What is Microsoft’s Privileged Identity Management?
News | by Sam Barnes | 2 September 2024
As Grey Matter’s Azure Solution Specialist, I receive a lot of questions from customers concerning their Azure subscriptions and how to make the most of them. But some of the most frequently asked questions I receive surround security and access to an environment.
One of the most common questions I answer is how to grant Just Enough Access to stay compliant with a Zero Trust mindset.
How to grant Just Enough Access
There are many points to consider when it comes to granting Just Enough Access. These include enabling Multi-Factor Authentication (MFA) and deploying Conditional Access. However, one of the features you’ll most likely want to use is Privileged Identity Management (PIM). PIM lets you elevate privileges for a set period, offering a just-in-time approach.
A PIM role assignment can be eligible (passive), in which case you elevate into the role when you need it, using strong authentication such as MFA. Or, if the assignment is active, there is no need to elevate each time; instead, you hold the role for a set period and at a defined scope.
How does Privileged Identity Management work?
As an example of how Privileged Identity Management’s roles work, if a user requires access to a specific subscription to work on a project over 3 months, you can set it up so that those permissions have an expiry date. This helps to reduce the attack surface for any bad actors looking to access your environment.
Building on that example, PIM’s audit capability enables admins to review what has been done within the role. To make it that much easier, you can set up PIM roles and assign them to cloud groups and users. This includes options to send a notification of each request to yourself or to the user responsible for dealing with requests, as well as the ability to require that a reason be entered before a request can be accepted.
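The lifecycle described above (a time-bound eligible assignment, the just-in-time activation with a recorded reason, and the review of what was requested), as an added example using the Az.Resources PowerShell module; this is not code from the original post or from Microsoft. It assumes you have run `Connect-AzAccount` with an account that can manage PIM at the subscription, and every GUID is a placeholder.

```powershell
# Added example (not from the original post). Assumes Az.Resources and a signed-in account
# that can manage PIM at this scope. The subscription and principal IDs are placeholders.

$subscriptionId = "00000000-0000-0000-0000-000000000000"   # placeholder subscription
$scope          = "/subscriptions/$subscriptionId"
$principalId    = "11111111-1111-1111-1111-111111111111"   # placeholder user or group object ID

# Built-in "Contributor" role, addressed as a full resource ID at the subscription scope
$contributorId    = (Get-AzRoleDefinition -Name "Contributor").Id
$roleDefinitionId = "$scope/providers/Microsoft.Authorization/roleDefinitions/$contributorId"

# 1. Eligible (passive) assignment for a 3-month project: the user holds no permission until
#    they activate, and the eligibility itself expires after 90 days.
New-AzRoleEligibilityScheduleRequest -Name (New-Guid).Guid `
    -Scope $scope -PrincipalId $principalId -RoleDefinitionId $roleDefinitionId `
    -RequestType AdminAssign `
    -ScheduleInfoStartDateTime (Get-Date -Format o) `
    -ExpirationType AfterDuration -ExpirationDuration "P90D" `
    -Justification "Project work: Contributor on the project subscription for 3 months"

# 2. What the project member runs to elevate just-in-time: active for 4 hours, with a reason
#    that is stored against the request.
New-AzRoleAssignmentScheduleRequest -Name (New-Guid).Guid `
    -Scope $scope -PrincipalId $principalId -RoleDefinitionId $roleDefinitionId `
    -RequestType SelfActivate `
    -ScheduleInfoStartDateTime (Get-Date -Format o) `
    -ExpirationType AfterDuration -ExpirationDuration "PT4H" `
    -Justification "Deploying release 1.2 to the project subscription"

# 3. Review. First, the signed-in user's own eligibilities and when they end ...
Get-AzRoleEligibilitySchedule -Scope $scope -Filter "asTarget()" |
    Select-Object PrincipalEmail, RoleDefinitionDisplayName, ScopeDisplayName, EndDateTime

# ... then every activation request at this scope: who asked, why, and whether it was granted.
Get-AzRoleAssignmentScheduleRequest -Scope $scope |
    Select-Object RequestorId, PrincipalEmail, RoleDefinitionDisplayName, RequestType, Status, Justification, CreatedOn
```

The durations are ISO 8601 (`P90D`, `PT4H`). Step 2 succeeds only if the role settings at that scope allow a 4-hour activation and the account satisfies whatever the settings demand (MFA, justification, approval); otherwise the request is rejected or left pending, which step 3 shows in the `Status` column.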
How to license Privileged Identity Management
First things first: before you get started with any of this, you need to ensure you have the correct licences and permissions to enable Privileged Identity Management.
An Entra ID P2 licence offers a lot of great features such as PIM, risk-based Conditional Access, vulnerability and risky-account detection, and authentication context, to name a few. The latter works well with PIM: everyday tasks such as checking email need no strong authentication, while it can still be demanded when a user activates a privileged role.
Alternatively, you can get the PIM capability and more from the Entra ID Governance licence, or by enabling an M365 E5 licence or a Microsoft Entra Suite licence. If you’d like to discuss licensing further, please get in touch.
Getting started with Privileged Identity Management
The first steps after licensing PIM depend on whether you’re setting it up for Microsoft 365 or Azure. For Microsoft 365, you need to understand the scope that you’ll be applying it to, for example a cloud group or a user. For Azure, however, you should consider the scope you will be applying PIM to more closely.
Do you need PIM at the management group level, subscription level, resource group level, or resource level? From the Privileged Identity Management blade in the portal, you can view your roles, including custom roles, and can also view eligible, active and expired assignments. From here, you can also access the settings to edit the requirements, including how long an activation lasts, the expiry date of assignments and more.
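The role settings mentioned above can be edited from the portal, but they are also exposed as a "role management policy" per role and scope. The following is an added example (not code from the original post or from Microsoft) that uses Az.Resources to require MFA and a justification on activation, cap activations at 4 hours, cap eligibilities at 90 days, and email an admin mailbox on every activation. It assumes a signed-in account that can manage PIM at the subscription; the subscription ID and mailbox are placeholders.

```powershell
# Added example (not from the original post). Assumes Az.Resources and Owner or
# User Access Administrator at the scope. Subscription ID and mailbox are placeholders.

$scope            = "/subscriptions/00000000-0000-0000-0000-000000000000"   # placeholder
$contributorId    = (Get-AzRoleDefinition -Name "Contributor").Id
$roleDefinitionId = "$scope/providers/Microsoft.Authorization/roleDefinitions/$contributorId"

# Each role at each scope has one policy assignment; find it to learn which policy to update.
$policyAssignment = Get-AzRoleManagementPolicyAssignment -Scope $scope |
    Where-Object { $_.RoleDefinitionId -eq $roleDefinitionId }
$policyName = ($policyAssignment.PolicyId -split "/")[-1]

# Activation (end-user assignment): must supply a reason and pass MFA ...
$enablement = New-AzRoleManagementPolicyEnablementRuleObject -Id "Enablement_EndUser_Assignment" `
    -RuleType RoleManagementPolicyEnablementRule `
    -EnabledRule "Justification", "MultiFactorAuthentication" `
    -TargetCaller EndUser -TargetLevel Assignment -TargetObject Role -TargetOperation All

# ... and can last at most 4 hours.
$activationMax = New-AzRoleManagementPolicyExpirationRuleObject -Id "Expiration_EndUser_Assignment" `
    -RuleType RoleManagementPolicyExpirationRule -IsExpirationRequired $true -MaximumDuration "PT4H" `
    -TargetCaller EndUser -TargetLevel Assignment -TargetObject Role -TargetOperation All

# Eligibility (admin assignment): no eligibility may be handed out for longer than 90 days.
$eligibilityMax = New-AzRoleManagementPolicyExpirationRuleObject -Id "Expiration_Admin_Eligibility" `
    -RuleType RoleManagementPolicyExpirationRule -IsExpirationRequired $true -MaximumDuration "P90D" `
    -TargetCaller Admin -TargetLevel Eligibility -TargetObject Role -TargetOperation All

# Notify the admin mailbox whenever someone activates this role.
$notify = New-AzRoleManagementPolicyNotificationRuleObject -Id "Notification_Admin_EndUser_Assignment" `
    -RuleType RoleManagementPolicyNotificationRule -NotificationType Email -NotificationLevel All `
    -RecipientType Admin -NotificationRecipient "pim-alerts@example.com" -IsDefaultRecipientEnabled $true `
    -TargetCaller EndUser -TargetLevel Assignment -TargetObject Role -TargetOperation All

Update-AzRoleManagementPolicy -Scope $scope -Name $policyName `
    -Rule @($enablement, $activationMax, $eligibilityMax, $notify)

# Read the policy back to confirm the rules took effect.
(Get-AzRoleManagementPolicy -Scope $scope -Name $policyName).Rule |
    Select-Object Id, RuleType
```

Rules not listed in the `-Rule` array keep their current values, so approval requirements set in the portal are untouched. Run this per role and per scope that matters; a policy at subscription scope does not govern an assignment made directly on a resource group.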
The other helpful way to use Privileged Identity Management is to create a group with specific permissions that are required some of the time, but not 100% of the time. To achieve this, you make the group role-assignable, so that it can hold Entra ID roles. You can then use PIM to make users eligible or active members of the group, so they elevate into the group, and its roles, only when needed.
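The group pattern just described, as an added example using the Microsoft Graph PowerShell module (not code from the original post or from Microsoft): a role-assignable group is created and given an Entra role permanently, and a user is made an eligible member for 90 days so that joining the group is itself a PIM activation. It assumes `Connect-MgGraph` with an account that can manage role-assignable groups and PIM for groups; the user ID and ticket reference are placeholders.

```powershell
# Added example (not from the original post). Assumes Microsoft.Graph PowerShell and an account
# permitted to create role-assignable groups and manage PIM for groups. IDs are placeholders.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "RoleManagement.ReadWrite.Directory", `
    "PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup", "PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup"

# A group can only hold Entra roles if it is created role-assignable; this cannot be switched on later.
$group = New-MgGroup -DisplayName "PIM-Tier1-Helpdesk" -MailNickname "pim-tier1-helpdesk" `
    -MailEnabled:$false -SecurityEnabled -IsAssignableToRole

# The role is assigned to the group, not to people. People only hold it while they are active members.
$roleDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Helpdesk Administrator'"
New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $group.Id `
    -RoleDefinitionId $roleDef.Id -DirectoryScopeId "/"

# Eligible membership for one user, expiring after 90 days (ISO 8601 duration).
$userId = "22222222-2222-2222-2222-222222222222"   # placeholder user object ID
New-MgIdentityGovernancePrivilegedAccessGroupEligibilityScheduleRequest `
    -AccessId member -GroupId $group.Id -PrincipalId $userId `
    -Action adminAssign -Justification "Helpdesk rota for the next quarter" `
    -ScheduleInfo @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = "afterDuration"; duration = "P90D" }
    }

# What the user runs when they need the role: become an active member for 2 hours.
New-MgIdentityGovernancePrivilegedAccessGroupAssignmentScheduleRequest `
    -AccessId member -GroupId $group.Id -PrincipalId $userId `
    -Action selfActivate -Justification "Ticket INC-PLACEHOLDER: password reset for user" `
    -ScheduleInfo @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = "afterDuration"; duration = "PT2H" }
    }

# Review who is currently eligible for this group.
Get-MgIdentityGovernancePrivilegedAccessGroupEligibilitySchedule -Filter "groupId eq '$($group.Id)'" |
    Select-Object PrincipalId, AccessId, Status, ScheduleInfo
```

Because the role sits on the group, an attacker who compromises the user's account outside an activation window finds no standing Helpdesk Administrator permission to use; the activation request, with its justification, is what appears in the PIM audit history.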
To wrap up, the features discussed in this blog post are essential to ensure that you’re able to grant just enough access and nothing more and verify explicitly the actions your users are taking. If you’d like to discuss or license the tools or features I’ve covered in this blog post, get in touch.