Digitization has changed the way we work and live. Much of our personal and professional data is now exposed online, and identity has become the control that keeps it secure. Organizations have been disrupted as well, and the cloud has changed how things are done. In the cloud you cannot rely only on a small set of dedicated administrators as you did on-premises, because that does not keep up with the pace of change; at the same time, privileged access cannot be handed to everyone. Because cloud services run in a distributed environment, it becomes necessary to manage and monitor these access rights granularly.
To address these challenges, Azure Active Directory Privileged Identity Management (PIM) is the next step in access control for Microsoft cloud services. It is available to your whole organization and requires an Azure AD Premium P2 license for the administrators who use it. It lets you manage, control and monitor privileged access in your organization for Azure AD, Azure resources (Preview), Office 365, Intune and other Microsoft online services.
With this feature you can make users eligible for privileged roles either permanently or on an on-demand, just-in-time basis. It also lets you monitor and review the users who have been enabled for privileged roles, and, depending on your configuration, users must provide a justification to keep their membership.
Let's see how to set it up. Sign in to the Azure AD portal at https://aad.portal.azure.com
Open Azure AD Privileged Identity Management from More services.
Select Azure AD directory roles under Manage.
MFA is required to configure PIM. Click Verify my identity; if MFA is not yet set up for your account, you will be redirected to configure it.
Once MFA has been configured successfully, the status is shown as below. Now click Sign up.
In the sign-up window, select Yes to sign up for Privileged Identity Management.
Once configuration and discovery complete, you can verify your roles.
To see all users who have PIM roles assigned, or to add another user who can manage PIM, select Roles under Manage.
By default only the subscription owner (the account that signed up for PIM) holds the Privileged Role Administrator role. If you want a global administrator or any other administrator to manage PIM, you must assign this role manually. Until you do, that administrator or user cannot manage other users or their roles.
To assign the Privileged Role Administrator role, sign in with the subscription admin identity, go to Azure AD directory roles and click +Add user.
Now select "Privileged Role Administrator".
Select the global administrator or other administrator who should be responsible for Privileged Identity Management.
Once it is assigned, you can see that the user has "Privileged Role Administrator" in Eligible mode.
When that user signs in and goes to Users under Azure AD directory roles, they will see that they can activate the assigned role for a limited time. By default the access is granted for one hour. Click the highlighted message to activate the role.
Before activating the role you must verify your identity through MFA. Click the highlighted sections to verify your identity.
Your identity is now verified through MFA. (Note: MFA must already be configured for this user; otherwise you will be asked to set up MFA first.)
Once your identity is verified, you get the option to Activate. (Note: if you do not reach this option the first time, retry Verify my identity once more and you will be taken to this prompt.) Click Activate to enable the privileges.
After you click Activate, you must provide a reason for the activation and then click OK.
Once activated, you can use the privileges. By default, the role stays active for one hour.
If you would rather give this user the role permanently, go back to your existing Privileged Role Administrator or subscription administrator account and click "Privileged Role Administrator".
Now click More and select "Make perm" to make this role permanent for this user.
Now you can see that this role has been assigned permanently to this user.
When this user next signs in, they will see that they are permanently enabled and no longer need to activate the role for a short period of time.
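The same three operations the portal walkthrough above performs (make a user eligible for Privileged Role Administrator, activate it just-in-time, then make it permanent), followed by a check of who holds the role and how, scripted with the Microsoft Graph PowerShell SDK. This is an added example and not part of the original post or of the classic portal it shows; it assumes the Microsoft.Graph module is installed, and the UPN is a placeholder for a user in your tenant. The role ID is the built-in template/definition ID of Privileged Role Administrator.

```powershell
# Added example (not from the original post). Steps 1, 3 and 4 run as a
# Privileged Role Administrator; step 2 runs as the eligible user, so it needs
# its own Connect-MgGraph as that user in a session that has completed MFA.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "User.Read.All"

$user = Get-MgUser -UserId "pim-admin@contoso.onmicrosoft.com"   # placeholder UPN

# Built-in role definition ID (identical to its template ID) for Privileged Role Administrator.
$praRoleId = "e8611ab8-c189-46e8-94e1-60213ab1f814"
$praRole   = Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $praRoleId
Write-Host "Role: $($praRole.DisplayName)"

# 1. Equivalent of "+Add user" in the portal: an eligible (not active) assignment.
#    The user holds no privilege until they activate it.
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter @{
    Action           = "adminAssign"
    Justification    = "Delegate PIM administration"
    RoleDefinitionId = $praRoleId
    DirectoryScopeId = "/"
    PrincipalId      = $user.Id
    ScheduleInfo     = @{
        StartDateTime = (Get-Date).ToUniversalTime()
        Expiration    = @{ Type = "noExpiration" }   # the eligibility itself does not expire
    }
}

# 2. Equivalent of "Activate" with a justification: run as the eligible user.
#    The default one-hour window is expressed as an ISO 8601 duration.
New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter @{
    Action           = "selfActivate"
    Justification    = "Review role assignments for new PIM administrator"
    RoleDefinitionId = $praRoleId
    DirectoryScopeId = "/"
    PrincipalId      = $user.Id
    ScheduleInfo     = @{
        StartDateTime = (Get-Date).ToUniversalTime()
        Expiration    = @{ Type = "afterDuration"; Duration = "PT1H" }
    }
}

# 3. Equivalent of "Make perm": an administrator creates a permanent *active*
#    assignment, so the user no longer has to activate anything.
New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter @{
    Action           = "adminAssign"
    Justification    = "Standing PIM administrator"
    RoleDefinitionId = $praRoleId
    DirectoryScopeId = "/"
    PrincipalId      = $user.Id
    ScheduleInfo     = @{
        StartDateTime = (Get-Date).ToUniversalTime()
        Expiration    = @{ Type = "noExpiration" }
    }
}

# 4. Check: who holds the role, and how. Permanent active holders bypass
#    just-in-time activation entirely and are the ones to review.
$active   = Get-MgRoleManagementDirectoryRoleAssignmentSchedule  -Filter "roleDefinitionId eq '$praRoleId'" -ExpandProperty Principal
$eligible = Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter "roleDefinitionId eq '$praRoleId'" -ExpandProperty Principal

foreach ($a in $active) {
    $upn = $a.Principal.AdditionalProperties['userPrincipalName']
    $how = if ($a.ScheduleInfo.Expiration.Type -eq "noExpiration") { "PERMANENT active" }
           else { "active until $($a.ScheduleInfo.Expiration.EndDateTime)" }
    Write-Host ("{0,-45} {1}" -f $upn, $how)
}
foreach ($e in $eligible) {
    Write-Host ("{0,-45} eligible" -f $e.Principal.AdditionalProperties['userPrincipalName'])
}
```

Step 2 fails if the role settings require MFA and the user's Graph session has not satisfied it, which is the same check the portal enforces before the Activate button appears. Step 3 reproduces "Make perm", but note what it gives up: a permanent active assignment is exactly the standing privilege PIM exists to remove, so keep the eligible assignment from step 1 as the norm and reserve step 3 for the few accounts that genuinely need it, and run the check in step 4 periodically so those accounts stay visible.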
