Privileged Identity Management in Azure AD and Microsoft 365
Managing user accounts in Azure AD matters most where privileged accounts are concerned: accounts that hold more rights in the environment than ordinary user accounts. In practice these are admin accounts, the accounts of support staff, and any other users with far-reaching privileges.
Why Privileged Identity Management makes sense, and what the service costs
Protecting accounts with elevated privileges is a key factor for the security of cloud services, and it raises the security of every resource in Microsoft 365 and other cloud services that such accounts can reach. Every environment has users who can access a particularly large number of resources or entire applications.
The question is whether these accounts need their rights permanently or only for certain tasks at particular times. In most cases the full set of rights is rarely needed, so it makes sense to withhold it while it is not in use. Then, even if attackers take over an admin account, the account holds no standing privileges: it cannot exercise rights it has not activated, and activation can be gated by multifactor authentication and approval, so the protected resources stay out of reach. An attacker who also controls the second factor, or who hijacks a session in which the role is already active, is not stopped by this, which is why activation windows should be kept short.
Protecting admin accounts is the job of Azure AD Privileged Identity Management (PIM). The service covers roles in Microsoft Azure, in Azure AD and Microsoft 365, and in services such as Microsoft Endpoint Manager.
Attackers who take over privileged accounts in infrastructures that use these services can usually carry out far-reaching, damaging actions, and in hybrid setups the damage can extend into the on-premises data center. PIM therefore also protects cloud services such as Exchange Online and SharePoint Online, along with all other services and resources that companies use in Microsoft Azure and Microsoft 365.
Azure AD PIM requires an Azure AD Premium P2 license, which is also included in bundles such as Microsoft 365 E5 and Enterprise Mobility + Security E5. Microsoft describes exactly which users need a license on the page “Licensing requirements for using Privileged Identity Management”.
Managing Azure AD Privileged Identity Management
Azure AD PIM is managed in the Azure portal. This is accessed via the URL https://portal.azure.com. Searching for “Azure AD Privileged Identity Management” in the portal opens the management interface for the service, which can be used to control access in Microsoft Azure and Microsoft 365 as well as Microsoft Endpoint Manager.
On the service's overview page, “Azure AD roles” lists the directory roles and the options for protecting them. Clicking “Roles” shows the individual roles that carry administrative rights in the environment.
Take Exchange Online as an example: the relevant role is “Exchange Administrator”, since users holding it can manage almost all settings in Exchange Online. Clicking the role shows its current assignments and the administration options for it.
To add user accounts to a role in Azure AD (and thus in Microsoft 365 and Endpoint Manager), click “Add assignments” under “Roles”, choose the role under “Select role”, and under “Select members” pick the user accounts that are to manage Exchange Online or other resources in future, now under PIM's protection.
Control access times and scenarios
Once the role has been selected and the members added, the next step sets the assignment type. “Eligible” means the user must activate the role before using its rights; “Active” grants the rights immediately and should be the exception. Both types can be limited in time so that the assignment expires on a given date instead of being permanent. “Assign” then saves the membership.
Members can be added to and removed from a role's assignment list at any time. When a member is added, they automatically receive an e-mail with details of the assignment.
Opening the role shows its members; “Settings” leads to the role's activation and assignment settings, and “Edit” at the top of the details starts the customization. Here, for example, the accounts that must approve activation requests (the approvers) are defined.
The role settings also determine how long an activation lasts once the approver has granted it (the maximum activation duration), and whether multifactor authentication, a written justification, and a ticket number are required on every activation. MFA should be enforced for all user accounts in Azure AD and Microsoft 365 anyway; PIM adds the requirement at the moment the elevated rights are actually requested, so a password alone is not enough to activate the role.
The lower part of the settings controls the assignment side: whether eligible or active assignments may be permanent or must expire after a set time (permanent eligible assignments are best disabled so that every privilege is re-justified periodically), whether active assignments require MFA and a justification, and which e-mails are sent when a user requests and receives the role.
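The assignment and settings steps above, scripted with the Microsoft Graph PowerShell SDK instead of the portal. This is an added example, not code from the original article or from Microsoft. It assumes a tenant with Azure AD Premium P2, the Microsoft.Graph module installed, and a signed-in account allowed to manage roles; the account name admin-exo@contoso.onmicrosoft.com, the 180-day eligibility window, the four-hour activation limit and the justification text are placeholder values.

```powershell
# Added example: make a user ELIGIBLE (not permanently active) for Exchange Administrator
# and harden the role's activation settings. Assumes the Microsoft.Graph PowerShell SDK and
# an Azure AD Premium P2 tenant; UPN, durations and justification text are placeholders.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "User.Read.All"

$upn      = "admin-exo@contoso.onmicrosoft.com"   # placeholder account
$roleName = "Exchange Administrator"

$user = Get-MgUser -UserId $upn
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
if (-not $user -or -not $role) { throw "User or role not found" }

# 1. Eligible assignment: no standing privilege, and the eligibility itself expires after
#    180 days so it has to be renewed and re-justified.
$eligibility = @{
    Action           = "adminAssign"
    Justification    = "Exchange Online administration, reviewed quarterly"   # placeholder
    RoleDefinitionId = $role.Id
    DirectoryScopeId = "/"            # tenant-wide scope
    PrincipalId      = $user.Id
    ScheduleInfo     = @{
        StartDateTime = (Get-Date).ToUniversalTime()
        Expiration    = @{ Type = "afterDuration"; Duration = "P180D" }   # ISO 8601 duration
    }
}
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $eligibility

# 2. Locate the PIM policy that governs this role at directory scope ...
$policyAssignment = Get-MgPolicyRoleManagementPolicyAssignment `
    -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$($role.Id)'"
$policyId = $policyAssignment.PolicyId

# ... require MFA plus a written reason on every activation ...
$enablement = @{
    "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule"
    enabledRules  = @("MultiFactorAuthentication", "Justification")
}
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId "Enablement_EndUser_Assignment" -BodyParameter $enablement

# ... and cap each activation at four hours.
$expiration = @{
    "@odata.type"        = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"
    isExpirationRequired = $true
    maximumDuration      = "PT4H"
}
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId "Expiration_EndUser_Assignment" -BodyParameter $expiration

# 3. Verify: the user should now appear as eligible, with no active assignment.
Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter "principalId eq '$($user.Id)'" |
    Select-Object RoleDefinitionId, Status, ScheduleInfo
```

The approver list lives in the rule “Approval_EndUser_Assignment” of the same policy and is updated the same way; the two rules shown are the ones that directly limit what a stolen password is worth.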
How administrators request the roles
Once the settings are in place, an eligible admin opens “Activate your role” on PIM's “Quick start” page in the Azure portal (or “My roles”), sees the roles they are eligible for, and starts the activation. The admin must enter a reason, and a ticket number if the role requires one, and can choose a shorter duration than the configured maximum. If the role requires approval, the approver receives an e-mail and approves or rejects the request.
Activation can also be started directly from the “Azure AD roles” management pages. Once the request is approved, the admin receives an e-mail that the role is active; the rights end automatically when the activation duration expires. Every request, approval and activation is recorded in PIM's audit history and in the Azure AD audit logs, so the history of who held which role, when and why can be reviewed later or forwarded to a SIEM.
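A review of that audit trail, as an added example that is not part of the original article. The entries below are constructed for the example and mimic the shape of Azure AD audit-log records (activityDisplayName, loggedByService, initiatedBy, targetResources, additionalDetails) so the script runs offline; live records would come from Get-MgAuditLogDirectoryAudit with the filter shown in the comment. The account names, times and business-hours window are placeholders, and the activity names are taken from PIM's audit events as the author of this example knows them, not from the page.

```powershell
# Added example (not from the original article): flag PIM audit events that undermine
# the just-in-time model. Entries are CONSTRUCTED here; live data can be pulled with
#   Get-MgAuditLogDirectoryAudit -Filter "loggedByService eq 'PIM'"
# Account names, times and the business-hours window are placeholders.
$auditEntries = @(
    @{  # clean activation: justification given, during working hours
        activityDateTime    = "2023-03-01T07:58:00Z"
        activityDisplayName = "Add member to role completed (PIM activation)"
        loggedByService     = "PIM"
        initiatedBy         = @{ user = @{ userPrincipalName = "admin-exo@contoso.onmicrosoft.com" } }
        targetResources     = @(@{ displayName = "Exchange Administrator"; type = "Role" })
        additionalDetails   = @(@{ key = "Justification"; value = "Mail-flow rule change INC-4711" })
    },
    @{  # suspicious: activation at night with an empty justification
        activityDateTime    = "2023-03-02T03:12:00Z"
        activityDisplayName = "Add member to role completed (PIM activation)"
        loggedByService     = "PIM"
        initiatedBy         = @{ user = @{ userPrincipalName = "admin-exo@contoso.onmicrosoft.com" } }
        targetResources     = @(@{ displayName = "Exchange Administrator"; type = "Role" })
        additionalDetails   = @(@{ key = "Justification"; value = "" })
    },
    @{  # suspicious: standing privilege granted by bypassing PIM entirely
        activityDateTime    = "2023-03-02T10:40:00Z"
        activityDisplayName = "Add member to role outside of PIM (permanent)"
        loggedByService     = "PIM"
        initiatedBy         = @{ user = @{ userPrincipalName = "admin-ga@contoso.onmicrosoft.com" } }
        targetResources     = @(@{ displayName = "Global Administrator"; type = "Role" })
        additionalDetails   = @()
    }
)

function Find-PimAuditFindings {
    param(
        [Parameter(Mandatory)] [object[]] $Entries,
        [int] $BusinessHoursStartUtc = 6,    # placeholder working-hours window (UTC)
        [int] $BusinessHoursEndUtc   = 20
    )
    foreach ($e in $Entries) {
        $who           = $e.initiatedBy.user.userPrincipalName
        $role          = ($e.targetResources | Where-Object type -eq "Role" | Select-Object -First 1).displayName
        $when          = ([DateTimeOffset]$e.activityDateTime).UtcDateTime
        $justification = ($e.additionalDetails | Where-Object key -eq "Justification").value
        $isActivation  = $e.activityDisplayName -like "*(PIM activation)*"

        $reasons = @()
        if ($e.activityDisplayName -like "*outside of PIM*") {
            $reasons += "role assigned outside PIM (permanent standing privilege)"
        }
        if ($isActivation -and [string]::IsNullOrWhiteSpace($justification)) {
            $reasons += "activation without justification"
        }
        if ($isActivation -and ($when.Hour -lt $BusinessHoursStartUtc -or $when.Hour -ge $BusinessHoursEndUtc)) {
            $reasons += "activation outside business hours ($($when.ToString('HH:mm')) UTC)"
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Time     = $when
                User     = $who
                Role     = $role
                Activity = $e.activityDisplayName
                Findings = ($reasons -join "; ")
            }
        }
    }
}

# Two of the three constructed entries are reported; the first one passes.
Find-PimAuditFindings -Entries $auditEntries | Format-Table -AutoSize
```

The same function accepts the objects returned by Get-MgAuditLogDirectoryAudit, since PowerShell property lookup is case-insensitive; the “outside of PIM” check is the one worth wiring into an alert, because it means someone granted a permanent role through a path that PIM's approval and MFA rules never saw.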