In Part I of this blog post, I explained how to start with Azure AD Privileged Identity Management and assign privileged administrator roles to administrators. Azure AD PIM takes access control and monitoring to the next level by providing just-in-time administrator access and access reviews. Just-in-time administrator access allows you to grant time-limited access to perform the necessary action. To enable just-in-time access, you have to make the administrator “eligible” for the specified role. By default, a newly assigned role does not make the administrator a permanent administrator for that role until this is enabled intentionally. Once a new role has been assigned, the administrator can activate it in two ways: either by himself or through an approval workflow. By default, all administrative roles become available for an hour. This default time can be set between 30 minutes and 72 hours by changing the configuration settings.
Let's see how to do it. Log in to the Azure AD portal with a subscription administrator identity or an administrator identity that has been enabled for “Privileged Role Administrator”. I am explaining these features by assigning the Password Administrator role to a user to make him Password Administrator for the organization.
Go to the Azure AD directory roles under Azure AD Privileged Identity Management.
Go to Users under Manage and click on Add.
Select “Password Administrator” role.
Now, select the user who will become a password administrator for the organization and click on OK.
Once you have assigned this role, ask this user to log in. You will observe that he can't reset the password of any user.
As explained earlier, the user is made “eligible” for the specified role, but to perform any action he must activate his role. To activate his role, he should go to “My roles” under Tasks in Azure AD PIM. Now, click on Action as highlighted in the snip.
Now, the administrator has to click on “Activate” to activate this role.
Now, the user has to provide a “reason for role activation”. This reason is captured in the logs for audit.
The administrator can see that his role has been activated for the specified time period.
Now, the administrator should try to reset the password.
Once the task is performed, the administrator can deactivate his role as well.
Now, let's see how to change the default configuration settings for the Azure AD directory roles. Go to Settings under Azure AD directory roles and click on “Roles”.
Select the role and review the configuration parameters.
For example, I would like to enable an approval process for role activation. Under “Require approval”, select the “Enable” option and then select the approvers.
Once selected, click on save.
Once the role configuration settings have been modified, you will observe that the role status has changed from “Eligible” to “Request activation”. Click on “Request activation” to activate it.
Now, click on Activate. Once you click on Activate and specify the reason, a request is sent to the approver.
Now, the approver has to log in and go to “Approve requests” under Tasks to approve the request. Select the request and click on Approve.
Now, specify the reason for approving this request and click on Approve.
Once approved, ask your role administrator to verify it. The role administrator will observe that he now has access for the specified time, based on the configuration.
If you want to assign a dedicated role to any administrator, enable him for the specified role permanently. Look at Part I for more details.
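The same eligible assignment, activation and deactivation flow shown above in the portal, and the effect of the approval setting on an activation request, expressed against the Microsoft Graph PIM API. This is an added example, not code from the original post; it assumes the Microsoft.Graph PowerShell SDK is installed, and $UserUpn is a placeholder.

```powershell
# Added example (not from the original post): the Part II workflow via the
# Microsoft Graph PIM API with the Microsoft.Graph PowerShell SDK.
# Assumptions: step 1 runs as a Privileged Role Administrator; steps 2 and 3
# run in a session signed in as the eligible user; $UserUpn is a placeholder.
$UserUpn = 'user@contoso.example'   # placeholder, replace with the target user

Connect-MgGraph -Scopes 'RoleEligibilitySchedule.ReadWrite.Directory',
                        'RoleAssignmentSchedule.ReadWrite.Directory',
                        'RoleManagement.Read.Directory' -NoWelcome

# Resolve the principal and the Password Administrator role definition by
# display name rather than hard-coding the role template GUID.
$user = Get-MgUser -UserId $UserUpn -Property Id
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Password Administrator'"
$base = 'https://graph.microsoft.com/v1.0/roleManagement/directory'
$now  = (Get-Date).ToUniversalTime().ToString('o')

# Step 1 (admin): make the user *eligible*, not a permanent member, as the
# portal does. Eligibility has no expiry here; the privilege itself exists
# only while an activation is running.
$eligibility = @{
    action           = 'adminAssign'
    justification    = 'Part II walkthrough: eligible Password Administrator'
    roleDefinitionId = $role.Id
    directoryScopeId = '/'
    principalId      = $user.Id
    scheduleInfo     = @{ startDateTime = $now; expiration = @{ type = 'noExpiration' } }
}
Invoke-MgGraphRequest -Method POST -Uri "$base/roleEligibilityScheduleRequests" -Body $eligibility

# Step 2 (eligible user, own session): activate for one hour with a reason.
# The justification is written to the audit log, as in the portal flow. If the
# role setting "Require approval" is enabled, this request stays pending until
# an approver acts on it instead of granting access immediately.
$activation = @{
    action           = 'selfActivate'
    principalId      = $user.Id
    roleDefinitionId = $role.Id
    directoryScopeId = '/'
    justification    = 'Reset password for locked-out user, ticket reference here'
    scheduleInfo     = @{ startDateTime = $now
                          expiration    = @{ type = 'afterDuration'; duration = 'PT1H' } }  # ISO 8601, 1 hour
}
Invoke-MgGraphRequest -Method POST -Uri "$base/roleAssignmentScheduleRequests" -Body $activation

# Step 3 (eligible user): hand the privilege back once the task is done rather
# than waiting for the hour to expire.
$deactivation = @{ action = 'selfDeactivate'; principalId = $user.Id
                   roleDefinitionId = $role.Id; directoryScopeId = '/' }
Invoke-MgGraphRequest -Method POST -Uri "$base/roleAssignmentScheduleRequests" -Body $deactivation
```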