Important! Let me first state that at the time of writing, Privileged access groups are in preview.
Before starting with the Privileged access group functionality, don't forget to read my previous blog about Privileged Identity Management. Also keep in mind that this preview feature only works with role-assignable groups, that is, groups that were created with the option to assign Azure AD roles to the group enabled (this option cannot be switched on afterwards).
With the new preview feature called Privileged access groups, we can enforce just-in-time access for the owners and members of such a group. For example, one Privileged access group can be assigned multiple Azure AD roles, so a single activation of the group membership activates all of those roles at once. Furthermore, each Privileged access group gets its own activation settings.
Requirements:
- A user with the Global Administrator or Privileged Role Administrator role, or the Owner of the group.
- Every user who is eligible for membership in or ownership of a privileged access group must have an Azure AD Premium P2 license.
Privileged access groups in action
- Let's start by enabling Privileged access for the Security Group. Browse to the Security Group to which the Azure AD roles are assigned and click on Privileged access (preview) under the Activity section.
In my example, this is a group called SG-UG-SharePointAdmin.
- You will receive a message when the selected group has been onboarded successfully for management.
- Now click on Add assignment and select the role you want to assign to the user or group.
- Now we set the assignment type: we can make Christie Eligible or Active for this role. In my case, I make her Eligible to manage this group for one year. Finally, click Assign to save this assignment to the Privileged access group.
Eligible assignment (preferred): the user holds the role only after activating it; until activation, the assignment grants nothing.
Active assignment: the user holds the role permanently for the duration of the assignment and never has to activate it.
We prefer Eligible assignments over permanent ones because they keep standing privileges to a minimum, which is what security regulations ask of us.
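The same onboarding and Eligible assignment can be scripted instead of clicked through the portal. The block below is an added example, not code from the original post, using the Microsoft Graph PowerShell SDK against the beta PIM-for-groups endpoints (`/beta/privilegedAccess/aadGroups`) of the preview API; those endpoints may change once the feature leaves preview. The group name is the one from the post, the user UPN is a placeholder, and the reason text is illustrative. It also adds the check a practitioner wants before onboarding: confirming the group is actually role-assignable.

```powershell
# Added example (not from the original post): onboard a role-assignable group for
# Privileged access and create a one-year Eligible Owner assignment via the beta
# Microsoft Graph PIM-for-groups API. Assumptions: Microsoft.Graph SDK installed,
# group name from the post, placeholder user UPN, preview (beta) endpoints.

Connect-MgGraph -Scopes "Group.Read.All", "User.Read.All", "PrivilegedAccess.ReadWrite.AzureADGroup"

$graph     = "https://graph.microsoft.com/beta/privilegedAccess/aadGroups"
$groupName = "SG-UG-SharePointAdmin"          # from the post
$userUpn   = "christie.cline@contoso.com"     # placeholder, adjust to your tenant

# 1. Resolve the group and confirm it is role-assignable; the preview only works with such groups.
$group = Get-MgGroup -Filter "displayName eq '$groupName'" -Property "id,displayName,isAssignableToRole"
if (-not $group) { throw "Group '$groupName' not found" }
if (-not $group.IsAssignableToRole) {
    throw "'$groupName' is not role-assignable (isAssignableToRole=false); Privileged access groups (preview) cannot onboard it"
}
$user = Get-MgUser -UserId $userUpn -Property "id,displayName"

# 2. Onboard (register) the group for Privileged access management.
Invoke-MgGraphRequest -Method POST -Uri "$graph/resources/register" -Body @{ externalId = $group.Id } | Out-Null

# 3. Look up the Owner role definition PIM exposes for this group (the other one is Member).
$roleDefs  = (Invoke-MgGraphRequest -Method GET -Uri "$graph/resources/$($group.Id)/roleDefinitions").value
$ownerRole = $roleDefs | Where-Object { $_.displayName -eq "Owner" }
if (-not $ownerRole) { throw "No Owner role definition returned for $groupName" }

# 4. Create an Eligible (not Active) assignment valid for one year; the user still has to
#    activate it, which is the just-in-time behaviour the post prefers.
$now = [DateTime]::UtcNow
$request = @{
    roleDefinitionId = $ownerRole.id
    resourceId       = $group.Id
    subjectId        = $user.Id
    assignmentState  = "Eligible"     # "Active" would grant the role permanently
    type             = "AdminAdd"
    reason           = "Eligible owner of the SharePoint admin group, reviewed yearly"  # illustrative
    schedule         = @{
        type          = "Once"
        startDateTime = $now.ToString("o")
        endDateTime   = $now.AddYears(1).ToString("o")
    }
}
$result = Invoke-MgGraphRequest -Method POST -Uri "$graph/roleAssignmentRequests" -Body $request
"Request {0} for {1} on {2}: {3}" -f $result.id, $user.DisplayName, $group.DisplayName, $result.status.status

# 5. Verify: list the Eligible assignments that now exist on the group.
(Invoke-MgGraphRequest -Method GET -Uri "$graph/roleAssignments?`$filter=resourceId eq '$($group.Id)' and assignmentState eq 'Eligible'").value |
    Select-Object subjectId, roleDefinitionId, assignmentState, endDateTime
```

The explicit role-assignable check is worth keeping even in a one-off script: a group that was not created with that option cannot be converted, and the failure from the register call is far less clear than the error thrown here.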
Experiencing Privileged Access Groups as an Owner
- Log in to the Azure Portal as the user to whom you assigned the Owner permissions; in my case, this is Christie Cline. Search the top bar for Privileged Identity Management.
- Now select Privileged access groups (preview) under the Manage section.
- In the next screen, we see the Eligible, Active, and Expired assignments of the groups in which we hold a role (either the Member or the Owner role).
Now when we click on Activate, we are assigned the Owner role of this group and can manage its members. In addition, the Azure AD roles assigned to the group become active for the user. Depending on the activation settings you configured, you will also be asked for an additional MFA challenge, an activation reason, and/or an activation duration.
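The Activate click from the user's side, as an added example that is not part of the original post: signed in as the eligible user herself, the script lists her assignments on the group (the same data behind the Eligible, Active, and Expired tabs), refuses to continue if she is not eligible for Owner, and then submits the activation request. It uses the same beta PIM-for-groups endpoints as above; the group name is from the post, the two-hour window and the reason text are illustrative.

```powershell
# Added example (not from the original post): activate an eligible Owner assignment on a
# Privileged access group as the eligible user, via the beta Microsoft Graph PIM-for-groups
# API. Assumptions: delegated sign-in as the user, group name from the post, illustrative
# activation window and reason, preview (beta) endpoints.

Connect-MgGraph -Scopes "Group.Read.All", "User.Read", "PrivilegedAccess.ReadWrite.AzureADGroup"

$graph     = "https://graph.microsoft.com/beta/privilegedAccess/aadGroups"
$groupName = "SG-UG-SharePointAdmin"
$me    = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/me?`$select=id,displayName"
$group = Get-MgGroup -Filter "displayName eq '$groupName'" -Property "id,displayName"
if (-not $group) { throw "Group '$groupName' not found" }

# 1. What am I assigned on this group? Keep only the Eligible entries for the Owner role.
$mine = (Invoke-MgGraphRequest -Method GET -Uri "$graph/roleAssignments?`$filter=subjectId eq '$($me.id)' and resourceId eq '$($group.Id)'").value
$roleDefs  = (Invoke-MgGraphRequest -Method GET -Uri "$graph/resources/$($group.Id)/roleDefinitions").value
$ownerRole = $roleDefs | Where-Object { $_.displayName -eq "Owner" }
$ownerEligible = $mine | Where-Object { $_.assignmentState -eq "Eligible" -and $_.roleDefinitionId -eq $ownerRole.id }
if (-not $ownerEligible) {
    throw "$($me.displayName) has no Eligible Owner assignment on $groupName; nothing to activate"
}

# 2. Activate for two hours with a reason. A UserAdd request for the Active state is the
#    activation; when the role settings require MFA or a justification, the request is
#    rejected until the session has satisfied MFA and a reason is supplied.
$now = [DateTime]::UtcNow
$activation = @{
    roleDefinitionId = $ownerRole.id
    resourceId       = $group.Id
    subjectId        = $me.id
    assignmentState  = "Active"
    type             = "UserAdd"
    reason           = "Adding a new SharePoint administrator to the group"   # illustrative
    schedule         = @{
        type          = "Once"
        startDateTime = $now.ToString("o")
        duration      = "PT2H"       # ISO 8601; capped by the maximum duration in the role settings
    }
}
$result = Invoke-MgGraphRequest -Method POST -Uri "$graph/roleAssignmentRequests" -Body $activation
"Activation {0}: {1} {2}" -f $result.id, $result.status.status, $result.status.subStatus

# 3. Confirm the Active assignment now exists (the portal shows it under the Active tab).
(Invoke-MgGraphRequest -Method GET -Uri "$graph/roleAssignments?`$filter=subjectId eq '$($me.id)' and resourceId eq '$($group.Id)' and assignmentState eq 'Active'").value |
    Select-Object roleDefinitionId, assignmentState, startDateTime, endDateTime
```

Because the activation is bounded by a schedule, the Active assignment listed in step 3 carries an endDateTime; once it passes, the user drops back to Eligible and the Azure AD roles linked to the group are no longer active for her.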
Configure additional activation settings:
- We can configure additional activation settings. To do this, head to the specific Security Group in the Azure Portal and open the Privileged access (preview) section.
- Now click on Settings to configure the activation settings (such as the maximum activation duration and whether MFA and a justification are required) that apply when the Member or Owner role of the group, and with it the linked Azure AD roles, is activated.