Portal. We have a few options on the PIM page to choose from.
- Quick Start – A guided set of steps to get started with PIM
- Tasks – This section contains tasks relating to your access
- My Roles – This is where you would activate roles assigned to you
- My Requests – This is where you would check status of your active PIM requests
- Approve Requests – This is where you would approve requests for roles which you are an approver
- Review Access – This is where any active Access Reviews would appear
- Manage – This section relates to the management of PIM
- Azure AD Roles – This is where you would configure Azure AD / Microsoft 365 Role assignments
- Privileged Access Groups – This is where you would configure PIM Group assignments, this is a preview feature at the moment
- Azure Resources – This is where you would configure access assignments for Azure resources
- Activity – You can view activation history with full logging
- Troubleshooting + Support – General Azure support section
Assign eligibility and activate admin roles
There are two ways to assign PIM roles, we can either convert existing role assignments to eligible, or we can add them as new role assignments. If we go to “Manage” -> “Azure AD Roles”, we will be brought to the PIM management page. From here, we select “Roles” under the “Manage” section and we see a lis of all of the roles available to assign.
In the screenshot, we can see we have one user listed as “Active” under the billing administrator role. This means they have been assigned that role manually. If we open up the Billing Administrator role, we will find the user under “Active Assignments”.
If we want to convert this role to eligible, we just click on “Update” and in the “Assignment Type” dropdown, we can change it from “Active” to “Eligible”. We can also set a timeframe for the role to be eligible if we wish.
We then hit save and the permanent assignment will be removed from the user, they will now need to use PIM to activate the role.
We can do the same thing for all the roles listed as “Active” to convert all static assignments to eligible. We can also use the “Add Assignments” option at the top of the roles page to add a new assignment that wasn’t permanently assigned before. Here we are assigning the Billing Administrator role to Adele as eligible for the next week:
Before we test role activation, let’s take a look at how we configure a specific role.
Manage Azure PIM role requests and assignments
We’ve looked at how to assign roles to users through PIM but a large part of what makes PIM so secure, is the extra requirements we enforce on a role. For example, all role activations require MFA, but some roles may require approval or have a short lifespan depending on the requirements. To configure this, open up the settings option under Azure AD roles. Here we see a list of our roles:
We select our Billing Admin role that we assigned earlier and we can see all of the settings applied to that role assignment.
We can click on edit to customize these settings for our tenant. For instance, for the Billing Administrator role, let’s shorten the activation maximum duration to one hour and require approval from our admin for activation
We’ll leave the other settings as default. A full list of customizable settings is available here.
Activating a role
When a user has a role assigned, they must navigate to the PIM page to activate their role before they will have access. Once in the Azure Portal, open up Privileged Identity Management and select the “My roles” option. Here, under “Azure AD Roles” we see the newly assigned Billing Admin role.
To enable the role, click activate. Here we can see our activation requirements come into play. The first thing we see is the requirement for additional verification through MFA:
Once that’s approved, we see that our maximum activation time is one hour, as we configured before and we also need to give a justification for activation.
With the justification in place, hit Activate to start the request. Because we specified approval on our request, we see the message stating it is pending approval:
The approver will get an email to approve the request complete with the justification provided:
Clicking approve in the email will bring them to the PIM portal to the requests section where they can approve the outstanding request:
We also require our approver to provide a justification for approval:
Finally, with all the approvals done, our user will get a mail letting them know their role is active, they will also see the role under “Active Assignments” with an end time of one hour from now.
We can also verify that the user has access to the correct role in the admin portal.
Monitor PIM history and alerts
Logging and alerting for PIM is very straightforward, Now that everything is set up, we can open up the “Audit” section in PIM to view a complete logged history of our actions:
We can see the details of each step complete with our justifications etc.
These logs can also be found in the Azure AD Audit logs so they can be monitored using any existing systems such as Azure Sentinal:
Finally, to configure notifications for each role assignment, this can be done from the assignment settings page that we looked at earlier. Simply add in the recipients for each action notification:
The Alerts section in PIM allows us to monitor for certain criteria in out configuration such as roles being activated too frequently. To configure alerts, open up the Alerts section under “Manage” and click the settings cog to check which alerts are active and configure or disable any alerts you don’t want to see:
A particularly useful one is for when an administrator is not using their role, by default if a role isn’t used in 30 days, an alert is raised to let us know that the role isn’t in use. This role assignment may be no longer required and we can potentially remove it.
We will see each of these alerts show up in the Alerts page where we can open them up and action:
PIM is a fantastic tool to secure admin access in your tenancy, the only blocker I see organizations come across is licensing. It is important to note though, that the Azure AD Premium P2 licenses are only required for the accounts that use the service, the value of PIM in my opinion, more than justifies the cost of licensing.
For more information on PIM, check out the below Microsoft resources: