How to set up Azure Privileged Identity Management (PIM) – Manual

Privileged Identity Management (PIM) is a service in Azure AD that lets you manage, control, and monitor access to important resources in your organization, including resources in Azure AD, Azure, Microsoft 365, and Microsoft Intune.

Microsoft Azure PIM overview

Why should you use it?

Organizations want to minimize the number of people who have access to secure information or resources, because that reduces the chance of

  • a malicious actor getting access
  • an authorized user inadvertently impacting a sensitive resource

However, users still need to carry out privileged operations in Azure AD, Azure, Microsoft 365, or SaaS apps. Organizations can give users just-in-time privileged access to Azure and Azure AD resources and can oversee what those users are doing with their privileged access.

You assign users the role with the least privileges necessary to perform their tasks. This practice minimizes the number of Global Administrators and instead uses specific administrator roles for certain scenarios.

Licensing

Before you can use Privileged Identity Management you need one of the following licenses; they are also included in larger bundles such as Microsoft 365 E5.

  • Azure AD Premium P2
  • Enterprise Mobility + Security (EMS) E5

What’s in it

Privileged Identity Management provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources that you care about. Here are some of the key features of Privileged Identity Management:

  • Provide just-in-time privileged access to Azure AD and Azure resources
  • Assign time-bound access to resources using start and end dates
  • Require approval to activate privileged roles
  • Enforce multi-factor authentication to activate any role
  • Use justification to understand why users activate
  • Get notifications when privileged roles are activated
  • Conduct access reviews to ensure users still need roles
  • Download audit history for internal or external audit
  • Prevent removal of the last active Global Administrator role assignment

MANUAL

Now let's get started with setting up Azure PIM. In this short manual I want to give you a quick start on how to assign and activate roles. I will do this with my Global Admin account. You can use this example for groups and other users and roles.

STEP 1: Go to the Azure portal (https://portal.azure.com), search for Privileged Identity Management in the search bar, open it and go to Azure AD roles.

(Screenshot: Privileged Identity Management, Azure AD roles)

STEP 2: Let's start assigning the role. Go to Assign eligibility.

(Screenshot: Assign eligibility)

The next screen lists the currently active assignments (including permanent ones) as well as the eligible accounts. Let's make my account eligible for the Global Administrator role. Click on Add assignments.

(Screenshot: Azure AD role assignments)

Select the membership. For this manual I've chosen just my admin account, but for most roles I recommend assigning groups instead, so that joiners and leavers are handled by group membership rather than by editing PIM. Click Next when done.

(Screenshot: Add membership)

In the following step choose the assignment type (Eligible, so the role has to be activated on demand instead of being held permanently) and a start and end date for the eligibility. A bounded eligibility forces a re-review instead of granting the account standing access forever.

(Screenshot: Add assignment, assignment type and dates)
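The same eligible assignment can be created with the Microsoft Graph PowerShell SDK, which is what you want once PIM is rolled out to more than a handful of roles or groups. This is an added example, not code from the original post: the UPN is a placeholder and the 180-day eligibility window is an assumed choice; the Global Administrator role is resolved by display name so no copied GUID is trusted.

```powershell
# Added example: create an eligible (not active) Global Administrator assignment
# with the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph).
# Assumptions: the UPN below is a placeholder; eligibility is limited to 180 days
# so it comes up for re-review instead of living forever.
Connect-MgGraph -Scopes "User.Read.All",
                        "RoleManagement.Read.Directory",
                        "RoleEligibilitySchedule.ReadWrite.Directory"

$upn = "pim.admin@contoso.onmicrosoft.com"          # assumed placeholder account
$principal = Get-MgUser -UserId $upn                 # for a group, use Get-MgGroup and its Id instead

# Resolve the role by name rather than pasting a GUID
$gaRole = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Administrator'"
if (-not $gaRole) { throw "Global Administrator role definition not found" }

$start = (Get-Date).ToUniversalTime()
$body = @{
    action           = "adminAssign"                 # an admin creates the eligibility for the principal
    justification    = "PIM rollout: replace permanent GA with eligible assignment"
    roleDefinitionId = $gaRole.Id
    directoryScopeId = "/"                           # whole tenant; an administrative unit id narrows it
    principalId      = $principal.Id
    scheduleInfo     = @{
        startDateTime = $start
        expiration    = @{
            type        = "afterDateTime"            # bounded eligibility, as chosen in the portal
            endDateTime = $start.AddDays(180)
        }
    }
}

$request = New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $body
$request | Select-Object Id, Action, Status          # Status should read Provisioned

# Confirm what the principal is now eligible for (the "Eligible" list in the portal)
Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter "principalId eq '$($principal.Id)'" |
    Select-Object RoleDefinitionId, DirectoryScopeId, Status,
                  @{ n = 'EndDateTime'; e = { $_.ScheduleInfo.Expiration.EndDateTime } }
```

The request is an eligibility, not an activation: after it is provisioned the account still has no Global Administrator rights until it activates the role (Step 4), which is exactly the point.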

STEP 3: Change role and assignment

Once completed go to Roles, search for the Global Administrator role, and click on it.

(Screenshot: Azure AD roles, Global Administrator)

Click on Role Settings

(Screenshot: Global Administrator assignments)

Click on Edit to change the default settings

(Screenshot: Role settings)

Now we can adjust the default settings to fit your requirements. I prefer to change the maximum activation duration to 2 hours for the Global Administrator role; the default is long enough that a stolen session keeps the role for most of a working day. I recommend always requiring MFA on activation, regardless of the role, and requiring a justification so the audit log shows why each activation happened.

(Screenshot: Edit role settings, Activation)

The next step, Assignment, controls the assignments themselves: whether permanent eligible and permanent active assignments are allowed, and after how long they expire. For Global Administrator it is worth disallowing permanent active assignments (apart from the break-glass account, see below) and giving eligible assignments an expiry so they come up for review.

(Screenshot: Edit role settings, Assignment)

In the Notification step you can change who is notified when the role is assigned, activated or made eligible; at minimum, route activation alerts for Global Administrator to a mailbox your security team actually reads. When done click on Update.

(Screenshot: Edit role settings, Notification)

When completed, you can remove the user from the permanent (active) role assignment. Do this only after you have verified that activation works (Step 4), and keep at least one emergency access (break-glass) account with a permanent Global Administrator assignment that does not depend on PIM, MFA devices or Conditional Access, so a PIM or MFA outage cannot lock you out of the tenant. PIM itself refuses to remove the last active Global Administrator, but that is a safety net, not a plan.
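Role settings are stored as rules on the role management policy that Graph attaches to each directory role, so the settings from this step can also be applied (and read back for an audit) from PowerShell. This is an added example, not code from the original post; the values (2-hour activation, MFA plus justification, 180-day eligibility expiry) are the choices discussed above, and the Global Administrator template id used here is the same in every tenant.

```powershell
# Added example: the "Role settings" step expressed as Graph role management policy rules.
# Each directory role has one policy at the tenant root scope; the PIM role settings
# tabs map onto named rules of that policy.
# Assumptions: 2 h activation limit, MFA + justification on activation,
# eligible assignments expire after 180 days.
Connect-MgGraph -Scopes "RoleManagementPolicy.ReadWrite.Directory"

# Global Administrator template id (identical in every tenant)
$gaRoleId = "62e90394-69f5-4237-9190-012177145e10"

$policyAssignment = Get-MgPolicyRoleManagementPolicyAssignment `
    -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$gaRoleId'"
$policyId = $policyAssignment.PolicyId

function Set-PimRule {
    # Helper for this example: PATCH one rule of the role's policy
    param([string]$PolicyId, [hashtable]$Rule)
    Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $PolicyId `
        -UnifiedRoleManagementPolicyRuleId $Rule.id -BodyParameter $Rule
}

# Activation tab: maximum activation duration 2 hours (ISO 8601 duration)
Set-PimRule -PolicyId $policyId -Rule @{
    "@odata.type"        = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"
    id                   = "Expiration_EndUser_Assignment"
    isExpirationRequired = $true
    maximumDuration      = "PT2H"
    target = @{ caller = "EndUser"; operations = @("All"); level = "Assignment"
                inheritableSettings = @(); enforcedSettings = @() }
}

# Activation tab: require MFA and a justification to activate
Set-PimRule -PolicyId $policyId -Rule @{
    "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule"
    id            = "Enablement_EndUser_Assignment"
    enabledRules  = @("MultiFactorAuthentication", "Justification")
    target = @{ caller = "EndUser"; operations = @("All"); level = "Assignment"
                inheritableSettings = @(); enforcedSettings = @() }
}

# Assignment tab: no permanent eligible assignments, re-review after 180 days
Set-PimRule -PolicyId $policyId -Rule @{
    "@odata.type"        = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"
    id                   = "Expiration_Admin_Eligibility"
    isExpirationRequired = $true
    maximumDuration      = "P180D"
    target = @{ caller = "Admin"; operations = @("All"); level = "Eligibility"
                inheritableSettings = @(); enforcedSettings = @() }
}

# Read back the effective end-user activation rules for the change record
Get-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId |
    Where-Object { $_.Id -like "*_EndUser_Assignment" } |
    ForEach-Object {
        [pscustomobject]@{
            Rule            = $_.Id
            MaximumDuration = $_.AdditionalProperties["maximumDuration"]
            EnabledRules    = @($_.AdditionalProperties["enabledRules"]) -join ","
        }
    }
```

Because the rule ids are fixed names, the same script can be looped over every privileged role's policy to enforce one baseline, rather than clicking through the portal once per role and hoping nobody changes it later.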

STEP 4: Activate role assignment.

From the Privileged Identity Management portal you can now activate the Global Administrator role:

(Screenshot: My roles, activate Global Administrator)

Fill in the Reason, and click on Activate.

(Screenshot: Activate role, reason)

Within a few moments you should have Global Administrator permissions. Note that roles are carried in the token, so a portal session or PowerShell connection that was opened before the activation may need to be refreshed or signed in again before the new role is visible.

(Screenshot: Role activated)
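Activation can also be done from PowerShell, which is convenient in scripted maintenance windows and makes it easy to give the role back as soon as the work is finished instead of waiting for the timer. This is an added example, not code from the original post. It assumes the signed-in account holds the eligible assignment created earlier, that the interactive sign-in already satisfied MFA (otherwise the request is rejected by the role settings), and the justification text is a placeholder.

```powershell
# Added example: self-activate the eligible Global Administrator role, confirm that
# it became active, and deactivate it again when the work is done.
# Assumptions: the signed-in account is eligible, the sign-in satisfied MFA,
# and the justification text is a placeholder.
Connect-MgGraph -Scopes "User.Read",
                        "RoleEligibilitySchedule.Read.Directory",
                        "RoleAssignmentSchedule.ReadWrite.Directory"

$gaRoleId    = "62e90394-69f5-4237-9190-012177145e10"   # Global Administrator template id
$principalId = (Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/me").id

# Refuse early if there is nothing to activate
$eligible = Get-MgRoleManagementDirectoryRoleEligibilitySchedule `
    -Filter "principalId eq '$principalId' and roleDefinitionId eq '$gaRoleId'"
if (-not $eligible) { throw "No eligible Global Administrator assignment for this account" }

$activate = @{
    action           = "selfActivate"
    principalId      = $principalId
    roleDefinitionId = $gaRoleId
    directoryScopeId = "/"                                   # must match the eligible assignment's scope
    justification    = "Change CHG-0000: update tenant-wide Conditional Access"   # placeholder text
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = "afterDuration"; duration = "PT1H" }   # ask for less than the 2 h maximum
    }
}
$req = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $activate
$req | Select-Object Id, Status    # Provisioned = active; PendingApproval if the role requires approval

# Wait for the active assignment instance to appear (up to one minute)
$active = $null
for ($i = 0; $i -lt 12 -and -not $active; $i++) {
    Start-Sleep -Seconds 5
    $active = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance `
        -Filter "principalId eq '$principalId' and roleDefinitionId eq '$gaRoleId'"
}
if (-not $active) { throw "Activation did not become active in time; check for a pending approval" }
$active | Select-Object AssignmentType, StartDateTime, EndDateTime   # AssignmentType 'Activated', not 'Assigned'

# ... do the privileged work with a freshly acquired token, then hand the role back early:
New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter @{
    action           = "selfDeactivate"
    principalId      = $principalId
    roleDefinitionId = $gaRoleId
    directoryScopeId = "/"
} | Select-Object Id, Status
```

Deactivating explicitly matters more than it looks: the activation window is the period in which a hijacked session or a leaked token carries Global Administrator rights, so the shorter it actually is, the less a mistake costs.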
