Through the use of Azure Active Directory (AD) Privileged Identity Management, you can manage, control, and monitor access within your organization to resources in Azure AD, as well as other Microsoft online services such as Office 365 or Microsoft Intune.
Organizations aim to minimize the number of people who have access to secure information and resources in order to decrease the chances of a malicious user gaining access. However, users still need to carry out privileged operations in Azure, Office 365, or SaaS apps. As a result, organizations give users privileged access in Azure AD without monitoring what those users are doing with their admin privileges. Azure AD Privileged Identity Management helps to resolve the risk created by this dilemma.
Azure AD Privileged Identity Management helps you:
Azure AD Privileged Identity Management can manage the built-in Azure AD organizational roles, including (but not limited to):
Historically, a user could be assigned to an admin role through the Azure classic portal or Windows PowerShell. As a result, that user became a permanent admin, always active in the assigned role. Azure AD Privileged Identity Management introduces the concept of an eligible admin. Eligible admins should be users that need privileged access every now and then, but not all of the time. The role is inactive until the user needs access; the user then completes an activation process and becomes an active admin for a predetermined amount of time.
You can start using Azure AD Privileged Identity Management in the Azure portal. Note: to enable Azure AD Privileged Identity Management for a directory, you must be a global administrator signed in with an organizational account (for example, @yourdomain.com), not a Microsoft account (for example, @outlook.com).
If you're the first person to use Azure AD Privileged Identity Management in your directory, the security wizard walks you through the initial assignment experience. After that, you automatically become the first Security administrator and Privileged role administrator of the directory.
Only a privileged role administrator can manage access for other administrators. You can give other users the ability to manage in PIM.
Azure AD Privileged Identity Management provides an admin dashboard that gives you important information such as:
With Azure AD Privileged Identity Management, you can manage the administrators by adding or removing permanent or eligible administrators to each role.
Using the role settings you can configure the eligible role activation properties including:
Note that in the image, the buttons for Multi-Factor Authentication are disabled: for certain highly privileged roles, MFA is required for heightened protection and cannot be switched off in the role settings.
To activate a role, an eligible admin requests a time-bound "activation" for the role. The activation can be requested using the Activate my role option in Azure AD Privileged Identity Management.
An admin who wants to activate a role needs to initialize Azure AD Privileged Identity Management in the Azure portal.
Role activation is customizable. In the PIM settings, you can determine the length of the activation and what information the admin needs to provide to activate the role.
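The following Python model is an added example and is not code from the original article or from the PIM product. It illustrates the activation flow just described: a user holds an eligible (inactive) assignment, requests a time-bound activation, and the role settings (maximum duration, MFA requirement, justification requirement) decide whether the request is honoured. All role names, settings and accounts are constructed; the `graph_activation_body` helper builds a request body modelled on the Microsoft Graph roleAssignmentScheduleRequest resource, which is an assumption of this example rather than something the page documents.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class RoleSettings:
    """Constructed PIM role settings: the activation properties the page lists."""
    role: str
    max_duration: timedelta
    require_mfa: bool
    require_justification: bool


@dataclass(frozen=True)
class Activation:
    user: str
    role: str
    start: datetime
    end: datetime
    justification: str


class PimModel:
    """Minimal model of permanent vs. eligible assignments and time-bound activation."""

    def __init__(self, settings):
        self.settings = {s.role: s for s in settings}
        self.eligible = set()    # (user, role) pairs that may request activation
        self.permanent = set()   # (user, role) pairs that are always active
        self.activations = []

    def add_eligible(self, user, role):
        self.eligible.add((user, role))

    def add_permanent(self, user, role):
        self.permanent.add((user, role))

    def activate(self, user, role, requested, now, justification="", mfa_passed=False):
        """Apply the role's activation policy; return the Activation or raise."""
        if (user, role) not in self.eligible:
            raise PermissionError(f"{user} is not eligible for {role}")
        s = self.settings[role]
        if s.require_mfa and not mfa_passed:
            raise PermissionError(f"{role} requires MFA before activation")
        if s.require_justification and not justification.strip():
            raise ValueError(f"{role} requires a justification")
        if requested > s.max_duration:
            raise ValueError(f"requested {requested} exceeds maximum {s.max_duration}")
        act = Activation(user, role, now, now + requested, justification)
        self.activations.append(act)
        return act

    def is_active(self, user, role, at):
        """Permanent admins are always active; eligible admins only inside an activation window."""
        if (user, role) in self.permanent:
            return True
        return any(a.user == user and a.role == role and a.start <= at < a.end
                   for a in self.activations)


def iso_duration(td):
    """Render a timedelta as the ISO 8601 duration form PIM uses (e.g. PT4H, PT1H30M)."""
    hours, minutes = divmod(int(td.total_seconds() // 60), 60)
    return f"PT{hours}H" + (f"{minutes}M" if minutes else "")


def graph_activation_body(principal_id, role_definition_id, requested, now, justification):
    """Assumed request-body shape for a self-activation via Microsoft Graph (not from the page)."""
    return {
        "action": "selfActivate",
        "principalId": principal_id,
        "roleDefinitionId": role_definition_id,
        "directoryScopeId": "/",
        "justification": justification,
        "scheduleInfo": {
            "startDateTime": now.isoformat().replace("+00:00", "Z"),
            "expiration": {"type": "afterDuration", "duration": iso_duration(requested)},
        },
    }


def demo():
    """Constructed walk-through: alice is eligible, bob is permanent."""
    pim = PimModel([RoleSettings("Global Administrator", timedelta(hours=8), True, True)])
    pim.add_eligible("alice@contoso.example", "Global Administrator")
    pim.add_permanent("bob@contoso.example", "Global Administrator")
    t0 = datetime(2023, 3, 10, 9, 0, tzinfo=timezone.utc)
    act = pim.activate("alice@contoso.example", "Global Administrator", timedelta(hours=4),
                       t0, justification="ticket 1234", mfa_passed=True)
    return pim, act, t0


if __name__ == "__main__":
    pim, act, t0 = demo()
    print(act)
    print(pim.is_active("alice@contoso.example", "Global Administrator", t0 + timedelta(hours=5)))
```

The point the model makes explicit is that an eligible admin has no standing privilege: `is_active` returns true only inside a window that the role settings bound, whereas the permanent assignment is active at every instant.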
There are two ways to track how your employees and admins are using privileged roles. The first option is using Directory Roles audit history. The audit history logs track changes in privileged role assignments and role activation history.
The second option is to set up regular access reviews. These access reviews can be performed by an assigned reviewer (such as a team manager), or employees can review their own access. This is the best way to monitor who still requires access and who no longer does.
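As an added example that is not part of the original article, the Python below shows the kind of check a reviewer would run over the directory role audit history described above: it picks out permanent assignments to highly privileged roles (the standing-admin risk the article opens with), lists PIM activations per user, and finds eligible admins who have not activated within a review window, which is the question an access review is meant to answer. The audit records are constructed for this example; their field names follow the Azure AD audit log layout (`activityDisplayName`, `initiatedBy`, `targetResources`, `modifiedProperties`), but the activity strings, accounts and the set of roles treated as privileged are assumptions, not values taken from the page.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed list of roles to treat as highly privileged for this example.
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator",
                    "Security Administrator"}

# Activity names used by the constructed records below (assumed, not from the page).
ACT_PERMANENT = "Add member to role"
ACT_ELIGIBLE = "Add eligible member to role"
ACT_ACTIVATION = "Add member to role completed (PIM activation)"


def _record(when, activity, actor, target, role):
    """Build one constructed audit record in the Azure AD audit log shape."""
    return {
        "activityDateTime": when,
        "activityDisplayName": activity,
        "initiatedBy": {"user": {"userPrincipalName": actor}},
        "targetResources": [{
            "userPrincipalName": target,
            # Azure AD stores newValue as a JSON-encoded string, hence json.dumps
            "modifiedProperties": [{"displayName": "Role.DisplayName",
                                    "newValue": json.dumps(role)}],
        }],
    }


SAMPLE_AUDIT_LOG = [  # constructed sample data
    _record("2023-03-01T09:00:00Z", ACT_PERMANENT, "pim-admin@contoso.example",
            "bob@contoso.example", "Global Administrator"),
    _record("2023-03-01T09:05:00Z", ACT_ELIGIBLE, "pim-admin@contoso.example",
            "alice@contoso.example", "Security Administrator"),
    _record("2023-03-02T10:00:00Z", ACT_ELIGIBLE, "pim-admin@contoso.example",
            "carol@contoso.example", "Security Administrator"),
    _record("2023-03-05T11:00:00Z", ACT_PERMANENT, "pim-admin@contoso.example",
            "dave@contoso.example", "Helpdesk Administrator"),
    _record("2023-03-10T08:30:00Z", ACT_ACTIVATION, "alice@contoso.example",
            "alice@contoso.example", "Security Administrator"),
]


def role_of(record):
    """Extract the role display name from a record's modifiedProperties."""
    for target in record.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") == "Role.DisplayName":
                return json.loads(prop["newValue"])
    return None


def normalize(records):
    """Flatten raw audit records into simple event dicts with parsed timestamps."""
    events = []
    for r in records:
        target = r["targetResources"][0]
        events.append({
            "time": datetime.fromisoformat(r["activityDateTime"].replace("Z", "+00:00")),
            "activity": r["activityDisplayName"],
            "actor": r["initiatedBy"]["user"]["userPrincipalName"],
            "target": target["userPrincipalName"],
            "role": role_of(r),
        })
    return events


def permanent_privileged_assignments(events):
    """Standing (non-PIM) assignments to privileged roles: the finding to raise first."""
    return sorted({(e["target"], e["role"]) for e in events
                   if e["activity"] == ACT_PERMANENT and e["role"] in PRIVILEGED_ROLES})


def activations_by_user(events):
    """Map each user to the (role, time) activations recorded for them."""
    out = defaultdict(list)
    for e in events:
        if e["activity"] == ACT_ACTIVATION:
            out[e["target"]].append((e["role"], e["time"]))
    return dict(out)


def eligible_without_recent_activation(events, now, window):
    """Eligible (user, role) pairs with no activation inside the review window."""
    eligible = {(e["target"], e["role"]) for e in events if e["activity"] == ACT_ELIGIBLE}
    recent = {(e["target"], e["role"]) for e in events
              if e["activity"] == ACT_ACTIVATION and now - e["time"] <= window}
    return sorted(eligible - recent)


if __name__ == "__main__":
    ev = normalize(SAMPLE_AUDIT_LOG)
    review_time = datetime(2023, 3, 31, tzinfo=timezone.utc)
    print("permanent privileged:", permanent_privileged_assignments(ev))
    print("activations:", activations_by_user(ev))
    print("review candidates:", eligible_without_recent_activation(ev, review_time, timedelta(days=30)))
```

Run against a real export, the third function is the one to feed into an access review: an eligible assignment that is never activated is a candidate for removal, while the first function surfaces the permanent admins that PIM is meant to eliminate.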
Prior to reaching general availability, Azure AD PIM was in preview and there were no license checks for a tenant to preview Azure AD PIM. Now that Azure AD PIM has reached general availability, trial or paid licenses must be assigned to the administrators of the tenant to continue using PIM. If your organization does not purchase Azure AD Premium P2, or your trial expires, most of the Azure AD PIM features will no longer be available in your tenant. You can read more in the Azure AD PIM subscription requirements.