Exploring Azure AD Privileged Identity Management (PIM) – Part 4 – Access Review and Azure RBAC

Access Reviews

Welcome to my final post on Azure Active Directory Privileged Identity Management (AAD PIM).  Over this series of posts I’ve provided an overview of the service, guidance on how to set the service up, and a deep dive and look at the user and approver experience.  We’ll wrap up the series by looking at the Access Review feature, take an intermission to look at a new feature, and wrap up with reviewing the Azure RBAC integration.

We have a lot to cover, so let’s jump into it.

As a quick refresher, I’ll be using my Journey Of the Geek tenant.  Within the tenant I have some Office 365 E5 and EMS E5 licenses provisioned.  Our admin user will be initiating the access review and Homer Simpson will be acting as a reviewer.

I first log into the Azure Portal as the admin user and open up the AAD PIM shortcut from my dashboard.  Once the application opens, I’m going to navigate to the Azure AD directory roles option.

4aadpim1

After selecting the option my main menu is refreshed to show the management options for the various AAD PIM features.  As a quick refresher, let’s look at the settings I’ve configured for Access Reviews in my tenant.  We navigate to those Settings by clicking the Settings option as seen below and selecting Access Reviews.

4aadpim2

As you can see from the settings in the screenshot below, my tenant is set to send mail notifications to reviewers when a review is started and to admins when it finishes.  It’s also configured for reminders to be sent out to reviewers who haven’t yet completed their review.  I’ve configured reviewers to provide a reason as to why continued access to a privileged role needs to be maintained.  This is a great little option to capture the business requirements behind the access.  Finally, my access reviews are configured to run a total of 30 days.

4aadpim3

Let’s navigate back to the Access Review blade under the management menu.

4aadpim4

On the Access Reviews blade we see a listing of the access reviews in progress.  You can see I set up an access review for users that are members of the Global Admins role.  On the top we have the menu options to start a new access review, filter which access reviews are displayed, change the way they are grouped, and go back to the Access Review settings I showed earlier.

4aadpim5

Let’s spin up a new access review for users who are permanent or eligible members of the User Administrators Azure AD role.  We click the Add link and a new blade opens where we can configure a number of options.  We have the basic options of naming the access review, providing a description, and setting a start and end date.

I’ve selected the User Administrator role as the role being reviewed during this access review.  Notice the Scope option with the Everyone radio button.  Perhaps that’s a placeholder for functionality that will be introduced in the future to limit the users within a role that the access review will cover.  I’ve selected Homer Simpson to be the reviewer for the role.  The advanced settings have inherited the global settings for my tenant for access reviews I covered previously.  Once the information is filled in, I hit the start button to kick off the access review.

4aadpim6

It takes a few minutes for the access review to be created and then it’s displayed in the listing of access reviews with a status of active.

4aadpim7

If we navigate over to Homer Simpson’s Outlook inbox, we see he has received an email informing him an access review has been kicked off and he has been designated as a reviewer and must approve or reject other members’ continued eligibility for the role.

4aadpim8

If we delay acting on the access review for a day we receive another reminder email per our settings.  The email can be seen below.

4aadpim9

If the approvers do not respond to the access review, the review completes but records that none of the users have been reviewed.

4aadpim10.png

Let’s spin up another review and complete this one.

4aadpim11

Homer Simpson again receives the notice that an Access Review has been kicked off.  Clicking the Start Review button in the email opens up the Azure Portal and the AAD PIM blade.  Here Homer gets an overview of the access review including the user who created the review, the length of the review, the description of the review, and the users who are members (permanent or eligible) for the role.

The filter option allows us to filter on the listing of users based upon whether they still need to be reviewed or have been approved or denied.

4aadpim12

We first check off Bart Simpson and see that we are required to input a reason for Bart’s approval or denial.  I input a reason and choose the deny button.  Bart disappears from the menu.  If I use the filter option to show all three categories of users, Bart now reappears under the denied category.

4aadpim13

I check off both Homer and Marge and provide a reason for both users and hit the approve button. All users have been reviewed by Homer Simpson. After refreshing the page the review now shows 0 users remaining to be reviewed.

4aadpim14

Switching over to the browser for the admin user we see that the access review is still open.

4aadpim15

If we open the access review we can see that all users have been reviewed even though the review is still active.  We have the option to Reset the access review to force the approvers to perform the access review activities again, or we can stop it.  We’re going to choose to end the access review early now that all the reviews have been completed.

4aadpim16

Re-opening the access review, we now have the option to apply the results of it.  After clicking the Apply button the changes are applied and we’re notified via the Portal notification system.

4aadpim17

Navigating to the Roles blade under the Manage section now shows only Homer and Marge as being eligible for the User Administrator role, verifying that the changes made during the access review have taken effect.

The access review feature is a wonderful addition by Microsoft.  Back in the olden days of Windows Active Directory, managing the entire lifecycle of an identity and its entitlements often involved complex third-party identity management solutions in combination with a request management system.  By including this feature out of the gate, Microsoft is showing real maturity in its identity offerings.

A Brief Intermission

Before I get into what AAD PIM can do for Azure RBAC, I want to touch on a new feature that went into public preview while I was working on this post.  Notice in the Manage section the Roles blade now has a (Preview) notation after it.

4aadpim18

Navigating into the blade shows an entirely new interface with far more useful information.  We now have a complete list of the roles AAD PIM can manage including descriptions.  If we select a role we go a level deeper and can add users to the role as we would expect.

4aadpim19

We also have two new menu options for Description and Definition.  The Description blade opens up and gives us a link to the Microsoft documentation on the role as well as every permission the role has (AWESOME!).  The Definition blade gives us a JSON view of the role information.  Perhaps we’ll be able to create custom AAD / O365 roles in the future and use these JSON views as ARM templates?  Time will tell.

4aadpim20

The introduction of this new feature is a great demonstration of how quickly things change in the cloud.

AAD PIM and Azure RBAC

Most organizations consuming Microsoft cloud services don’t just consume Office 365.  These organizations want to reap the benefits of the infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS) services provided by Microsoft’s Azure offering.  Managing authorization in Azure is handled through Azure Role-Based Access Control (RBAC).  In short, Azure RBAC provides a method of authorizing a security principal (user, group, or service principal) to perform an action on a resource (VM, storage account, Azure SQL, etc.) based upon membership in a role.  Out of the box Microsoft provides a few roles such as Owner, Reader, and Contributor.  You can also create custom roles to fit your business needs.


Similar to Office 365 prior to AAD PIM, preventing standing access of security principals in Azure RBAC roles was left to custom scripts and third-party solutions.  Last year it was announced that AAD PIM capabilities were being extended to Azure RBAC.  The integration of AAD PIM and Azure RBAC became generally available in the commercial offering of Azure AD in May of 2018.

For this demonstration I’m going to switch over to my Geek In The Weeds tenant.  Recall that the tenant is a synchronized and federated tenant using Azure AD Connect and Active Directory Federation Services.  I’ve already activated AAD PIM for the tenant so I’ll be jumping right into its integration with Azure RBAC.

After logging into the portal as a user who has permanent membership in the Privileged Role Administrator role I’m faced with the standard admin view of AAD PIM.  In the Manage menu I’m going to select the Azure resources option.

4aadpim21

If this is your first time using AAD PIM with Azure RBAC you’ll need to go through the discovery stage.  This will discover Azure resources that you have write permissions to and thus have the ability to manage privileged access to.  After discovery is complete you’ll see a screen similar to the one below.  You can see that my user is a member of the Owner role for the Visual Studio Enterprise Azure subscription and that there are 77 roles defined for the subscription, with three security principals holding one or more roles.

4aadpim22

Selecting the subscription resource gives us a dashboard displaying key metrics about PIM activity within the subscription.

4aadpim23.png

One of the metrics that caught my eye was the single user in the User Access Administrator role.  Selecting that area of the dashboard opens a new blade which lists out the members of the role.  We can see the service principal for PIM has been added to the User Access Administrator role to grant the service permissions to administer the roles within the resource (in this case a subscription).

4aadpim24

Notice also that the PIM menu for managing Azure AD/Office 365 differs from the menu for managing Azure RBAC.  We see that the new Roles options I outlined above haven’t been migrated to the Azure RBAC integration yet.  Additionally we see that the request approval workflow is still in public preview in Azure RBAC.  In the Azure RBAC menu we also get a Resource Audit log which details PIM activity within the resource.

4aadpim25

Notice also that the general Settings option isn’t present in the Azure RBAC menu.  Instead we have a Role Settings option.  Selecting this option opens a new blade that lists out the roles associated with the resource.  Selecting any of the roles opens a new blade where we can configure a large selection of options for the role, for both assignment (making the user eligible or a permanent member) and activation.  If you recall the configurable options for the Azure AD / Office 365 roles, these are far more granular.  The additional flexibility makes sense because these roles are going to be managing IaaS and PaaS resources, which are much more catered to programmatic access by non-humans.  Non-human access tends to be much more predictable than human access, so enforcing controls such as temporary eligibility for a role makes a lot of sense.

4aadpim26

Let’s take a look at what the experience is like adding a user to one of the RBAC roles.  The process is very similar to AAD PIM with Azure AD / Office 365 in that we select the Roles option from the Manage section.  For this demonstration I’m going to add a user to the Virtual Machine Contributor role.

Clicking the Add Member option allows me to assign Ash Williams as an eligible member of the role.  Notice the additional option called Set membership settings.  Here I can set a timespan that Ash is eligible for the role.  This option isn’t available in AAD PIM for Azure AD / Office 365 that I could see.

4aadpim27

After hitting the Add button Ash is successfully added as a Direct member of the role.  Notice that I can also add groups as members of the role.  This is another capability unique to the Azure RBAC integration.

4aadpim28

Let’s go through the user experience for activating a role.  For the sake of simplicity I’m only going to cover the differences in the user experience.  You can reference my third post if you’re curious about the full user experience.

At this point I’ve logged into a virtual machine as Ash Williams and have authenticated to the Azure Portal.  I’ve entered the Azure resources blade.  Here we see the user being informed that no Azure resources are protected by PIM.  In this instance hitting the Discover resources option will not update this menu because Ash Williams isn’t a member of any role that would grant him write permissions on an Azure resource.  Instead I’m going to click the Activate Role button.

4aadpim29

After clicking the Activate role button I’m shown the roles Ash Williams is eligible to activate.  Notice Ash has the ability to activate the role due to both his direct membership and his membership in the GIW AIP Users group.  I’d recommend leveraging groups for this access where possible so you don’t end up in a situation where a direct role assignment grants a security principal access to the role for longer than you intended.

4aadpim30

The activation experience and approval experience are the same from this point forward, so I’m going to stop here.

Summing It Up

I really enjoyed this blog series.  I hadn’t done a deep dive into AAD PIM since it was in public preview and much has changed since then.  I really like how Microsoft is finally exposing capabilities which have historically been more Azure AD / Office 365 centric to Microsoft Azure.  It’s an excellent marketing tool for companies who may already be using Office 365 but are using another cloud provider for IaaS and PaaS. The product team has also done a great job integrating much needed features such as approval workflows, access reviews, and metrics.

I’m not going to have the time to do a post about the AAD PIM PowerShell module but I recommend you check it out if you have some bandwidth.  There are some great opportunities there to integrate PIM functionality with third-party workflow management tools to automate the entire user experience behind a GUI your users are already familiar with.

That wraps up my series on Azure AD Privileged Identity Management.  I hope you enjoyed it as much as I did.

See you next post!

Exploring Azure AD Privileged Identity Management (PIM) – Part 3 – Deep Dive

Welcome back fellow geeks to my third post in my series covering Azure AD Privileged Identity Management (AAD PIM).  In my first post I provided an overview of the service and in my second post I covered the initial setup and configuration of PIM.  In this post we’re going to take a look at role activation and approval as well as looking behind the scenes to see if we can figure out what makes the magic of AAD PIM work.

The lab I’ll be using consists of a non-domain joined Microsoft Windows 10 Professional version 1803 virtual machine (VM) running on Hyper-V in my home lab.  The VM has a local user configured that is a member of the Administrators group.  I’ll be using Microsoft Edge and Google Chrome as my browsers and running Telerik’s Fiddler to capture the web conversation.  The users in this scenario will be sourced from the Journey Of The Geek tenant; one will be licensed with Office 365 E5 and EMS E5 and the other will be licensed with just EMS E5.  The tenant is not synchronized from an on-premises Windows Active Directory.  The user Homer Simpson has been made eligible for the Security Administrators role.

With the intro squared away, let’s get to it.

First thing I will do is navigate to the Azure Portal and authenticate as Homer Simpson.  As expected, since the user is not Azure MFA enforced, he is allowed to authenticate to the Azure Portal with just a password.  Once I’m into the Azure Portal I need to go into AAD PIM which I do from the shortcut I added to the user’s dashboard.

3pim1.png

Navigating to the My roles section of the menu I can see that the user is eligible for the Security Administrator Azure Active Directory (AAD) role.

3pim2

Selecting the Activate link opens up a new section where the user will complete the necessary steps to activate the role.  As you can see from my screenshot below, the Security Administrator role is one of the roles Microsoft considers high risk and enforces step-up authentication via Azure MFA.  Selecting the Verify your identity before proceeding link opens up another section that informs the user he or she needs to verify their identity with an MFA challenge.  If the user isn’t already configured for MFA, they will be set up for it at this stage.

3pim3.png

Homer Simpson is already configured for MFA so after the successful response to the MFA challenge the screen refreshes and the Activation button can now be clicked.

3pim4.png

After clicking the Activation button I enter a new section where I can configure a custom start time, configure an activation duration (up to the maximum configured for the role), provide ticketing information, and provide an activation reason.  As you can see I’ve adjusted the max duration for an activation from the default of one hour to three hours and have configured a requirement to provide a ticket number.  This could be mapped back to your internal incident or change management system.

3pim5.png

After filling in the required information I click the Activate button, the screen refreshes back to the main request screen, and I’m informed that activation for this role requires approval.  In addition to modifying the activation and requiring a ticket number, I also configured the role to require approval.

3pim6.png

At this point I opened an instance of Google Chrome and authenticated to Azure AD as a user who is in the privileged role administrator role.  Opening up AAD PIM with this user and navigating to the My roles section and looking at the Active roles shows the user is a permanent member of the Security Administrators, Global Administrators, and Privileged Role Administrators roles.

3pim7.png

I then navigate over to the Approve requests section.  Here I can see the pending request from Homer Simpson requesting activation of the Security Administrator role.  I’m also provided with the user’s reason and start and end time.  I’d like to see Microsoft add a column for the user’s ticket number.  My approving user may want to reference the ticket for more detail on why the user is requesting the role.

3pim8.png

At this point I select the pending request and click the Approve button.  A new section opens where I need to provide the approval reason after which I hit the Approve button.

3pim9.png

After approving, the blue synchronization-like image is refreshed to a green check box indicating the approval has been processed and the user’s role is now active.

3pim10

If I navigate to My audit history section I can see the approval of Homer’s request has been logged as well as the reasoning I provided for my approval.

3pim11.png

If I bounce back to the Microsoft Edge browser instance that Homer Simpson is logged into and navigate to My requests, I can see that my activation has been approved and it’s now active.

3pim12.png

At this point I have requested the role and the role has been approved by a member of the Privileged Role Administrators role.  Let’s try modifying an AIP policy.  Navigating back to Homer Simpson’s dashboard I select the Azure Information Protection icon and receive the notification below.

3pim13.png

What happened?  Navigating to Homer Simpson’s mailbox shows the email confirming the role has been activated.

3pim14.png

What gives?  To figure out the answer to that question, I’m going to check on the Fiddler capture I started before logging in as Homer Simpson.

In this capture I can see my browser sending my bearer token to various AIP endpoints and receiving a 401 return code with an error indicating the user isn’t a member of the Global Administrators or Security Administrators roles.

3pim15.png

I’ll export the bearer token, base64 decode it and stick it into Notepad. Let’s refresh the web page and try accessing AIP again. As we can see AIP opens without issues this time.

3pim16.png

At this point I dumped the bearer token from the failure and the bearer token from a success and compared the two as seen below.  The IAT, NBF, and EXP claims simply speak to times specific to the token.  I can’t find any documentation on the aio or uti claims.  If anyone has information on those two, I’d love to see it.

3pim17.png

I thought it would be interesting at this point to deactivate my access and see if I could still access AIP.  To deactivate a role the user simply accesses AAD PIM, goes to My Roles and looks at the Active Roles section as seen below.

3pim18.png

After deactivation I went back to the dashboard and was still able to access AIP.  After refreshing the browser I was unable to access AIP.  I didn’t see any obvious cookies or access tokens being created or deleted.  My guess at this point is that applications that use Azure AD or Office 365 roles have some type of method of receiving data from AAD PIM.  A plausible scenario is that an application receives a bearer token and queries Azure AD to see if the user is a member of one of the relevant roles for the application.  Perhaps for eligible roles there is an additional piece of information indicating the timespan the user has the role activated, and that time is checked against the time the bearer token was issued.  That would explain my experience above because the bearer token my browser sent to AIP was obtained prior to activating my role.  I verified this by comparing the bearer token issued from the delegation endpoint at first login to the one sent to AIP after I tried accessing it after activation.  Only after a refresh did I obtain a new bearer token from the delegation endpoint.
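To make the token comparison above repeatable, here is an added example (not code from the original post) that decodes the payload of two JWT bearer tokens, lists the claims that differ, and applies the hypothesis from the paragraph: a token whose `iat` predates the role activation time is stale. The two tokens, the activation timestamp and the `upn`/`uti` values are constructed sample data, and the tokens are unsigned (alg=none) purely so the example runs offline; real Azure AD tokens are signed and must be verified before any trust decision.

```python
import base64
import json

# Constructed sample data: an assumed Unix timestamp at which the PIM role
# became active. The two tokens below stand in for the "failure" and
# "success" bearer tokens compared in the post.
ACTIVATION_TIME = 1_530_000_600


def _b64url_encode(data: bytes) -> str:
    """base64url without the '=' padding, as used in compact JWTs."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_jwt(claims: dict) -> str:
    """Build a compact JWT with alg=none and an empty signature (test data only)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}."


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWT without verifying the signature.
    Inspection only, like pasting a captured token into Notepad; an
    unverified payload must never drive an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def diff_claims(old: dict, new: dict) -> dict:
    """Map claim name -> (old value, new value) for every claim that differs."""
    names = sorted(set(old) | set(new))
    return {n: (old.get(n), new.get(n)) for n in names if old.get(n) != new.get(n)}


def token_is_current(claims: dict, now: int) -> bool:
    """nbf/exp window check: the only validity the token itself can assert."""
    return int(claims.get("nbf", 0)) <= now < int(claims["exp"])


def token_predates_activation(claims: dict, activated_at: int = ACTIVATION_TIME) -> bool:
    """True when the token was issued (iat) before the role activation: the
    stale-token case observed in the post, where AIP answered 401 until a
    browser refresh produced a token minted after activation."""
    return int(claims["iat"]) < activated_at


# Constructed tokens: issued 10 minutes before and 10 minutes after activation.
FAILING_TOKEN = make_unsigned_jwt({
    "iat": 1_530_000_000, "nbf": 1_530_000_000, "exp": 1_530_003_600,
    "upn": "homer.simpson@example.onmicrosoft.com", "uti": "constructed-1",
})
SUCCEEDING_TOKEN = make_unsigned_jwt({
    "iat": 1_530_001_200, "nbf": 1_530_001_200, "exp": 1_530_004_800,
    "upn": "homer.simpson@example.onmicrosoft.com", "uti": "constructed-2",
})

if __name__ == "__main__":
    before = decode_jwt_payload(FAILING_TOKEN)
    after = decode_jwt_payload(SUCCEEDING_TOKEN)
    for name, (old, new) in diff_claims(before, after).items():
        print(f"{name}: {old} -> {new}")
    print("failing token predates activation:", token_predates_activation(before))
```

Point `FAILING_TOKEN` and `SUCCEEDING_TOKEN` at two tokens exported from a Fiddler capture (and `ACTIVATION_TIME` at the activation time shown in My requests) to reproduce the comparison on real data.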

Well folks that’s it for this blog entry.  If you happen to know the secret sauce behind how AAD PIM works and why it requires a refresh I’d love to hear it!  See you next post.

Exploring Azure AD Privileged Identity Management (PIM) – Part 2 – Setup

Welcome back to part 2 of my series on Azure Active Directory Privileged Identity Management (AAD PIM).  In the first post I covered the basics of the service.  If you haven’t read it yet, take a few minutes to read through it because I’ll be jumping right into using the service going forward.  In this post I’m going to cover the setup process for AAD PIM.

Before you can begin using AAD PIM, you’ll need to purchase a license that includes the capability.  As we saw in my last post, at this time that means a standalone Azure AD Premium P2 or Enterprise Mobility + Security E5 license.  Once the license is registered as being purchased by your tenant, you’ll be able to set up AAD PIM.

Your first step is to log into the Azure Portal.  After you’ve logged in you’ll want to click the Create a Resource button and search for Azure AD Privileged Identity Management.

1pim1.png

Select the search result and the AAD PIM application will be displayed with the Create button.  Click the Create button to spin the service up for your tenant.

1pim2.png

It will only take a few seconds and you’ll be informed the service has successfully been spun up and you’ll be given the option to add a link to your dashboard.

1pim3.png

The global admin who added AAD PIM to the tenant will become the first member of the Privileged Role Administrator role.  This is a new role that was introduced with the service.  Members of this role are your administrators of AAD PIM and have full read and write access to it.  Beware that other global admins, security administrators, and security readers only have read access to it.  As soon as you successfully spin up the service, you’ll want to add another Privileged Role Administrator as a backup.

Upon opening AAD PIM for the first time, you’ll receive a consent page as seen below.  The consent process requires confirmation of the user’s identity using Azure MFA.  If the user isn’t enabled for it, it will be configured at this point.

1pim4.png

After successfully authenticating with Azure MFA, the screen will update to show the status check was completed as seen below. This is a great example of Microsoft exercising the concept of step-up authentication. The user may have authenticated to the Azure Portal with a password or perhaps a still-valid session cookie. By prompting for an Azure MFA challenge the assurance that the user is the real user is that much higher, thus reducing the risk of the user accessing such sensitive configuration options.

1pim5

After clicking the Consent button the service becomes fully usable.  The primary menu options are displayed as seen in the picture below.  For the purpose of this post we’re going to click on the Azure AD directory roles option under the Manage section.

1pim6.png

The Manage section of the menu is refreshed and a number of new options are displayed.  Before I jump into the Wizard, I’ll navigate through each option in the section to explain its purpose.

1pim7.png

The Roles option gives us a view of all of the users who are members of privileged roles within Azure AD and Office 365.  The activation column shows whether the user is a permanent or eligible admin.  The expiration column shows any user that is eligible and has actively requested and been approved for temporary access to the privileged role.  As you can see from my screenshot from my test tenant, I have a number of users in the global admin role, which is a big no-no.  We’ll remediate that in a bit using the Wizard.

1pim8.png

Selecting the Add user button brings up a new screen where new users can be configured for privileged roles.  Microsoft has done a good job of giving AAD PIM the capability of managing a multitude of Azure AD and Office 365 roles.  Adding users to roles through this tool will automatically make the user eligible for the role rather than a permanent member, as adding them through other means would.

1pim9.png

The Filter button allows for robust filtering options including the permission state (all, eligible, permanent), activation state (all, active, or inactive), and by role.  The Refresh button’s function is obvious and the group option allows you to group the data either by user or by role.  The Review button allows you to kick off an access review which we’ll cover in a later post.  Lastly we have the Export button which exports the data to a CSV.

The Users option under the Manage section presents the same options as the Roles option except it takes a user-centric view.

The Alerts option under the Manage section displays the alerts referenced here.  You can see it is alerting me to the fact I have too many permanent global admins configured for my tenant.  I also have the option to run a manual scan rather than waiting on the next automatic scan.

1pim10.png

The Access Reviews option under the Manage section is used to create a new access review.  I’ll cover the capability in a future post.

Skipping over the Wizard option for a moment, we have the Settings option.  Here we can configure a variety of settings for roles, alerts, and access reviews.

Let’s dig into the settings for roles first.

1pim11.png

Here we can configure the default settings for all roles as well as settings specific to one role.  When a user successfully activates a privileged role, the membership in that role is time bound with a default of one hour.  If after doing some baselining we find one hour is insufficient, we could bump it up to something higher.  We can also configure notifications to notify administrators of activation of a role.  There is also the option to require an incident or request reference that may map back to an internal incident management or request management system.  Azure MFA can be required when a user activates a role.  You’ll want to be aware that the MFA setting is automatically enforced for roles Microsoft views as critical such as global administrator.

Finally we have the option to require an approval.  If you’ve played around with AAD PIM since preview, you may remember the approval workflow.  For some reason the product team removed it when AAD PIM originally went generally available.  This effectively meant users could elevate their access whenever they wanted.  Sure, they weren’t permanent members, but there were no checks and balances.  For organizations with a high security posture it made AAD PIM of little value and forced the on-demand management of privileged roles to be done using complicated PowerShell scripts or third-party tools that were integrated with the Graph API.  It’s wonderful to see the product team responded to customer feedback and has added the feature back.

Toggling to Enable for the require approval option adds a section where you can select approvers for requests for the role.

1pim12.png

Moving on to the Alerts settings we have the ability to configure parameters for some of the alerting as can be seen from the examples below.

1pim13.png

The default values for the configurable thresholds around the “There are too many global administrators” alert should be a good wake-up call to organizations as to the risk Microsoft associates with global admin access.  The thresholds for the “Roles are being activated too frequently” alert should be left at the default until the behavior of your user base is better understood.  This will help you to identify deviations from standard behavior indicating a possible threat, as well as to identify opportunities to improve the user experience by bumping up the activation time span for users holding privileged roles for whom the hour-long default activation time is insufficient.

Lastly we have the Access Review settings.  Here we can enable or disable mail notifications to reviewers at the beginning and end of an access review.  Reminders can also be sent to reviewers if they have not completed a review they are a part of.  A very welcome feature is the option to require reviewers to provide reasons for approvals in a review.  This can be helpful to capture business requirements as to why a user needs continued access to a role.  Finally, the default access review duration can be adjusted.

1pim14

Now on to the Wizard.  The Wizard is a great tool to use when you first configure AAD PIM in order to get it up and running and begin capturing behavioral patterns.  The steps within the Wizard are outlined below.

1pim15.png

The Discover privileged roles step displays a simple summary of the privileged roles in use and the number of permanent and eligible users.  We can see from the below that my tenant has exceeded either the 3 global admins or the greater than 10% of users default threshold for the “There are too many global admins” alert.  Selecting any of the roles displays a listing of the users holding permanent or eligible membership in the role.

1pim16.png

Clicking the Next button brings us to the “Convert users to eligible” step where we can begin converting permanent members to eligible members. From a best practices perspective, you should ensure you keep at least two permanent members in the Privileged Role Administrator role to avoid being locked out if one account becomes unavailable. You can see that I’m making Ash Williams and Jason Voorhies eligible members of the global admins role.

1pim17.png

After clicking the Next button I’m moved to the “Review the changes to your users in the privileged roles” step.  I commit the changes by hitting the OK button and my two users are now set up as eligible members of the roles.

1pim18.png
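As an added example (my own code, written for this post and not code from the blog or from Microsoft), the following Python models what the Wizard’s “Discover privileged roles” step, the “too many global admins” alert, the “activated too frequently” alert and the convert-to-eligible step compute, applied to a constructed list of role assignments and activation events. The global admin thresholds (more than 3 admins, or more than 10% of users) are the ones quoted above; the activation-frequency thresholds, the tenant size, the user names, and the choice to count both permanent and eligible members toward the global admin alert are assumptions.

```python
"""Toy model of the AAD PIM discovery step and two of its alerts.

Everything below is constructed sample data and simplified logic for
illustration; it does not call Azure AD or the PIM API.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Assignment:
    user: str
    role: str
    state: str  # "Permanent" or "Eligible"


# Constructed sample tenant (assumed size and placeholder names, not a real directory).
TENANT_USER_COUNT = 20
ASSIGNMENTS = [
    Assignment("admin", "Global Administrator", "Permanent"),
    Assignment("ash.williams", "Global Administrator", "Permanent"),
    Assignment("jason.voorhies", "Global Administrator", "Permanent"),
    Assignment("homer.simpson", "Global Administrator", "Permanent"),
    Assignment("admin", "Privileged Role Administrator", "Permanent"),
    Assignment("marge.simpson", "Security Administrator", "Eligible"),
]

# Constructed activation log: (user, activation time).  Ash re-activates as
# soon as each one-hour activation lapses, the pattern the post says should
# prompt a longer activation window rather than an alert tweak.
T0 = datetime(2017, 9, 1, 8, 0)
ACTIVATIONS = [
    ("ash.williams", T0),
    ("ash.williams", T0 + timedelta(hours=1, minutes=5)),
    ("ash.williams", T0 + timedelta(hours=2, minutes=10)),
    ("ash.williams", T0 + timedelta(hours=3, minutes=15)),
    ("jason.voorhies", T0 + timedelta(hours=2)),
    ("jason.voorhies", T0 + timedelta(days=3)),
]


def summarize_roles(assignments):
    """Discovery step: per-role counts of permanent and eligible members."""
    summary = defaultdict(lambda: {"Permanent": 0, "Eligible": 0})
    for a in assignments:
        summary[a.role][a.state] += 1
    return dict(summary)


def too_many_global_admins(assignments, tenant_user_count, max_count=3, max_fraction=0.10):
    """Fire when distinct global admins exceed max_count OR max_fraction of all users.
    Assumption: both permanent and eligible members count toward the total."""
    admins = {a.user for a in assignments if a.role == "Global Administrator"}
    return len(admins) > max_count or len(admins) > max_fraction * tenant_user_count


def has_lockout_safeguard(assignments, min_permanent=2):
    """The post's rule: keep at least two permanent Privileged Role Administrators."""
    pra = {a.user for a in assignments
           if a.role == "Privileged Role Administrator" and a.state == "Permanent"}
    return len(pra) >= min_permanent


def plan_eligible_conversion(assignments, role, keep_permanent):
    """Convert-to-eligible step: every permanent member of `role` not listed in
    keep_permanent becomes Eligible; all other assignments are left untouched."""
    return [
        Assignment(a.user, a.role, "Eligible")
        if a.role == role and a.state == "Permanent" and a.user not in keep_permanent
        else a
        for a in assignments
    ]


def frequent_activators(activations, max_per_window, window):
    """Users with more than max_per_window activations inside any sliding
    window of length `window` (the thresholds here are assumed, not Microsoft's)."""
    by_user = defaultdict(list)
    for user, ts in activations:
        by_user[user].append(ts)
    flagged = set()
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > max_per_window:
                flagged.add(user)
                break
    return flagged


if __name__ == "__main__":
    print(summarize_roles(ASSIGNMENTS))
    print("too many global admins:", too_many_global_admins(ASSIGNMENTS, TENANT_USER_COUNT))
    print("lockout safeguard in place:", has_lockout_safeguard(ASSIGNMENTS))
    after = plan_eligible_conversion(ASSIGNMENTS, "Global Administrator", {"admin", "homer.simpson"})
    print(summarize_roles(after)["Global Administrator"])
    print("frequent activators:", frequent_activators(ACTIVATIONS, 3, timedelta(hours=24)))
```

Running it against the constructed data reproduces the situation in the screenshots: four global admins trips the alert, only one permanent Privileged Role Administrator means the lockout safeguard is missing, converting Ash and Jason leaves two permanent global admins, and Ash’s hourly re-activations are the kind of pattern worth reviewing before deciding whether the alert threshold or the activation duration is the thing to change.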

As you’ve seen throughout the post, AAD PIM is incredibly easy to configure.  I firmly believe that the only successful security solutions moving forward will be solutions that are simple to use and transparent to the users.  These two traits will allow security professionals to spend less of their time on convoluted solutions and more time working directly with the business to drive real value to the organization.

I’m going to start something new with a quick bulleted list of key learning points that I came across while performing the lab and doing the research for the post.

  • AAD PIM can be configured after the first Azure AD Premium P2 or EMS E5 license is associated with the tenant
  • Be aware that at this time Microsoft does not enforce a technical control to prevent all users from benefiting from PIM, but the licensing terms require an individual license for each user benefiting from the feature.  Make sure you’re compliant with the licensing requirements and don’t build processes around the technical controls that exist today; they will change.
  • Once AAD PIM is activated by the first global admin, immediately assign a second user permanent membership in the Privileged Role Administrators role.

That’s it folks.  In the next post in my series I’ll take a look at what the user experience is like for a requestor and an approver.  I’ll also look at some Fiddler captures to see if I can capture any detail as to how, or if, the modified privileges are reflected in the logical security token.

Thanks!


Exploring Azure AD Privileged Identity Management (PIM) – Part 1

We’re going to take a break from Azure Information Protection and shift our focus to Azure Active Directory Privileged Identity Management (AAD PIM).

If you’ve ever had to manage an application, you’re familiar with the challenge of trying to keep a balance between security and usability when it comes to privileged access.  In many cases you’re stuck with users that have permanent membership in privileged roles because the impact to usability of the application is far too great to manage that access on an “as needed” basis, or as we refer to it in the industry, “just in time” (JIT).  If you do manage to remove that permanent membership requirement (often referred to as standing privileged access), you’re typically stuck with a complicated automation solution or a convoluted engineering solution that gives you security at the cost of usability and increased operational complexity.

Not long ago the privileged roles within Azure Active Directory (AAD), Office 365 (O365), and Azure Role-Based Access Control had this same problem.  Either a user was a permanent member of the privileged role or you had to string together some type of request workflow that interacted with the Graph API or triggered a PowerShell script.  In my first entry into Azure AD, I had a convoluted manual process which involved requests, approvals, and a centralized password management system.  It worked, but it definitely impacted productivity.

Thankfully Microsoft (MS) has addressed this challenge with the introduction of Azure AD Privileged Identity Management (AAD PIM).  In simple terms, AAD PIM introduces the concept of an “eligible” administrator, which allows you to achieve that oh so wonderful JIT.  AAD PIM is capable of managing a wide variety of roles, which is another area Microsoft has made major improvements in.  Just a few years ago close to everything required being in the Global Admin role, which was a security nightmare.

In addition to JIT, AAD PIM also provides a solid level of logging and analytics, a centralized view into what users are members of privileged roles, alerting around the usage of privileged roles, approval workflow capabilities (love this feature), and even provides an access review capability to help with access certification campaigns.  You can interact with AAD PIM through the Azure Portal, Graph API, or PowerShell.

To get JIT you’ll need an Azure Active Directory Premium P2 or Enterprise Mobility and Security E5 license.  Microsoft states that every user that benefits from the feature requires a license.  While this is a licensing requirement, it’s not technically enforced, as we’ll see in my upcoming posts.

You’re probably saying, “Well this is all well and good Matt, but there is nothing here I couldn’t glean from Microsoft documentation.”  No worries my friends, we’ll be using this series to walk through and demonstrate the capabilities so you can see them in action.  I’ll also be breaking out my favorite tool, Fiddler, to take a look behind the scenes at how Microsoft manages to elevate access for the user after a privileged role has been activated.