Cloud Build

Microsoft Azure, 365 and all things Tech

How to configure Azure AD roles in Privileged Identity Management (PIM)

Posted on February 20, 2021 by Imran Rashid
Privileged Identity Management (PIM) is a service in Azure Active Directory (Azure AD) that enables you to manage, control, and monitor access to important resources in your organisation.

Privileged Identity Management provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources that you care about. Here are some of the key features of Privileged Identity Management:

  • Provide just-in-time privileged access to Azure AD and Azure resources
  • Assign time-bound access to resources using start and end dates
  • Require approval to activate privileged roles
  • Enforce multi-factor authentication to activate any role
  • Use justification to understand why users activate
  • Get notifications when privileged roles are activated
  • Conduct access reviews to ensure users still need roles
  • Download audit history for internal or external audit

Privileged Identity Management licence requirements

  • Azure AD Premium P2 or Enterprise Mobility + Security (EMS) E5

Ensure that your directory has at least as many Azure AD Premium P2 licences as you have people performing the following tasks:

  • Users assigned as eligible to Azure AD or Azure roles managed using PIM
  • Users who are assigned as eligible members or owners of privileged access groups
  • Users able to approve or reject activation requests in PIM
  • Users assigned to an access review
  • Users who perform access reviews

Azure AD Premium P2 licences are not required for the following:

  • Users who set up PIM, configure policies, receive alerts, and set up access reviews

Working out the number of Azure AD P2 licences required can be confusing, so Microsoft has provided worked examples at the following link: Azure PIM Example Licence Scenarios
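As an added check (not part of the original post), the following Microsoft Graph PowerShell snippet compares the P2 seats in a tenant with the distinct principals that currently hold eligible Azure AD role assignments, which is normally the largest of the licensed populations listed above. It assumes the Microsoft.Graph PowerShell SDK is installed and that the account running it can read role eligibilities and subscribed SKUs; approvers and access-review participants are not counted here and must be added by hand.

```powershell
# Added example: licence headroom check for PIM (not from the original post).
# Assumes the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph).
Connect-MgGraph -Scopes "RoleEligibilitySchedule.Read.Directory","Organization.Read.All","Directory.Read.All"

# P2 can come from the standalone AAD_PREMIUM_P2 SKU or from a bundle such as EMS E5,
# so count the AAD_PREMIUM_P2 *service plan* across every subscribed SKU.
$p2Seats = 0
foreach ($sku in Get-MgSubscribedSku) {
    if ($sku.ServicePlans.ServicePlanName -contains 'AAD_PREMIUM_P2') {
        $p2Seats += $sku.PrepaidUnits.Enabled
    }
}

# Every distinct principal that is eligible for an Azure AD role needs a P2 licence.
# An eligible principal may be a role-assignable group; expand its direct members
# (one level only; nested groups would need a recursive walk).
$eligible   = Get-MgRoleManagementDirectoryRoleEligibilitySchedule -All
$principals = foreach ($id in ($eligible.PrincipalId | Sort-Object -Unique)) {
    $obj = Get-MgDirectoryObject -DirectoryObjectId $id
    if ($obj.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group') {
        (Get-MgGroupMember -GroupId $id -All).Id
    } else {
        $id
    }
}
$needed = @($principals | Sort-Object -Unique).Count

"P2 seats enabled : $p2Seats"
"Eligible people  : $needed (approvers and access reviewers still to be added)"
if ($needed -gt $p2Seats) {
    Write-Warning "Eligible assignments exceed P2 seats; assign licences or trim eligibility."
}
```

Run it before a licensing true-up: a tenant that has drifted over its P2 count is out of compliance even though PIM keeps working.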

In this blog post I will go through the process of configuring Azure AD Roles in Privileged Identity Management (PIM). I will grant a user named Joe Bloggs eligible assignment for one of my Azure admin roles.

As mentioned above, to use PIM you must have an Azure AD P2 or Enterprise Mobility + Security (EMS) E5 licence. I currently have an E3 licence, which includes Azure AD P1, and that is not sufficient.

If you already have Azure AD P2, skip ahead to the section Configuring Azure AD Roles – Azure Privileged Identity Management (PIM).

  1. Firstly, I will sign up for a free 90-day Enterprise Mobility + Security (EMS) E5 trial. As you can see from the screenshot below, my licence assignment is currently Azure AD Premium P1,

and if I attempt to access PIM, I receive the message below.

Microsoft offer trials for a number of their products including Azure AD P2 which will allow you to test Azure PIM. I’ll start with activating a free trial which can be ready within minutes as you’ll find out shortly.

2. Access Azure AD, click Licenses, click All products and click the + Try / Buy button as highlighted below

3. Enterprise Mobility + Security E5 includes Azure AD P2 and Microsoft offers a 90-day trial, so I selected this option. I’ll be going through further demos at a later date which require Enterprise Mobility + Security E5, so this licence will be useful.

4. Click Free Trial under the licence you wish to activate. In my case I clicked Free trial under Enterprise Mobility + Security E5

5. Click Activate

6. Wait for the product to activate which should take seconds

7. After activation my licence status still shows as Azure AD P1

8. Sign out of the portal and back in, and the correct licence is now displayed.

That’s the free trial sorted.

Configuring Azure AD Roles – Azure Privileged Identity Management (PIM)

  1. Log into the Azure Portal (portal.azure.com)
  2. Search PIM and select Azure AD Privileged Identity Management

3. Click Azure AD roles

4. Click Assignments

5. I don’t have any assignments at the moment, click +Add Assignments

6. Select a role and member

For the purpose of this demo, I have selected the role Global Administrator and selected an existing user named Joe Bloggs from my directory. Click Next

7. For the purpose of this demo, I will select Eligible and leave the default at permanently eligible.

Eligible
A role assignment that requires the user to perform one or more actions before the role can be used. A user who is eligible for a role can activate it when they need to perform privileged tasks; once activated, the permissions are identical to those of an active (standing) assignment, and they lapse again at the end of the activation period. The point of eligibility is that most people do not need their privileges all the time. In my case, Joe Bloggs will be eligible, so he must activate the role each time he needs Global Administrator (by default an activation lasts at most 8 hours, after which the permissions are removed until he activates again). Permanently eligible means the eligibility itself never expires, so he can keep activating for as long as the assignment exists. Alternatively the eligibility can carry an end date: for example, users can activate the role for 8 hours at a time for up to 1 year, rather than indefinitely. I’ll cover this as we move on.

Active:
A role assignment that does not require the user to perform any action to use the role. Users assigned as active hold the role’s privileges at all times, although the assignment can be given an expiry date.

If Active is selected, the options shown below let you make the assignment permanent or set an end date, and an additional text box asks for a justification for granting standing access. Because a standing assignment bypasses the just-in-time controls PIM exists to provide, keep active assignments to the minimum, for example emergency-access (break-glass) accounts.

8. For the purpose of this demo, I have selected eligible. Click Assign when ready
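The same eligible assignment can be created from Microsoft Graph PowerShell, which is how you would script it for more than a handful of admins. This is an added example, not code from the original post; it assumes the Microsoft.Graph PowerShell SDK, an account holding Privileged Role Administrator, and a placeholder UPN for Joe Bloggs. It goes one step beyond the walkthrough by giving the eligibility a one-year end date instead of leaving it permanent.

```powershell
# Added example: grant an eligible Global Administrator assignment (not from the original post).
# Assumes the Microsoft.Graph PowerShell SDK, an account holding Privileged Role Administrator,
# and a placeholder UPN for Joe Bloggs.
Connect-MgGraph -Scopes "RoleEligibilitySchedule.ReadWrite.Directory","RoleManagement.ReadWrite.Directory","User.Read.All"

$user = Get-MgUser -Filter "userPrincipalName eq 'joe.bloggs@contoso.com'"   # placeholder UPN
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Administrator'"
# $role.Id is the well-known template id 62e90394-69f5-4237-9190-012177145e10 in every tenant.

$params = @{
    Action           = "adminAssign"     # adminRemove revokes; adminUpdate/adminExtend change an existing one
    PrincipalId      = $user.Id
    RoleDefinitionId = $role.Id
    DirectoryScopeId = "/"               # whole tenant; an administrative unit id narrows the scope
    Justification    = "Tier-0 on-call; eligible only, reviewed yearly"
    ScheduleInfo     = @{
        StartDateTime = (Get-Date).ToUniversalTime()
        Expiration    = @{
            # Type = 'noExpiration' reproduces the 'permanently eligible' default used in the
            # walkthrough; afterDateTime with a one-year end is the time-bound variant.
            Type        = "afterDateTime"
            EndDateTime = (Get-Date).AddYears(1).ToUniversalTime()
        }
    }
}
$request = New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest @params
$request.Status      # 'Provisioned' once the eligibility exists

# The same parameter shape passed to New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest
# creates an *active* (standing) assignment instead; reserve that for break-glass accounts.

# Verify what Joe is now eligible for and when it ends.
Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter "principalId eq '$($user.Id)'" |
    Select-Object RoleDefinitionId, Status,
        @{ Name = 'EligibleUntil'; Expression = { $_.ScheduleInfo.Expiration.EndDateTime } }
```

The justification is recorded in the PIM audit log alongside the assignment, so write it for the auditor who reads it a year later rather than for yourself.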

9. Now that Joe Bloggs has been granted an eligible assignment, I will log in as Joe Bloggs and demonstrate what Joe Bloggs will see.

10. When logging in as Joe Bloggs, I am prompted to enable MFA.

11. With MFA configured, I sign in as Joe Bloggs. He is still a standard user without Global Administrator permissions, which is expected: he cannot create accounts in Azure AD or perform any other task that requires elevated permissions until the role is activated.

12. Joe Bloggs will need to activate his eligible assignment within PIM. Whilst still logged in as Joe Bloggs, I search for PIM and click Azure AD Privileged Identity Management

13. Click My roles

14. The eligible assignment is displayed with an Activate link as shown below. Click Activate

If the user skipped MFA registration at sign-in (the 14-day "skip for now" reminder shown in the screenshot below), activation still prompts for MFA, because Require Azure MFA on activation is enabled by default in the PIM role settings; I’ll show where that option is found shortly. If you wish to remove the 14-day skip option altogether, see the following link later – Disable Skip MFA prompt

15. After clicking activate, Joe Bloggs receives the below prompt

Duration: a maximum of 8 hours by default. After the 8 hours Joe Bloggs’ access is revoked and he has to activate again; because his eligibility is permanent, he can do so whenever required.

Custom activation: if Joe Bloggs knows in advance when he will need admin access, he can tick Custom activation start time and choose the date and time at which his 8 hours should begin. In the example below, I have entered a start time that is already in the past.

16. When ready, click activate

17. Activation has been scheduled

If I check from my own account, I find that Joe Bloggs has been granted access without any further action required from me.

Location: Access PIM > Click Azure AD Roles > Pending Access

From here you could also cancel Joe Bloggs’ access by clicking the Cancel link.
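Steps 12 to 17, and the administrator’s view of the pending request, look like this from Microsoft Graph PowerShell. This is an added example, not code from the original post; it assumes the Microsoft.Graph PowerShell SDK, a placeholder UPN for Joe Bloggs, and that the interactive sign-in satisfied MFA, because PIM rejects a selfActivate request from a session that did not. The ticket number and justification are constructed.

```powershell
# Added example: self-activation by the eligible user, then the admin's view of the request
# (not from the original post). Assumes the Microsoft.Graph PowerShell SDK and that the
# interactive sign-in satisfied MFA; PIM rejects activation from a session that did not.
Connect-MgGraph -Scopes "RoleAssignmentSchedule.ReadWrite.Directory","User.Read"

$meId     = (Get-MgUser -UserId (Get-MgContext).Account).Id
$gaRoleId = "62e90394-69f5-4237-9190-012177145e10"   # Global Administrator template id

$params = @{
    Action           = "selfActivate"
    PrincipalId      = $meId
    RoleDefinitionId = $gaRoleId
    DirectoryScopeId = "/"
    Justification    = "INC0012345: rotate a compromised admin credential"   # constructed
    TicketInfo       = @{ TicketNumber = "INC0012345"; TicketSystem = "ServiceNow" }
    ScheduleInfo     = @{
        StartDateTime = (Get-Date).ToUniversalTime()      # a future time = scheduled activation
        Expiration    = @{ Type = "afterDuration"; Duration = "PT8H" }   # ISO 8601; the role setting caps it
    }
}
$req = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest @params
$req.Status   # 'Provisioned' = active now; 'PendingApproval' if the role requires approvers

# --- Administrator side: a second session as Privileged Role Administrator ---
Connect-MgGraph -Scopes "RoleAssignmentSchedule.ReadWrite.Directory","User.Read.All"
$joeId = (Get-MgUser -UserId "joe.bloggs@contoso.com").Id   # placeholder UPN

# Requests still in flight for Joe (scheduled or awaiting approval); the portal's pending list
Get-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -Filter "principalId eq '$joeId'" |
    Where-Object { $_.Status -in 'PendingApproval','PendingProvisioning','PendingScheduleCreation' } |
    Select-Object Id, Status, Justification, CreatedDateTime

# Active assignments right now, with AssignmentType 'Activated' for PIM activations, and when each ends
Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -Filter "principalId eq '$joeId'" |
    Select-Object RoleDefinitionId, AssignmentType, StartDateTime, EndDateTime

# The portal's Cancel link: stops a request that has not finished provisioning
# Stop-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -UnifiedRoleAssignmentScheduleRequestId $req.Id
```

The second query is the one worth wiring into a scheduled job: any Global Administrator instance with AssignmentType Assigned (standing, not activated) that is not a documented break-glass account is a finding.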

Those are the default settings, but what if you wish to increase the 8-hour activation limit, route requests to a team of approvers for review before Joe Bloggs is granted access, or allow 8 hours for the Global Administrator role but 10 hours for the Exchange Administrator role? These settings are configured per role, so let’s move on to where they live.

Configuring Azure AD Privileged Identity Management Azure AD role settings

  1. Click Azure AD Privileged Identity Management

2. Click Azure AD roles

3. Click Settings

4. Here you can apply different configuration settings based on roles. For the purpose of this demo, I will be configuring the Global Administrator role.

5. After clicking the Global Administrator role, you’ll see the settings below. Review them and click Edit.

6. The first window displays the activation settings, including the default maximum activation duration of 8 hours. You can extend this to a maximum of 24 hours if required, but keep it as short as the work needs: every extra hour is an hour in which a hijacked session still holds the role.

Azure MFA is enabled by default, which enforces MFA while activating the assignment.

Require justification: requests a reason why the user requires access

Require ticket information: you may have a process where the user requiring access needs to input a ticket or change number

Require approval to activate: this is an important one. Adding approvers puts a second person between the request and the privilege. After the user requests activation, the request sits in a pending-approval list until an approver reviews it and approves or denies it.

Note: each approver will need to be assigned an Azure AD P2 licence

To allow me to demo the approval process, I have enabled require approval to activate and added a single user as an approver.

Before I move on to demo the approval process, clicking the Assignment tab moves us to the next screen below. You may leave the defaults or set an expiry; for example, you could configure the policy so that users are eligible to elevate into the role for one year instead of being eligible forever. The same applies to active assignments.

Finally, the next screen is where you can configure email notifications

7. When ready, click Update. Note the fields below, which can be useful.
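Everything set in steps 5 to 7 is a rule on the role’s role-management policy, and the same changes can be made from Microsoft Graph PowerShell so they can be version-controlled and re-applied across tenants. This is an added example, not code from the original post; it assumes the Microsoft.Graph PowerShell SDK, an account holding Privileged Role Administrator, and a placeholder UPN for the approver. The helper function Set-PimRule is mine, not part of the SDK.

```powershell
# Added example: configure the Global Administrator role settings shown in this section
# (not from the original post). Assumes the Microsoft.Graph PowerShell SDK and an account
# holding Privileged Role Administrator; the approver UPN is a placeholder.
Connect-MgGraph -Scopes "RoleManagementPolicy.ReadWrite.Directory","User.Read.All"

$gaRoleId = "62e90394-69f5-4237-9190-012177145e10"          # Global Administrator template id
$approver = Get-MgUser -UserId "pim.approver@contoso.com"    # placeholder UPN

# Each directory role has its own policy; resolve Global Administrator's through its assignment.
$policyId = (Get-MgPolicyRoleManagementPolicyAssignment `
    -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$gaRoleId'").PolicyId

# Rule ids are fixed strings; list them before changing anything.
Get-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId | Select-Object Id

# Helper (mine, not an SDK cmdlet): PATCH one rule of the resolved policy.
function Set-PimRule ($ruleId, $body) {
    $body['id'] = $ruleId
    Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
        -UnifiedRoleManagementPolicyRuleId $ruleId -BodyParameter $body
}

# 1. Maximum activation duration (default PT8H; PT24H is the ceiling the portal offers).
Set-PimRule 'Expiration_EndUser_Assignment' @{
    '@odata.type'        = '#microsoft.graph.unifiedRoleManagementPolicyExpirationRule'
    isExpirationRequired = $true
    maximumDuration      = 'PT8H'
    target = @{ caller = 'EndUser'; operations = @('All'); level = 'Assignment' }
}

# 2. On activation: Azure MFA (on by default), a justification and a ticket number.
Set-PimRule 'Enablement_EndUser_Assignment' @{
    '@odata.type' = '#microsoft.graph.unifiedRoleManagementPolicyEnablementRule'
    enabledRules  = @('MultiFactorAuthentication', 'Justification', 'Ticketing')
    target = @{ caller = 'EndUser'; operations = @('All'); level = 'Assignment' }
}

# 3. Require approval: a single stage with one named approver who must also justify the decision.
Set-PimRule 'Approval_EndUser_Assignment' @{
    '@odata.type' = '#microsoft.graph.unifiedRoleManagementPolicyApprovalRule'
    setting = @{
        isApprovalRequired               = $true
        isApprovalRequiredForExtension   = $false
        isRequestorJustificationRequired = $true
        approvalMode                     = 'SingleStage'
        approvalStages = @(@{
            approvalStageTimeOutInDays      = 1
            isApproverJustificationRequired = $true
            escalationTimeInMinutes         = 0
            isEscalationEnabled             = $false
            primaryApprovers    = @(@{ '@odata.type' = '#microsoft.graph.singleUser'; userId = $approver.Id })
            escalationApprovers = @()
        })
    }
    target = @{ caller = 'EndUser'; operations = @('All'); level = 'Assignment' }
}

# 4. Eligible assignments expire after one year instead of lasting forever (the Assignment tab).
Set-PimRule 'Expiration_Admin_Eligibility' @{
    '@odata.type'        = '#microsoft.graph.unifiedRoleManagementPolicyExpirationRule'
    isExpirationRequired = $true
    maximumDuration      = 'P365D'
    target = @{ caller = 'Admin'; operations = @('All'); level = 'Eligibility' }
}
```

Use a group rather than a single user as the primary approver in production (the subject-set type is microsoft.graph.groupMembers with a groupId); a lone approver on leave blocks every activation until the stage times out.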

We can now move on and test the approval process.

Azure AD PIM Approval demo

  1. I granted Joe Bloggs an eligible assignment earlier. The new settings I configured above will apply to Joe on his next eligible assignment activation.
  2. I log in as Joe Bloggs
  3. Click Azure PIM
  4. Click My Roles
  5. Click Activate

6. Type in justification details and click activate

7. After clicking activate, Joe Bloggs is not granted access immediately. His request is pending approval as shown below

8. The admin allocated as an approver earlier must review the request and decide whether to approve or deny it. Back to my account, where I will review Joe Bloggs’ request; I also receive an email notifying me that a request is pending.

Access PIM > Azure AD Roles > Approve requests

9. Here is the pending request where I can review each case.

Note: Clicking Approve or Deny opens the window below, which shows the full details without having to expand the tabs above. A justification must be provided.

10. Joe Bloggs’ access is approved. He is granted access for 8 hours and does not need to take any further action to activate the role.

A complete audit of all actions carried out on Azure AD roles in PIM can be found at: PIM > Azure AD Roles > Audit
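The approval step above and the audit view can both be driven from Microsoft Graph PowerShell, which matters when approvals are handled by an on-call rota rather than by someone watching the portal. This is an added example, not code from the original post; it assumes the Microsoft.Graph PowerShell SDK, an account that is a configured approver, and that the roleAssignmentApprovals resource is still served from the beta Graph endpoint, which is an assumption to verify against current Graph documentation.

```powershell
# Added example: act on pending activation requests and pull the PIM audit trail
# (not from the original post). Assumes the Microsoft.Graph PowerShell SDK, an approver
# account, and that roleAssignmentApprovals still lives on the beta Graph endpoint.
Connect-MgGraph -Scopes "RoleAssignmentSchedule.ReadWrite.Directory","AuditLog.Read.All"

# Requests waiting for a decision: what the Approve requests blade shows.
$pending = Get-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -All |
    Where-Object Status -eq 'PendingApproval'
$pending | Select-Object Id, PrincipalId, RoleDefinitionId, Justification, CreatedDateTime, ApprovalId

foreach ($r in $pending) {
    # One approval object per request; each approval stage is a step that the approver patches.
    $base  = "https://graph.microsoft.com/beta/roleManagement/directory/roleAssignmentApprovals/$($r.ApprovalId)/steps"
    $steps = Invoke-MgGraphRequest -Method GET -Uri $base
    foreach ($step in ($steps.value | Where-Object { $_.status -eq 'InProgress' -and $_.assignedToMe })) {
        # reviewResult 'Deny' with a justification is the other valid decision.
        Invoke-MgGraphRequest -Method PATCH -Uri "$base/$($step.id)" -Body @{
            reviewResult  = 'Approve'
            justification = "Ticket in the request verified with the requester; 8 h window"
        }
    }
}

# Audit: PIM events, newest first. 'Add member to role completed (PIM activation)' is the
# event to alert on for Global Administrator outside agreed change windows.
Get-MgAuditLogDirectoryAudit -Filter "loggedByService eq 'PIM'" -Top 50 -Sort "activityDateTime desc" |
    Select-Object ActivityDateTime, ActivityDisplayName, Result,
        @{ Name = 'Actor'; Expression = { $_.InitiatedBy.User.UserPrincipalName } }
```

The audit export is the evidence an auditor will ask for; forwarding the same loggedByService eq 'PIM' events to your SIEM via Azure AD diagnostic settings gives the detection team the activation stream in real time instead of on request.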

Azure AD Privileged Identity Management (PIM) also protects Azure resource roles (Azure RBAC) in the same way and, as you can see below, privileged access groups, which were in preview at the time of writing this post.

Azure PIM also offers Access Reviews. Access to privileged Azure resource roles for employees changes over time. To reduce the risk associated with stale role assignments, you should regularly review access. You can use Azure Active Directory (Azure AD) Privileged Identity Management (PIM) to create access reviews for privileged Azure resource roles. You can also configure recurring access reviews that occur automatically. I will cover these topics in a further post.

Note: Azure AD P2 licences are required within your directory for users assigned to an access review and users who perform access reviews.

Feedback welcome, please comment below. It would also be great to hear about your experience using Azure PIM.


