Azure AD Privileged Identity Management Capabilities
In this tutorial, we will learn about Azure AD Privileged Identity Management Capabilities.
Privileged Identity Management (PIM) is a service in Azure Active Directory (Azure AD) that enables you to manage, control, and monitor access to important resources in your organization. These resources include resources in Azure AD, Azure, and other Microsoft Online Services such as Microsoft 365 or Microsoft Intune.
Reasons to use
Organizations want to minimize the number of people who have access to secure information or resources. This is because that reduces the chance of a malicious actor getting that access, or an authorized user inadvertently impacting a sensitive resource. However, users still need to carry out privileged operations in Azure AD, Azure, Microsoft 365, or SaaS apps. Organizations can give users just-in-time privileged access to Azure resources and Azure AD.
What does it do?
Some key features of Privileged Identity Management:
- Firstly, provide just-in-time privileged access to Azure AD and Azure resources
- Secondly, assign time-bound access to resources using start and end dates
- Thirdly, require approval to activate privileged roles
- Then, enforce multi-factor authentication to activate any role
- Next, use justification to understand why users activate
- Lastly, get notifications when privileged roles are activated
Who can do what?
- Firstly, for Azure AD roles in Privileged Identity Management, only a user who is in the Privileged role administrator or Global administrator role can manage assignments for other administrators. You can grant access to other administrators to manage Privileged Identity Management. However, Global Administrators, Security Administrators, Global readers, and Security Readers can also view assignments to Azure AD roles in Privileged Identity Management.
- Secondly, for Azure resource roles in Privileged Identity Management, only a subscription administrator, a resource Owner, or a resource User Access administrator can manage assignments for other administrators. Users who are Privileged Role Administrators, Security Administrators, or Security Readers do not by default have access to view assignments to Azure resource roles in Privileged Identity Management.
Scenarios
Privileged Identity Management supports the following scenarios:
1. Privileged Role administrator permissions
- Firstly, enable approval for specific roles
- Secondly, specify approver users or groups to approve requests
- Lastly, view request and approval history for all privileged roles
2. Approver permissions
- Firstly, view pending approvals (requests)
- Secondly, approve or reject requests for role elevation (single and bulk)
- Lastly, provide justification for my approval or rejection
3. Eligible role user permissions
- Firstly, request activation of a role that requires approval
- Then, view the status of your request to activate
- Lastly, complete your task in Azure AD if activation was approved
Reference: Microsoft Documentation