So now when it's enabled, what then?

Search for Privileged in the Azure portal.

Once there, you can see Tasks and Manage on the left.

Let's explain the different options.

Tasks and Manage options:

My roles: Displays a list of eligible and active roles assigned to you. This is where you can activate any assigned eligible roles.
Pending requests: Displays your pending requests to activate eligible role assignments.
Approve requests: Displays a list of requests to activate eligible roles by users in your directory that you are designated to approve.
Review access: Lists active access reviews you are assigned to complete, whether you're reviewing access for yourself or someone else.
Azure AD roles: Displays a dashboard and settings for Privileged role administrators to manage Azure AD role assignments. This dashboard is disabled for anyone who isn't a privileged role administrator. These users have access to a special dashboard titled My view. The My view dashboard only displays information about the user accessing the dashboard, not the entire organization.
Azure resources: Displays a dashboard and settings for Privileged role administrators to manage Azure resource role assignments. This dashboard is disabled for anyone who isn't a privileged role administrator. These users have access to a special dashboard titled My view. The My view dashboard only displays information about the user accessing the dashboard, not the entire organization.

For my admin account I can see the roles and they are Active, which means I don't have to activate them.

A user who doesn't have these roles as Active will see them as Eligible.

What happens when a user activates their role?

Note that the user has an Administrative Unit enabled, which we set up in an earlier part of this series.

When the user who wants to activate the Eligible role selects "Activate", they will be presented with the following. But wait, what is the "Additional verification required"?

This is what happens.

And we are back in business. Now you have to give a reason why you want this role, and you can also set a custom activation time and a duration for the role to be active.

Let's choose one hour and give a reason.

And it will start activating the role.

Now you have the role. But wait, nobody had to approve the role elevation?

Making changes to the roles.

Open Manage and Roles, then find the role you had in previous steps.

In here you can see the user as Eligible.

And Activated.

Changing the settings

Choose Role setting and Edit.

In here you can see the same settings that were offered to the user requesting elevation of rights. And because there is no requirement for approval, the approval step didn't show up for the user.

Modifying another role

Let's search for Application Developer role and go to Role settings.

In here I can modify the settings for the maximum activation time and approval.

The next pane sets when the access is revoked. I'm not enabling MFA here; it will come in a later section.

And you can choose which notifications are sent.

Then you have to add an assignment for a user.

You will add the user, but you could also add groups containing users. Remember the dynamic groups we configured in the last section?

Here is Microsoft's explanation of how to use groups to assign roles: "Use Azure AD groups to manage role assignments - Azure Active Directory".

But for now I will continue with a single user, as it doesn't make any difference in the end.

Choose whether the assignment is Eligible or Active and for how long the role can be elevated.

And now we can see the user with the assignment.

How does it differ for the user?

The user logs in to their portal. And voila, there is a new role available.

When the user selects Activate, they will be presented with the following. Note that the duration has been set to the 0,5h we defined earlier (it isn't shown in full, but it's there).

Now go as admin to Tasks -> Approve requests -> Azure AD roles, and you will find the request there.

Choose the request and Approve.

Give a justification for why you approved the request. This will be logged in the Audit logs.

The Audit logs have the info you entered when approving.
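The settings configured above (a 0,5h maximum activation and required approval for Application Developer, no approval for the first role) and the audit entries PIM writes for each request, approval and activation can be checked against each other. The following is an added example, not code from the original post: it runs over constructed audit records laid out like Microsoft Graph directoryAudits entries (that layout, the activity names, and the "Security Reader" name for the unnamed first role are assumptions) and reports activations that had no approval event, ran longer than the role allows, or carry no justification.

```python
from datetime import datetime

# Settings from the walkthrough; "Security Reader" is an assumed name for the unnamed first role.
ROLE_SETTINGS = {
    "Application Developer": {"max_hours": 0.5, "approval_required": True},
    "Security Reader": {"max_hours": 1.0, "approval_required": False},
}
APPROVED = "Add member to role request approved (PIM activation)"
COMPLETED = "Add member to role completed (PIM activation)"

def _detail(event, key):
    return next((d["value"] for d in event["additionalDetails"] if d["key"] == key), None)

def _target(event, kind, field):
    return next(t[field] for t in event["targetResources"] if t["type"] == kind)

def check_activations(events):
    """Return (user, role, problem) for completed activations that break the role's settings."""
    approved = {(_target(e, "Role", "displayName"), _target(e, "User", "userPrincipalName"))
                for e in events if e["activityDisplayName"] == APPROVED}
    findings = []
    for e in (x for x in events if x["activityDisplayName"] == COMPLETED):
        role, user = _target(e, "Role", "displayName"), _target(e, "User", "userPrincipalName")
        cfg = ROLE_SETTINGS.get(role, {"max_hours": 0, "approval_required": True})  # unknown role: strict
        if cfg["approval_required"] and (role, user) not in approved:
            findings.append((user, role, "activated without an approval event"))
        start = datetime.fromisoformat(_detail(e, "StartTime"))
        hours = (datetime.fromisoformat(_detail(e, "ExpirationTime")) - start).total_seconds() / 3600
        if hours > cfg["max_hours"]:
            findings.append((user, role, f"active for {hours:g}h, limit is {cfg['max_hours']:g}h"))
        if not _detail(e, "Justification"):
            findings.append((user, role, "no justification recorded"))
    return findings

def _event(activity, role, user, start=None, end=None, justification=None):
    # Constructed record in the shape of a Graph directoryAudits entry (field layout assumed).
    details = [{"key": k, "value": v} for k, v in
               (("Justification", justification), ("StartTime", start), ("ExpirationTime", end))]
    return {"activityDisplayName": activity, "loggedByService": "PIM", "additionalDetails": details,
            "targetResources": [{"type": "Role", "displayName": role},
                                {"type": "User", "userPrincipalName": user}]}

SAMPLE_EVENTS = [  # constructed, not exported from a real tenant
    _event(APPROVED, "Application Developer", "alice@contoso.example"),
    _event(COMPLETED, "Application Developer", "alice@contoso.example",
           "2023-01-10T08:00:00+00:00", "2023-01-10T08:30:00+00:00", "Register a new app"),
    _event(COMPLETED, "Application Developer", "carol@contoso.example",
           "2023-01-10T09:00:00+00:00", "2023-01-10T09:30:00+00:00", "Hotfix"),
    _event(COMPLETED, "Security Reader", "bob@contoso.example",
           "2023-01-10T10:00:00+00:00", "2023-01-10T12:00:00+00:00", None),
]
```

Against the sample, alice's activation is clean, carol's is flagged for missing approval, and bob's is flagged twice (two hours against a one-hour limit, and no justification).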

So that was PIM. Remember a couple of things.

Things to remember

Global admins need MFA to be enabled to access PIM.

There are two different types of role assignment, Eligible and Active. Active is granted automatically, and Eligible is requested when needed.

To use Privileged Identity Management, you must have one of the following licenses:

  • Azure AD Premium P2
  • Enterprise Mobility + Security (EMS) E5

Wow, that was a lot of PIM. On to the next one.

Link to the main post: AZ-500 exam preparation series.
