This last post of the Identity Governance series grants elevated privileges to a user account in Azure (AD) with the Azure AD Privileged Identity Management (PIM) feature. Because security is a hot topic these days, we want to make sure that a workload-specific administrator gets only the rights that workload needs. PIM helps us manage, monitor, and audit access to sensitive Azure (AD) resources.
PIM keeps you in control of when elevated permissions are activated. You can, for example, configure an activation duration (how long the elevated permissions stay active) and an approval process in which one of the designated approvers must act before the role is activated; the approver can approve or deny the request. When approved, the user receives the requested rights for the requested activation time.
Prerequisites
- Azure AD Premium P2 license (a 30-day free trial is available for testing this feature).
- Privileged Role Administrator role.
- Recommended: a security group or Microsoft 365 group to which the administrative roles are assigned.*
- Optional: Privileged Access groups (in preview at the time of writing); these will be discussed in my next blog post.
* You can also assign Azure AD roles to an individual user account.
What PIM offers
- Just-in-time (JIT) access: the role is active only when necessary.
- Just-enough administration: only the rights an administrator actually needs are configured.
- An activation approval process.
- Notification when someone activates an administrative role.
- Periodic access reviews for selected or all PIM-managed administrative roles.
- Insight into the activation and use of administrative roles.
- No more permanent (standing) role membership.
- Enforcement of multi-factor authentication upon activation.
- Stay in control through the audit logs.
- Assignment of administrative roles to an Azure AD security group or Microsoft 365 group.
In the demonstration below, we assign elevated permissions to a security group so that its members can activate the SharePoint Administrator role.
Creating a security group
- Browse to the Azure Portal > Azure Active Directory > Groups > New Group and create a Security group. Make sure you set Azure AD roles can be assigned to the group to Yes; this makes the group role-assignable, so an Azure AD role can be assigned to it. If the setting is left at No, you cannot assign roles to the security group, and the setting cannot be changed after the group has been created. Note that the membership of a role-assignable group can only be managed by Global Administrators, Privileged Role Administrators and the group's owners, which is exactly what you want: otherwise anyone who can add members to the group could hand out the role.
Accessing the Privileged Identity Management feature
- Now browse to the Privileged Identity Management section: in the Azure Portal, search the top bar for Azure AD Privileged Identity Management and click on it.
- On the default PIM page, click Azure AD roles under Manage.
- On the Azure AD roles page, choose Assignments under Manage.
Assigning the Azure AD roles to the security group
- We have two options when assigning a role to a security group: Eligible assignments and Active assignments. The difference:
Eligible assignment (preferred): the member must activate the role and only holds it after activation (and after any MFA, justification or approval the role settings require).
Active assignment: the member holds the role permanently and does not need to request activation.
We prefer eligible over active assignments for a simple security reason: a standing privileged role is a standing target, so permanent roles should not be assigned to accounts except where unavoidable, e.g. a break-glass account or a service principal that has to run unattended.
- Now click Add assignment (under Eligible assignments). We assign the SharePoint Administrator role to the security group created earlier.
- Click Next to review the settings for this assignment. Here you can make the eligibility valid for a specific period only, which is useful when, for example, an external company works on a project with a fixed end date. In my case, we configure permanent eligibility, which simply means that the role can be requested for an indefinite period.
- Finish the configuration by clicking Assign.
When a member of the SG-UG-SharePointAdmin group signs in to the Azure Portal and opens the Privileged Identity Management section, the configured role is listed under the user's eligible roles and can be activated with the Activate button.
Because I have modified the settings of this Azure AD role to require Azure MFA upon activation, the user cannot activate the SharePoint Administrator role without completing an Azure MFA challenge. In my case, Azure MFA has not yet been set up for this user, which is why the portal first asks for additional verification. If MFA is not required for the role, the role is activated right after the reason has been filled in (or, when an approval process is configured, once an approver has approved the request).
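The same walk-through (role-assignable group, permanent eligible assignment, activation by a member) done from PowerShell, as an added example that is not part of the original post. It uses the Microsoft Graph PowerShell SDK (modules Microsoft.Graph.Groups and Microsoft.Graph.Identity.Governance); the group name, justification text and the 4-hour activation window are assumptions for the demo, and the two functions are meant to be run under two different sign-ins (a Privileged Role Administrator, then a group member).

```powershell
# Added example, not from the original post. Assumptions: Microsoft Graph PowerShell SDK
# installed, group/role names and the PT4H window are demo values.

# ---- Administrator side: run as a Privileged Role Administrator ----------------
function New-PimEligibleGroupAssignment {
    param(
        [string]$GroupName = 'SG-UG-SharePointAdmin',
        [string]$RoleName  = 'SharePoint Administrator'
    )
    Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'RoleManagement.ReadWrite.Directory'

    # A role-assignable group must be created with isAssignableToRole = true;
    # the flag cannot be changed afterwards, so an ordinary security group will not do.
    $group = New-MgGroup -DisplayName $GroupName -MailNickname $GroupName `
                         -MailEnabled:$false -SecurityEnabled -IsAssignableToRole

    # Resolve the built-in role by display name instead of hard-coding its template ID.
    $role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$RoleName'"

    # Eligible (not active) assignment, permanent eligibility, tenant-wide scope ('/').
    # For a project with an end date use Expiration = @{ Type = 'afterDateTime'; EndDateTime = <date> }.
    New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -Action 'adminAssign' `
        -PrincipalId $group.Id -RoleDefinitionId $role.Id -DirectoryScopeId '/' `
        -Justification "Eligible $RoleName for members of $GroupName" `
        -ScheduleInfo @{
            StartDateTime = (Get-Date).ToUniversalTime()
            Expiration    = @{ Type = 'noExpiration' }
        }

    # Check: the group must now appear as an eligible principal for the role.
    Get-MgRoleManagementDirectoryRoleEligibilitySchedule `
        -Filter "roleDefinitionId eq '$($role.Id)' and principalId eq '$($group.Id)'"
}

# ---- Member side: run as a member of the group (a separate sign-in) ------------
function Request-PimRoleActivation {
    param(
        [string]$RoleName = 'SharePoint Administrator',
        [string]$Reason   = 'Ticket 1234: change tenant-wide sharing settings',  # constructed text
        [string]$Duration = 'PT4H'  # ISO 8601; may not exceed the role's maximum activation duration
    )
    Connect-MgGraph -Scopes 'RoleEligibilitySchedule.Read.Directory',
                            'RoleAssignmentSchedule.ReadWrite.Directory', 'User.Read'

    $me = Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/v1.0/me'

    # List what the signed-in user is eligible for; eligibility inherited through the
    # group is included, so the user never needs to know the group exists.
    $eligible = (Invoke-MgGraphRequest -Method GET -Uri ('https://graph.microsoft.com/v1.0/roleManagement/directory/' +
        "roleEligibilityScheduleInstances/filterByCurrentUser(on='principal')?`$expand=roleDefinition")).value
    $target = $eligible | Where-Object { $_.roleDefinition.displayName -eq $RoleName }
    if (-not $target) { throw "Signed-in user is not eligible for '$RoleName'" }

    # selfActivate is subject to the role's PIM settings: MFA, justification,
    # approval and the maximum activation duration configured for the role.
    $request = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -Action 'selfActivate' `
        -PrincipalId $me.id -RoleDefinitionId $target.roleDefinitionId -DirectoryScopeId '/' `
        -Justification $Reason `
        -ScheduleInfo @{
            StartDateTime = (Get-Date).ToUniversalTime()
            Expiration    = @{ Type = 'afterDuration'; Duration = $Duration }
        }

    # 'Provisioned' means the role is active now; 'PendingApproval' means an approver must act first.
    $request.Status
}
```

When the role requires Azure MFA, the activation call only succeeds with a token that already carries the MFA claim; a token obtained without MFA is rejected with a claims challenge, which is the API-side equivalent of the additional verification the portal asks for.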
Configure additional settings for an Azure AD role upon activation
Since every company has its own needs and wishes regarding activation, we can configure additional PIM settings per Azure AD role. Some examples of settings that you can change or enable:
- Maximum activation duration (in hours).
- Require justification on activation.
- On activation, require Azure MFA.
- Send notifications when members are assigned as eligible or active members of this role.
To configure these settings, browse to the Privileged Identity Management section, click Azure AD roles under Manage, and click Settings under Manage. Here you select the Azure AD role whose activation settings you want to customize.
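The per-role settings from the list above can also be set through the role management policy API; the following is an added example (not from the original post) using the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.Governance). The rule IDs are the fixed names of the built-in policy rules; the 4-hour maximum and the notification address are assumptions for the demo.

```powershell
# Added example, not from the original post. Assumptions: Graph PowerShell SDK installed,
# caller holds Privileged Role Administrator, PT4H and the mail address are demo values.
function Set-PimRoleActivationSettings {
    param(
        [string]$RoleName        = 'SharePoint Administrator',
        [string]$MaxActivation   = 'PT4H',                      # ISO 8601 duration
        [string[]]$ExtraNotifyTo = @('secops@contoso.example')  # constructed address
    )
    Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'RoleManagementPolicy.ReadWrite.Directory'

    $role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$RoleName'"

    # Every Azure AD role has its own policy; find it through the policy assignment for the tenant scope.
    $assignment = Get-MgPolicyRoleManagementPolicyAssignment `
        -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$($role.Id)'"
    $policyId = $assignment.PolicyId

    # The 'target' part of a rule says who it applies to (caller) and at which stage (level).
    function Target([string]$Caller, [string]$Level) {
        @{ caller = $Caller; operations = @('All'); level = $Level
           inheritableSettings = @(); enforcedSettings = @() }
    }

    $rules = @(
        # Maximum activation duration
        @{ '@odata.type' = '#microsoft.graph.unifiedRoleManagementPolicyExpirationRule'
           id = 'Expiration_EndUser_Assignment'; isExpirationRequired = $true
           maximumDuration = $MaxActivation; target = (Target 'EndUser' 'Assignment') }
        # Require Azure MFA and a justification on activation
        @{ '@odata.type' = '#microsoft.graph.unifiedRoleManagementPolicyEnablementRule'
           id = 'Enablement_EndUser_Assignment'
           enabledRules = @('MultiFactorAuthentication', 'Justification')
           target = (Target 'EndUser' 'Assignment') }
        # Mail admins when someone is made eligible for this role
        # (Notification_Admin_Admin_Assignment is the counterpart for active assignments)
        @{ '@odata.type' = '#microsoft.graph.unifiedRoleManagementPolicyNotificationRule'
           id = 'Notification_Admin_Admin_Eligibility'
           notificationType = 'Email'; recipientType = 'Admin'; notificationLevel = 'All'
           isDefaultRecipientsEnabled = $true; notificationRecipients = $ExtraNotifyTo
           target = (Target 'Admin' 'Eligibility') }
    )

    foreach ($rule in $rules) {
        Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
            -UnifiedRoleManagementPolicyRuleId $rule.id -BodyParameter $rule
    }

    # Read back the enablement rule; the SDK returns subtype-specific fields in AdditionalProperties.
    $check = Get-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
        -UnifiedRoleManagementPolicyRuleId 'Enablement_EndUser_Assignment'
    $check.AdditionalProperties['enabledRules']
}
```

Setting the policy is a privileged operation in its own right: whoever can change these rules can remove the MFA and approval requirements, so the Update-MgPolicyRoleManagementPolicyRule calls themselves are worth watching in the audit log.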
To help the organization stay in control, we can configure access reviews, which periodically review the current assignments per Azure AD role. To configure them, browse to the Privileged Identity Management section, click Azure AD roles under Manage, click Access reviews under Manage, and create a New access review.
Some settings that we can configure:
- The scope of the access review (all users and groups, or service principals only).
- The frequency.
- The roles and assignment types.
- Who reviews (selected reviewers, or the members review their own access).
- What to do when a reviewer does not respond.
When you click Start review, it takes you to the PIM section to review the role membership; for each member you either approve or deny the access.
I hope this series on Identity Governance within Azure AD has given you inspiring and usable insights. The main goal of writing series like these is to protect and, of course, inform organizations and admins of the possibilities and, not less important, to make you aware of the powerful tools that Microsoft offers us to protect ourselves against, e.g., privilege escalation.