Privileged Identity Management
PIM: Privileged Identity Management is a service that enables you to manage, control and monitor access to important resources in the organization, such as Entra ID, Azure and other online services like M365 or Intune. Privileged Identity Management provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on the resources that you care about.
· Provide just-in-time privileged access to Microsoft Entra ID and Azure resources
· Assign time-bound access to resources using start and end dates
· Require approval to activate privileged roles
· Enforce multi-factor authentication to activate any role
· Use justification to understand why users activate
· Get notifications when privileged roles are activated
· Conduct access reviews to ensure users still need roles
· Download audit history for internal or external audit
· Prevent removal of the last active Global Administrator and Privileged Role Administrator role assignments
A P2 licence is required to access PIM.
Only users holding the Privileged Role Administrator or Global Administrator role can manage assignments for other administrators. Global Administrators, Security Administrators, Global Readers, and Security Readers can also view assignments.
What can you manage in PIM
Today, you can use PIM with:
Microsoft Entra roles – Sometimes referred to as directory roles, Microsoft Entra roles include built-in and custom roles to manage Microsoft Entra ID and other Microsoft 365 online services.
Azure roles – The role-based access control (RBAC) roles in Azure that grant access to management groups, subscriptions, resource groups, and resources.
PIM for Groups – To set up just-in-time access to the member and owner roles of a Microsoft Entra security group. PIM for Groups not only gives you an alternative way to set up PIM for Microsoft Entra roles and Azure roles, but also allows you to set up PIM for other permissions across Microsoft online services like Intune, Azure Key Vaults, and Azure Information Protection. If the group is configured for app provisioning, activation of group membership triggers provisioning of the group membership (and of the user account, if it wasn't provisioned) to the application using the System for Cross-Domain Identity Management (SCIM) protocol.
You can assign the following to these roles or groups:
Users – To get just-in-time access to Microsoft Entra roles, Azure roles, and PIM for Groups.
Groups – Anyone in the group gets just-in-time access to Microsoft Entra roles and Azure roles. For Microsoft Entra roles, the group must be a newly created cloud group that's marked as assignable to a role, while for Azure roles the group can be any Microsoft Entra security group. We don't recommend assigning/nesting a group to a PIM for Groups.
PIM role assignments give you a secure way to grant access to resources in your organization.
Below are the major tasks that can be done using PIM:
1. Assign roles to members (role assignment)
a. Eligible assignments – require the member of the role to perform an action (activation) to use the role.
b. Active assignments – don't require the member to perform any action to use the role.
2. Activate assignments
3. Approve or deny requests
4. Extend and renew assignments
For ease of understanding, below are example use cases for PIM.
➢ A permanent role assignment to USERA for the Security Administrator role.
➢ Configure the USERA user to be eligible for the Billing Administrator and Global Reader roles.
➢ Configure the Global Reader role activation to require approval of the GLOBAL ADMIN user.
➢ Configure an access review of the Global Reader role and review auditing capabilities.
Privileged Identity Management documentation | Microsoft Learn