In this blogpost I will share my experiences with implementing Azure AD Privileged Identity Management (PIM). PIM is a service that enables you to manage, control, and monitor access to important resources in your Azure environment. These resources include resources in Azure AD, Azure, and other Microsoft Online Services like Exchange Online, SharePoint Online or Microsoft Intune.
PIM provides the following functionality:
- Just-in-time privileged access to Azure AD and Azure resources
- Assign time-bound access to resources using start and end dates
- Require approval to activate privileged roles
- Enforce multi-factor authentication to activate any role
- Use justification to understand why users activate
- Get notifications when privileged roles are activated
- Conduct access reviews to ensure users still need roles
- Download audit history for internal or external audit
This article will cover the following topics:
- Securing Privileged Access
- Licensing
- Accessing PIM
- Rights needed
- How to request rights using PIM
- How to configure PIM as a Privileged Role Administrator
- Adding users as Eligible to Azure AD Roles
- Modifying default role settings
- How to approve requests for administrative rights
- Reviewing all given access using Resource Audit
- Azure Resources
- Access Reviews
- Alerts
- Caveats and challenges
- Conclusion
- References
Note: This post reflects the status of Azure AD Privileged Identity Management as of March 24th 2020. Functionality may change, even right after this post has been published.
Read More