What Is Azure AD Privileged Identity Management?
In today’s Ask the Admin, I’ll look at Azure Active Directory (AAD) Privileged Identity Management (PIM) and how it can help protect user identities in the cloud.
Privileged Identity Management is available to AAD Premium P2 subscribers and allows organizations to better control what users are doing with privileged accounts. Just like in an on-premises Active Directory (AD) environment, the use of privileged domain accounts, such as Domain Admins and Enterprise Admins, should be kept to a minimum. To help facilitate that, Windows Server 2016 includes a new feature called Just-In-Time (JIT) administration, which allows users to be granted privileges on a temporary, time-limited basis.
In AAD, Just-In-Time administration allows administrative privileges to be granted ‘on-demand’ to the directory and online services, such as Office 365 and Intune. Much of what Microsoft added to Windows Server 2016 was the result of features that were first appeared in Azure, so it should come as no surprise that JIT administration is also part of AAD. PIM also allows administrators to
- See which AAD users are tenant administrators.
- Run reports detailing changes and access attempts made by administrators.
- Set up alerts for access to privileged roles.
Eligibility and Activation
When PIM is enabled for a tenant, users that occasionally need privileged access can be assigned the role of Eligible admin, and only when they complete ‘activation’ are their accounts granted elevated privileges for a set period. Users activate a role by logging in to the AAD management portal and start the activation process on the Privileged Identity Management panel.
Each role supported by PIM accepts users that are either Permanent or Eligible members of the role. For instance, in the image below, you can see that users assigned the Global Administrator role have Permanent permission, others Eligible.
Roles have activation settings that determine the maximum amount of time for activation, how admins are notified of the activation, whether users requesting activation should provide any additional information such as a request ticket ID, and whether multifactor authentication is required.
Administrators can view activity on the Audit history panel, where changes in privileged role assignment and activation history are recorded. Alternatively, access reviews can be configured, which requires an assigned person to review historical access data and determine who still requires privileged access.
In this article, I explained what AAD Privileged Identity Management is and how it can be used to improve the security of your AAD tenant.
More in Cloud Computing
Microsoft Launches Office 365 Government Secret Cloud to Handle Classified Data
Jan 31, 2023 | Rabia Noureen
What Are the Best Hyperconverged Infrastructure (HCI) Solutions on the Market?
Jan 9, 2023 | Sukesh Mudrakola
Amazon Cuts 18,000 Jobs From its Global Workforce
Jan 9, 2023 | Michael Otey
Using Autodesk Drive to Collaborate on Design and Model Data in the Cloud
Jan 6, 2023 | Siji Roy
Amazon Web Services (AWS): A 2022 FAQ
Dec 22, 2022 | Michael Otey
Microsoft to Roll Out EU Data Boundary Plan for Cloud Services on January 1
Dec 15, 2022 | Rabia Noureen
Most popular on petri