What is Microsoft’s Privileged Identity Management?
News|by Sam Barnes|2 September 2024
As Grey Matter’s Azure Solution Specialist, I receive a lot of questions from customers concerning their Azure subscriptions and how to make the most of them. But some of the most frequently asked questions I receive surround security and access to an environment.
One of the most common questions I answer is how to grant Just Enough Access to stay compliant with a Zero Trust mindset.
How to grant Just Enough Access
There are many points to consider when it comes to granting Just Enough Access. These include enabling Multi-Factor Authentication (MFA) and deploying Conditional Access. However, the feature you are most likely to want is Privileged Identity Management (PIM). PIM lets a user hold a privileged role only for a set period and only after activating it, a just-in-time approach rather than standing privilege.
A PIM assignment is either eligible or active. An eligible assignment grants nothing until the user activates it, and activation can be gated on strong authentication such as MFA, a justification, or an approver. An active assignment applies immediately with no activation step. Either kind can be permanent or given an expiry date, and both are always bound to a specific scope.
How does Privileged Identity Management work?
As an example of how Privileged Identity Management's roles work, if a user needs access to a specific subscription for a project lasting 3 months, you can set up the assignment so that it expires at the end of the project. Privilege that lapses on its own reduces the attack surface available to anyone who later compromises that account.
To add to the above example, PIM's audit history records who was assigned, who activated and who approved each role, when, and with what justification; what the user then did while the role was active is recorded in the Azure activity log. To make administration easier, you can set up PIM roles and assign them to cloud groups as well as to individual users. Options include sending a notification of each request to yourself or to the person responsible for handling requests, and requiring that a reason be entered before a request can be accepted.
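The 3-month example above, worked through with the Az PowerShell module (Az.Accounts and Az.Resources). This is an added example and not code from the original post; the subscription ID, the user's object ID and the choice of the Contributor role are placeholders to replace, and the output property names in the final listing are assumed from the PIM REST schema.

```powershell
# Added example: a time-bound, eligible PIM assignment at subscription scope,
# a self-activation with justification, and a review of what is assigned.
# Assumes the Az.Accounts and Az.Resources modules are installed and that the
# signed-in account may manage role assignments at the scope.
Connect-AzAccount | Out-Null

$subscriptionId = "00000000-0000-0000-0000-000000000000"   # placeholder
$scope          = "/subscriptions/$subscriptionId"
$principalId    = "11111111-1111-1111-1111-111111111111"   # placeholder user (or group) object ID

# Role definitions are referenced by their full resource ID, not just the GUID.
$roleGuid         = (Get-AzRoleDefinition -Name "Contributor").Id
$roleDefinitionId = "$scope/providers/Microsoft.Authorization/roleDefinitions/$roleGuid"

# 1. Make the user ELIGIBLE for Contributor on the subscription for three months.
#    Eligible means no standing privilege: the user must activate it each time,
#    and the whole eligibility disappears when the project ends.
$now = Get-Date
New-AzRoleEligibilityScheduleRequest `
    -Name (New-Guid).Guid `
    -Scope $scope `
    -PrincipalId $principalId `
    -RoleDefinitionId $roleDefinitionId `
    -RequestType AdminAssign `
    -ScheduleInfoStartDateTime $now `
    -ExpirationType AfterDateTime `
    -ExpirationEndDateTime $now.AddMonths(3) `
    -Justification "Three-month project engagement on this subscription"

# 2. What the user does when they need the role (run in the user's own session):
#    a self-activation for an 8-hour window. The justification is stored in the
#    PIM audit history, and any MFA or approval requirement in the role settings
#    is enforced at this point.
New-AzRoleAssignmentScheduleRequest `
    -Name (New-Guid).Guid `
    -Scope $scope `
    -PrincipalId $principalId `
    -RoleDefinitionId $roleDefinitionId `
    -RequestType SelfActivate `
    -ScheduleInfoStartDateTime (Get-Date) `
    -ExpirationType AfterDuration `
    -ExpirationDuration "PT8H" `
    -Justification "Deploying release to the project subscription"

# 3. Review: eligible and active schedules at this scope, with their end dates.
#    Anything with no EndDateTime is a permanent assignment and worth a second look.
Get-AzRoleEligibilitySchedule -Scope $scope -Filter "atScope()" |
    Select-Object PrincipalId, RoleDefinitionId, Status, StartDateTime, EndDateTime
Get-AzRoleAssignmentSchedule -Scope $scope -Filter "atScope()" |
    Select-Object PrincipalId, RoleDefinitionId, AssignmentType, StartDateTime, EndDateTime
```

Step 1 runs as an administrator; step 2 must run as the eligible user, since a self-activation is a request on the caller's own identity. Activation requests also go through PIM's role settings for that role and scope, so if those require MFA or an approver, the cmdlet returns a pending request rather than an active role.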
How to license Privileged Identity Management
First thing’s first, before you get started with any of this, you need to ensure you have the correct licences and permissions to enable Privileged Identity Management.
A Microsoft Entra ID P2 licence includes PIM alongside risk-based Conditional Access, risky-user and risky sign-in detection, and authentication context, to name a few. Authentication context works well with PIM: a Conditional Access policy can demand a stronger authentication (for example phishing-resistant MFA or a compliant device) only when a user activates a privileged role, so that everyday tasks such as checking email do not trigger that extra step.
Alternatively, you can get the PIM capability and more with a Microsoft Entra ID Governance licence, a Microsoft 365 E5 licence or the Microsoft Entra Suite. If you'd like to discuss licensing further, please get in touch.
Getting started with Privileged Identity Management
The first steps after licensing PIM depend on whether you're setting it up for Microsoft 365 or Azure. For Microsoft 365 and Microsoft Entra roles, you need to decide who the assignment targets, for example a cloud group or an individual user. For Azure resource roles, you should think more carefully about the scope you will be applying PIM to.
Do you need PIM at the management group level, subscription level, resource group, or resource level? From the Privileged Identity Management blade in the portal, you can view your roles, including custom roles, and can also view eligible, active and expired assignments. From here, you can also open the role settings to edit the requirements, including the maximum activation duration, whether MFA, a justification or approval is needed to activate, the expiry date of assignments and more.
The other helpful way to use Privileged Identity Management is to create a group for permissions that are needed some of the time but not 100% of the time. To achieve this, create a role-assignable group (the option that lets Microsoft Entra roles be assigned to it), assign the directory role to the group, and then make users eligible or active members of that group through PIM for Groups. A user who activates their membership gains the group's role for the activation window and loses it again when that window ends.
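The role-assignable group pattern just described, as an added example rather than code from the original post, using the Microsoft Graph PowerShell SDK (Microsoft.Graph.Groups and Microsoft.Graph.Identity.Governance). The group name, the Exchange Administrator role, the user object ID and the durations are placeholders; the two privilegedAccess/group cmdlet names are assumed to follow the SDK's naming for the identityGovernance/privilegedAccess/group endpoints.

```powershell
# Added example: a role-assignable group that holds an Entra directory role
# permanently, with users made ELIGIBLE for group membership via PIM for Groups.
# Assumes the Microsoft Graph PowerShell SDK is installed and the signed-in
# account can consent to the scopes below.
Connect-MgGraph -Scopes "Group.ReadWrite.All",
                        "RoleManagement.ReadWrite.Directory",
                        "PrivilegedAccess.ReadWrite.AzureADGroup" | Out-Null

# 1. Create the group with IsAssignableToRole set. This flag can only be set at
#    creation time; it is what allows a directory role to be assigned to the group.
$group = New-MgGroup -DisplayName "PIM-Exchange-Admins" `
    -MailEnabled:$false -MailNickname "pim-exchange-admins" `
    -SecurityEnabled:$true -IsAssignableToRole:$true

# 2. Give the group the directory role as a standing (active) assignment.
#    Nobody is a member yet, so the role grants nothing until someone activates.
$roleDef = Get-MgRoleManagementDirectoryRoleDefinition `
    -Filter "displayName eq 'Exchange Administrator'"
New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $group.Id `
    -RoleDefinitionId $roleDef.Id -DirectoryScopeId "/"

# 3. Make a user eligible for membership for six months (administrator action).
$userId = "22222222-2222-2222-2222-222222222222"   # placeholder user object ID
$eligibility = @{
    accessId      = "member"
    principalId   = $userId
    groupId       = $group.Id
    action        = "adminAssign"
    justification = "Mailbox support rota"
    scheduleInfo  = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString("o")
        expiration    = @{
            type        = "afterDateTime"
            endDateTime = (Get-Date).AddMonths(6).ToUniversalTime().ToString("o")
        }
    }
}
New-MgIdentityGovernancePrivilegedAccessGroupEligibilityScheduleRequest -BodyParameter $eligibility

# 4. When the user needs the role they activate membership for four hours
#    (run in the user's own session). Activation is subject to the group's PIM
#    settings: MFA, justification, approval and notifications all apply here.
$activation = @{
    accessId      = "member"
    principalId   = $userId
    groupId       = $group.Id
    action        = "selfActivate"
    justification = "Restoring quarantined mail for a user"
    scheduleInfo  = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString("o")
        expiration    = @{ type = "afterDuration"; duration = "PT4H" }
    }
}
New-MgIdentityGovernancePrivilegedAccessGroupAssignmentScheduleRequest -BodyParameter $activation
```

The design point is that the group, not the user, holds the role, so the role assignment itself never needs to change as people join or leave the rota; only eligibility for membership does. Steps 1 to 3 are administrator actions, step 4 is the user's own request, and the membership (and therefore the role) falls away automatically when the four-hour window ends.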
To wrap up, the features discussed in this blog post are essential to ensure that you’re able to grant just enough access and nothing more and verify explicitly the actions your users are taking. If you’d like to discuss or license the tools or features I’ve covered in this blog post, get in touch.