Controlling, monitoring, and revoking access to privileged accounts can be a difficult process. Recently my coworker Ken Kilty shared with me a new service for Azure Active Directory called Privileged Identity Management (Azure AD PIM). After spending some time with it, I wanted to share it with a broader audience since I had never heard of it previously.
Overview
Please read "What is Azure AD Privileged Identity Management" first for a good overview of the implementation, an example scenario, and additional links to resources. Note that Azure AD PIM requires Azure AD Premium P2 licenses. If you would like to test this out, there is a free 30-day trial of Azure AD Premium P2 for up to 100 users.
Granting users administrator access to any application or server should always be done with caution. Sometimes what starts out as a temporary elevation of permissions turns into a permanent assignment. Azure AD PIM answers many of the tough questions for Azure AD, Office 365, and related services, such as:
- Who has admin access to <service X>?
- How do I grant truly temporary access to <service Y>?
- How can I review all current admins to see if they still need admin access?
The goal with Azure AD PIM is to allow administrators to define either permanent or “eligible” assignment of specific elevated permissions within Azure and Office 365. Currently there are 21 roles that can be managed, such as Global Administrator, Password Administrator, SharePoint Service Administrator, Exchange Administrator, and more. See "Assigning administrator roles in Azure Active Directory" for a more complete listing of roles. Users who are defined as “eligible” can elevate themselves to the roles they have been assigned for a set number of hours (1-72) defined by an Azure AD PIM administrator. During this role elevation process the “eligible” user must verify their identity through a text / call verification or multifactor authentication (MFA) mechanism. One of the key advantages is that this entire interaction is tracked and auditable. Administrators can even require an incident or service ticket number prior to elevation and receive alerts when elevation requests are processed.
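The review questions above (who holds a permanent role, whether an elevation stayed within the configured window, and whether it was verified and tied to a ticket) can be run as a check over assignment and activation records. The following Python is an added example, not part of Azure AD PIM or the original post; the record field names, the sample records, and the policy values (8-hour window, ticket and MFA required) are constructed assumptions.

```python
from datetime import datetime, timedelta

# Policy values an Azure AD PIM administrator would choose (assumed here); the
# post states the activation window is configurable between 1 and 72 hours.
POLICY = {"max_hours": 8, "require_ticket": True, "require_mfa": True}

# Constructed sample records. Field names are hypothetical, not PIM's export schema.
RECORDS = [
    {"user": "alice", "role": "Global Administrator", "assignment": "permanent"},
    {"user": "bob", "role": "Exchange Administrator", "assignment": "eligible",
     "activated": "2017-03-01T09:00", "expires": "2017-03-01T13:00",
     "mfa": True, "ticket": "INC-1001"},
    {"user": "carol", "role": "Password Administrator", "assignment": "eligible",
     "activated": "2017-03-01T09:00", "expires": "2017-03-02T09:00",
     "mfa": True, "ticket": ""},
    {"user": "dave", "role": "SharePoint Service Administrator", "assignment": "eligible",
     "activated": "2017-03-01T10:00", "expires": "2017-03-01T12:00",
     "mfa": False, "ticket": "INC-1002"},
]


def review(records, policy=POLICY):
    """Return (user, role, finding) tuples for records an access review should question."""
    if not 1 <= policy["max_hours"] <= 72:
        raise ValueError("activation window must be between 1 and 72 hours")
    findings = []
    for r in records:
        who = (r["user"], r["role"])
        if r["assignment"] == "permanent":
            findings.append(who + ("permanent assignment: confirm it is still needed",))
            continue
        if "activated" not in r:
            continue  # eligible but never elevated: nothing to check
        start = datetime.fromisoformat(r["activated"])
        end = datetime.fromisoformat(r["expires"])
        if end - start > timedelta(hours=policy["max_hours"]):
            findings.append(who + ("activation longer than policy window",))
        if policy["require_mfa"] and not r.get("mfa"):
            findings.append(who + ("elevated without identity verification",))
        if policy["require_ticket"] and not r.get("ticket"):
            findings.append(who + ("no incident or ticket number recorded",))
    return findings


if __name__ == "__main__":
    for user, role, finding in review(RECORDS):
        print(f"{user:6} {role:34} {finding}")
```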
Conclusion
I have seen privileged role access handled in many different ways at customers over the years. Having a consistent and auditable process ensures that changes can be tracked and users who no longer need elevated permissions can be removed. In the time I’ve tested out Azure AD Privileged Identity Management, I am very happy with the overall process and review options. One word of advice for users elevating themselves: you will need to log out and log back in to update your claim token with the new elevated role claims. Give Azure Active Directory Privileged Identity Management a try and share any feedback in the comments below.
-Frog Out