Azure Identity And Access Management Part 11 – Azure Active Directory – Privileged Identity Management (PIM)
Hope you all are doing well! And thank you all for your valuable suggestions on our last Azure series, Learn Basics Of Azure Networking In 60 Hours.
In our last article we discussed how to configure Azure AD Identity Protection. In this article we will continue exploring Azure AD and discuss a very important service, Azure AD Privileged Identity Management (PIM).
If you have missed our previous articles on Azure Identity And Access Management (IAM), please check them at the following links.
Privileged Identity Management ( PIM) :
Azure AD PIM is a premium feature that manages the life-cycle of role assignments, enforces a just-in-time access policy, and discovers who has what roles. Azure Active Directory Privileged Identity Management (PIM) is a service that enables us to perform the following tasks for important resources in our organization, such as resources in Azure AD, Azure, and other online services.
- Manage access
- Control access
- Monitor access
License Requirement :
To use the Privileged Identity Management service, our directory must have one of the following paid or trial licenses.
- Azure AD Premium P2
- Enterprise Mobility + Security (EMS) E5
- Microsoft 365 M5
Key Features Of PIM :
- Provide just-in-time privileged access to Azure AD and Azure resources
- Assign time-bound access to resources using start and end dates
- Require approval to activate privileged roles
- Enforce multi-factor authentication to activate any role
- Use justification to understand why users activate
- Get notifications when privileged roles are activated
- Conduct access reviews to ensure users still need roles
- Download audit history for internal or external audit
Benefits Of PIM :
- Reduce costs – The net result is a reduction in cybercrime associated with privileged identities, which is costly and difficult to recover from.
- Manage Risk – Secure your organization by enforcing the principle of least privilege and just-in-time access.
- Address Compliance And Governance – You will also be able to view and receive notifications for all assignments of permanent and eligible roles inside your organization. Through access reviews, you can regularly audit and remove unnecessary privileged identities and make sure your organization is compliant with the most rigorous identity, access, and security standards.
Roles Managed By PIM :
- Azure AD Roles – These roles are all in Azure Active Directory (such as Global Administrator, Exchange Administrator, and Security Administrator).
- Azure Resource Roles – These roles are linked to an Azure resource, resource group, subscription, or management group. Privileged Identity Management (PIM) provides just-in-time access to built-in roles such as Owner, User Access Administrator, and Contributor, as well as to custom roles. Today's exercise in this article is based on the Contributor role of an Azure resource.
Workflow Of Privileged Identity Management :
- Privileged Identity Management is set up so that users are eligible for privileged roles.
- When an eligible user needs to use their privileged role, they activate the role in Privileged Identity Management.
- Depending on the Privileged Identity Management settings configured for the role, the user must complete certain steps (such as performing multi-factor authentication, getting approval, or specifying a reason).
- Once the user successfully activates their role, they will get the role for a pre-configured time period.
- Administrators can view a history of all Privileged Identity Management activities in the audit log. They can also further secure their Azure AD organizations and meet compliance using Privileged Identity Management features like access reviews and alerts.
Role Assignment Type :
Privileged Identity Management (PIM) provides two distinct assignment types:
- Eligible Assignments – An eligible assignment requires the member of the role to perform an action before using the role. Actions might include completing a multi-factor authentication (MFA) check, providing a business justification, or requesting approval from designated approvers. The activation lasts for a specific period of time; after that the role is deactivated and the user needs to activate it again. We will see this in our example.
- Active Assignments – An active assignment does not require the member to perform any action to use the role. Members assigned as active have the privileges of the role at all times.
Permissions Required To Configure PIM :
- For Azure AD, a user in the Privileged Role Administrator or Global Administrator role can manage assignments for other administrators.
- For Azure resources, a subscription administrator, a resource Owner, or a resource User Access Administrator can manage assignments for other administrators.
Use Case Of Exercise :
So far so good! We have discussed the theoretical part of Azure AD PIM and got to know some fundamentals of PIM. Now we will move forward to a lab exercise. As we discussed, we can manage both kinds of roles (Azure AD roles and Azure resource roles) through PIM. Today in this exercise, we will discuss how we can assign an Azure resource role to a user “email@example.com“. We will also see how an admin can remove the assignment once the requirement is done. So let's start the exercise and follow the steps below.
Step 1 – After logging in to the portal, first confirm you have the required licence. As shown in the following figure, we have an Azure AD Premium P2 licence and the Privileged Identity Management (PIM) service is available.
Step 2 – Go to the marketplace and search for the Azure AD Privileged Identity Management service.
Step 3 – As today we will work on Azure resource roles, the very first thing to do is allow access management for Azure resources by setting the value to Yes, as shown in the following figure. The option can be found on the Properties page of Azure Active Directory.
Step 4 – As we discussed, our objective is to deploy Privileged Identity Management for Azure resources, so we should first discover the Azure resources to manage in Privileged Identity Management. Only owners of subscriptions and management groups can discover and onboard these resources onto Privileged Identity Management. To proceed, open Azure AD Privileged Identity Management => select Azure resources. If we are the first user to access this page we will see an empty page with a discovery image, and we have to click Discover to onboard our required resource. If we are not the first user to access this page, there will be a list of resources and a Discover Resources button to onboard more resources to the list. As in the following figure, we are onboarding the complete subscription as per the requirement.
After it is onboarded, the PIM functionality is available for owners at all levels, including management group, subscription, resource group, and resource.
Step 5 – Let's find all roles of our onboarded subscription. For that, click on our onboarded resource (the onboarded subscription) and select Roles from the Manage section, as shown in the following figure.
Step 6 – As we are going to work with the Contributor role, let's find it by searching the name as shown in the following figure.
Now we are on the Contributor role page. We have multiple options to check here: one is the + Add Assignments button and the other is Settings. Let's first check the Settings option.
Step 7 – As we discussed in the above point, we will edit the settings of the Contributor role as per our requirement. There are 3 different sections (Activation, Assignment, Notification) which can be configured when we are editing a role setting. To proceed, as highlighted in the above figure, click on the Settings button and it will take us to the Edit role setting page as shown in the following figure.
Step 8 – The above figure shows the Activation section of the role settings. This section applies only when a user wants to activate the assignment. As per the configuration in this section, the assigned user has to go through these checks. For example, in the above figure, we have the following configuration.
- Activation maximum duration is set
- MFA required on activation
- Justification required on activation
- Ticket information required, if the user needs this access for a ticket request
- Approval required from a specific user/group for activation
We will see this in our exercise, when our end user activates the role assignment.
Step 9 – The next section is Assignment, and this is for the admin or assignee of the role. Here I am not going into much detail, as we can see it in the following figure.
Step 10 – The next and last section is Notification, and here I kept the default settings as shown in the following figure. But you can change them as per your requirement.
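The same Activation rules that Steps 7 to 10 set through the portal can be applied with the AzureADPreview cmdlets listed at the end of this article. The script below is an added example and is not part of the original article or of Microsoft's own samples. It assumes a subscription named `My-PIM-Lab-Subscription` that is already onboarded, an approver object id that you replace with a real one, and that the rule identifiers and the JSON shape of each rule's `Setting` match what `Get-AzureADMSPrivilegedRoleSetting` returns in your tenant; it prints the current rules first so you can compare before writing.

```powershell
# Added example (not from the original article): set the Activation section of the
# Contributor role on an onboarded subscription the way Step 8 shows it in the portal.
# Requires the AzureADPreview module. Subscription name, approver id, rule identifiers
# and the JSON shape of each Setting are assumptions; read the current settings first
# and compare before applying.
Import-Module AzureADPreview
Connect-AzureAD | Out-Null

$providerId       = 'AzureResources'
$subscriptionName = 'My-PIM-Lab-Subscription'                # assumed onboarded subscription
$approverObjectId = '00000000-0000-0000-0000-000000000000'   # placeholder: object id of the approving admin

# Locate the onboarded subscription and the Contributor role definition inside it.
$resource = Get-AzureADMSPrivilegedResource -ProviderId $providerId -Filter "Type eq 'subscription'" |
    Where-Object { $_.DisplayName -eq $subscriptionName }
if (-not $resource) { throw "Subscription '$subscriptionName' is not onboarded to PIM" }

$role = Get-AzureADMSPrivilegedRoleDefinition -ProviderId $providerId `
    -ResourceId $resource.Id -Filter "DisplayName eq 'Contributor'"

# Role settings object for this resource/role pair. UserMemberSettings are the rules
# applied when an eligible user activates (the "Activation" section in the portal).
$roleSetting = Get-AzureADMSPrivilegedRoleSetting -ProviderId $providerId `
    -Filter "ResourceId eq '$($resource.Id)' and RoleDefinitionId eq '$($role.Id)'"

Write-Host "Current activation rules for Contributor on $($resource.DisplayName):"
$roleSetting.UserMemberSettings | ForEach-Object { "  {0,-18} {1}" -f $_.RuleIdentifier, $_.Setting }

# Each rule is an AzureADMSPrivilegedRuleSetting: an identifier plus a JSON setting string.
function New-PimRule([string]$Identifier, [string]$SettingJson) {
    $rule = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedRuleSetting
    $rule.RuleIdentifier = $Identifier
    $rule.Setting = $SettingJson
    return $rule
}

# The five checks from Step 8: max duration, MFA, justification, ticket, approval.
# JSON shapes assumed to match what the Get call above prints for your tenant.
$activationRules = @(
    (New-PimRule 'ExpirationRule'    '{"permanentAssignment":false,"maximumGrantPeriodInMinutes":480}')
    (New-PimRule 'MfaRule'           '{"mfaRequired":true}')
    (New-PimRule 'JustificationRule' '{"required":true}')
    (New-PimRule 'TicketingRule'     '{"ticketingRequired":true}')
    (New-PimRule 'ApprovalRule'      ('{"enabled":true,"approvers":[{"id":"' + $approverObjectId + '","type":"User"}]}'))
)

Set-AzureADMSPrivilegedRoleSetting -ProviderId $providerId -Id $roleSetting.Id `
    -ResourceId $resource.Id -RoleDefinitionId $role.Id -UserMemberSettings $activationRules

# Read back so the change is confirmed rather than assumed.
Write-Host "Activation rules after update:"
(Get-AzureADMSPrivilegedRoleSetting -ProviderId $providerId -Id $roleSetting.Id).UserMemberSettings |
    ForEach-Object { "  {0,-18} {1}" -f $_.RuleIdentifier, $_.Setting }
```

Only `UserMemberSettings` is written here, so the Assignment and Notification sections (the admin-side rules in `AdminEligibleSettings` and `AdminMemberSettings`) keep whatever the portal shows in Steps 9 and 10.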
Step 11 – After the settings, it is time to + Add Assignments for the Contributor role. Here also there are two sections, and the first section is Membership. In this section we need to select the required groups/users whom we want to add, as shown in the following figure; we have selected ‘Ashok@manasmoharanagmail.onmicros‘.
Step 12 – The next section is Settings. This is a very important section, where we need to configure what type of assignment the user requires, whether Eligible or Active. Also in this section we need to configure the assignment start and end time, as shown in the following figure, and press the Assign button.
Step 13 – As shown in the following figure, the new role assignment is added for end user ‘Ashk Kumar‘. The admin can now see the role assignment in his portal under the Contributor role. There are also options available for the admin to Update or Remove the assignment, whenever the organization wants to or if there is no longer a requirement for this role assignment. Later in this article, we will see how to remove the role assignment.
Step 14 – Let's log in to the portal using our test user's credentials in a different browser or in a private browser. Go to Azure AD Privileged Identity Management => select My roles => Azure resources. As shown in the following figure, the new role assignment is listed for end user ‘Ashk Kumar‘. We can also see that the role assignment type is Eligible. This means the role will be active only for a specific period of time after activation.
Step 15 – Before we activate the role, let's check whether the user already has any permission granted in the portal. As we can see in the following figure, user ‘Ashk Kumar’ has no access to the portal yet.
Step 15 – It is time to activate the role and see how it goes. As shown in the following figure, click on the Activate link to proceed with the activation of the role.
Step 16 – There are 3 different sections in the activation window. The following figure shows the details of the Role section. This section provides information about the role assignment, and the next one shows the scope of the role assignment.
Step 17 – Now in the following Activate section we can see there is a button to activate the role assignment. But before that, we need to provide all the required information.
Step 18 – When the user clicks on the Activate button, it triggers a workflow, and the length of the workflow depends on the Activation settings of the role, which we discussed in Step 7. In our case, the user has to go through MFA and then the activation request needs to be approved by the selected admin. The user also needs to provide the justification with the ticket number for which the user needs the access rights. As in the following figures, it is asking for MFA.
Step 19 – As per the workflow, after the user successfully clears the MFA, the activation request goes for approval from the selected admin. As we can see in the following figure, the activation is pending approval.
Step 20 – To approve the request, let's log in to the portal using the admin's credentials and move to the Approve requests page under Tasks. We can see there is one approval request from ‘Ashk Kumar’ for the Contributor role. Let's approve it as shown in the following figure.
Step 21 – Let's go back to the user's dashboard and see what's happening there. In the following figures the status says the activation succeeded, and we need to sign out and log in again to make it effective.
The following notification shows the end of the activation workflow.
Step 22 – After activation, as per the alert configuration, the admin should get a notification by mail. In the following figure, we can see the e-mail notification that came to the admin after the role assignment activation completed.
Step 23 – Let's go to the user's portal and verify whether the user now has sufficient permissions to fulfil the requirement. As shown in the following figure, the user can access the VM and perform the required task.
Step 24 – Users can also check/verify their audit history by going to the My audit history page as shown in the following figure.
Step 25 – Admins can also check/verify the activity details of a role assignment on the activity details page as shown in the following figure.
Step 26 – Let's go back to the admin's portal and verify whether the role assignment is still required, needs any update, or needs to be extended. If the user requested the permission for a short period of time to perform a specific task, then after that time period the active role assignment expires automatically and the admin gets a notification as shown in the following figure.
As we can see in the following figure, there are 3 options available: Remove, Update and Extend. Let's remove the assigned role. As shown in the following figure, we need to confirm before removing the role assignment.
Step 27 – Once the admin has removed the role assignment for Contributor, the role is automatically removed from the user's portal as shown in the following figure.
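The full lifecycle of Steps 11 to 27 (admin creates a time-bound eligible assignment, the user activates it for a short window with a justification, the admin removes it when the work is done) can also be driven from PowerShell. The script below is an added example, not code from the original article or from Microsoft's documentation. It assumes the AzureADPreview module, an onboarded subscription named `My-PIM-Lab-Subscription`, the article's test user `email@example.com`, and a placeholder ticket number; the user section must be run under the test user's own sign-in, as the article does with a private browser, and the `AdminRemove` request without a schedule is an assumption to verify in your tenant.

```powershell
# Added example (not from the original article): assign -> activate -> remove the
# Contributor role on an onboarded subscription with the AzureADPreview cmdlets.
# Subscription name, user UPN and ticket number are placeholders/assumptions.
Import-Module AzureADPreview

$providerId       = 'AzureResources'
$subscriptionName = 'My-PIM-Lab-Subscription'   # assumed onboarded subscription
$userUpn          = 'email@example.com'         # the article's test user

function Get-ContributorContext {
    # Resolve the onboarded subscription and its Contributor role definition.
    $resource = Get-AzureADMSPrivilegedResource -ProviderId $providerId -Filter "Type eq 'subscription'" |
        Where-Object { $_.DisplayName -eq $subscriptionName }
    if (-not $resource) { throw "Subscription '$subscriptionName' is not onboarded to PIM" }
    $role = Get-AzureADMSPrivilegedRoleDefinition -ProviderId $providerId -ResourceId $resource.Id `
        -Filter "DisplayName eq 'Contributor'"
    return @{ Resource = $resource; Role = $role }
}

function New-OnceSchedule([datetime]$Start, [datetime]$End) {
    # A "Once" schedule is a single UTC time window; this is what bounds the assignment.
    $s = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedSchedule
    $s.Type          = 'Once'
    $s.StartDateTime = $Start.ToUniversalTime().ToString('o')
    $s.EndDateTime   = $End.ToUniversalTime().ToString('o')
    return $s
}

# ---- Admin session (Steps 11-13): ELIGIBLE assignment limited to 30 days ----
Connect-AzureAD | Out-Null
$ctx  = Get-ContributorContext
$user = Get-AzureADUser -ObjectId $userUpn
$now  = Get-Date
$eligibleReq = Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId $providerId `
    -ResourceId $ctx.Resource.Id -RoleDefinitionId $ctx.Role.Id -SubjectId $user.ObjectId `
    -Type 'AdminAdd' -AssignmentState 'Eligible' `
    -Schedule (New-OnceSchedule $now $now.AddDays(30)) `
    -Reason 'Lab: eligible Contributor for VM maintenance'
"Eligible assignment request {0}: status={1}" -f $eligibleReq.Id, $eligibleReq.Status

# Verify what the user holds (Step 15 expectation): one Eligible entry, no Active one.
Get-AzureADMSPrivilegedRoleAssignment -ProviderId $providerId -ResourceId $ctx.Resource.Id `
    -Filter "subjectId eq '$($user.ObjectId)'" |
    Select-Object AssignmentState, MemberType, StartDateTime, EndDateTime

# ---- User session (Steps 15-19): ACTIVATE for 2 hours with justification ----
# Run Connect-AzureAD again as the test user before this part. MFA is enforced by the
# role setting on activation; with approval required the request stays PendingApproval
# until the admin approves it (Step 20). The portal collects the ticket number in its
# own field; here the reference is folded into the justification text.
Connect-AzureAD | Out-Null
$ctx = Get-ContributorContext
$me  = Get-AzureADUser -ObjectId $userUpn
$now = Get-Date
$activateReq = Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId $providerId `
    -ResourceId $ctx.Resource.Id -RoleDefinitionId $ctx.Role.Id -SubjectId $me.ObjectId `
    -Type 'UserAdd' -AssignmentState 'Active' `
    -Schedule (New-OnceSchedule $now $now.AddHours(2)) `
    -Reason 'Ticket INC-0000 (placeholder): patch VM in lab subscription'
"Activation request {0}: status={1}" -f $activateReq.Id, $activateReq.Status

# ---- Admin session (Steps 26-27): REMOVE the eligible assignment once the work is done ----
Connect-AzureAD | Out-Null
$ctx  = Get-ContributorContext
$user = Get-AzureADUser -ObjectId $userUpn
$removeReq = Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId $providerId `
    -ResourceId $ctx.Resource.Id -RoleDefinitionId $ctx.Role.Id -SubjectId $user.ObjectId `
    -Type 'AdminRemove' -AssignmentState 'Eligible' -Reason 'Lab finished, assignment no longer required'
"Removal request {0}: status={1}" -f $removeReq.Id, $removeReq.Status
```

The two-hour activation window is what makes the access just-in-time: when it elapses the Active entry disappears on its own, exactly as the expiry notification in Step 26 describes, while the Eligible entry stays until the admin removes it.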
PowerShell Support To Manage Azure AD PIM :
Microsoft provides the following PowerShell commands to manage Azure AD PIM. As I have tried to collect and put all the important points in this article along with one practical exercise, this article's length has already crossed all limits 🙂. So I don't want to add any extra content here; I have just listed the PowerShell commands, and if anyone wants to explore them, just copy the command and look up its details on the internet. If time permits, I will write a separate article with examples for these PowerShell commands 🙂.
- Add-AzureADMSPrivilegedResource : Add a new Azure AD MS privileged resource
- Close-AzureADMSPrivilegedRoleAssignmentRequest : Cancel an AzureADMSPrivilegedRoleAssignmentRequest
- Get-AzureADMSPrivilegedResource : Get an Azure AD MS privileged resource
- Get-AzureADMSPrivilegedRoleAssignment : Get role assignments for a specific provider and resource
- Get-AzureADMSPrivilegedRoleAssignmentRequest : Get role assignment requests for a specific resource
- Get-AzureADMSPrivilegedRoleDefinition : Get role definitions
- Get-AzureADMSPrivilegedRoleSetting : Get role settings
- Open-AzureADMSPrivilegedRoleAssignmentRequest : Create a role assignment request
- Set-AzureADMSPrivilegedRoleAssignmentRequest : Update a role assignment request
- Set-AzureADMSPrivilegedRoleSetting : Update role settings
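As an added example of the "discover who has what roles" part of PIM (not code from the original article), the script below uses the `Get-` cmdlets above to inventory the Azure resource role assignments across every onboarded resource and flag the ones an access review should question: Active assignments with no end date, which are standing privilege that bypasses just-in-time activation, and Eligible assignments that never expire. It assumes the AzureADPreview module, a watch-list of three built-in roles, and a CSV path under `$env:TEMP`.

```powershell
# Added example (not from the original article): inventory PIM-managed Azure resource
# role assignments and flag standing access for an access review.
# Requires AzureADPreview. Role watch-list and report path are assumptions.
Import-Module AzureADPreview
Connect-AzureAD | Out-Null

$providerId = 'AzureResources'
$watchRoles = @('Owner', 'User Access Administrator', 'Contributor')   # assumed watch-list
$reportPath = Join-Path $env:TEMP 'pim-standing-access-report.csv'    # assumed output path

$rows = foreach ($res in Get-AzureADMSPrivilegedResource -ProviderId $providerId) {
    # Cache role definitions per resource so each assignment can be reported by name.
    $roleById = @{}
    Get-AzureADMSPrivilegedRoleDefinition -ProviderId $providerId -ResourceId $res.Id |
        ForEach-Object { $roleById[$_.Id] = $_.DisplayName }

    foreach ($a in Get-AzureADMSPrivilegedRoleAssignment -ProviderId $providerId -ResourceId $res.Id) {
        $roleName = $roleById[$a.RoleDefinitionId]
        if ($watchRoles -notcontains $roleName) { continue }

        # Resolve the subject (user, group or service principal) to a display name.
        $subject = Get-AzureADObjectByObjectId -ObjectIds $a.SubjectId -ErrorAction SilentlyContinue
        $subjectName = if ($subject) { $subject.DisplayName } else { $a.SubjectId }

        # No EndDateTime means the assignment never expires on its own.
        $permanent = [string]::IsNullOrEmpty($a.EndDateTime)
        $finding = ''
        if ($permanent -and $a.AssignmentState -eq 'Active')   { $finding = 'STANDING-ACCESS' }
        if ($permanent -and $a.AssignmentState -eq 'Eligible') { $finding = 'ELIGIBLE-NO-EXPIRY' }

        [pscustomobject]@{
            Resource        = $res.DisplayName
            ResourceType    = $res.Type
            Role            = $roleName
            Subject         = $subjectName
            AssignmentState = $a.AssignmentState
            MemberType      = $a.MemberType      # Direct vs. Inherited from a parent scope
            EndDateTime     = $a.EndDateTime
            Finding         = $finding
        }
    }
}

$rows | Export-Csv -Path $reportPath -NoTypeInformation
$flagged = $rows | Where-Object { $_.Finding }
"{0} assignments inspected, {1} flagged; report written to {2}" -f @($rows).Count, @($flagged).Count, $reportPath
$flagged | Format-Table Resource, Role, Subject, AssignmentState, MemberType, Finding -AutoSize
```

Inherited assignments (MemberType Inherited) show up at every child scope of the assignment, so a single permanent Owner at the subscription level will be flagged once per onboarded child resource; review it at the scope where it was granted.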
I hope this article helps you to understand the basic concepts of Azure AD PIM.
I am still exploring Azure Identity and Access Management (IAM), so please let me know if I missed anything important or if my understanding is not up to the mark. In my next article we will continue with one more feature of Azure AD.
Keep reading, and share your thoughts and experiences. Feel free to contact us to discuss more.
Thanks for reading 🙂.