Privileged Identity Management

Privileged Identity Management (PIM) in Azure AD

Azure AD PIM helps you manage, control, and monitor access within your organization: access to resources in Azure AD, to Azure resources, and to other Microsoft Online Services such as Microsoft 365 and Microsoft Intune. It does not remove the need for users to carry out privileged operations in Azure AD, Azure, Office 365, and Software as a Service (SaaS) apps; instead, it mitigates the risk of excessive, unnecessary, or misused access rights. The key features of PIM are:
  1. Providing just-in-time privileged access to Azure AD and Azure resources.
  2. Assigning time-bound access to resources by using start and end dates.
  3. Requiring approval to activate privileged roles.
  4. Enforcing Azure Multi-factor Authentication (MFA) to activate any role.
  5. Requiring a justification so you understand why users activate a role.
  6. Sending notifications when privileged roles are activated.
  7. Conducting access reviews to ensure that users still need their roles.
  8. Downloading an audit history for an internal or external audit.
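The feature list above reads naturally as a configuration baseline. The following added example (not code from the original post) checks a set of role settings against that baseline: MFA, approval and justification on activation, short activation windows, and no permanent active assignments. The records and their field names are constructed assumptions, not the Azure AD API schema.

```python
"""Check PIM role settings against a hardening baseline (added example).

The role-setting records are constructed; field names are assumptions and do
not mirror the real PIM export or Graph API schema.
"""

# Constructed sample: one record per privileged role, as an admin might export.
ROLE_SETTINGS = [
    {"role": "Global Administrator", "require_mfa": True, "require_approval": True,
     "require_justification": True, "max_activation_hours": 4,
     "permanent_active_assignments": 0},
    {"role": "Security Administrator", "require_mfa": False, "require_approval": False,
     "require_justification": True, "max_activation_hours": 24,
     "permanent_active_assignments": 2},
    {"role": "Helpdesk Administrator", "require_mfa": True, "require_approval": False,
     "require_justification": False, "max_activation_hours": 8,
     "permanent_active_assignments": 0},
]

MAX_ACTIVATION_HOURS = 8  # baseline: activations should be short-lived


def check_role(setting, max_hours=MAX_ACTIVATION_HOURS):
    """Return the list of baseline deviations for one role (empty = compliant)."""
    findings = []
    if not setting["require_mfa"]:
        findings.append("MFA not enforced on activation")
    if not setting["require_approval"]:
        findings.append("approval not required")
    if not setting["require_justification"]:
        findings.append("justification not required")
    if setting["max_activation_hours"] > max_hours:
        findings.append(
            f"max activation {setting['max_activation_hours']}h exceeds {max_hours}h")
    if setting["permanent_active_assignments"] > 0:
        findings.append(
            f"{setting['permanent_active_assignments']} permanent active assignment(s); "
            "prefer eligible, time-bound assignments")
    return findings


def audit_roles(settings):
    """Map role name -> findings, listing only the non-compliant roles."""
    return {s["role"]: f for s in settings if (f := check_role(s))}


if __name__ == "__main__":
    for role, findings in audit_roles(ROLE_SETTINGS).items():
        print(role, "->", "; ".join(findings))
```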

Prerequisites

You will need one of the following paid or trial licenses to use PIM:
  1. Azure AD Premium P2
  2. Enterprise Mobility + Security (EMS) E5

Configure PIM

The first person to use PIM in your Azure AD tenant is automatically assigned the Security Administrator and Privileged Role Administrator roles in the directory; this person must also be an eligible Azure AD user. You can also choose to run the security wizard, which walks you through the initial discovery and assignment experience. In addition, users or members of a group assigned to the Owner or User Access Administrator roles, and Global Administrators who enable subscription management in Azure AD, are Resource Administrators: they can assign roles, configure role settings, and review access with PIM for Azure resources.

Steps for PIM Setup

  1. Discover Azure resources from the Azure AD Privileged Identity Management blade.
  2. Grant access to other personnel to manage PIM: the default Global Administrator assigns others to the Privileged Role Administrator role.
  3. Elevate access for a Global Administrator: this lets you view all resources and assign access in any subscription or management group in the directory.

Audit PIM

You can also use the PIM audit history to view all user assignments and activations within a given time period for all privileged roles. However, to view the entire audit history of activity in your tenant, including administrator, end-user, and synchronization activity, you have to use the Azure AD access and usage reports.

Navigate to audit history

Select the Azure AD PIM app on the Azure portal dashboard and, from there, open the audit history by clicking Manage privileged roles > Audit history in the PIM dashboard.

Audit History Graph

The audit history shows the total activations, maximum activations per day, and average activations per day in a line graph; if the history contains more than one role, the data can be filtered by role.
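To make the graph's figures concrete, here is an added example (not code from the original post) that computes the same total, maximum-per-day and average-per-day activation counts from exported audit entries, optionally filtered by role, and flags days whose count spikes above the average. The entries and their field layout are constructed assumptions, not the real PIM export format.

```python
"""Summarise PIM activation history the way the Audit History graph does.

Added example; the audit entries are constructed and the tuple layout
(date, role, action, requester) is an assumption, not the PIM export format.
"""
from collections import Counter
from datetime import date

# Constructed sample of audit entries: (date, role, action, requester).
AUDIT_ENTRIES = [
    ("2023-03-01", "Global Administrator", "Activate", "alice"),
    ("2023-03-01", "Security Administrator", "Activate", "bob"),
    ("2023-03-01", "Global Administrator", "Deactivate", "alice"),
    ("2023-03-02", "Global Administrator", "Activate", "alice"),
    ("2023-03-02", "Global Administrator", "Activate", "carol"),
    ("2023-03-02", "Global Administrator", "Activate", "erin"),
    ("2023-03-02", "Global Administrator", "Add member to role", "dave"),
    ("2023-03-03", "Security Administrator", "Activate", "bob"),
    ("2023-03-04", "Global Administrator", "Activate", "alice"),
]


def activation_stats(entries, start, end, role=None):
    """Total, max-per-day and average-per-day activations within [start, end].

    Only 'Activate' entries count, matching the graph; deactivations and
    assignment changes are ignored. The average is taken over every day in the
    window, including days with no activation, so quiet days are not hidden.
    """
    start_d, end_d = date.fromisoformat(start), date.fromisoformat(end)
    per_day = Counter()
    for day, entry_role, action, _requester in entries:
        d = date.fromisoformat(day)
        if action != "Activate" or not (start_d <= d <= end_d):
            continue
        if role is not None and entry_role != role:
            continue
        per_day[d] += 1
    days_in_window = (end_d - start_d).days + 1
    total = sum(per_day.values())
    return {
        "total": total,
        "max_per_day": max(per_day.values(), default=0),
        "avg_per_day": round(total / days_in_window, 2),
        "series": {d.isoformat(): n for d, n in sorted(per_day.items())},
    }


def unusual_days(entries, start, end, role=None, factor=2.0):
    """Days with more than `factor` times the average activations (and at least
    two): a simple spike check that marks days worth reviewing in the full log."""
    stats = activation_stats(entries, start, end, role)
    threshold = stats["avg_per_day"] * factor
    return [d for d, n in stats["series"].items() if n > threshold and n >= 2]
```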

Microsoft Identity Manager (MIM)

MIM allows organizations to manage users, credentials, policies, and access within their organizations and hybrid environments. It simplifies identity lifecycle management through automated workflows, business rules, and easy integration with heterogeneous platforms across the datacenter. MIM also helps ensure that AD holds the right users and access rights for on-premises apps. On-premises AD, Azure AD, or a hybrid combination of the two can all provide user and device authentication, identity and role management, and provisioning.

Hybrid Identities

Nowadays, identity has become a common factor among many services such as Microsoft Office 365 and Xbox Live, where the person is at the center of the service. Your digital identity is the combination of who you are and what you are allowed to do, that is:

Credentials + Privileges = digital identity

Because privileged identities carry more than normal user rights, compromising them can give a malicious actor access to sensitive corporate assets; securing these privileged identities is therefore a crucial step in establishing security assurances for business assets in a modern organization. Azure AD PIM is the recommended service for protecting your privileged accounts.

Evolution of identities

The following steps can be taken toward a password-less world:

  • Enforce MFA: conform to the Fast Identity Online (FIDO) 2.0 standard, so that authentication requires a PIN and a biometric rather than a password. Windows Hello is a good example, but use the MFA method that works for your organization.

  • Reduce legacy authentication workflows: apps that require a password can be placed in a separate user access portal, and users migrated to modern authentication flows for most of their work. At Microsoft, only 10% of users enter a password on a given day.

  • Remove passwords: create consistency across Azure AD and AD so that administrators can remove passwords from the identity directory.