PIM (Privileged Identity Management)

PIM(P) your role


Sometimes you just come across an awesome feature in Azure. I find PIM (Privileged Identity Management) to be one of them. Let's discuss a scenario.

Your the IT Manager of a big/small company and want to have someone from outside/inside the company to create something in Office 365. However you want to prevent this user from being able to have Admin credentials after the job is done. Normally you would have to keep an overview of who has admin rights in Office 365 and remove the permissions once their done. Here is where Privileged Identity Management comes into place.

 I've had a few companies that granted me Admin rights but once I was done didn't take me of the list. I could access the admin center even a YEAR later. I told them but this could have been prevented by using PIM.

Question: Do you keep track of everyone that is Admin of some sort in Office 365 (e.g. Global, SharePoint, Exchange, Skype etc.)? 

 I find PIM a good way to manage this problem. With PIM you can give users a certain role that has an expiration date. You can manage who has the role and can re-track it if you find it's not of use anymore. Don't expect the role to give you access right away, it takes a short while to get the access you wanted in the beginning.

Below I've mentioned some features I find really usefull in PIM.

Roles

To see what roles are available for PIM click here.

Expiration

You can set the time an account is active for in certain hours. This can be between the 1 and 72 hours. This is a great feature in PIM because you'll always be sure that certain people don't have anymore access to Office 365 after the time expired. I did however find it a downside because you have to re-activate it in order to become admin again.

Incident/request Ticket

As I said before, you have an issue in Office 365 and need it fixed. You could ask the eligible admin to enter a incident or request ticket to see why that person had access to Office 365. That way you can keep track easily.

Multi factor authentication

MFA is something you cannot disable for high privileged roles for Azure AD and Office 365. But this is something that you should have activated anyway. I think it's a good thing that Microsoft forces everyone that wants to log-in as a privileged role should use MFA. That way you can be sure that the security is the highest level.

Activate or Pause

A role can be activated and paused when necessary this gives the user control over the period of time. Say that a user has been granted the Admin role but doesn't need it now at this moment they can pause it use it later on or de-activate it. The admin of PIM can also retract the permission if they feel it's necessary.

Azure AD premium plan 2

To be able to use this feature you'll need to have an Azure AD premium plan 2 subscription. See this link for more information on the subscriptions available and the features that come with it.

In my next blog I'll talk a little more about PIM and show some screenshots etc..

References:
https://docs.microsoft.com/en-us/azure/active-directory/active-directory-privileged-identity-management-getting-started
https://azure.microsoft.com/en-us/pricing/details/active-directory/

Comments

Post a Comment

Popular posts from this blog

Azure Information Protection (AIP)

Image
Let's start with one of my favorites (till now). Azure Information Protection (or AIP). Just imagine the following example: You are working on your Word document and you want to send this document to an external person. You e-mail that document as an attachment. The person opens this document, reads it and puts it on an USB stick to take with him. The USB stick get's lost! Now the document can have fallen into the wrong hands! Now what? OK this is a little bit of a roman but hey it could happen! Active Director Rights Management  First let us go back in time to when AIP didn't exist and there was  Active Directory Rights Management Services .  This was a server role that could be installed on Windows Server 2008 R2, it exists since Windows server 2003! Back then it was called RMS. The RMS client is available  from Windows 2000 and later. So what does RMS do? To explain in simple English: Information with RMS on it has certain policies with it  that would remain
Read more

Tiles modern UI

Image
Back in SharePoint 2013 Microsoft introduced "Promoted links" a feature which enabled users to create tiles quick and easy without any custom code. Since then I've seen Promoted links being used a lot of ways, some better than others. However creating tiles with an image in the background was always a nasty thing to do. People would use the weirdest images as background to indicate what it was, totally not user friendly. Especially the choice of the color was very "weird" you would have tiles with all sort of colors and images (see image below as an example). Promoted links always had one big problem; Scaling! It's not responsive in a way you would want to have it. Since Microsoft introduced Modern UI they have also introduced the webpart "tiles". Tiles enables the user to create custom tiles within their SharePoint site, quick and easy. Cool features of the Tiles webpart. Tiles are responsive! They resize when the screen gets smalle
Read more

Azure Active Directory (AAD)

Image
In my last post I talked about Azure Information Protection (AIP). It was a way of getting a good sense of security in the Cloud. Today I want to talk about a very important feature in Azure: Azure Active Directory (AAD). AAD is a good place to start with security. Users that are allowed or prevented from logging in is your first line of defense. In preview AAD is not something radically new. Microsoft created the Management portal om the new Azure Portal to make it look and feel like the new portal. At this moment the most users will have to use the old portal for AAD but once the new management portal is out of preview we are good to go! What has changed? So who cares? It's a new Mangement portal for AAD. To be honest nothing has really changed, Microsoft just changed the look & feel of the new portal. 3 versions There are 3 versions of the AAD: Free, Basis and Premium. See the link below to decide what versions of AAD you need. Overview AAD subscriptions F
Read more