Last updated on 9. October 2022
One of the best and easiest security measures is the deployment of PIM (Privileged Identity Management), and I want to show you how I use it for customers.
If you want to check out the documentation you can do it here: Privileged Identity Management documentation | Microsoft Docs
So what is PIM and why is it important?
With PIM you can configure administrative M365 roles and Azure resource roles so that they are granted only for a specific time and through a simple approval process. This gives you a number of advantages:
- Provide just-in-time privileged access to resources
- Assign eligibility for membership or ownership of privileged access groups
- Assign time-bound access to resources using start and end dates
- Require approval to activate privileged roles
- Enforce multifactor authentication to activate any role
- Use justification to understand why users activate
- Get notifications when privileged roles are activated
- Conduct access reviews to ensure users still need roles
- Download audit history for internal or external audit
What do I need to use it?
To use PIM, every user (it appears this means every human user, not every account) needs an Azure AD Premium P2 or Enterprise Mobility + Security E5 license. Note that the feature becomes active as soon as a single license exists in the tenant and is assigned to one user, but you are not permitted to use it until every user who can request roles or approve role usage is licensed.
How can I configure PIM?
Okay, let's say you have enough licenses assigned and you want to configure PIM. First you have to decide how you want to do the assignment. In my case the best approach is to create AAD security groups that can be assigned administrative roles.
Create PIM groups
First, navigate to Azure Active Directory and create a group that matches your needs. Make sure that during group creation you enable the option that allows administrative roles to be assigned to the group.
Configure PIM
Once we have created at least one group that we want to use with PIM, we can proceed. First we switch to the Azure Portal (https://portal.azure.com) and search for “PIM”. We choose the matching service, select that we want to manage Azure AD roles, and add an assignment:
On the assignment page we select the Global Administrator role and choose the group we created previously. For the assignment type we choose Eligible. As you can see in my screenshot, we get an information message that we can configure this for only three months. After the creation we will check the settings and change this.
As mentioned, we have to check the settings and configure this assignment to be permanently eligible. Furthermore, we configure that activating this assignment requires approval by another user:
Once this is done we can check our assignment again and change the setting to a permanent eligible assignment:
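As an added example (not code from the original post), a small Python audit over constructed JSON shaped like Microsoft Graph's roleEligibilitySchedule objects and unifiedRoleManagementPolicy rules: it reports whether a Global Administrator eligibility is still time-bound (the three-month limit seen in the screenshot corresponds to the Expiration_Admin_Eligibility policy rule), whether activation requires approval, and whether MFA is enforced on activation. The principal ids, the as-of date and the rule values are constructed placeholders, not real tenant data.

```python
from datetime import datetime, timedelta, timezone

# Well-known role template id for Global Administrator (identical in every tenant).
GLOBAL_ADMIN_ROLE_ID = "62e90394-69f5-4237-9190-012177145e10"

# Constructed "as of" date for the audit (placeholder, matches the post date).
AS_OF = datetime(2022, 10, 9, tzinfo=timezone.utc)

# Constructed samples shaped like Graph roleEligibilitySchedule objects
# (GET /roleManagement/directory/roleEligibilitySchedules); ids are placeholders.
SCHEDULES = [
    {"principalId": "group-pim-ga-0001", "roleDefinitionId": GLOBAL_ADMIN_ROLE_ID,
     "scheduleInfo": {"expiration": {"type": "noExpiration"}}},
    {"principalId": "user-contractor-0002", "roleDefinitionId": GLOBAL_ADMIN_ROLE_ID,
     "scheduleInfo": {"expiration": {"type": "afterDateTime",
                                     "endDateTime": "2022-10-19T00:00:00Z"}}},
]

# Constructed sample shaped like the rules of the role's unifiedRoleManagementPolicy.
POLICY_RULES = [
    {"id": "Expiration_Admin_Eligibility", "isExpirationRequired": True,
     "maximumDuration": "P90D"},
    {"id": "Approval_EndUser_Assignment", "setting": {"isApprovalRequired": False}},
    {"id": "Enablement_EndUser_Assignment", "enabledRules": ["Justification"]},
]


def policy_findings(rules):
    """Report policy settings that differ from the setup described above."""
    findings = []
    for rule in rules:
        rid = rule.get("id")
        if rid == "Expiration_Admin_Eligibility" and rule.get("isExpirationRequired"):
            findings.append(f"eligible assignments expire after at most {rule.get('maximumDuration')}")
        elif rid == "Approval_EndUser_Assignment" and not rule.get("setting", {}).get("isApprovalRequired"):
            findings.append("activation does not require approval")
        elif rid == "Enablement_EndUser_Assignment" and "MultiFactorAuthentication" not in rule.get("enabledRules", []):
            findings.append("activation does not enforce MFA")
    return findings


def schedule_findings(schedules, now, window=timedelta(days=14)):
    """Report time-bound Global Administrator eligibilities that lapse within `window`."""
    findings = []
    for s in schedules:
        if s["roleDefinitionId"] != GLOBAL_ADMIN_ROLE_ID:
            continue
        exp = s["scheduleInfo"]["expiration"]
        if exp["type"] == "noExpiration":
            continue  # permanent eligible: the state the walkthrough ends in
        end = datetime.fromisoformat(exp["endDateTime"].replace("Z", "+00:00"))
        if end - now <= window:
            findings.append(f"{s['principalId']}: eligibility ends {end.date()}")
    return findings


if __name__ == "__main__":
    for f in policy_findings(POLICY_RULES) + schedule_findings(SCHEDULES, AS_OF):
        print("FINDING:", f)
```

Against a real tenant you would feed the script the JSON returned by the two Graph endpoints named in the comments instead of the constructed samples.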
After this is done we can check our approval process. This will be part of another blog entry, which you can see here.