We’re going to take a break from Azure Information Protection and shift our focus to Azure Active Directory Privileged Identity Management (AAD PIM).
If you’ve ever had to manage an application, you’re familiar with the challenge of trying to keep a balance between security and usability when it comes to privileged access. In many cases you’re stuck with users that have permanent membership in privileged roles because the impact to usability of the application is far too great to manage that access on an “as needed basis” or as we refer to it in the industry “just in time” (JIT). If you do manage to remove that permanent membership requirement (often referred to as standing privileged access) you’re typically stuck with a complicated automation solution or a convoluted engineering solution that gives you security but at the cost of usability and increasing operational complexity.
Not long ago the privileged roles within Azure Active Directory (AAD), Office 365 (O365), and Azure Role-Based Access Control had this same problem. Either a user was a permanent member of the privileged role or you had to string together some type of request workflow that interacted with the Graph API or triggered a PowerShell script. In my first entry into Azure AD, I had a convoluted manual process which involved requests, approvals, and a centralized password management system. It worked, but it definitely impacted productivity.
Thankfully Microsoft (MS) has addressed this challenge with the introduction of Azure AD Privileged Identity Management (AAD PIM). In simple terms AAD PIM introduces the concept of an “eligible” administrator which allows you to achieve that oh so wonderful JIT. AAD PIM is capable of managing a wide variety of roles which is another area Microsoft has made major improvements on. Just a few years ago close to everything required being in the Global Admin role which was a security nightmare.
In addition to JIT, AAD PIM also provides a solid level of logging and analytics, a centralized view into what users are members of privileged roles, alerting around the usage of privileged roles, approval workflow capabilities (love this feature), and even provides an access review capability to help with access certification campaigns. You can interact with AAD PIM through the Azure Portal, Graph API, or PowerShell.
To get JIT you’ll need an Azure Active Directory Premium P2 or Enteprise Mobility and Security E5 license. Microsoft states that every use that benefits from the feature requires a license. While this is a licensing requirement, it’s not technically enforced as we see in my upcoming posts.
You’re probably saying, “Well this is all well and good Matt, but there is nothing here I couldn’t glean from Microsoft documentation.” No worries my friends, we’ll be using this series to walk to demonstrate the capabilities so you can see them in action. I’ll also be breaking out my favorite tool Fiddler to take a look behind the scenes of how Microsoft manages to elevate access for the user after a privileged role has been activated.