Introduction
The Azure AD Privileged Identity Management (Azure AD PIM) service is used to control access permissions for privileged users. It provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources.
Why should we use this service, and when is it useful?
Suppose you are a global administrator and a user in your department has privileged access to various Azure resources, such as an Azure SQL database or a storage account, and can do anything with those resources; in other words, a high level of privilege.
Now suppose that after a month or two this user moves out of the department. It is now the global administrator's responsibility to ensure that all of that user's permissions are revoked.
As the number of users in the department grows, removing privileges rarely gets done. Granting permissions is easy, but the administrator may forget to remove them from users who should no longer have them.
In this scenario, we can make use of Azure AD Privileged Identity Management.
Using this service, we can provide time-based and approval-based role activation for users.
An eligible user activates an elevated role that can then be used to access resources in Azure, and as a global administrator you can also use Azure AD Privileged Identity Management to control role assignments in Azure AD itself.
Key features of Privileged Identity Management
Instead of granting one-time standing access to Azure AD or Azure resources, you can grant just-in-time access using Azure Privileged Identity Management:
- You can assign time-bound access to resources using start and end dates, and you can require approval to activate any of these privileged roles.
- You can enforce multi-factor authentication to activate any role.
- You can be notified when privileged roles are activated.
- You can conduct access reviews to ensure users still require the roles.
Implementing Azure AD PIM for Azure Resources
To enable Privileged Identity Management for Azure resources, first log in as the Global Administrator for the directory. Azure AD Premium P2 licenses are required to use PIM.
Search for Privileged Identity Management in the Azure portal, then go to Azure resources.
First, discover the resources in your various subscriptions: click "Discover resources", choose your subscription, and click "Manage resource".
Go back to Azure resources and your subscription is now listed. We are ready to manage those resources with PIM.
Modify Role Settings of your Subscription (Optional)
Open the subscription. The Roles section lists the role-based access control (RBAC) roles that can be assigned to users to authorize use of the resources in your Azure subscription.
To modify the settings of one of the roles (say, Storage Account Contributor), go to Settings and edit the role setting for Storage Account Contributor.
Modify and update the Activation and Assignment settings to suit your needs.
In the Activation tab there is a maximum duration option. With it set to eight hours, this role is only active for a duration of eight hours: users can take up the role, but each activation lasts at most eight hours.
In the Assignment tab, I do not allow permanent eligible assignment and restrict eligible assignments to a window of 3 months.
So far we have modified the settings of one RBAC role, "Storage Account Contributor", so that permanent eligible assignment is not allowed.
Assigning Role to User
Now we will assign this role to a user.
First, go to Roles and search for the Storage Account Contributor role. Select that role and click Add assignments.
On the Add assignment screen, select a member to assign the role to.
In the Settings tab you have several settings.
To assign the role directly to the user, choose the assignment type Active.
To make a user eligible to take up the role, choose the assignment type Eligible; in this case the user must activate the role before using it.
Here, I am selecting the assignment type Eligible.
Make sure that the interval between Assignment starts and Assignment ends does not exceed 3 months, because of the Storage Account Contributor role settings we modified in the earlier steps.
After assigning the role, the user's membership status is shown under "Eligible assignments".
So far we have modified the RBAC role settings and assigned the role to a user as eligible. To get access, the user must activate the role.
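The same eligible assignment can be created and verified from PowerShell, which is useful when you need to repeat it for many users or keep the change in a script. The following is an added example, not code from the original article; it uses the Azure resource PIM cmdlets in the Az.Resources module (assumed version 6.x or later), assumes you have already run Connect-AzAccount as an account that can manage PIM for the subscription, and uses placeholder values for the subscription id and the user's UPN.

```powershell
# Added example (not from the original article): create the "Eligible"
# assignment the article makes in the portal, using the Az.Resources PIM
# cmdlets. Assumes Az.Resources >= 6.x, an existing Connect-AzAccount session
# as the global administrator, and a subscription already onboarded to PIM.
# The subscription id and user UPN below are placeholders.

$subscriptionId = "00000000-0000-0000-0000-000000000000"   # placeholder
$userUpn        = "userthree@contoso.example"               # placeholder
$scope          = "/subscriptions/$subscriptionId"

# Resolve the built-in role and the principal instead of hard-coding GUIDs.
$role      = Get-AzRoleDefinition -Name "Storage Account Contributor"
$principal = Get-AzADUser -UserPrincipalName $userUpn
$roleDefinitionId = "$scope/providers/Microsoft.Authorization/roleDefinitions/$($role.Id)"

# Eligible (not Active) assignment, limited to 90 days so it stays within the
# 3-month maximum configured in the role settings. PIM rejects a request for
# a longer window, which is exactly the guard rail the article relies on.
$request = New-AzRoleEligibilityScheduleRequest `
    -Name (New-Guid).Guid `
    -Scope $scope `
    -PrincipalId $principal.Id `
    -RoleDefinitionId $roleDefinitionId `
    -RequestType AdminAssign `
    -ScheduleInfoStartDateTime (Get-Date -Format o) `
    -ExpirationType AfterDuration `
    -ExpirationDuration "P90D" `
    -Justification "Time-bound eligibility for storage work (placeholder ticket)"

"Eligibility request $($request.Name) status: $($request.Status)"

# Verify: list the eligible assignments held by this principal at the
# subscription scope, including when each eligibility window ends.
Get-AzRoleEligibilitySchedule -Scope $scope `
    -Filter "principalId eq '$($principal.Id)'" |
    Select-Object Name, PrincipalId, RoleDefinitionId, StartDateTime, EndDateTime, Status
```

The ExpirationDuration value is an ISO 8601 duration; "P90D" is the scripted equivalent of the 3-month window chosen in the portal. Changing RequestType to AdminAssign on New-AzRoleAssignmentScheduleRequest instead would create an Active assignment, which is the direct-assignment option the article describes as the alternative to Eligible.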
Activate the Role as the Privileged User
Now log in to the Azure portal as your privileged user (in my case User Three) and activate the role.
Navigate to Privileged Identity Management, click My roles, then Azure resources, and click Activate.
Approve Access Request from Global Administrator
The global administrator can now approve the request from the Approve requests tab.
The privileged user has now been assigned the Storage Account Contributor role.
Remember that once the role expires after eight hours (as per the settings), the user can activate the role again, but only between the assignment's start and end dates.
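The activation and the administrator's follow-up checks can also be scripted. This added example (not code from the original article) shows the eligible user submitting the same activation request the portal sends, and then the checks a global administrator can run to see pending requests and to confirm that active assignments carry the eight-hour end time. It assumes Az.Resources 6.x or later, a Connect-AzAccount session as the eligible user for the first part and as the approver for the second, and a placeholder subscription id. Approving the request itself is left to the portal step described above.

```powershell
# Added example (not from the original article): self-activation by the
# eligible user ("User Three" in the article) and the administrator's
# review of the result, using the Az.Resources PIM cmdlets.
# Assumes Az.Resources >= 6.x; the subscription id is a placeholder.

$subscriptionId = "00000000-0000-0000-0000-000000000000"   # placeholder
$scope          = "/subscriptions/$subscriptionId"

# --- Eligible user's session ---
$me   = Get-AzADUser -SignedIn
$role = Get-AzRoleDefinition -Name "Storage Account Contributor"
$roleDefinitionId = "$scope/providers/Microsoft.Authorization/roleDefinitions/$($role.Id)"

# Activation is a SelfActivate request. The requested duration must not
# exceed the maximum activation duration in the role settings (8 hours here);
# PIM rejects longer requests. A justification is required when the role
# setting demands one, and it is what the approver sees in the queue.
$activation = New-AzRoleAssignmentScheduleRequest `
    -Name (New-Guid).Guid `
    -Scope $scope `
    -PrincipalId $me.Id `
    -RoleDefinitionId $roleDefinitionId `
    -RequestType SelfActivate `
    -ScheduleInfoStartDateTime (Get-Date -Format o) `
    -ExpirationType AfterDuration `
    -ExpirationDuration "PT8H" `
    -Justification "Rotate storage account keys for project X (placeholder)"

# With approval required, the request stays PendingApproval until the
# approver acts; without approval it becomes Provisioned almost immediately.
"Activation request $($activation.Name): $($activation.Status)"

# --- Global administrator's session ---

# Requests still waiting for approval at this scope, with who asked and why.
Get-AzRoleAssignmentScheduleRequest -Scope $scope |
    Where-Object { $_.Status -eq "PendingApproval" } |
    Select-Object Name, PrincipalId, RoleDefinitionId, Justification, CreatedOn

# Assignments that are active right now because someone activated an
# eligible role (AssignmentType "Activated" rather than a permanent
# "Assigned" one). EndDateTime shows when the elevated access lapses, which
# is how you confirm the eight-hour cap is being honoured.
Get-AzRoleAssignmentScheduleInstance -Scope $scope |
    Where-Object { $_.AssignmentType -eq "Activated" -and $_.Status -eq "Provisioned" } |
    Select-Object PrincipalId, RoleDefinitionId, StartDateTime, EndDateTime
```

The second query is worth running on a schedule: anything with AssignmentType "Assigned" at subscription scope is standing access that bypassed the just-in-time flow, and an "Activated" instance whose EndDateTime is further out than the role setting allows points to a role whose settings have drifted from the policy described in this article.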
Excellent! We have seen a demonstration of how to assign time-bound access to resources using start and end dates in Azure AD PIM. Also, we have ensured that approval is required to activate any of these privileged roles.
I hope you find this information useful!