
#Azure AD : All about Azure Active Directory

IT has moved from the datacenter era to the cloud era. Organizations have shifted their focus from one specific set of vendors to the open world of technology. Since the inception of the datacenter, identity has played a vital role and has always been treated as the backbone of IT. In the new era of multi-cloud environments, identity plays a central role: a new beginning in which identity extends beyond the IT backbone to the user experience.

Microsoft played a key role in the datacenter era with Windows Server Active Directory and now plays a crucial role in multi-cloud environments by offering Azure Active Directory. Microsoft Azure Active Directory is not only a directory service but a complete cloud service that can fulfill all your identity and authorization needs. You may still find a couple of identity-related requirements that native AAD features can't fulfill, but the service is continuously evolving.

In this era, organizations don't need an SME for everything; they need a design SME who has a broad understanding of the complete end-to-end solution stack, from infrastructure technologies to application technologies.

I have written a series of blog posts on Microsoft Azure AD. These posts focus on how to do it: step-by-step guides backed by real-world scenarios.

Microsoft Azure Active Directory

Azure AD Connect

SSO to SaaS

Application Proxy

Multi-factor Authentication

Self-service Password Management

Self-service group management

Access Panel/My Apps

Dynamic groups membership

Pricing, Licensing and Support

Conditional Access

Custom domain names

Company branding

Cloud App Discovery

Group-based licensing

Identity Protection Part I

Identity Protection Part II

Identity Protection Part III

Privileged Identity Management Part I

Privileged Identity Management Part II

Privileged Identity Management Part III

Azure Active Directory Domain Services Part I

Azure Active Directory Domain Services Part II

Azure Active Directory Domain Services Part III

Azure Active Directory Domain Services Part IV

Device Management – Azure AD Registering

Device Management – Azure AD Join

B2B Collaboration

B2B Licensing

Error – SSPR_0029: We are unable to reset your password due to an error in your on-premises configuration.

The series above covers most areas of Azure Active Directory. You can bookmark this post for any Azure AD need; I'll do my best to add new Azure AD related posts to this series.


#AzureAD : Privileged Identity Management Part III

Part I and Part II of this series cover how to get started with Azure AD Privileged Identity Management, assign the privileged administrator role to administrators, use just-in-time access, the different methods of assigning just-in-time access, and Azure AD directory role customization. This post covers access reviews, directory roles audit history and my audit history.

Azure AD PIM access reviews let administrators review their own role access or other administrators' roles, depending on the configuration. To implement access reviews, log in to the Azure AD portal and go to Azure AD Privileged Identity Management.

Go to Access reviews under Azure AD directory roles. Select Add to create a new access review.

Fill in the details based on your requirements.

In Review role membership, select the role you wish to review. One access review can cover only one role, so you need to create a separate access review for each role your organization uses.

In the Reviewers section, select who is going to review this role: either the administrators themselves (Members (self)) or someone else (Selected users). In my case, I am selecting Members (self). Once everything is configured according to your requirements, select Start.

Once the review is created, privileged administrators can see it under Access reviews under Manage, while with Members (self) the users can see it in Review access under Tasks.

As a privileged administrator, you can stop or delete this access review and change its configuration.

With my configuration, the password administrator has to review his own access and approve it. The user needs to log in with his identity and go to Review access under Tasks.

Once you open the access review, you can see that your identity is listed in the Not reviewed section.

Select the user, provide the reason for approval and finally click Approve.

Once reviewed, the number of remaining items becomes 0.

Now, let's see how a privileged administrator can review the activity of directory roles by looking at Directory roles audit history under Activity in Azure AD directory roles.

The privileged administrator can scroll through the page and review all actions performed on Azure AD directory roles.

Privileged role administrators and other directory role administrators can review their own tasks under My audit history under Activity in Azure AD Privileged Identity Management.

A privileged role administrator can also look at the Alerts section under Manage for detected risks and their severity, and act on them proactively.

I have covered most of the topics related to PIM. However, you can explore more, such as Azure resources (preview) under Manage.

I hope this series on Azure AD Privileged Identity Management helped you.

#AzureAD : Privileged Identity Management Part II

In Part I of this series, I explained how to get started with Azure AD Privileged Identity Management and assign the privileged administrator role to administrators. Azure AD PIM takes access control and monitoring to the next level by providing just-in-time administrator access and access reviews. Just-in-time administrator access lets you grant time-limited access to perform a necessary action. To enable just-in-time access, you make the administrator "eligible" for the specified role. This is the default configuration, so that a newly assigned role does not make the administrator a permanent administrator for that role unless you enable that intentionally. Once a new role has been assigned, the administrator can activate it in one of two ways: by himself, or through an approval workflow. By default, an activated administrative role stays available for an hour. This default can be set to anything between 30 minutes and 72 hours by changing the configuration settings.

Let's see how to do it. Log in to the Azure AD portal using the subscription administrator identity, or an administrator identity that has been enabled for "Privileged Role Administrator". I am explaining these features by assigning the Password Administrator role to a user, making him the password administrator for the organization.

Go to Azure AD directory roles under Azure AD Privileged Identity Management.

Go to Users under Manage and click Add.

Select the "Password Administrator" role.

Now select the user who will become the password administrator for the organization and click OK.

Once you have assigned this role, ask the user to log in. You will observe that he can't reset any user's password yet.

As explained earlier, the user has been made "eligible" for the specified role, but to perform any action he must activate it. To activate the role, he goes to My roles under Tasks in Azure AD PIM and clicks Action, as highlighted in the screenshot.

Now the administrator has to click Activate to activate this role.

Now the user has to provide a reason for role activation. This reason is captured in the logs for audit.

The administrator can see that his role has been activated for the specified time period.

Now the administrator should try to reset a password.

Once the task is done, the administrator can deactivate his role as well.

Now, let's see how to change the default configuration settings for Azure AD directory roles. Go to Settings under Azure AD directory roles and click Roles.

Select the role and review its configuration parameters.

For example, I would like to require approval for role activation. Under Require approval, select Enable and then select the approvers.

Once selected, click Save.

Once the role configuration settings have been modified, you will observe that the role status has changed from "Eligible" to "Request activation". Click Request activation to activate it.

Now click Activate. Once you click Activate and specify the reason, a request is sent to the approver.

Now the approver has to log in and go to Approve requests under Tasks. Select the request and click Approve.

Now specify the reason for approving this request and click Approve.

Once approved, ask your role administrator to verify it. The role administrator will observe that he now has access for the time specified in the configuration.

If you want to give an administrator a dedicated role, enable him for that role permanently. See Part I for details.
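The role settings configured above (maximum activation time, approval) are worth checking programmatically across all roles, not just the one you edited. Here is an added example, not from the original post: a Python check over a PIM role management policy as Microsoft Graph returns it (the rule ids Expiration_EndUser_Assignment, Approval_EndUser_Assignment and Enablement_EndUser_Assignment are assumed from Graph's unifiedRoleManagementPolicy; the two sample policies are constructed).

```python
"""Check a PIM role's end-user activation settings against a baseline: the Part II
settings (maximum activation duration, approval) plus the MFA and justification
prompts the posts walk through. Rule shapes and ids follow Microsoft Graph's
unifiedRoleManagementPolicy (assumed); the two policies below are constructed samples."""
import re

MAX_ACTIVATION_MINUTES = 8 * 60  # baseline chosen for this example, not a Microsoft default

def iso_duration_minutes(value):
    """Convert an ISO 8601 duration (PT30M, PT1H, PT1H30M, P1D) to minutes."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?)?", value)
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported duration: {value}")
    days, hours, mins = (int(x) if x else 0 for x in m.groups())
    return days * 24 * 60 + hours * 60 + mins

def check_activation_rules(policy, ceiling=MAX_ACTIVATION_MINUTES):
    """Return the list of gaps found in one role policy (empty means it meets the baseline)."""
    rules = {r["id"]: r for r in policy["rules"]}
    gaps = []
    exp = rules.get("Expiration_EndUser_Assignment")
    if exp is None or not exp.get("isExpirationRequired", False):
        gaps.append("activation has no expiry")
    elif iso_duration_minutes(exp["maximumDuration"]) > ceiling:
        gaps.append(f"activation may last {iso_duration_minutes(exp['maximumDuration'])} min, above {ceiling}")
    approval = rules.get("Approval_EndUser_Assignment", {}).get("setting", {})
    if not approval.get("isApprovalRequired", False):
        gaps.append("activation needs no approval")
    enabled = set(rules.get("Enablement_EndUser_Assignment", {}).get("enabledRules", []))
    for required in ("MultiFactorAuthentication", "Justification"):
        if required not in enabled:
            gaps.append(f"activation does not require {required}")
    return gaps

# Constructed: Password Administrator after Part II (1 hour, approval, MFA + reason).
HARDENED_POLICY = {"displayName": "Password Administrator", "rules": [
    {"id": "Expiration_EndUser_Assignment", "isExpirationRequired": True, "maximumDuration": "PT1H"},
    {"id": "Approval_EndUser_Assignment", "setting": {"isApprovalRequired": True}},
    {"id": "Enablement_EndUser_Assignment", "enabledRules": ["MultiFactorAuthentication", "Justification"]},
]}
# Constructed: a role left at 24-hour activation, no approval, no MFA prompt.
LAX_POLICY = {"displayName": "Global Administrator", "rules": [
    {"id": "Expiration_EndUser_Assignment", "isExpirationRequired": True, "maximumDuration": "PT24H"},
    {"id": "Approval_EndUser_Assignment", "setting": {"isApprovalRequired": False}},
    {"id": "Enablement_EndUser_Assignment", "enabledRules": ["Justification"]},
]}
```

Run `check_activation_rules` over every policy returned for the directory scope and the roles whose gaps list is non-empty are the ones to revisit under Settings.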

#AzureAD : Privileged Identity Management Part I

Digitization has changed the way we work and live. Much of your personal and professional data has become public, and identity plays an important role in keeping all of it secure. Organizations have been disrupted as well, and the cloud has changed the way things are done. In the cloud, you can't rely only on dedicated administrators as you do on-premises, because of the need for agility. At the same time, privileged access can't be given to everyone. Because cloud services run in a distributed environment, it becomes necessary to manage and monitor these access controls granularly.

To overcome these challenges, Azure Active Directory Privileged Identity Management is the next step in access control management for Microsoft cloud services. It is available to your entire organization and requires an Azure AD Premium P2 license for administrators. It allows you to manage, control and monitor access within your organization to Azure AD, Azure resources (preview), Office 365, Intune and other Microsoft online services.

With this feature you can assign privileged roles to your users either permanently or on demand on a "just in time" basis. It also lets you monitor and review the users who have been enabled for privileged roles, and, depending on your configuration, users must provide justification for continued membership.

Let's see how to do it. Log in to the Azure AD portal at https://aad.portal.azure.com

Open Azure AD Privileged Identity Management from More services.

Select Azure AD directory roles under Manage.

You need MFA to configure PIM. If you are enabled for MFA, click Verify my identity. It redirects you to configure MFA.

Once MFA has been configured successfully, you can see the status as below. Now click Sign up.

In the sign-up window, select Yes to sign up for Privileged Identity Management.

Once configuration and discovery complete, you can verify your roles.

To see all users who have PIM roles assigned, or to add another user to manage PIM, select Roles under Manage.

By default, only the subscription owner has the privileged administrator role. If you would like to give the privileged management role to the global administrator or any other administrator, you must assign it manually. Until you give the privileged administrator role to another administrator or user, he/she will not be able to manage other users or their roles.

To assign the privileged administrator role, log in with the subscription admin identity, go to Azure AD directory roles and click +Add user.

Now select "Privileged Role Administrator".

Select your global administrator or any other administrator who should be responsible for Privileged Identity Management.

Once it is assigned, you can see that the user has "Privileged Role Administrator" in Eligible mode.

If the user logs in and goes to Users under Azure AD directory roles, he can see that he can activate the assigned role for the time being. By default, access is given for an hour. Click the highlighted message to activate the role.

Before activating the role, you must verify your identity through MFA. Click the highlighted sections to verify your identity.

Now your identity is verified through MFA. (Note: MFA should already be configured; otherwise you will be asked to set up MFA for this user first.)

Once your identity is verified, you get the option to Activate. (Note: if you don't reach this option the first time, retry once more with Verify my identity and you will reach this prompt.) Click Activate to enable the privileges.

Once you click Activate, you have to provide the reason for activation and then click OK.

Once activated, you can use the privileges. By default, this role is activated for an hour.

If you would like to give this role to the user permanently, go back to your existing privileged administrator or subscription administrator identity and click "Privileged Role Administrator".

Now click More and select "Make perm" to make this role permanent for this user.

Now you can see that this role has been assigned permanently to this user.

Once this user logs in with his identity, he will observe that he has been enabled permanently and there is no need to activate this role for a short period of time.
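Because "Make perm" turns a just-in-time role into standing privilege, it helps to list who holds permanent assignments versus who is merely eligible. Here is an added example, not from the original post: a Python routine that applies this post's permanent/eligible distinction to exported role assignment data shaped like the Microsoft Graph roleManagement/directory collections (an assumption; the records and role ids below are constructed placeholders, not real template ids).

```python
"""Label Azure AD directory role assignments as permanent, time-bound, activated or
eligible: the Part I distinction between a permanent assignment and an eligible one.
Record shapes follow Microsoft Graph roleManagement/directory collections (assumed);
all data below is constructed and the role ids are placeholders, not real template ids."""
from dataclasses import dataclass

ROLE_DEFINITIONS = {"value": [
    {"id": "role-ga", "displayName": "Global Administrator"},
    {"id": "role-pra", "displayName": "Privileged Role Administrator"},
    {"id": "role-pa", "displayName": "Password Administrator"},
]}
# roleAssignmentScheduleInstances: endDateTime null = no expiry;
# assignmentType "Activated" = just-in-time activation of an eligible assignment.
ACTIVE_ASSIGNMENTS = {"value": [
    {"principalId": "owner@example.com", "roleDefinitionId": "role-ga",
     "assignmentType": "Assigned", "endDateTime": None},
    {"principalId": "helpdesk@example.com", "roleDefinitionId": "role-pa",
     "assignmentType": "Activated", "endDateTime": "2017-06-01T10:00:00Z"},
    {"principalId": "contractor@example.com", "roleDefinitionId": "role-pa",
     "assignmentType": "Assigned", "endDateTime": "2017-06-30T00:00:00Z"},
]}
# roleEligibilityScheduleInstances: eligible, must be activated before use.
ELIGIBLE_ASSIGNMENTS = {"value": [
    {"principalId": "helpdesk@example.com", "roleDefinitionId": "role-pa"},
    {"principalId": "admin2@example.com", "roleDefinitionId": "role-pra"},
]}

@dataclass(frozen=True)
class Finding:
    principal: str
    role: str
    kind: str  # "permanent", "time-bound", "activated" or "eligible"

def classify(role_defs, active, eligible):
    """Join assignments to role names and label each one by how it was granted."""
    names = {r["id"]: r["displayName"] for r in role_defs["value"]}
    findings = []
    for a in active["value"]:
        if a.get("assignmentType") == "Activated":
            kind = "activated"
        elif a.get("endDateTime") is None:
            kind = "permanent"
        else:
            kind = "time-bound"
        findings.append(Finding(a["principalId"], names[a["roleDefinitionId"]], kind))
    for e in eligible["value"]:
        findings.append(Finding(e["principalId"], names[e["roleDefinitionId"]], "eligible"))
    return findings

def permanent_admins(findings):
    """Standing privilege, the kind 'Make perm' creates and an access review should question."""
    return sorted((f.principal, f.role) for f in findings if f.kind == "permanent")
```

The permanent list is the same population the Identity Protection overview points at with "Identify users who are assigned to permanent admin role".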

#AzureAD : Identity Protection Part I

Microsoft Azure Active Directory has become the backbone of many cloud services. Just as identity is key to the technology landscape, protecting it is equally important in the digital world. For this, Microsoft Azure AD Premium P2 offers Identity Protection. It detects potential vulnerabilities, and actions can be defined in two ways: taken automatically, or taken manually based on suspicious incidents.

In conversations it sounds very easy when you hear the explanation from a technical sales representative, but it is not that easy. Microsoft Azure AD uses machine learning and heuristics to detect irregularities and suspicious incidents, which helps identify potentially compromised identities. It does not protect only privileged accounts but covers all identities. Therefore a large amount of data can be collected to generate reports and perform analysis, which helps identify anomalies in the system and potential vulnerabilities. Mitigation and remediation actions can be defined for the detected issues using risk-based policies. These policies are an add-on to the conditional access provided by Azure AD and EMS; they can either block suspicious identities or initiate remediation actions, including password reset and MFA enforcement.

Here are the capabilities provided by Identity Protection:

Detecting vulnerabilities and risky accounts
  • Providing custom recommendations to improve overall security posture by highlighting vulnerabilities
  • Calculating sign-in risk levels
  • Calculating user risk levels

Investigating risk events
  • Sending notifications for risk events
  • Investigating risk events using relevant and contextual information
  • Providing basic workflows to track investigations
  • Providing easy access to remediation actions such as password reset

Risk-based conditional access policies
  • Policy to mitigate risky sign-ins by blocking sign-ins or requiring multi-factor authentication challenges
  • Policy to block or secure risky user accounts
  • Policy to require users to register for multi-factor authentication

Courtesy: Microsoft Azure Documentation

In many organizations, identity protection falls under the security or risk management team, so it is more practical to use role-based access control to manage these kinds of services. Even if the identity management team itself takes care of identity protection, defining RBAC still makes sense because it makes administrators accountable and responsible. Azure AD Identity Protection provides three roles to manage it.

Global administrator
  • Can do: full access to Identity Protection, onboard Identity Protection
  • Cannot do: none

Security administrator
  • Can do: full access to Identity Protection
  • Cannot do: onboard Identity Protection, reset passwords for a user

Security reader
  • Can do: read-only access to Identity Protection
  • Cannot do: onboard Identity Protection, remediate users, configure policies, reset passwords

Courtesy: Microsoft Azure Documentation

Let's see how to enable it. Before proceeding, make sure you have Azure AD Premium P2 enabled for your tenant.

Log in to https://aad.portal.azure.com and go to More services.

In More services, select Azure AD Identity Protection.

On the Azure AD Identity Protection – Getting started page, select "Onboard".

In this panel, make sure you have the right directory selected and then click Create.

Once it is enabled, you can see the analysis.

If you want to explore further and review the permanent admin roles, go to Overview and click "Identify users who are assigned to permanent admin role" to configure Privileged Identity Management.

In the Configure premium extensions panel, select "Configure PIM".

You need MFA to configure PIM. If you are enabled for MFA, click Verify my identity. It redirects you to configure MFA.

Once MFA has been configured successfully, you can see the status as below. Now click Sign up.

In the sign-up window, select Yes to sign up for Privileged Identity Management.

Once configuration and discovery complete, you can verify your roles.

To see all users who have PIM roles assigned, or to add another user to manage PIM, select Roles under Manage.