Skip to main content

Assigning groups to Azure AD roles and Privileged access groups, a first look!

On August 13th 2020, Alex Simons (Microsoft Identity PM) announced that assigning groups to Azure AD roles in now in public preview. This feature is one of the most requested features to be found in the Azure AD feedback forum.

I have been following this feature request for a while now, and up until recently Microsoft stated that implementing Azure AD role assignment for Azure AD groups wasn’t the issue, the issue was more related to who is able to manage those groups. For example, if enabled how can we circumvent that someone with the “User Administrator” role (capable of adding users to groups) is capable of adding someone to the group used to assign Global Administrator rights. When implemented incorrectly, this new “feature” could then introduce a new security risk in your environment.

Assigning groups to Azure AD roles requires an Azure AD Premium P1 license at minimum, for the Privileged Identity Functionality an Azure AD Premium P2 license is needed.

Disclaimer: This post reflects the status of assigning groups to Azure AD roles as of August 20, 2020. Functionality may change, even right after this post has been published.

So, let’s walk through on what was announced and see..

Read More

Lessons learned while implementing Azure AD Privileged Identity Management (PIM)

In this blogpost I will share my experiences with implementing Azure AD Privileged Identity Management (PIM).  PIM is a service that enables you to manage, control, and monitor access to important resources in your Azure environment. These resources include resources in Azure AD, Azure, and other Microsoft Online Services like Exchange Online, SharePoint Online or Microsoft Intune. 

PIM provides the following functionality: 

  • Just-in-time privileged access to Azure AD and Azure resources 
  • Assign time-bound access to resources using start and end dates 
  • Require approval to activate privileged roles 
  • Enforce multi-factor authentication to activate any role 
  • Use justification to understand why users activate 
  • Get notifications when privileged roles are activated 
  • Conduct access reviews to ensure users still need roles 
  • Download audit history for internal or external audit 

This article will cover the following topics:

Note: This post reflects the status of Azure AD Privileged Identity Management as of March 24th 2020. Functionality may change, even right after this post has been published.

Read More