How to set up Azure Privileged Identity Management (PIM) – Manual
Privileged Identity Management (PIM) is a service in Azure AD that enables you to manage, control, and monitor access to important resources in your organization. These include resources in Azure AD, Azure, Microsoft 365 and Microsoft Intune.
Why should you use it?
Organizations want to minimize the number of people who have access to secure information or resources, because that reduces the chance of
- a malicious actor getting access
- an authorized user inadvertently impacting a sensitive resource
However, users still need to carry out privileged operations in Azure AD, Azure, Microsoft 365, or SaaS apps. Organizations can give users just-in-time privileged access to Azure and Azure AD resources and can oversee what those users are doing with their privileged access.
You assign users the role with the least privileges necessary to perform their tasks. This practice minimizes the number of Global Administrators and instead uses specific administrator roles for certain scenarios.
Licensing
Before you can use Privileged Identity Management you need one of the following licenses; they are also included in bundles such as Microsoft 365 E5:
- Azure AD Premium P2
- Enterprise Mobility + Security (EMS) E5
What’s in it
Privileged Identity Management provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources that you care about. Here are some of the key features of Privileged Identity Management:
- Provide just-in-time privileged access to Azure AD and Azure resources
- Assign time-bound access to resources using start and end dates
- Require approval to activate privileged roles
- Enforce multi-factor authentication to activate any role
- Use justification to understand why users activate
- Get notifications when privileged roles are activated
- Conduct access reviews to ensure users still need roles
- Download audit history for internal or external audit
- Prevents removal of the last active Global Administrator role assignment
MANUAL
Now let's get started with setting up Azure PIM. In this short manual I want to give you a quick start on how to assign and activate roles. I will do this with my Global Admin account. You can follow the same steps for groups, other users and other roles.
STEP 1: Go to the Azure portal (https://portal.azure.com), search for Privileged Identity Management in the search bar and go to Azure AD roles.
STEP 2: Let's start assigning the role: go to Assign eligibility.
In the next screen you can see the currently active assignments (including permanent roles) as well as the eligible accounts. Let's assign my account the Global Administrator role. Click on Add assignments.
Assign the membership. For this manual I've chosen to select just my admin account, but for most roles I recommend using groups instead (for Azure AD roles the group must have been created as role-assignable; that setting cannot be changed afterwards). Click Next when done.
In the following step choose the assignment type (Eligible, so the role has to be activated before it can be used) and a start and end date for the eligibility rather than making it permanent.
STEP 3: Change the role settings
Once completed go to Roles, search for the Global Administrator role, and click on it.
Click on Role Settings
Click on Edit to change the default settings
Now we can adjust the default settings to fit your requirements. I prefer to change the activation maximum duration to 2 hours for the Global Administrator role (the default is 8 hours). I recommend always requiring MFA on activation, regardless of the role.
In the next step (the Assignment tab) you can restrict permanent eligible and permanent active assignments and set an expiry for them.
Under Notification you might want to change who is notified when the role is assigned or activated. When done click on Update.
When completed, you can remove the user's permanent (active) Global Administrator assignment, so the account only holds the role while it is activated. Keep at least one emergency-access (break-glass) account permanently assigned and excluded from PIM before you do this; PIM will in any case refuse to remove the last active Global Administrator.
STEP 4: Activate role assignment.
From the Privileged Identity Management portal you can now activate the Global Administrator role:
Fill in the reason (and complete MFA if the role settings require it), then click on Activate.
Within a few moments you should have Global Administrator permissions; if the portal does not yet reflect the new role, refresh it or sign out and back in.
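The same three steps (assign eligibility, tighten the role settings, activate) driven through the Microsoft Graph PowerShell SDK instead of the portal, as an added example that is not part of the original post. It assumes the Microsoft.Graph module is installed (Install-Module Microsoft.Graph), that the first part is run by a Privileged Role Administrator or Global Administrator and the activation part by the eligible user, and that the parameter name $UserPrincipalName, the justification strings and the one-year eligibility window are placeholders chosen for this example. The rule identifiers Expiration_EndUser_Assignment and Enablement_EndUser_Assignment are the Graph names for the "Activation maximum duration" and "On activation, require" settings shown in the portal.

```powershell
# Added example, not code from the original post. Drives PIM for Azure AD roles
# through Microsoft Graph PowerShell. $UserPrincipalName is a placeholder parameter.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName
)

# Delegated scopes for eligibility requests, role settings (policies) and activation
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory",
                        "RoleEligibilitySchedule.ReadWrite.Directory",
                        "RoleAssignmentSchedule.ReadWrite.Directory",
                        "User.Read.All"

$gaRole    = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Administrator'"
$principal = Get-MgUser -UserId $UserPrincipalName

# STEP 2: make the account *eligible* (not active) for Global Administrator, time-bound to one year
$now = (Get-Date).ToUniversalTime()
$eligibility = @{
    action           = "adminAssign"
    justification    = "Eligible Global Administrator via PIM; activate only when needed"   # placeholder text
    roleDefinitionId = $gaRole.Id
    directoryScopeId = "/"                      # tenant-wide scope
    principalId      = $principal.Id
    scheduleInfo     = @{
        startDateTime = $now.ToString("o")
        expiration    = @{ type = "afterDateTime"; endDateTime = $now.AddYears(1).ToString("o") }
    }
}
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $eligibility | Out-Null

# STEP 3: the portal's "Role settings" are the role management policy bound to this role at scope "/"
$policyAssignment = Get-MgPolicyRoleManagementPolicyAssignment `
    -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$($gaRole.Id)'"
$policyId = $policyAssignment.PolicyId

$target = @{ caller = "EndUser"; operations = @("All"); level = "Assignment"
             inheritableSettings = @(); enforcedSettings = @() }

# Activation maximum duration: 2 hours instead of the 8-hour default
$expirationRule = @{
    "@odata.type"        = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"
    id                   = "Expiration_EndUser_Assignment"
    isExpirationRequired = $true
    maximumDuration      = "PT2H"
    target               = $target
}
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId "Expiration_EndUser_Assignment" -BodyParameter $expirationRule

# Require MFA and a justification on every activation
$enablementRule = @{
    "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule"
    id            = "Enablement_EndUser_Assignment"
    enabledRules  = @("MultiFactorAuthentication", "Justification")
    target        = $target
}
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId "Enablement_EndUser_Assignment" -BodyParameter $enablementRule

# Check before removing anyone's permanent role: list who still holds GA as a standing
# (non-activated) assignment, so a break-glass account is kept outside PIM.
Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -Filter "roleDefinitionId eq '$($gaRole.Id)'" |
    Where-Object { $_.AssignmentType -eq "Assigned" } |
    Select-Object PrincipalId, AssignmentType, EndDateTime

# STEP 4: activation, run as the eligible user after signing in (MFA is enforced by the rule above)
$meId = (Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/me").id
$activation = @{
    action           = "selfActivate"
    justification    = "Change request: review tenant Conditional Access policies"   # placeholder reason
    roleDefinitionId = $gaRole.Id
    directoryScopeId = "/"
    principalId      = $meId
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString("o")
        expiration    = @{ type = "afterDuration"; duration = "PT2H" }   # must not exceed maximumDuration
    }
}
New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $activation

# Verify the activation is in place before using it
Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance `
    -Filter "principalId eq '$meId' and roleDefinitionId eq '$($gaRole.Id)'" |
    Select-Object AssignmentType, StartDateTime, EndDateTime
```

The activation request is rejected if its duration exceeds the maximumDuration set in the expiration rule, or if the justification is missing once the enablement rule requires it, which is a quick way to confirm the role settings actually took effect. Tokens issued before the activation do not carry the new role, so a fresh sign-in may still be needed in other tools.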