Hi There,

This will be the fourth and last article in the Azure AD Identity Governance series.
And today, I would like to show you Privileged Identity Management (PIM).

The previous articles are available here:

Privileged Identity Management Overview

Let me tell you a story about MR. X.

MR. X is a Global Administrator (GA) in the Company XYZ.
All the time, he is using a GA account to administer Azure AD, resources, etc.
One day his account was compromised, and then bad things happened…

I think you have already discovered one potential security issue with MR. X: compromising his account means having the keys to the kingdom.

Don’t be like MR. X; be smart and use PIM…

According to the well-known Microsoft documentation:

Privileged Identity Management (PIM) is a service in Azure Active Directory (Azure AD) that enables you to manage, control, and monitor access to important resources in your organization.

https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure

From my point of view, PIM is a great tool that you can use to enable a just-in-time (JIT) model for:

  • Directory roles management – limit directory roles for a timeframe
  • Resources roles management – limit resources roles for a timeframe
  • Privilege access groups management (Preview) – limit group membership for a timeframe.

There are more reasons to use PIM, such as:

  • Time-bound access to resources
  • Approval requirement
  • MFA usage
  • Justification
  • Notifications
  • Audit history
  • Access reviews

In other words, PIM can make your environment more secure by limiting the time when highly privileged roles are active and limiting them to a specific group of users.

NOTE!

PIM requires an Azure AD P2 license, as it is part of Azure AD Identity Governance.

PIM Workflow

For every type of PIM usage the workflow looks the same; actually, from my point of view, there are two workflows:

  1. Configuring PIM
  2. Requesting roles through PIM

Configuring PIM

Before we can request roles through PIM, we need to configure it.

It doesn’t matter whether you want to configure Directory Roles or Resource Roles; it always looks the same.

PIM configuration workflow

The diagram above depicts the workflow from an administrator’s point of view:

  1. A Global Administrator has to go to PIM (Azure AD / Identity Governance) and, for each role that should be covered by this solution, configure settings like:
    • Activation time
    • Justification
    • Approval
    • Notification
    • MFA requirement
    • etc.
  2. GA has to configure assignments – who can request this role using PIM.

When all those configurations are done, the assigned users can start using the solution.

Requesting roles

The diagram below depicts the PIM role-requesting workflow:

Roles requesting workflow

  1. In this case, User1 was assigned to the Exchange Administrator role.
  2. User1 goes to PIM and requests the role, providing the required information.
  3. The request is sent to the Global Admin user for approval (as part of the configuration, of course, there is a possibility to configure approvers other than GA role holders).
  4. The Global Admin user decides whether to accept or reject the request.
  5. If the decision was to accept the request, PIM starts the assignment process for User1.
  6. User1 receives the requested role for a specific time (configured within the Exchange Administrator role settings).
  7. When the assignment expires, User1 is removed from the role.

Configuration

Below we are going to touch on a couple of important configuration topics: role configuration, discovery, and access reviews.

PIM panel walkthrough

When you open PIM, you will see lots of sections under the left side menu.

PIM overview

There are four main sections:

  • Tasks – this section refers to the day-to-day operational use of PIM, such as requesting roles, approving requests, reviewing access, and request history. In the Test in LAB section, I will use this section to show how it works from the user’s perspective.
  • Manage – here, we can do the PIM configuration for three main areas, which are:
    • Azure AD Roles
    • Azure resources
    • Privileged access groups
  • Activity – I think this is self-explanatory. It’s all about audit history.
  • Troubleshooting + Support – another self-explanatory section.

Role Configuration

To configure an Azure AD role with PIM, we need to start from the role settings.

In order to do this, open the following link (you can get there from PIM -> Azure AD roles (Manage section) -> Roles (Manage section)): https://portal.azure.com/#blade/Microsoft_Azure_PIMCommon/ResourceMenuBlade/roles/resourceId//resourceType/tenant/provider/aadroles

Role list from PIM

Role settings

Find the role that you want to configure and click on it. In my case, it will be Security Administrator.

Finding a role in PIM – configuration

You will be moved to a new screen, where we should start from the Role settings configuration, placed under the left side menu.

Configuring Role

On the new screen, review role settings, and click Edit on the top menu.

Role settings

On the Activation tab, you will be able to configure the following settings:

Activation maximum duration – For the highest directory roles, I’m not recommending using the default settings. My proposal is to use one hour, or a maximum of two hours. If someone requires a GA role for longer, most probably he’s not doing it in the right way.

Require MFA on activation – yes, we need to require it so that compromised credentials alone are not enough to activate the role.

Require justification on activation – Yes, always require justification.

Require ticket information on activation – if you have a ticketing system, you can use this; it will give you two fields: 1. ticket number, 2. ticketing system link.

Require approval to activate – recommended for highly privileged roles; there is no option for self-approval.

Who should be the approver? – good practice is to put there employees who hold the same role. If we have four GAs, they will be able to approve requests for each other.

Role activation configuration

On the Assignment tab, we need to decide how long an eligible assignment will last, using the settings described below:

Allow permanent eligible assignment – uncheck this and choose six months. It will require reassigning users to the eligible assignment after that period.

Allow permanent active assignment – leave it as it is if you have a break-glass account configured within your environment.

Require MFA – yes 🙂

Require justification – yes 🙂

Role assignment configuration

The last tab to configure is Notification. Here you can review who will receive emails (spam :)) and add additional distribution groups or email addresses that should be included in the notifications.

Role notification configuration

When you configure everything, click the Update button.
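To check the same settings without clicking through the portal, the following Python snippet (an added example, not from this article) audits a role management policy in the shape Microsoft Graph returns under /policies/roleManagementPolicies/{id}/rules against the recommendations above; the sample policy is constructed and deliberately weak.

```python
"""Audit PIM role settings (Graph unifiedRoleManagementPolicy rules) against
the recommendations above: activation <= 2h, MFA + justification on
activation, approval required, eligible assignments expire within 6 months."""
import re

# Constructed sample: a role policy that still uses the PIM defaults.
SAMPLE_POLICY_RULES = [
    {"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule",
     "id": "Expiration_EndUser_Assignment",
     "isExpirationRequired": True, "maximumDuration": "PT8H"},   # 8h activation
    {"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule",
     "id": "Enablement_EndUser_Assignment",
     "enabledRules": ["Justification"]},                         # no MFA
    {"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule",
     "id": "Approval_EndUser_Assignment",
     "setting": {"isApprovalRequired": False}},                  # no approver
    {"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule",
     "id": "Expiration_Admin_Eligibility",
     "isExpirationRequired": False, "maximumDuration": "P365D"}, # permanent eligible
]

def iso_duration_hours(d: str) -> float:
    """Convert an ISO-8601 duration such as PT2H, PT30M or P180D to hours."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?)?", d)
    if not m:
        raise ValueError(f"unsupported duration {d!r}")
    days, hours, mins = (int(x) if x else 0 for x in m.groups())
    return days * 24 + hours + mins / 60

def audit_pim_policy(rules, max_activation_hours=2, max_eligible_days=180):
    """Return a list of findings; an empty list means the policy follows the advice."""
    by_id = {r["id"]: r for r in rules}
    findings = []
    act = by_id.get("Expiration_EndUser_Assignment", {})
    if iso_duration_hours(act.get("maximumDuration", "PT0H")) > max_activation_hours:
        findings.append(f"activation duration above {max_activation_hours}h")
    enabled = set(by_id.get("Enablement_EndUser_Assignment", {}).get("enabledRules", []))
    for required in ("MultiFactorAuthentication", "Justification"):
        if required not in enabled:
            findings.append(f"{required} not required on activation")
    approval = by_id.get("Approval_EndUser_Assignment", {}).get("setting", {})
    if not approval.get("isApprovalRequired"):
        findings.append("approval not required to activate")
    elig = by_id.get("Expiration_Admin_Eligibility", {})
    too_long = iso_duration_hours(elig.get("maximumDuration", "PT0H")) > max_eligible_days * 24
    if not elig.get("isExpirationRequired") or too_long:
        findings.append("permanent or over-long eligible assignment allowed")
    return findings

if __name__ == "__main__":
    for finding in audit_pim_policy(SAMPLE_POLICY_RULES):
        print("FINDING:", finding)
```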

Role Assignments

Role settings configuration is done, so now it is time to decide who can request this role.

We are going to do this using the Assignments section from the left side menu.

Role assignments configuration

Then click Add assignments on the top menu.

A new screen will open; there, click the No member selected link to open the Select a member window, where you can choose which user should be able to request this role.

Selecting a member for a role

On the Setting tab, decide on the assignment type. My recommendation is to use the Eligible option and leave the duration at the default settings (taken from the role settings – six months).

Final assignment configuration

When done, click Assign to add the first user to the role configuration.

At the end, you should see a screen similar to this.

PIM Azure AD Role assignment summary

That is all from the configuration perspective. If you want to check the role description and permissions, go to the Description section.

PIM Azure AD Role description

Role assignments review

As always, Microsoft provides us with the ability to review who is assigned to which role.

You can check it by going to the following link: https://portal.azure.com/#blade/Microsoft_Azure_PIMCommon/ResourceMenuBlade/members/resourceId//resourceType/tenant/provider/aadroles

PIM Azure AD assignments summary

Role Alerts

If you click, by mistake or on purpose, on the Alerts option placed under the Manage section of the left side menu, you will see recommendations for your tenant regarding PIM usage.

You should take a look here once a month to make sure that all recommendations are resolved.

PIM Azure AD Roles Alerts

Role Discovery and Insights

This is a preview feature from the PIM solution.

Discovery and insights lets you see, in one place, the current state of:

  • Permanent GA assignments
  • High privileged roles assignment
  • Service principals with privileged roles assignments

To use discovery and insights feature, you need to choose Azure AD roles from the Manage section.

PIM overview

To review assignments using the Discovery and insights feature, click Discovery and insights in the left side menu, under the Manage section.

The interesting things are under Discovered assignment in TENANTNAME (in my case Internal LAB).

PIM Discovery and insights

When you click the Reduce global administrators link, you will see who has that role at the moment and can decide who should be onboarded to PIM or removed from this role, and even create access reviews.

Global Administrator role summary

You can see that in my test environment, I have a couple of permanently assigned GAs. Believe me, it is not configured that way all the time; it is just for the purpose of this article – security first!

Let’s go back to the previous screen. If you click on Eliminate standing access, you will be moved to a screen where you can review assignments to other privileged directory roles. Of course, you will be able to create access reviews by clicking one button.

High Privileged roles summary

And here you can see that there is a group configured for a highly privileged role (using Privileged access groups).

Role Access Reviews

If you decide to create access reviews in the section above, you will see them in the Access Reviews section placed under the Manage section.

PIM Azure AD Roles Access Reviews

So, for a quick recap: the discovery and insights feature allows you to check whether there are any permanent assignments for your accounts and service principals.
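The three checks the Discovery and insights blade performs can be reproduced from the Graph API data; this added Python example (not code from the article or from Microsoft) runs them over constructed roleAssignmentScheduleInstance-style records with the principal expanded, using the well-known Azure AD role template IDs.

```python
"""Find standing privileged access the way PIM Discovery and insights does:
permanent Global Administrators, permanent holders of other privileged roles,
and service principals holding privileged roles."""

# Well-known Azure AD role template IDs (the same in every tenant).
GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10"
PRIVILEGED_ROLES = {
    GLOBAL_ADMIN: "Global Administrator",
    "194ae4cb-b126-40b2-bd5b-6091b380977d": "Security Administrator",
    "29232cdf-9323-42fd-ade2-1d097af3e4de": "Exchange Administrator",
}

# Constructed sample in the shape of
# GET /roleManagement/directory/roleAssignmentScheduleInstances?$expand=principal
SAMPLE_INSTANCES = [
    {"principal": {"@odata.type": "#microsoft.graph.user", "displayName": "Adele"},
     "roleDefinitionId": "194ae4cb-b126-40b2-bd5b-6091b380977d",
     "assignmentType": "Activated", "endDateTime": "2021-03-01T11:00:00Z"},  # JIT, fine
    {"principal": {"@odata.type": "#microsoft.graph.user", "displayName": "Administrator"},
     "roleDefinitionId": GLOBAL_ADMIN,
     "assignmentType": "Assigned", "endDateTime": None},                     # permanent GA
    {"principal": {"@odata.type": "#microsoft.graph.user", "displayName": "Bob"},
     "roleDefinitionId": "194ae4cb-b126-40b2-bd5b-6091b380977d",
     "assignmentType": "Assigned", "endDateTime": None},                     # permanent SecAdmin
    {"principal": {"@odata.type": "#microsoft.graph.servicePrincipal",
                   "displayName": "mail-automation-app"},
     "roleDefinitionId": "29232cdf-9323-42fd-ade2-1d097af3e4de",
     "assignmentType": "Assigned", "endDateTime": None},                     # SP with admin role
]

def find_standing_access(instances):
    """Return the three Discovery and insights lists as (principal, role) tuples."""
    report = {"permanent_global_admins": [], "permanent_privileged": [], "service_principals": []}
    for inst in instances:
        role = PRIVILEGED_ROLES.get(inst["roleDefinitionId"])
        if role is None:
            continue  # not a role we consider privileged
        entry = (inst["principal"]["displayName"], role)
        is_sp = inst["principal"]["@odata.type"].endswith("servicePrincipal")
        # Activations always carry an end time; only direct assignments without one are standing.
        permanent = inst["assignmentType"] == "Assigned" and inst.get("endDateTime") is None
        if is_sp:
            report["service_principals"].append(entry)
        if permanent and inst["roleDefinitionId"] == GLOBAL_ADMIN:
            report["permanent_global_admins"].append(entry)
        elif permanent:
            report["permanent_privileged"].append(entry)
    return report
```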

PIM for Azure Resources

As with Azure AD roles, you can use PIM to control Azure resource role assignments.

The whole process (assignments, alerts, access reviews, role configuration) looks the same as for Azure AD roles.
There is only one difference: you first need to discover the Azure resources.

Unfortunately, I did that in my lab so, I cannot provide screenshots for now – but I will figure out something in one week 🙂

Test in LAB

We have configured some settings for PIM; let’s try it in the field.

I will use two accounts:

  • Adele – an employee who will request Security Administrator Role and Network Contributor role for Azure resources,
  • Administrator – an employee who will decide to accept or reject requests.

Adele’s assigned roles before PIM use.

Assigned roles to user.

Requesting Roles

Whether you are configuring PIM or requesting a role, you should always use the Azure portal: https://portal.azure.com/#blade/Microsoft_Azure_PIMCommon/CommonMenuBlade/quickStart/defaultMenuId/quickStart

I’m logging in to the portal with Adele’s credentials.

To request roles, use My roles, available under the Tasks section.

PIM user experience

Under the Activate section you can choose from one of three types of assignments:

  • Azure AD Roles
  • Privileged access groups
  • Azure resources

Azure AD Roles

Review which roles are eligible and decide which to request. I will request the Security Administrator role by clicking Activate in the Action column.

Activating role via PIM

In the Activate – Security Administrator window, fill in the required fields and click Activate.

Activating role via PIM

After clicking Activate, my request goes to the approver.

Role pending approval.

At the same time, the approver received this email:

PIM email notification

After clicking the link from the email message, the approver can review the requests list and decide either to approve or deny.

Approving request

Right after the request was approved, two more email notifications were sent.

Role activation notification

Cool, isn’t it? We can receive emails about who requested a specific role, when, and even who approved it!

When the request was approved, Adele was asked to complete the MFA prompt, and right after that we can see that the Security Administrator role was assigned to her account.

Assigned roles for a user

Starting from now Adele can perform all tasks related to the Security Administrator role.

Azure resources roles

Requesting resource roles follows the same workflow as for Azure AD roles.

The only difference is that it will be visible from the Resource Group perspective.

The images below depict the process in a nutshell:

Subscription RBAC before PIM request
Requesting resource role
Choosing assignment scope
Active assignment

I’m wondering if you noticed one cool thing – you can choose where the resource role will be applied: resource groups or individual resources. It gives you awesome granularity.

I’d like to thank you for reading it till the end.

As always, if you have any questions, feel free to comment on this article or reach me via LinkedIn.
