Planning, configuring, and monitoring PIM
Azure AD Privileged Identity Management (PIM) enables you to take greater control of your privileged accounts within Azure AD. So, what exactly is a privileged account? Essentially, this is any account within your Microsoft 365 environment that holds privileges above those of a standard user.
By default, Microsoft 365 standard user accounts are created without any sort of administrative privileges. However, it may be necessary to grant certain users elevated privileges to be able to carry out their jobs. There are a number of built-in administrator roles within Microsoft 365 for this, including the following:
- Billing Administrator
- Exchange Administrator
- Global Administrator
- Helpdesk Administrator
- Service Administrator
- SharePoint Administrator
- Teams Administrator
- User Administrator
Important note
The preceding roles are the core admin roles in Microsoft 365. There are others available, and a link to a document that includes information on all of these has been included in the References section at the end of this chapter.
Let's examine how you can plan for PIM in your organization.
Planning PIM
PIM provides you with the ability to control and monitor access to your resources in Azure AD by minimizing the number of users who have permanent administrative access with admin roles such as those described previously. Reducing the number of permanent administrative accounts has the obvious benefit of reducing your attack surface, and therefore reducing the risk of a malicious actor gaining access to your resources.
However, there will undoubtedly be a business requirement for certain users to perform administrative tasks within Azure AD from time to time, and this is where PIM comes into play. PIM allows you to provide just-in-time (JIT) privileged access to your resources in Azure AD, so that an account holds elevated rights only for the window in which it needs them. This shrinks the period during which a compromised or misused account can do damage with those rights.
When thinking about users who may require occasional admin access to Azure resources, consider how the following features of PIM allow you to configure them:
- JIT privileged access to activate roles
- Time-bound access (using start and end dates)
- An approval process for privileged role activation requests
- The requirement for MFA when activating certain roles
- A justification process where users must explain why they require a privileged role
- Notifications to alert you when privileged roles are activated
- Access reviews to assess ongoing requirements for privileged roles
PIM must be explicitly activated in the Azure portal. The Azure administrator who sets up PIM is automatically granted the Security Administrator and Privileged Role Administrator roles in Azure AD. PIM role settings (activation duration, MFA, approval, and so on) are configured per role, not per user. This means that it is currently not possible to apply different settings to internal and external users who hold the same role.
To access the PIM feature, go to the Azure portal and search for Azure AD Privileged Identity Management, as follows:
Here, you will be directed to the PIM console:
In this example, which is from my own tenant, you can see that in addition to being a Global Administrator, my Azure AD account has been granted the two roles associated with PIM. We can verify this by choosing My Roles | Active Roles:
As a PIM administrator, you can grant other administrators the ability to manage PIM, Azure AD Roles, and Azure Resources, as shown in the following screenshot:
As a PIM administrator, you can also allow other users to be Approvers, who can then view and approve/reject requests from users to elevate their privileges. Additionally, it is possible to make specific users eligible for privileged roles so that they can request access to them on a just-in-time basis.
Important note
In order to use the features of Azure AD PIM in your Microsoft 365 environment, you must have an Azure AD Premium P2, Enterprise Mobility + Security E5, or Microsoft 365 E5 license for all users who will use the feature. The Microsoft 365 E5 Security add-on may also be used to license Azure AD PIM, but it must be combined with a Microsoft 365 E3 subscription.
Now that you understand what PIM is and the considerations for planning its deployment, let's move on and start configuring PIM.
Configuring PIM
When running PIM for the first time, the first thing you may need to do is enable and consent to PIM. Since early 2020, this step has been removed from many Microsoft 365 tenants, but should you still encounter the requirement to consent to PIM, you can achieve this by completing the following steps:
- Sign in to the Azure portal as a Global Administrator.
- Search for Privileged Identity Management and click to open the PIM pane.
- Click the option to Consent to PIM:
- Next, you will need to select Verify my identity and confirm your account by using MFA. If you have not registered for MFA, this wizard will walk you through the steps regarding how to set it up:
- When you've completed the MFA registration process, you will see the following screen:
- Once you have done this, click the Consent button, and then click on Yes:
PIM is now enabled, with you as the first/primary administrator. You now need to sign up PIM for Azure AD roles. To do this, you need to follow these steps:
- Open Privileged Identity Management in the Azure portal.
- Select Azure AD roles and click Sign up:
- Click Yes if prompted:
- The sign-up process is now complete and everything should be enabled.
Important note
Remember that the preceding steps to consent to PIM and sign up PIM for Azure AD Roles may no longer appear in some tenants as Microsoft have changed this experience. The steps are included in this book in the event that you still encounter them in your testing.
Now, you will be able to perform tasks within PIM and manage roles and resources. The actions available to you as a PIM Administrator can be viewed under the Tasks and Manage sections of the PIM portal, as shown in the following screenshot:
Let's examine the options in these sections in greater detail to understand what they can do.
Tasks:
- My roles: Shows the active roles that are assigned to you and any roles you are eligible for
- Pending requests: Shows your pending requests to activate eligible role assignments
- Approve requests: Shows a list of activation requests from other users that you will need to action, approve, or deny
- Review access: Shows any access reviews that are assigned to you. You will see access reviews here for yourself and for other users
Important note
Azure AD Access Reviews were covered in detail earlier in Chapter 2, Authentication and Security.
Manage:
- Roles: PIM administrators can use this dashboard to manage role assignments. Only PIM administrators can see this dashboard.
- Members: PIM administrators can use this section to search for Azure AD users and check which roles they are eligible for. They can also add new role assignments to members from here.
- Alerts: PIM administrators can use this dashboard to view any administrators who are not using their privileged roles, potential stale accounts in a privileged role, and warnings if there are too many Global Administrators.
So, now that we have PIM enabled and understand the Tasks and Manage options within the PIM pane in Azure, let's look at PIM in action and configure some of the common settings. These will include the following:
- Making a user eligible for a role
- Making the role assignment permanent
- Removing a role assignment
- Approving a role request
Making a user eligible for a role
In this example, we will assign the role of Billing Administrator to one of our users (Jane Bloggs) in Azure AD. In the first instance, we will make the user eligible for the role so that it can be activated as and when required. However, there may be occasions where the user needs the role on an ongoing basis to do their job. To cover this, we will also show how to make the eligibility permanent rather than time-bound.
Here are the steps you need to follow in order to make a user eligible for a role:
- Open the PIM pane in the Azure portal.
- Select Manage | Roles. You will be able to see a list of all the available roles that can be assigned:
Important note
If you select Members, you will be able to see a list of which users are already assigned to the various roles and whether the assignments make the user eligible or are permanent.
- Now that we have our list of roles available, we need to find and select the Billing Administrator role from the list:
- Under Assignments, click on Add member. This will take you to the Member list for this role so that you can add the required user:
- Click on Select a member and search for the name of the required user (in this case, Jane Bloggs). Click Select; you will see the following options:
- You can choose to make the user permanently eligible for the role here or set a duration for eligibility. In this example, we will make the user permanently eligible. Click Save, and then click Add. You may need to refresh the page. Then you should see the user appear as eligible for the role, as shown in the following screenshot:
- Jane can now log in to the Azure portal herself and navigate to Tasks | My Roles. Then, under Azure AD roles, she can activate her eligible role by clicking Activate. This is illustrated in the following screenshot:
- Next, Jane needs to choose an activation duration. The duration shown by default is 1 hour, which is the maximum activation duration configured for this role in its settings; the user can choose a shorter duration if less time is needed, but not a longer one. She will also need to enter a reason for activating the role and then click on Activate, as shown in the following screenshot:
- The activation request will start processing:
- If there are no issues, activation will be completed:
- Jane should now sign out and then log back in so that a fresh token containing the role is issued. By doing this, she will have access to the Billing Administrator role for the 1-hour duration, while retaining permanent eligibility for the role.
Important note
Eligible users will be asked to set up MFA on their Azure AD account as part of this process if they are not already registered for MFA.
If the eligibility period had not been permanent, the eligibility itself would expire at its end date, and Jane would no longer be able to activate the Billing Administrator role. Note that this is separate from the activation: an activation always ends after the chosen duration, regardless of whether the eligibility is permanent.
Additionally, the PIM administrator can track that Jane has activated the role and can check what time the activation is due to expire.
The settings we have configured are shown in the following screenshot:
Removing a role assignment
Removing a role assignment is just as simple for the PIM administrator and can be achieved as follows:
- Open the Billing Administrator assignments page once again, as shown in the previous screenshot, and select the user that you wish to remove the role assignment from. Click Remove. You will be asked to confirm the removal, as shown in the following screenshot:
- Click Yes. By doing this, the user will be removed as a member and will no longer have either permanent access or eligibility for the selected role.
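The portal steps above (making Jane eligible, Jane activating the role, the administrator checking the expiry, and removing the assignment again) can all be scripted. The following is an added example using the Microsoft Graph PowerShell SDK; it is not code from the book. It assumes the Microsoft.Graph.Users and Microsoft.Graph.Identity.Governance modules are installed, that the account running the admin steps holds the Privileged Role Administrator role, and that jane.bloggs@contoso.com is a placeholder for Jane's UPN in your tenant. The role is looked up by display name so that no role template ID needs to be hardcoded.

```powershell
# Added example (not from the book): Graph PowerShell equivalent of the portal steps.
# Assumes Microsoft.Graph.Users and Microsoft.Graph.Identity.Governance are installed.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory",
                        "RoleEligibilitySchedule.ReadWrite.Directory",
                        "RoleAssignmentSchedule.ReadWrite.Directory",
                        "User.Read.All"

$upn  = "jane.bloggs@contoso.com"   # assumption: Jane's UPN in your tenant
$user = Get-MgUser -UserId $upn
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Billing Administrator'"

# 1. Make Jane permanently eligible (portal: Add member -> Permanently eligible).
#    Eligibility grants nothing by itself; she still has to activate.
$eligibility = @{
    action           = "adminAssign"
    justification    = "Jane handles billing queries; JIT access only"
    roleDefinitionId = $role.Id
    directoryScopeId = "/"                     # tenant-wide scope
    principalId      = $user.Id
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = "noExpiration" }
    }
}
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $eligibility
# For time-bound eligibility instead, replace the expiration with:
#   @{ type = "afterDateTime"; endDateTime = (Get-Date).AddDays(90).ToUniversalTime() }

# 2. What Jane runs in her OWN session to activate (portal: My roles -> Activate).
#    The duration may not exceed the maximum set in the role's settings.
$activation = @{
    action           = "selfActivate"
    justification    = "Reviewing this month's invoices"
    roleDefinitionId = $role.Id
    directoryScopeId = "/"
    principalId      = $user.Id
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = "afterDuration"; duration = "PT1H" }
    }
}
New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $activation

# 3. What the PIM administrator sees: the active instance and when it expires.
Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance `
    -Filter "principalId eq '$($user.Id)' and roleDefinitionId eq '$($role.Id)'" |
    Select-Object AssignmentType, StartDateTime, EndDateTime

# 4. Remove the eligibility again (portal: select the member -> Remove).
$removal = @{
    action           = "adminRemove"
    justification    = "Jane no longer requires billing access"
    roleDefinitionId = $role.Id
    directoryScopeId = "/"
    principalId      = $user.Id
}
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $removal
```

Step 2 must be run by Jane herself: a selfActivate request is evaluated against the caller's own eligibility, and it is the point at which the role's settings (MFA, justification, approval) are enforced. Steps 1, 3 and 4 are administrative and require the Privileged Role Administrator role.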
Approving a role request
In the preceding example, where we made the user Jane Bloggs eligible for the Billing Administrator role, the role was activated automatically as soon as she requested it. To add another layer of protection to this process, you can require approval for activation in the settings of each role. Let's see how this process works with the same user and role:
- From the PIM pane in the Azure portal, navigate to Manage | Settings, as shown in the following screenshot:
- Select Billing Administrator from the roles list, and then click Edit:
- Select the Require approval to activate checkbox, as shown in the following screenshot. You will have the option to select a specific user to be the approver for this role. If you do not select an approver here, the PIM administrator or Global Administrators will be set as the approvers by default:
- Click Update to commit the changes.
- Next, we make our user, Jane Bloggs, eligible for the Billing Administrator role again. When she now goes to activate the role, the activation is no longer applied immediately; instead, her request is held as pending until an approver acts on it.
- The request to activate the role can be viewed by the PIM Administrator in the PIM pane of the Azure portal, under Tasks | Approve requests, as shown in the following screenshot:
- The request will be shown as per the following screenshot:
- The approver also receives an email alert to inform them about the user request, as shown in the following screenshot:
- The approver can click on the link in the email to Approve or deny the request. Alternatively, they can go to the Azure portal, access the PIM pane, select the request, and choose Approve, as shown in the following screenshot:
- The role has now been activated and the approver will receive an email confirming their approval action, as shown in the following screenshot:
- The user will also receive an email confirmation and can check Azure AD roles | Active roles to see that the approval and activation have been completed successfully, as shown in the following screenshot:
Important note
It is also possible to use PowerShell to configure PIM. There are some references to this at the end of this chapter.
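The approval setting configured in the portal above (Manage | Settings | Billing Administrator | Require approval to activate) corresponds to the role's role management policy in Microsoft Graph. The following is an added example, not code from the book, that sets the same approval requirement from Graph PowerShell and also pins the two settings this chapter relies on: MFA plus justification on activation, and a 1-hour maximum activation. It assumes the Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Identity.Governance modules, that the caller holds Privileged Role Administrator, and that pim.approver@contoso.com is a placeholder for the approver's UPN. The rule identifiers (Approval_EndUser_Assignment and so on) are the fixed rule names Microsoft Graph uses for every directory role policy.

```powershell
# Added example (not from the book): set "Require approval to activate" and related
# activation rules for Billing Administrator via its role management policy.
Connect-MgGraph -Scopes "RoleManagementPolicy.ReadWrite.Directory",
                        "RoleManagement.Read.Directory",
                        "RoleAssignmentSchedule.Read.Directory",
                        "User.Read.All"

$role     = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Billing Administrator'"
$approver = Get-MgUser -UserId "pim.approver@contoso.com"   # assumption: approver's UPN

# Every directory role is bound to exactly one policy at tenant scope; find it.
$binding  = Get-MgPolicyRoleManagementPolicyAssignment `
    -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$($role.Id)'"
$policyId = $binding.PolicyId

# Review the current rules before changing anything (useful as an audit step too).
Get-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId | Select-Object Id

# "Require approval to activate" with a named approver.
# If primaryApprovers is left empty, Privileged Role Administrators and Global
# Administrators become the approvers by default, exactly as in the portal.
$approvalRule = @{
    "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule"
    id            = "Approval_EndUser_Assignment"
    setting       = @{
        isApprovalRequired               = $true
        isRequestorJustificationRequired = $true
        approvalMode                     = "SingleStage"
        approvalStages                   = @(
            @{
                approvalStageTimeOutInDays      = 1
                isApproverJustificationRequired = $true
                isEscalationEnabled             = $false
                escalationTimeInMinutes         = 0
                primaryApprovers                = @(
                    @{ "@odata.type" = "#microsoft.graph.singleUser"; userId = $approver.Id }
                )
                escalationApprovers             = @()
            }
        )
    }
}
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId "Approval_EndUser_Assignment" -BodyParameter $approvalRule

# Require MFA and a justification on activation (the prompts Jane saw).
$enablementRule = @{
    "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule"
    id            = "Enablement_EndUser_Assignment"
    enabledRules  = @("MultiFactorAuthentication", "Justification")
}
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId "Enablement_EndUser_Assignment" -BodyParameter $enablementRule

# Cap activations at one hour; users may pick less, never more.
$expirationRule = @{
    "@odata.type"        = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"
    id                   = "Expiration_EndUser_Assignment"
    isExpirationRequired = $true
    maximumDuration      = "PT1H"
}
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId "Expiration_EndUser_Assignment" -BodyParameter $expirationRule

# Approver's view (portal: Tasks -> Approve requests): activations waiting on a decision.
Get-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -Filter "status eq 'PendingApproval'" |
    Select-Object PrincipalId, RoleDefinitionId, Justification, CreatedDateTime
```

Re-running the Get-MgPolicyRoleManagementPolicyRule call after the updates is the quickest way to confirm the change took effect. The approve/deny decision itself is taken in the portal or from the email link, as described in the steps above.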
Now, you should have a good grasp of the steps required to configure PIM. You have learned how to enable PIM, as well as the Tasks and Manage features available within it. We demonstrated how to make users eligible for privileged roles, how to make that eligibility permanent rather than time-bound when required, how to approve or deny user activation requests, and how to remove role assignments from user accounts.
To conclude this chapter, we will show you how to monitor PIM and review audit history.
Monitoring PIM
Privileged Identity Management provides several ways in which you can monitor it to ensure that it is being used in an appropriate manner. PIM administrators are able to view activity, audit trails, and activation events for roles within Azure AD.
In order to view alerts within PIM, you will need to complete the following steps:
- Open the PIM pane from the Azure portal and choose Azure AD roles from the Manage section, as shown in the following screenshot:
- Select Alerts from the Manage tab, as shown in the following screenshot:
- Here, you can review the recorded alerts that relate to PIM. Each alert has an alert name, as shown in the following screenshot:
- Clicking on each alert will give you more information about them, as shown in the following screenshot:
- If the alert reflects something you have deliberately accepted (for example, a dedicated break-glass account that is a permanent Global Administrator), you can dismiss it. Otherwise, choose Fix, which walks you through the corrective action and resolves the alert once that action has been taken.
We are also able to review My Audit History from the Activity section. Here, we can see the recent actions that have been processed in detail:
Important note
The audit history can be exported to a .csv file in order to make it easier to read, sort, and search.
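The same checks the Alerts dashboard performs can be run on a schedule and kept alongside the exported audit history. The following is an added example, not code from the book, using Graph PowerShell to export the last 30 days of PIM audit events to a .csv file and then reproduce two of the built-in alerts: too many permanent Global Administrators, and eligible administrators who have not activated their role in the period. It assumes the Microsoft.Graph.Reports and Microsoft.Graph.Identity.Governance modules and a caller holding at least the Security Reader and Global Reader roles. The audit activity name used to detect activations ("Add member to role completed (PIM activation)") is the name PIM writes to the Azure AD audit log; the Global Administrator count threshold of five is the alert's default.

```powershell
# Added example (not from the book): export PIM audit history and re-implement two PIM alerts.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All",
                        "RoleManagement.Read.Directory",
                        "RoleAssignmentSchedule.Read.Directory",
                        "RoleEligibilitySchedule.Read.Directory"

$since = (Get-Date).AddDays(-30).ToUniversalTime().ToString("o")

# 1. PIM audit trail for the window, flattened and exported (portal: Activity -> audit history).
$pimAudit = Get-MgAuditLogDirectoryAudit -All `
    -Filter "loggedByService eq 'PIM' and activityDateTime ge $since"
$pimAudit |
    Select-Object ActivityDateTime, ActivityDisplayName, Result,
        @{ n = 'Actor';  e = { $_.InitiatedBy.User.UserPrincipalName } },
        @{ n = 'Target'; e = { ($_.TargetResources | Select-Object -First 1).DisplayName } } |
    Export-Csv -Path .\pim-audit.csv -NoTypeInformation

# 2. Alert "There are too many global administrators":
#    count active GA assignments that are permanent (no expiry), i.e. not JIT.
$gaRole = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Administrator'"
$gaSchedules = Get-MgRoleManagementDirectoryRoleAssignmentSchedule -All `
    -Filter "roleDefinitionId eq '$($gaRole.Id)'"
$permanentGa = @($gaSchedules | Where-Object {
    $_.AssignmentType -eq 'Assigned' -and $_.ScheduleInfo.Expiration.Type -eq 'noExpiration'
})
if ($permanentGa.Count -gt 5) {
    Write-Warning "$($permanentGa.Count) permanent Global Administrators; PIM alerts above 5 by default"
}
$permanentGa | Select-Object PrincipalId, StartDateTime

# 3. Alert "Administrators aren't using their privileged roles":
#    eligible principals with no activation event in the window.
$activatorIds = $pimAudit |
    Where-Object { $_.ActivityDisplayName -eq 'Add member to role completed (PIM activation)' } |
    ForEach-Object { $_.InitiatedBy.User.Id } |
    Sort-Object -Unique
$eligible = Get-MgRoleManagementDirectoryRoleEligibilitySchedule -All
$stale = $eligible | Where-Object { $activatorIds -notcontains $_.PrincipalId }
$stale |
    Select-Object PrincipalId, RoleDefinitionId, StartDateTime |
    Export-Csv -Path .\pim-unused-eligibility.csv -NoTypeInformation
```

Treat the output of step 3 as a list of candidates for an access review rather than for immediate removal: a role that is legitimately needed only a few times a year will appear here in most 30-day windows, which is exactly the question an access review is designed to put to the role's owner.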
So, in this section, we have shown you how you can monitor PIM within your Azure AD environment, as well as how you can check for stale accounts and administrators who are not using their privileged roles. It is important to constantly monitor PIM to ensure that privileged roles are being used appropriately and that the principle of least privilege is being applied where possible.