top of page
  • Writer's pictureJames Agombar

Configuring Azure PIM with Security Groups

So firstly what is Azure PIM?

Privileged Identity Management (PIM) is a service in Azure Active Directory (Azure AD) that enables you to manage, control, and monitor access to important resources in your organization. These resources include resources in Azure AD, Azure, and other Microsoft Online Services such as Microsoft 365 or Microsoft Intune.

Source: Microsoft

Why Should I use it?

Azure PIM provides better ways to control who has access to what, when and for how long. As well as requiring justification, an approval process and audit trail too.

Here's a breakdown of capabilities;

  • Provide just-in-time privileged access to Azure AD and Azure resources

  • Assign time-bound access to resources using start and end dates

  • Require approval to activate privileged roles

  • Enforce multi-factor authentication to activate any role

  • Use justification to understand why users activate

  • Get notifications when privileged roles are activated

  • Conduct access reviews to ensure users still need roles

  • Download audit history for internal or external audit

  • Prevents removal of the last active Global Administrator and Privileged Role Administrator role assignments

Are there any Pre-requisites?

As always with Microsoft security products, there's a cost associated with PIM and you'll need the Azure P2 licence for any account using PIM. Personally I think these sorts of capabilities should be either free of at a maximum require P1 licences, but hey ho!

What's the best way to configure PIM?

I guess how long is a piece of string? It depends on what your requirements are, risk factors, scope of personnel etc. With PIM you can make things as tightly locked down or flexible as needed. Just be mindful there's a fine balance between security and useability in the business world. Yes our system could be tightly locked down, but getting access approved quickly is an utter nightmare....

So for this example I'm going to demonstrate configuring PIM with the use of Security Groups.

Why this method?

Well, assigning roles to group can be really easy to manage if you've providing access to support teams, say Tier 1, 2 & 3 or Security Analysts perhaps? Once the groups are set up, all you have to do is assign the individual to the correct group and you're done. Whereas if you were assigning individual roles, the time needed could be greater and add risk of incorrect assignment.

Ok! So lets crack on and create a new Security Group in Azure AD. For this example I've named the group "Security Analysts" and selected Yes for "Azure AD roles can be assigned to the group" and click Create.

Click Yes when prompted .

Ok, next in the Azure AD menu, click on Roles and Administrators and choose a role you're going to assign to the new group. For this I'm choosing Security Reader. Click the role

On the Assignments screen, click Add assignments.

Under Select memeber(s), click No member selected.

Select the new Security Analysts group, click the Select button, then click Next.

Now here's where you start setting the type of access you want to assign. PIM provides two main types, Active and Eligible.

Active roles are permanently available roles, and don't require any request to activate. Whereas Eligible roles WILL require some form of access request through the Azure portal.

Both types of access can also be permanently assigned or for a set period of time. For example, you might only want the role assigned for 6 months to a group or individual.

Still with me?

Ok, for the Security Reader role in this example I'm assigning it as permanently Active to the Security Analyst group with an added justification.

When complete, you'll go back to the previous screen which will now show the Security Analysts group under Active assignments.

Ok now, lets have a go at assigning a role as Eligible. So go back to the Azure AD menu, select Roles and administrators then click Security Operator.

On the following screen, click Add assignments.

On the Add assignments screen, select Eligible and make the role Permanently eligible. Choose the Security Analyst group as previously done and click Create.

Congratulations, you'll now see the Security Analyst group under the Eligible assignments menu.

Time to Configure PIM!

This is where you start doing all the good stuff and fine tuning PIM. But first we need to onboard the Security Groups that PIM will manage.

Within Azure Privileged Identity Management, click on Groups in the menu and then Discover Groups.

Tick the Security Analysts group and then click Manage groups above.

Click Ok.

Now go back to the Groups option and you'll see the Security Analysts group listed.

Now click on the Security Analysts group and then click Settings.

This is where you're going to fine tune Azure PIM for each of the security groups you've set up. For this example I'm setting Activation of Eligible roles to 8 hours. This means once you active an eligible role, you have 8 hours to use it, after which time, access will be revoked.

When a role is activated, do you want to enforce MFA or Conditional Access authentication context?

Do you want the person to provide a justification as to why they need access, support ticket details or even require approval during the activation process?

All of these are incredibly important, but take in to account factors within the business and the ability to respond to an urgent incident. Don't get caught up in unnecessary delays when your support teams need access ASAP!

On the Assignment screen, you can make changes to whether you want Active and Eligible assignments permanently assigned or expire after an set time, along with requesting MFA and justification on an Active assignment.

On the final screen, here's where you set all your notification options. You can either leave them all default, or perhaps you want specific individuals or shared mailboxes to receive notifications.

My advice is have a think about it and talk to the necessary teams. Security will most likely love you a great deal if you give them this type of capability, so make sure you sell this!

And that's it for the fundamentals.

There is more to cover off around ongoing management of PIM and of course the ability to add Azure Resource roles to PIM, so I might look at writing another blog in the new future on those.

Let me know if you've found this useful or have any additional suggestions to using Azure PIM.

1,036 views0 comments


bottom of page