Activate Azure Privileged Identity Management

Privileged Identity Management (PIM)

Privileged Identity Management (PIM) is a Microsoft service in Azure Active Directory (AAD) that lets you manage, control and monitor access to Azure resources. PIM provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary or misused access permissions to Azure resources. Access can be time-bound, after which privileges are revoked automatically.

Prerequisites: Azure AD Premium P2 License or EMS E5 license is required for configuring Azure AD PIM.

Who can assign Azure AD PIM Role to the user?

Only Azure users or group members holding the Global Administrator or Privileged Role Administrator role can assign or manage PIM roles for users. A user with the Privileged Role Administrator role can manage role assignments in both Azure AD and Azure AD PIM.

Azure AD Administration Accounts

Each user that requires administrative access to AAD or Azure resources uses exactly one personal administrative account. This administrative account is a separate Azure Active Directory account, distinct from the user's personal Active Directory account.

PIM will be used to manage the administrative roles for each administrative account. It can manage both Azure Active Directory roles and Azure RBAC roles.

For the assignment of administrative roles, Azure RBAC roles are assigned to an Azure Active Directory group where possible, instead of to individual Azure Active Directory or Active Directory administrative accounts. Azure Active Directory roles, by contrast, are assigned to each administrative Azure Active Directory or Active Directory account individually.


Azure AD PIM Assignments

Administrative access for Active Directory users is managed using Azure Privileged Identity Management (PIM). The Azure AD Privileged Identity Management tool helps you stay secure by granting just enough access at just the right time: partners or users get the elevated level of access only when they need it.

A few examples of Azure PIM role assignments:

  • Global Administrator
  • Global Reader
  • Application Administrator
  • User Access Administrator
  • Security Admin
  • Security Manager, etc.

Azure AD PIM assignment types:

  • Eligible assignments
  • Active assignments

Activate Role Assignment in PIM

An Azure AD user with an eligible role assignment can activate that role in Azure Privileged Identity Management whenever required; the permissions expire once the maximum activation duration has elapsed. Azure PIM supports both custom and built-in Azure AD roles.

To activate an Azure PIM eligible assignment, follow the steps below:

Activate elevated level of access with Azure PIM

Step 1: Log in to the Azure Portal

Step 2: In the Azure global search, type 'PIM' or 'Privileged Identity Management' >> open the service and click Activate in the Activate just in time section. Refer to the image below.

(or)

Open PIM >> navigate to Tasks >> select My roles

Azure Privileged Identity Management

Step 3: After you open My roles >> select Eligible assignments >> review your PIM eligible role assignments

Azure Privileged Identity Management Eligible Assignment

Step 4: Next, select your PIM eligible role assignment >> click 'Activate' >> set the duration and provide a business justification in the reason field, then click the 'Activate' button to continue

Activate Azure Privileged Identity Management Eligible Assignment

Step 5: Check the status. Once the final stage completes, your browser refreshes automatically. You don't have to sign out and log in again.

Check Activate Status of Azure PIM Eligible Assignment

Now open Azure AD or select the Azure scope to view your Azure services.

Note: If no role has been assigned, or to obtain access, ask your Azure Global Administrator to provide sufficient Azure AD roles in Privileged Identity Management.

Renew Azure AD Role Assignment in PIM

Follow these steps to renew an Azure AD role assignment in Privileged Identity Management (PIM).

Step 1: Access the Azure Portal

Step 2: Open 'PIM' or 'Privileged Identity Management' from the Azure global search >> navigate to Tasks and select My roles.

Step 3: After you open My roles >> select the Expired assignments tab >> check your PIM eligible role assignments >> select your Azure AD eligible role assignment (example: Global Reader) >> click Renew under the Action column.

renew azure ad eligible role in pim

Step 4: Provide a reason for the renewal >> click the Renew button.

renew azure ad eligible role assignment in pim
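The same two self-service operations the portal steps above describe (listing eligible roles and activating one with a time-bound duration, then renewing an expired eligibility) can be scripted with the Microsoft Graph PowerShell SDK. This is an added example, not code from the original post; it assumes the Microsoft.Graph module is installed, that the signed-in user already holds the eligible assignment, and the role name, duration and justification strings are placeholders.

```powershell
# Added example (not from the original post): self-activate an eligible Azure AD
# role and self-renew an expired eligibility via Microsoft Graph PowerShell.
# Assumes: Microsoft.Graph module installed; caller holds the eligible assignment.

# Delegated scopes needed to read eligibility and submit self-service requests
Connect-MgGraph -Scopes "RoleEligibilitySchedule.ReadWrite.Directory",
                        "RoleAssignmentSchedule.ReadWrite.Directory"

# Resolve the signed-in user and the role to request (placeholder role name)
$user     = Get-MgUser -UserId (Get-MgContext).Account -Property Id
$roleName = "Global Reader"
$role     = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"

# Step 3 equivalent: list the caller's eligible assignments (role definition ids)
Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter "principalId eq '$($user.Id)'" |
    Select-Object RoleDefinitionId, DirectoryScopeId, Status

# Step 4 equivalent: activate with a justification and an explicit expiry.
# AfterDuration makes PIM revoke the activation automatically (here after 2 hours).
$activate = @{
    Action           = "selfActivate"
    PrincipalId      = $user.Id
    RoleDefinitionId = $role.Id
    DirectoryScopeId = "/"
    Justification    = "Ticket INC-PLACEHOLDER: review sign-in risk alerts"
    ScheduleInfo     = @{
        StartDateTime = (Get-Date).ToUniversalTime()
        Expiration    = @{ Type = "AfterDuration"; Duration = "PT2H" }
    }
}
$request = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $activate

# Step 5 equivalent: inspect the request status. PendingApproval means the role is
# configured to require approval and an approver must act before it becomes active.
$request | Select-Object Id, Status, CreatedDateTime

# Renew procedure, Step 4 equivalent: ask to renew an expired eligibility.
# Only a reason is supplied; the admin approving the request sets the new schedule.
$renew = @{
    Action           = "selfRenew"
    PrincipalId      = $user.Id
    RoleDefinitionId = $role.Id
    DirectoryScopeId = "/"
    Justification    = "Eligibility still required for ongoing audit work (placeholder)"
}
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $renew |
    Select-Object Id, Status
```

Both requests are audited in the Azure AD audit log like their portal equivalents, so the justification text is what an auditor later sees.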

What is Privileged Access Management?

Privileged access management (PAM) is an identity security solution that helps protect organizations against cyberthreats by monitoring, detecting, and preventing unauthorized privileged access to critical resources. PAM works through a combination of people, processes, and technology and gives you visibility into who is using privileged accounts and what they are doing while they are logged in. Limiting the number of users who have access to administrative functions increases system security while additional layers of protection mitigate data breaches by threat actors.

Use of Privileged Access Management:

Privileged Access Management (PAM) protects individuals and organizations from cyberthreats by monitoring, detecting, and preventing unauthorized privileged access.

Examples of Privileged Access Management (PAM) accounts:

  1. Local Administrative Accounts: Non-personal accounts providing administrative access to the local host or instance only. 
  2. Domain Administrative Accounts: Privileged administrative access across all workstations and servers within the domain.

Features of Privileged Access Management:

The misuse of privileged access is a cybersecurity threat that can cause serious and extensive damage to any organization. A PAM solution offers robust features to help you stay ahead of this risk.

  • Provide just-in-time access to critical resources
  • Allow secure remote access using encrypted gateways in lieu of passwords
  • Monitor privileged sessions to support investigative audits
  • Analyze unusual privileged activity that might be harmful to your organization
  • Capture privileged account events for compliance audits
  • Generate reports on privileged user access and activity
  • Protect DevOps with integrated password security
