What is Microsoft’s Privileged Identity Management?
News | by Sam Barnes | 2 September 2024
As Grey Matter’s Azure Solution Specialist, I receive a lot of questions from customers concerning their Azure subscriptions and how to make the most of them. But some of the most frequently asked questions I receive surround security and access to an environment.
One of the most common questions I answer is how to grant Just Enough Access to stay compliant with a Zero Trust mindset.
How to grant Just Enough Access
There are many points to consider when it comes to granting Just Enough Access. These include enabling Multi-Factor Authentication (MFA) or deploying Conditional Access. However, one of the features you are most likely to want is Privileged Identity Management (PIM). PIM lets you escalate privileges for a set period, offering a just-in-time approach.
A PIM role assignment can be set to passive (eligible, in PIM's terms), so that you elevate into it when needed using strong authentication such as MFA. Alternatively, if the assignment is set to always active, there is no need to elevate into it each time; instead, you hold the role for a set period and at a defined scope.
How does Privileged Identity Management work?
As an example of how Privileged Identity Management's roles work: if a user requires access to a specific subscription for a project lasting 3 months, you can set it up so that those permissions have an expiry date. This reduces the attack surface for any bad actors looking to access your environment, because the access disappears when it is no longer needed.
Building on that example, PIM's audit capability enables admins to review what has been done within the role. To make this easier, you can set up PIM roles and assign them to cloud groups and users. Options include sending a notification of each request to yourself or to the user responsible for handling requests, and requiring that a reason for the request be entered before it can be accepted.
How to license Privileged Identity Management
First things first: before you get started with any of this, you need to ensure you have the correct licences and permissions to enable Privileged Identity Management.
An Entra ID P2 licence offers features such as PIM, risk-based Conditional Access, vulnerability and risky-account detection, and authentication context, to name a few. The latter works well with PIM, as it lets users check their email without being required to perform strong authentication.
Alternatively, you can get the PIM capability and more from the Entra ID Governance licence, or by enabling an M365 E5 licence or a Microsoft Entra Suite licence. If you'd like to discuss licensing further, please get in touch.
Getting started with Privileged Identity Management
The first steps after licensing PIM depend on whether you're setting it up for Microsoft 365 or Azure. For Microsoft 365, you need to understand the scope you'll be applying it to, for example a cloud group or a user. For Azure, you should consider the scope more closely.
Do you need PIM at the management group level, subscription level, resource group level, or resource level? From the Privileged Identity Management blade in the portal, you can view your roles, including custom roles, and see which assignments are eligible, active or expired. From here you can also access the settings to edit the requirements, including how long an activation lasts, the expiry date of assignments, and more.
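As an added example (not code from the original post or from Microsoft's documentation), here is the three-month subscription scenario described above carried out with the Az.Resources PowerShell module: an administrator creates an eligible Contributor assignment that expires after three months, the user activates it just in time for a bounded window, and the schedules and requests are listed for audit. The subscription and principal IDs are placeholders, and step 2 is run by the eligible user rather than the administrator.

```powershell
# Added example, not from the original post. Assumes the Az.Resources module is
# installed and you are signed in (Connect-AzAccount) with PIM administrator rights.
# The IDs below are placeholders, not real values: replace them with your own.
$subscriptionId = "00000000-0000-0000-0000-000000000000"   # placeholder subscription ID
$principalId    = "11111111-1111-1111-1111-111111111111"   # placeholder user or group object ID
$scope          = "/subscriptions/$subscriptionId"         # subscription-level scope

# Resolve the built-in Contributor role to its full definition ID at this scope
$roleDef   = Get-AzRoleDefinition -Name "Contributor"
$roleDefId = "$scope/providers/Microsoft.Authorization/roleDefinitions/$($roleDef.Id)"

# 1. Admin side: make the principal ELIGIBLE (not active) for Contributor on the
#    subscription, with the eligibility expiring automatically three months from now.
$start = Get-Date
New-AzRoleEligibilityScheduleRequest -Name (New-Guid).Guid `
    -Scope $scope `
    -PrincipalId $principalId `
    -RoleDefinitionId $roleDefId `
    -RequestType AdminAssign `
    -ScheduleInfoStartDateTime $start `
    -ExpirationType AfterDateTime `
    -ExpirationEndDateTime $start.AddMonths(3) `
    -Justification "Project X: time-boxed Contributor access for 3 months"

# 2. User side (run as the eligible user): activate the role just in time for a
#    bounded window of 8 hours. PIM enforces the role settings configured in the
#    portal (MFA, approval, required justification) before granting the activation.
New-AzRoleAssignmentScheduleRequest -Name (New-Guid).Guid `
    -Scope $scope `
    -PrincipalId $principalId `
    -RoleDefinitionId $roleDefId `
    -RequestType SelfActivate `
    -ScheduleInfoStartDateTime (Get-Date) `
    -ExpirationType AfterDuration `
    -ExpirationDuration "PT8H" `
    -Justification "Deploying release 1.2 to the project subscription"

# 3. Audit: list who is eligible at this scope and when that eligibility ends,
#    then list activation requests with their status and stated justification.
Get-AzRoleEligibilitySchedule -Scope $scope |
    Select-Object PrincipalId, RoleDefinitionId, Status, StartDateTime, EndDateTime
Get-AzRoleAssignmentScheduleRequest -Scope $scope |
    Select-Object PrincipalId, RequestType, Status, Justification, CreatedOn
```

The eligibility created in step 1 is what the portal shows under "Eligible" in the PIM blade; once the end date passes it moves to "Expired" without any manual clean-up.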
Another helpful way to use Privileged Identity Management is to create a group with specific permissions that are needed some of the time but not all of the time. To achieve this, give the group the ability to assign AD roles, then assign users to the group as eligible or active members so that they use PIM to elevate into it.
To wrap up, the features discussed in this blog post are essential if you want to grant just enough access and nothing more, and to verify explicitly the actions your users are taking. If you'd like to discuss or license the tools or features I've covered in this blog post, get in touch.