What is Microsoft’s Privileged Identity Management?
News | by Sam Barnes | 2 September 2024
As Grey Matter’s Azure Solution Specialist, I receive a lot of questions from customers concerning their Azure subscriptions and how to make the most of them. But some of the most frequently asked questions I receive surround security and access to an environment.
One of the most common questions I answer is how to grant Just Enough Access to stay compliant with a Zero Trust mindset.
How to grant Just Enough Access
There are many points to consider when it comes to granting Just Enough Access. These include enabling Multi-Factor Authentication (MFA) or deploying Conditional Access. However, one of the features you’ll most likely want to use is Privileged Identity Management (PIM). This feature lets you escalate privileges for a set period, offering a just-in-time approach.
A PIM role can be set to passive, so that you elevate to it using strong authentication such as MFA. Or, if the role is set to always active, there is no need to elevate to it each time; instead, you would only have access to it for a set period and at a certain scope.
How does Privileged Identity Management work?
As an example of how Privileged Identity Management roles work: if a user needs access to a specific subscription for a project running over 3 months, you can set those permissions up with an expiry date. This helps reduce the attack surface for any bad actors looking to access your environment.
Building on the example above, PIM’s audit capability enables admins to review what has been done within the role. To make this easier, you can set up PIM roles and assign them to cloud groups and users. Options include sending a notification of each request to yourself or to the user responsible for handling requests, and requiring that a reason be entered before a request can be accepted.
How to license Privileged Identity Management
First things first: before you get started with any of this, make sure you have the correct licences and permissions to enable Privileged Identity Management.
An Entra P2 licence offers a lot of great features such as PIM, risk-based conditional access, vulnerability and risky account detection, and authentication context, to name a few. The latter works well with PIM, enabling users to check their email without being required to perform a strong authentication.
Alternatively, you can get the PIM capability and more from the Entra ID Governance licence, or by enabling an M365 E5 licence or a Microsoft Entra Suite licence. If you’d like to discuss licensing further, please get in touch.
Getting started with Privileged Identity Management
The first steps after licensing PIM depend on whether you’re setting it up for Microsoft 365 or Azure. For Microsoft 365, you need to understand the scope you’ll be applying it to, for example a cloud group or a user. For Azure, however, you should look more closely at the scope you will be applying PIM to.
Do you need PIM at the management group level, subscription level, resource group, or resource level? From the Privileged Identity Management blade in the portal, you can view your roles, including custom roles, and can also view eligible, active and expired roles. From here, you can also access the settings to edit the requirements, including the duration that PIM will be activated, expiry date of assignments and more.
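The subscription-scoped, 3-month example from the section above, and the scope choice discussed here, carried out with the Az PowerShell PIM cmdlets. This is an added example, not code from Grey Matter or Microsoft; the subscription ID and principal object ID are placeholders, the Contributor role and the 2-hour activation window are assumptions, and the activation step assumes the signed-in account is the eligible user.

```powershell
# Added example: eligible (not permanently active) Contributor on one
# subscription for a 3-month project, then a just-in-time activation.
# Requires the Az.Accounts and Az.Resources modules and an Entra P2 licence.
# Both GUIDs are placeholders; replace them with your own values.
Connect-AzAccount | Out-Null

$subscriptionId = "00000000-0000-0000-0000-000000000000"   # placeholder
$principalId    = "11111111-1111-1111-1111-111111111111"   # placeholder user or group object ID
$scope          = "/subscriptions/$subscriptionId"         # subscription-level scope

# Resolve the built-in Contributor role to its full definition ID at this scope.
$roleDef          = Get-AzRoleDefinition -Name "Contributor"
$roleDefinitionId = "$scope/providers/Microsoft.Authorization/roleDefinitions/$($roleDef.Id)"

# 1. Admin side: make the principal eligible and expire the assignment
#    3 months from today, so the access removes itself when the project ends.
$start = (Get-Date).ToUniversalTime()
New-AzRoleEligibilityScheduleRequest `
    -Name ([guid]::NewGuid().ToString()) `
    -Scope $scope `
    -PrincipalId $principalId `
    -RoleDefinitionId $roleDefinitionId `
    -RequestType AdminAssign `
    -ScheduleInfoStartDateTime $start `
    -ExpirationType AfterDateTime `
    -ExpirationEndDateTime $start.AddMonths(3) `
    -Justification "Contributor for the 3-month migration project"

# 2. Check what is eligible (as opposed to active) at this scope.
Get-AzRoleEligibilitySchedule -Scope $scope |
    Where-Object PrincipalId -eq $principalId |
    Select-Object RoleDefinitionDisplayName, Status, EndDateTime

# 3. User side: activate just-in-time for two hours with a reason.
#    Any MFA or approval requirement comes from the role's PIM settings
#    in the portal; this request simply has to satisfy them.
New-AzRoleAssignmentScheduleRequest `
    -Name ([guid]::NewGuid().ToString()) `
    -Scope $scope `
    -PrincipalId $principalId `
    -RoleDefinitionId $roleDefinitionId `
    -RequestType SelfActivate `
    -ScheduleInfoStartDateTime (Get-Date).ToUniversalTime() `
    -ExpirationType AfterDuration `
    -ExpirationDuration "PT2H" `
    -Justification "Deploying a storage account for the project"
```

Pointing `-Scope` at a resource group or management group path instead of the subscription path applies the same eligible assignment at that scope.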
Another helpful way to use Privileged Identity Management is to create a group with specific permissions that are needed some of the time, but not 100% of the time. To achieve this, you can give the group the ability to assign AD roles. You can then add users to that group as eligible or active members, so that they use PIM to elevate into the group.
To wrap up, the features discussed in this blog post are essential to ensure that you’re able to grant just enough access and nothing more and verify explicitly the actions your users are taking. If you’d like to discuss or license the tools or features I’ve covered in this blog post, get in touch.