Azure AD Privileged Identity Management (Part 2)


 

To read part 1 please click here

Microsoft Identity Management

Microsoft Identity Management or MIM helps organizations to manage the users, credentials, policies, and access within their organization and hybrid environments. MIM enables Active Directory Domain Services to help the right users and right accesses for on-premises apps. Azure AD Connect can then make those users and permissions available in Azure AD for Microsoft 365 and cloud-hosted apps.

Identity has become a common factor among many services, like Microsoft 365 and Xbox Live, where the person is the center of the services. Your digital identity is the combination of who you are and what you are allowed to do. That is

Credentials+ Privileges = digital identity

These identities have more than the normal user rights, and, if compromised allow a malicious hacker to access sensitive corporate assets. Securing these privileged identities is a critical step in establishing security assurances for business assets in a modern organization.

Steps for a passwordless world

  • Enforce MFA- Confirm to the Fast Identity Online (FIDO) 2.0 standard, so you can require a PIN and a biometric for authentication rather than a password. 
  • Reduce legacy authentication workflows- Keep apps that require a passwords into a separate user access portal and migrate users to modern authentication flows most of the time.
  • Remove passwords- Create consistency across Active Directory Domain Services and Azure Active Directory to enable administrators to remove passwords from identity directory.

Azure AD Privileged Identity Management is recommended to use as a service to help protect your privileged accounts.

Azure AD Privileged Identity Management (PIM)

With the help of Azure AD PIM service, you can manage, control, and monitor access to important resources in your organization. PIM helps mitigate the risk of excessive, unnecessary, or misused access rights.

Key PIM features

  • Providing just-in-time privileged access to Azure AD and Azure resources. IT administrators can pick an activation period between 0 and 24 hours. After the activation period, admins will have to go through the activation process again.
  • Assigning time-bound access to resources by using start and end dates. This is particularly useful in a guest scenario and if your organization have guests that are working for a specific timethe role privilege will expire automatically.
  • Requiring approval to activate privileged roles. You can designate one or more approvers who will receive an email once once a request is made. Approval is required to activate the privilege.
  • Enforcing Azure Multi-Factor Authentication (MFA) to activate any role. If your organization's MFA is already enabled, PIM will not ask the user to sign in again.
  • Using justification to understand why users activate that benefits both internal and external auditors understanding why the role was activated. 
  • Get notifications when a user is assigned a privilege and when that privilege is activated.
  • Conducting access reviews to know which users have privileged roles in the organization and if they still need them.
  • Downloading an audit history for an internal or external audit. This keeps track of all PIM events.  

Ways to use PIM

It can be used in the following ways:

  • View which users are assigned privileged roles to manage Azure resources as well as which users are assigned administrative roles in Azure AD.
  • Enable on-demand, "just-in-time"administrative access to Microsoft Online Services like Microsoft 365 and Intune, and also Azure resources of subscriptions, resource groups, and individual resources such as Virtual Machines.
  • Review a history of administrator activation, including what changes administrators made to Azure resources.
  • Review membership of administrative roles and require users to provide justification for continued membership.
  • Get alerts about changes in administrator assignments. 
  • Require approval to activate Azure AD privileged admin roles.

Roles managed in PIM

PIM allows users to assign common administrator roles including:

  • Global administrator or company administrator has access to all administrative features. The person who signs up to purchase Microsoft 365 automatically becomes a global admin.
  • Privileged role administrator manages Azure AD PIM and updates role assignments for other users.
  • Billing administrator makes purchases, manages subscriptions, support tickets, and monitors service health.
  • Password administrator resets passwords, manages service request, and monitors service health and are limited to resetting passwords for users.
  • User management administrator resets password, monitor service health, and manages user accounts, groups, and service requests.
  • Service administrator manages service requests and monitors service health.
  • Exchange administrator has administrative access to Exchange Online through the Exchange Admin Center (EAC), and can perform almost any task in SharePoint Online.
  • Skype for business administrator has administrative access to Skype for business through the Skype for business admin center, and can perform almost any task in Skype for Business Online.  

Roles within Exchange Online or SharePoint Online (except for those mentioned above), Azure subscriptions, and resource groups are not represented in Azure AD and so are not visible in PIM.

PIM Onboarding

To use PIM you need atleast one of the following paid or trial licenses- Azure AD Premium P2, Enterprise Mobility + Security (EMS) ES, or Microsoft 365 MS. 

The first Global Administrator to use PIM in your instance of Azure AD is automatically assigned the Security administrator and Privileged Role administrator roles in the directory. This person must be an eligible Azure AD user. No one else in your Azure AD organization gets access by default though other Global Administrators, Security administrators and Security readers have read-only access to PIM. First user can easily assign others to the Privileged Role Administrators role to grant them access to PIM. 

There should be at least two users in a Priveleged Role Administrator role, in case if one user is locked out or their account is deleted.

Azure AD PIM Workflow

Elevated workflow

Elevated access includes job roles that needs greater access, including support, resource administrators, resource owners, service administrators, and global administrators. We can also monitor access, audit account elevations, and receive additional alerts through a management dashboard in the Azure portal. But as the elevated accounts could be misused if they are compromised, we rationalize new requests for elevated access and perform regular re-attestation for elevated roles. 

JIT administrator access

We can assign an employee to an administrative role through the Azure portal or Windows PowerShell and that employee will become a permanent administrator and their elevated access will remain active in the assigned role. The eligible administrator is inactive until the employee needs access, then they complete an activation process and become an active administrator for a set amount of time. 

Role activation in Azure Active Directory

To activate a role, an eligible admin will initialize Azure AD PIM in the Azure portal and request a time-limited role activation. The activation is requested using the Activate my role option in Azure AD PIM. Users requesting the activation must satisfy conditional access policies to ensure that they are coming from authorized devices and locations, with verified identities through multi-factor authentication.

Tracking the use of privileged roles using the dashboard

A dashboard through the Azure portal provides centralized view of :

  • Alerts that point out opportunities to improve security.
  • The number of users who are assigned to each privileged roles.
  • The number of eligible and permanent admins.
  • Ongoing access reviews.

 We can easily track how employees and admins are using their privileged roles by viewing the audit history or by setting up a regular access review. Both the options are available on the PIM dashboard in the Azure portal.

In Azure AD, we use Azure AD PIM to manage the users and groups that we assign to built-in Azure AD organizational roles, such as Global Administrator as well as via Azure RBAC roles, including owner and contributor also.

 

To read part 1 please click here












Comments

Popular posts from this blog

Deployment (Part 3)

Deployment (Part 1)

Project Resourcing (Part 2)