Azure AD Privileged Identity Management



Intro

Privileged Identity Management (PIM) is a service in Azure Active Directory (Azure AD) that enables you to manage, control, and monitor access to important resources in your organization.


Documentation



Tips and Tidbits

  • You need a Premium P2 license to use Privileged Identity Management (PIM).

  • Privileged Identity Management (PIM) is a service in Azure Active Directory (Azure AD) that enables you to manage, control, and monitor access to important resources in your organization.

  • Minimize the number of people who have access to secure information or resources.

  • Give users just-in-time privileged access to Azure and Azure AD resources, and oversee what those users do with their privileged access.

  • Provide just-in-time (JIT) privileged access to Azure AD and Azure resources

  • Assign time-bound access to resources using start and end dates (can be used, for example, to grant temporary access to QA testers who need admin privileges)

  • Require approval to activate privileged roles

  • Enforce multi-factor authentication to activate any role

  • Use justification to understand why users activate

  • Get notifications when privileged roles are activated

  • Conduct access reviews to ensure users still need roles

    • Can be used for Azure AD roles, Azure resource roles, or privileged access groups

      • Azure Resource roles can be scoped to different Azure resources

    • You can use Azure Active Directory (Azure AD) Privileged Identity Management (PIM) to create access reviews for privileged access to Azure resource and Azure AD roles.

    • You can also configure recurring access reviews that occur automatically. 

    • To create access reviews for Azure resources, you must be assigned to the Owner or the User Access Administrator role for the Azure resources.

    • To create access reviews for Azure AD roles, you must be assigned to the Global Administrator or the Privileged Role Administrator role

    • Create an access review of Azure resource and Azure AD roles in PIM

  • Download audit history for internal or external audit

  • Prevents removal of the last active Global Administrator role assignment

  • PIM can be used to identify the admin users who have not signed in during the past 30 days
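The two review items above (admins with no sign-in in 30 days, and the rule that the last active Global Administrator assignment can never be removed) can be turned into a small cleanup planner. The following Python is an added example, not code from the page or from Microsoft; the assignment records are constructed to resemble a flattened export of PIM assignments joined with each account's last sign-in, and the `plan_removals` guard mirrors PIM's own protection so that a script never even attempts to drop the last active Global Administrator.

```python
from datetime import datetime, timedelta, timezone

GLOBAL_ADMIN = "Global Administrator"
STALE_AFTER = timedelta(days=30)  # the 30-day window from the PIM stale-admin report

# Constructed sample data (hypothetical tenant, not a real export):
# one row per role assignment, with the account's last sign-in timestamp.
SAMPLE_ASSIGNMENTS = [
    {"upn": "alice@contoso.example", "role": GLOBAL_ADMIN,             "state": "active",   "last_sign_in": "2024-03-01T09:00:00Z"},
    {"upn": "bob@contoso.example",   "role": GLOBAL_ADMIN,             "state": "active",   "last_sign_in": "2023-11-15T12:30:00Z"},
    {"upn": "carol@contoso.example", "role": GLOBAL_ADMIN,             "state": "eligible", "last_sign_in": "2024-02-28T08:15:00Z"},
    {"upn": "dave@contoso.example",  "role": "Security Administrator", "state": "active",   "last_sign_in": None},
    {"upn": "erin@contoso.example",  "role": "User Administrator",     "state": "eligible", "last_sign_in": "2024-01-02T17:45:00Z"},
]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp ('...Z'); None means the account never signed in."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def stale_admins(assignments, now_iso, stale_after=STALE_AFTER):
    """Return the assignments whose principal has not signed in within stale_after of now_iso.
    Accounts that never signed in count as stale."""
    cutoff = parse_ts(now_iso) - stale_after
    stale = []
    for a in assignments:
        last = parse_ts(a["last_sign_in"])
        if last is None or last < cutoff:
            stale.append(a)
    return stale


def plan_removals(assignments, candidates):
    """Split candidates into (removable, blocked) so that at least one active
    Global Administrator assignment always survives, as PIM itself enforces."""
    active_ga = sum(1 for a in assignments
                    if a["role"] == GLOBAL_ADMIN and a["state"] == "active")
    removable, blocked = [], []
    for c in candidates:
        if c["role"] == GLOBAL_ADMIN and c["state"] == "active":
            if active_ga <= 1:
                blocked.append(c)
                continue
            active_ga -= 1
        removable.append(c)
    return removable, blocked


if __name__ == "__main__":
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    stale = stale_admins(SAMPLE_ASSIGNMENTS, now)
    removable, blocked = plan_removals(SAMPLE_ASSIGNMENTS, stale)
    for a in removable:
        print(f"review/remove: {a['upn']} ({a['role']}, {a['state']})")
    for a in blocked:
        print(f"blocked (last active GA): {a['upn']}")
```

Run as-is it reports every sample account as stale (the sample timestamps are all in the past relative to today); the interesting case is the one where the only remaining active Global Administrators are themselves stale, which the planner keeps rather than removes so the tenant is never left without one.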



Multifactor authentication and Privileged Identity Management


  • You can require that users (e.g. administrators) complete a multifactor authentication challenge when they sign in.

    • (but doesn’t use conditional access?)

  • You can also require that users complete a multifactor authentication challenge when they activate a role in Azure Active Directory (Azure AD) Privileged Identity Management (PIM).

    • This way, even if the user didn't complete multifactor authentication when they signed in, they'll be asked to do it by Privileged Identity Management.


Right now, Azure AD Multi-Factor Authentication only works with work or school accounts, not Microsoft personal accounts (usually a personal account that's used to sign in to Microsoft services such as Skype, Xbox, or Outlook.com). Because of this, anyone using a personal account can't be an eligible administrator, because they can't use multifactor authentication to activate their roles.
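The activation requirements discussed on this page (MFA on activation, justification, approval, time-bound activation) live in each role's PIM role settings. The Python below is an added example, not code from the page or from Microsoft: it audits a set of role-setting policies and lists which of those controls a role is missing. The sample policies are constructed to resemble the rule shape of the Microsoft Graph `unifiedRoleManagementPolicy` resource (rule ids such as `Enablement_EndUser_Assignment`); the set of controls treated as required is taken from this page's bullets and is an assumption of the example, not a Microsoft default.

```python
import json

# Constructed sample modelled on Graph's unifiedRoleManagementPolicy "rules" array
# (hypothetical tenant data; the rule ids follow Graph's naming, the values are made up).
SAMPLE_POLICIES = json.loads("""
[
  {"displayName": "Global Administrator", "rules": [
    {"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule",
     "id": "Enablement_EndUser_Assignment",
     "enabledRules": ["MultiFactorAuthentication", "Justification"]},
    {"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule",
     "id": "Approval_EndUser_Assignment",
     "setting": {"isApprovalRequired": true}},
    {"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule",
     "id": "Expiration_EndUser_Assignment",
     "isExpirationRequired": true, "maximumDuration": "PT8H"}
  ]},
  {"displayName": "Security Administrator", "rules": [
    {"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule",
     "id": "Enablement_EndUser_Assignment",
     "enabledRules": ["Justification"]},
    {"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule",
     "id": "Approval_EndUser_Assignment",
     "setting": {"isApprovalRequired": false}},
    {"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule",
     "id": "Expiration_EndUser_Assignment",
     "isExpirationRequired": true, "maximumDuration": "PT4H"}
  ]},
  {"displayName": "Helpdesk Administrator", "rules": [
    {"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule",
     "id": "Expiration_EndUser_Assignment",
     "isExpirationRequired": false, "maximumDuration": "PT8H"}
  ]}
]
""")

# Controls this page says PIM can enforce at activation; requiring all of them
# for every role is this example's assumption.
REQUIRED_ON_ACTIVATION = {"MultiFactorAuthentication", "Justification"}


def rule_by_id(policy, rule_id):
    """Find one rule of a policy by its Graph rule id, or None if the policy lacks it."""
    for rule in policy.get("rules", []):
        if rule.get("id") == rule_id:
            return rule
    return None


def audit_policy(policy):
    """Return a sorted-by-check list of gaps in a role's activation settings."""
    gaps = []
    enablement = rule_by_id(policy, "Enablement_EndUser_Assignment")
    enabled = set(enablement.get("enabledRules", [])) if enablement else set()
    for missing in sorted(REQUIRED_ON_ACTIVATION - enabled):
        gaps.append(f"activation does not require {missing}")

    approval = rule_by_id(policy, "Approval_EndUser_Assignment")
    if not (approval and approval.get("setting", {}).get("isApprovalRequired")):
        gaps.append("activation does not require approval")

    expiration = rule_by_id(policy, "Expiration_EndUser_Assignment")
    if not (expiration and expiration.get("isExpirationRequired")):
        gaps.append("activation is not time-bound")
    return gaps


def audit_all(policies):
    """Map each role display name to its list of gaps (empty list = all controls present)."""
    return {p["displayName"]: audit_policy(p) for p in policies}


if __name__ == "__main__":
    for role, gaps in audit_all(SAMPLE_POLICIES).items():
        print(f"{role}: {'OK' if not gaps else '; '.join(gaps)}")
```

The checks read only the three rule ids that govern end-user activation of an eligible assignment; a real audit would pull the policies for each role via Graph and would also look at the assignment-side rules (who may be made eligible, and for how long), which this example does not cover.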