Azure AD Privileged Identity Management (Part 2)


 

To read part 1 please click here

Microsoft Identity Management

Microsoft Identity Management (MIM) helps organizations manage the users, credentials, policies, and access within their organization and across hybrid environments. MIM works with Active Directory Domain Services to give the right users the right access to on-premises apps. Azure AD Connect can then make those users and permissions available in Azure AD for Microsoft 365 and cloud-hosted apps.

Identity has become a common factor across many services, such as Microsoft 365 and Xbox Live, where the person is at the center of the service. Your digital identity is the combination of who you are and what you are allowed to do, that is:

Credentials + Privileges = digital identity

Privileged identities carry more than the normal user rights and, if compromised, allow a malicious hacker to access sensitive corporate assets. Securing these privileged identities is a critical step in establishing security assurances for business assets in a modern organization.

Steps for a passwordless world

  • Enforce MFA - Conform to the Fast Identity Online (FIDO) 2.0 standard, so you can require a PIN and a biometric for authentication rather than a password. 
  • Reduce legacy authentication workflows - Keep apps that require passwords in a separate user access portal and migrate users to modern authentication flows for most of their work.
  • Remove passwords - Create consistency across Active Directory Domain Services and Azure Active Directory so that administrators can remove passwords from the identity directory.

Azure AD Privileged Identity Management is the recommended service for protecting your privileged accounts.

Azure AD Privileged Identity Management (PIM)

With the help of Azure AD PIM service, you can manage, control, and monitor access to important resources in your organization. PIM helps mitigate the risk of excessive, unnecessary, or misused access rights.

Key PIM features

  • Providing just-in-time privileged access to Azure AD and Azure resources. IT administrators can pick an activation period between 0 and 24 hours. After the activation period ends, admins have to go through the activation process again.
  • Assigning time-bound access to resources by using start and end dates. This is particularly useful in a guest scenario: if your organization has guests who are working for a specific period, the role privilege expires automatically.
  • Requiring approval to activate privileged roles. You can designate one or more approvers who receive an email once a request is made; the request must be approved before the privilege is activated.
  • Enforcing Azure Multi-Factor Authentication (MFA) to activate any role. If your organization's MFA is already enabled, PIM will not ask the user to sign in again.
  • Requiring a justification for activation, which helps both internal and external auditors understand why the role was activated. 
  • Sending notifications when a user is assigned a privilege and when that privilege is activated.
  • Conducting access reviews to know which users have privileged roles in the organization and whether they still need them.
  • Downloading an audit history for an internal or external audit. The audit history keeps track of all PIM events.  

Ways to use PIM

It can be used in the following ways:

  • View which users are assigned privileged roles to manage Azure resources as well as which users are assigned administrative roles in Azure AD.
  • Enable on-demand, "just-in-time" administrative access to Microsoft Online Services like Microsoft 365 and Intune, and also to Azure resources: subscriptions, resource groups, and individual resources such as Virtual Machines.
  • Review a history of administrator activation, including what changes administrators made to Azure resources.
  • Review membership of administrative roles and require users to provide justification for continued membership.
  • Get alerts about changes in administrator assignments. 
  • Require approval to activate Azure AD privileged admin roles.

Roles managed in PIM

PIM allows users to assign common administrator roles including:

  • Global administrator or company administrator has access to all administrative features. The person who signs up to purchase Microsoft 365 automatically becomes a global admin.
  • Privileged role administrator manages Azure AD PIM and updates role assignments for other users.
  • Billing administrator makes purchases, manages subscriptions, support tickets, and monitors service health.
  • Password administrator resets passwords, manages service requests, and monitors service health, and is limited to resetting passwords for users.
  • User management administrator resets passwords, monitors service health, and manages user accounts, groups, and service requests.
  • Service administrator manages service requests and monitors service health.
  • Exchange administrator has administrative access to Exchange Online through the Exchange Admin Center (EAC), and can perform almost any task in SharePoint Online.
  • Skype for business administrator has administrative access to Skype for business through the Skype for business admin center, and can perform almost any task in Skype for Business Online.  

Roles within Exchange Online or SharePoint Online (except for those mentioned above), Azure subscriptions, and resource groups are not represented in Azure AD and so are not visible in PIM.

PIM Onboarding

To use PIM you need at least one of the following paid or trial licenses: Azure AD Premium P2, Enterprise Mobility + Security (EMS) E5, or Microsoft 365 M5. 

The first Global Administrator to use PIM in your instance of Azure AD is automatically assigned the Security Administrator and Privileged Role Administrator roles in the directory. This person must be an eligible Azure AD user. No one else in your Azure AD organization gets access by default, though other Global Administrators, Security Administrators and Security Readers have read-only access to PIM. The first user can then assign others to the Privileged Role Administrator role to grant them access to PIM. 

There should be at least two users in the Privileged Role Administrator role, in case one user is locked out or their account is deleted.

Azure AD PIM Workflow

Elevated workflow

Elevated access covers job roles that need greater access, including support, resource administrators, resource owners, service administrators, and global administrators. We can also monitor access, audit account elevations, and receive additional alerts through a management dashboard in the Azure portal. Because elevated accounts could be misused if they are compromised, we rationalize new requests for elevated access and perform regular re-attestation of elevated roles. 

JIT administrator access

If we assign an employee to an administrative role directly through the Azure portal or Windows PowerShell, that employee becomes a permanent administrator and their elevated access remains active in the assigned role. With PIM, the employee is instead made an eligible administrator: the eligible administrator is inactive until the employee needs access, at which point they complete an activation process and become an active administrator for a set amount of time. 

Role activation in Azure Active Directory

To activate a role, an eligible admin will initialize Azure AD PIM in the Azure portal and request a time-limited role activation. The activation is requested using the Activate my role option in Azure AD PIM. Users requesting the activation must satisfy conditional access policies to ensure that they are coming from authorized devices and locations, with verified identities through multi-factor authentication.
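The activation flow just described (an eligible admin requests a time-limited activation that must satisfy the role's policy) as a small added model, written for this post and not Microsoft's code. The policy values come from the features listed above (0 to 24 hour activation window, MFA, optional approval, justification). The request body mirrors the shape of a Microsoft Graph `roleAssignmentScheduleRequest` with the `selfActivate` action, which is an assumption about the Graph v1.0 schema; nothing is sent to Azure, and the principal and role ids are placeholders.

```python
# Added illustrative model of PIM just-in-time activation; not Microsoft's code.
# Assumption: the payload follows the Graph v1.0 roleAssignmentScheduleRequest shape.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_ACTIVATION = timedelta(hours=24)  # PIM's upper bound on an activation period
SAMPLE_NOW = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)  # constructed timestamp


@dataclass
class RoleSettings:
    """Activation settings an admin configures per role (hypothetical defaults)."""
    max_activation: timedelta = MAX_ACTIVATION
    require_mfa: bool = True
    require_justification: bool = True
    require_approval: bool = False


@dataclass
class ActivationRequest:
    principal_id: str          # object id of the eligible user (placeholder in examples)
    role_definition_id: str    # template id of the directory role (placeholder in examples)
    duration: timedelta
    justification: str
    mfa_satisfied: bool        # did the sign-in already satisfy MFA / conditional access?


def iso_duration(td: timedelta) -> str:
    """Render a timedelta as the ISO 8601 duration Graph expects, e.g. PT8H or PT1H30M."""
    total_minutes = int(td.total_seconds() // 60)
    hours, minutes = divmod(total_minutes, 60)
    return f"PT{hours}H" if minutes == 0 else f"PT{hours}H{minutes}M"


def validate_request(req: ActivationRequest, settings: RoleSettings) -> list:
    """Return the policy violations for a request; an empty list means it may proceed."""
    problems = []
    if req.duration <= timedelta(0) or req.duration > settings.max_activation:
        problems.append(f"duration must be between 0 and {iso_duration(settings.max_activation)}")
    if settings.require_mfa and not req.mfa_satisfied:
        problems.append("multi-factor authentication required")
    if settings.require_justification and not req.justification.strip():
        problems.append("justification required")
    return problems


def build_graph_payload(req: ActivationRequest, start: datetime) -> dict:
    """Body for POST /roleManagement/directory/roleAssignmentScheduleRequests (assumed schema)."""
    return {
        "action": "selfActivate",
        "principalId": req.principal_id,
        "roleDefinitionId": req.role_definition_id,
        "directoryScopeId": "/",
        "justification": req.justification,
        "scheduleInfo": {
            "startDateTime": start.isoformat().replace("+00:00", "Z"),
            "expiration": {"type": "AfterDuration", "duration": iso_duration(req.duration)},
        },
    }


def activate(req: ActivationRequest, settings: RoleSettings, now: datetime) -> dict:
    """Evaluate an activation the way PIM does: deny on a policy violation, park it
    for approval when approvers are configured, otherwise grant time-limited access."""
    problems = validate_request(req, settings)
    if problems:
        return {"status": "Denied", "reasons": problems}
    status = "PendingApproval" if settings.require_approval else "Provisioned"
    result = {"status": status, "request": build_graph_payload(req, now)}
    if status == "Provisioned":
        # the assignment lapses on its own; the admin must re-activate afterwards
        result["expires"] = now + req.duration
    return result


def make_request(hours: float, justification: str = "Ticket 1234: rotate app secrets",
                 mfa: bool = True) -> ActivationRequest:
    """Convenience constructor with placeholder ids for the examples below."""
    return ActivationRequest("00000000-0000-0000-0000-000000000001",   # placeholder user id
                             "00000000-0000-0000-0000-0000000000aa",   # placeholder role id
                             timedelta(hours=hours), justification, mfa)


if __name__ == "__main__":
    print(activate(make_request(8), RoleSettings(), SAMPLE_NOW))
    print(activate(make_request(25), RoleSettings(), SAMPLE_NOW))
```

Running the block activates an 8 hour request and denies a 25 hour one; switching `require_approval` on returns `PendingApproval` instead of an expiry, which is where the approver email in the feature list would be triggered.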

Tracking the use of privileged roles using the dashboard

A dashboard in the Azure portal provides a centralized view of:

  • Alerts that point out opportunities to improve security.
  • The number of users who are assigned to each privileged role.
  • The number of eligible and permanent admins.
  • Ongoing access reviews.

We can easily track how employees and admins are using their privileged roles by viewing the audit history or by setting up a regular access review. Both options are available on the PIM dashboard in the Azure portal.

In Azure AD, we use Azure AD PIM to manage the users and groups assigned to built-in Azure AD organizational roles, such as Global Administrator, as well as to Azure RBAC roles, such as Owner and Contributor.
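An added example, not from the post or from Microsoft, of the kind of review the dashboard and audit history support: it walks a handful of constructed audit records and reports the eligible versus permanent admin counts per role, then flags the two things a reviewer usually wants to know first, namely permanent assignments of the most powerful roles and activations that carry no justification. The record layout and the activity names are constructed to resemble Azure AD audit-log entries for PIM and are assumptions, not a schema guarantee.

```python
# Added example of reviewing PIM audit history; records and field names are constructed.
from collections import defaultdict

# Roles where a permanent (always-on) assignment deserves a finding
HIGH_PRIVILEGE = {"Global Administrator", "Privileged Role Administrator"}

# Activity names modelled on PIM entries in the Azure AD audit log (assumption)
ACT_ELIGIBLE = "Add eligible member to role completed (permanent)"
ACT_PERMANENT = "Add member to role completed (permanent)"
ACT_ACTIVATE = "Add member to role completed (PIM activation)"
ACT_DEACTIVATE = "Remove member from role completed (PIM deactivate)"

# Constructed sample audit records (not real tenant data)
SAMPLE_EVENTS = [
    {"time": "2024-01-15T08:00Z", "activity": ACT_ELIGIBLE, "actor": "pim.admin@example.com",
     "target": "alice@example.com", "role": "Global Administrator", "justification": "onboarding"},
    {"time": "2024-01-15T08:01Z", "activity": ACT_ELIGIBLE, "actor": "pim.admin@example.com",
     "target": "bob@example.com", "role": "Exchange Administrator", "justification": "onboarding"},
    {"time": "2024-01-15T08:02Z", "activity": ACT_PERMANENT, "actor": "pim.admin@example.com",
     "target": "carol@example.com", "role": "Global Administrator", "justification": "break glass"},
    {"time": "2024-01-15T09:00Z", "activity": ACT_ACTIVATE, "actor": "alice@example.com",
     "target": "alice@example.com", "role": "Global Administrator", "justification": "Ticket 42"},
    {"time": "2024-01-15T09:30Z", "activity": ACT_ACTIVATE, "actor": "bob@example.com",
     "target": "bob@example.com", "role": "Exchange Administrator", "justification": ""},
    {"time": "2024-01-15T17:00Z", "activity": ACT_DEACTIVATE, "actor": "alice@example.com",
     "target": "alice@example.com", "role": "Global Administrator", "justification": ""},
]


def assignment_summary(events):
    """Per-role count of distinct eligible and permanent admins, as the dashboard shows them."""
    members = defaultdict(lambda: {"eligible": set(), "permanent": set()})
    for ev in events:
        if ev["activity"] == ACT_ELIGIBLE:
            members[ev["role"]]["eligible"].add(ev["target"])
        elif ev["activity"] == ACT_PERMANENT:
            members[ev["role"]]["permanent"].add(ev["target"])
    return {role: {kind: len(users) for kind, users in kinds.items()}
            for role, kinds in members.items()}


def review(events):
    """Return findings a reviewer would raise from the audit history."""
    findings = []
    for ev in events:
        if ev["activity"] == ACT_PERMANENT and ev["role"] in HIGH_PRIVILEGE:
            findings.append({"kind": "permanent-high-privilege", "user": ev["target"],
                             "role": ev["role"], "time": ev["time"]})
        if ev["activity"] == ACT_ACTIVATE and not ev["justification"].strip():
            findings.append({"kind": "activation-without-justification", "user": ev["target"],
                             "role": ev["role"], "time": ev["time"]})
    return findings


if __name__ == "__main__":
    for role, counts in assignment_summary(SAMPLE_EVENTS).items():
        print(f"{role}: {counts['eligible']} eligible, {counts['permanent']} permanent")
    for f in review(SAMPLE_EVENTS):
        print(f"{f['time']} {f['kind']}: {f['user']} / {f['role']}")
```

On the sample data the summary shows one eligible and one permanent Global Administrator, and the review raises two findings: Carol's permanent Global Administrator assignment and Bob's activation with an empty justification. Against a real tenant the same two functions would run over exported audit history rather than the constructed list.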
