PIM (Privileged Identity Management)
PIM(P) your role
Sometimes you just come across an awesome feature in Azure. I find PIM (Privileged Identity Management) to be one of them. Let's discuss a scenario.
Your the IT Manager of a big/small company and want to have someone from outside/inside the company to create something in Office 365. However you want to prevent this user from being able to have Admin credentials after the job is done. Normally you would have to keep an overview of who has admin rights in Office 365 and remove the permissions once their done. Here is where Privileged Identity Management comes into place.
I've had a few companies that granted me Admin rights but once I was done didn't take me of the list. I could access the admin center even a YEAR later. I told them but this could have been prevented by using PIM.
Question: Do you keep track of everyone that is Admin of some sort in Office 365 (e.g. Global, SharePoint, Exchange, Skype etc.)?
I find PIM a good way to manage this problem. With PIM you can give users a certain role that has an expiration date. You can manage who has the role and can re-track it if you find it's not of use anymore. Don't expect the role to give you access right away, it takes a short while to get the access you wanted in the beginning.
Below I've mentioned some features I find really usefull in PIM.
Roles
To see what roles are available for PIM click here.Expiration
You can set the time an account is active for in certain hours. This can be between the 1 and 72 hours. This is a great feature in PIM because you'll always be sure that certain people don't have anymore access to Office 365 after the time expired. I did however find it a downside because you have to re-activate it in order to become admin again.Incident/request Ticket
As I said before, you have an issue in Office 365 and need it fixed. You could ask the eligible admin to enter a incident or request ticket to see why that person had access to Office 365. That way you can keep track easily.Multi factor authentication
MFA is something you cannot disable for high privileged roles for Azure AD and Office 365. But this is something that you should have activated anyway. I think it's a good thing that Microsoft forces everyone that wants to log-in as a privileged role should use MFA. That way you can be sure that the security is the highest level.Activate or Pause
A role can be activated and paused when necessary this gives the user control over the period of time. Say that a user has been granted the Admin role but doesn't need it now at this moment they can pause it use it later on or de-activate it. The admin of PIM can also retract the permission if they feel it's necessary.Azure AD premium plan 2
To be able to use this feature you'll need to have an Azure AD premium plan 2 subscription. See this link for more information on the subscriptions available and the features that come with it.In my next blog I'll talk a little more about PIM and show some screenshots etc..
References:
https://docs.microsoft.com/en-us/azure/active-directory/active-directory-privileged-identity-management-getting-started
https://azure.microsoft.com/en-us/pricing/details/active-directory/
Comments
Post a Comment