On August 13th 2020, Alex Simons (Microsoft Identity PM) announced that assigning groups to Azure AD roles in now in public preview. This feature is one of the most requested features to be found in the Azure AD feedback forum.
I have been following this feature request for a while now, and up until recently Microsoft stated that implementing Azure AD role assignment for Azure AD groups wasn’t the issue, the issue was more related to who is able to manage those groups. For example, if enabled how can we circumvent that someone with the “User Administrator” role (capable of adding users to groups) is capable of adding someone to the group used to assign Global Administrator rights. When implemented incorrectly, this new “feature” could then introduce a new security risk in your environment.
Assigning groups to Azure AD roles requires an Azure AD Premium P1 license at minimum, for the Privileged Identity Functionality an Azure AD Premium P2 license is needed.
Disclaimer: This post reflects the status of assigning groups to Azure AD roles as of August 20, 2020. Functionality may change, even right after this post has been published.
So, let’s walk through on what was announced and see..
In this blogpost I will share my experiences with implementing Azure AD Privileged Identity Management (PIM). PIM is a service that enables you to manage, control, and monitor access to important resources in your Azure environment. These resources include resources in Azure AD, Azure, and other Microsoft Online Services like Exchange Online, SharePoint Online or Microsoft Intune.
PIM provides the following functionality:
- Just-in-time privileged access to Azure AD and Azure resources
- Assign time-bound access to resources using start and end dates
- Require approval to activate privileged roles
- Enforce multi-factor authentication to activate any role
- Use justification to understand why users activate
- Get notifications when privileged roles are activated
- Conduct access reviews to ensure users still need roles
- Download audit history for internal or external audit
This article will cover the following topics:
Note: This post
reflects the status of Azure AD Privileged Identity Management as of March 24th
2020. Functionality may change, even right after this post has been published.
default, on Windows 10 devices which are Azure AD joined, the user performing
the join is added to the Local Administrator group. Besides the user and the
local administrator (which is disabled by default), two other SIDs are added
without any friendly name which explain who they are. So where are those SIDs
possible to make the user a normal user while enrolling the device, but then
you have to create a Deployment Profile and use Windows Autopilot. See: Configure
Autopilot profiles or use Bulk enrollment. See: Bulk
enrollment for Windows devices
Note: This post reflects the status of Azure AD
local administrative privileges as of February 11th 2020. Functionality may
change, even right after this post has been published.