PIM part 2
What a way to start off the month with another blog on Privileged Identity Management (PIM), great stuff! In my last blog on PIM here I talked about some of the features that are possible. In this blog I want to talk about what's inside, how it looks and feels. Let's start at the beginning.
PIM Starting
1. Activating PIM - to do this you need Azure AD Premium Plan 2! If you don't have this, you can request a 30-day trial. Once you have that up and running, the next step is to activate PIM.
3. There you go, that wasn't very hard, was it? Let's continue by selecting the role you want to define further. Click on "Global administrator" and click on Next.
4. You can now choose the people you want to make eligible for this role. Note: eligible means this person only has this role for a period of time, not permanently.
5. Click on Next to see the last screen and confirm by clicking Ok. You're all done now.
So now you enter the PIM environment. There is already a new look & feel in the Azure portal, so click on Try the new navigation to check out the new look & feel.
The new look & feel looks like this.
Here on this page you get a direct view of a few things, like:
- What percentage of the roles are eligible and how many are not
- The alerts; you can configure these by clicking on Settings > Alerts.
- Audit history is a cool one: you get to see how many times the request for a role has been activated
Audit History
How many activations are happening per day and who is activating his or her role. The reasoning is also visible here. To remove users from their role, however, you should go to Review access, not here.
Role settings
You can define certain settings per role. Click on the role under Manage > Azure AD Roles and then on Settings to enable certain features for that specific role.
- Maximum time that the role is activated (from 0.5 hours up to 72 hours)
- Notifications - notify the administrator when this role has been activated
- Incident/request ticket - a nice way to make it clear that the role has been activated for a certain job someone had to do
- MFA - this is enabled by default for admin roles
- Require approval - it could be that a role request needs to be approved; this can be enabled here.
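As an added example (not code from the original post), here is a small Python check that applies the role settings listed above to activation records shaped like the Audit history entries described earlier: it counts activations per day and per user, flags activations that outlast the role's maximum or lack a justification where a ticket is required, and checks that each configured maximum stays within the 0.5 to 72 hour range the portal allows. The field names, role settings values and sample records are this example's own assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed sample of PIM activation records (who, which role, when, and the
# reason given). The field names are an assumption made for this example, not
# the PIM export schema.
SAMPLE_ACTIVATIONS = [
    {"user": "alice@contoso.example", "role": "Global administrator",
     "start": "2018-10-01T08:05:00", "end": "2018-10-01T10:05:00",
     "reason": "INC-1001 tenant branding change"},
    {"user": "bob@contoso.example", "role": "Global administrator",
     "start": "2018-10-01T13:00:00", "end": "2018-10-01T16:30:00",
     "reason": ""},
    {"user": "carol@contoso.example", "role": "Exchange administrator",
     "start": "2018-10-02T09:00:00", "end": "2018-10-02T17:00:00",
     "reason": "INC-1002 mailbox migration"},
    {"user": "bob@contoso.example", "role": "Global administrator",
     "start": "2018-10-02T12:00:00", "end": "2018-10-02T13:00:00",
     "reason": "INC-1003 conditional access review"},
]

# Per-role settings mirroring the Role settings blade (assumed values).
ROLE_SETTINGS = {
    "Global administrator": {"max_hours": 2, "require_ticket": True},
    "Exchange administrator": {"max_hours": 8, "require_ticket": False},
}

def activations_per_day(records):
    """Count activations per calendar day, as the Audit history view shows."""
    return Counter(r["start"][:10] for r in records)

def activations_per_user(records):
    """Count activations per user so unusually busy accounts stand out."""
    return Counter(r["user"] for r in records)

def validate_role_settings(settings):
    """Return roles whose maximum activation time is outside 0.5 to 72 hours."""
    return [role for role, cfg in settings.items()
            if not 0.5 <= cfg["max_hours"] <= 72]

def find_violations(records, settings):
    """Compare each activation with its role's settings and list the problems."""
    problems = []
    for r in records:
        cfg = settings[r["role"]]
        delta = datetime.fromisoformat(r["end"]) - datetime.fromisoformat(r["start"])
        hours = delta.total_seconds() / 3600
        if hours > cfg["max_hours"]:
            problems.append((r["user"], r["role"], f"active {hours:g}h, limit {cfg['max_hours']}h"))
        if cfg["require_ticket"] and not r["reason"].strip():
            problems.append((r["user"], r["role"], "no ticket/justification given"))
    return problems
```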
Conclusion
So many awesome things to see here. For a fully secured environment this is the way to go. Prevent admin accounts from being active forever; use Privileged Identity Management!