What is Azure AD Privileged Identity Management?

Through the use of Azure Active Directory (AD) Privileged Identity Management, you can manage, control, and monitor access within your organization to resources in Azure AD, as well as other Microsoft online services such as Office 365 or Microsoft Intune.

Organizations aim to minimize the number of people who have access to secure information and resources in order to decrease the chances of a malicious user gaining access. However, users still need to carry out privileged operations in Azure, Office 365, or SaaS apps. As a result, organizations give users privileged access in Azure AD without monitoring what those users are doing with their admin privileges. Azure AD Privileged Identity Management helps to resolve the risk created by this dilemma.

Azure AD Privileged Identity Management helps you:

• See which users are Azure AD administrators
• Enable on-demand, "just in time" administrative access to Microsoft Online Services like Office 365 and Intune
• Get reports about administrator access history and changes in administrator assignments
• Get alerts about access to a privileged role
• Require approval to activate (Preview)

Azure AD Privileged Identity Management can manage the built-in Azure AD organizational roles, including (but not limited to):

• Global Administrator
• Billing Administrator
• Service Administrator
• User Administrator
• Password Administrator

Just in time administrator access

Historically, users could be assigned to an admin role through the Azure classic portal or Windows PowerShell. As a result, that user becomes a permanent admin, always active in the assigned role. Azure AD Privileged Identity Management introduces the concept of an eligible admin. Eligible admins should be users that need privileged access every now and then, but not all of the time. The role is inactive until the user needs access, then they complete an activation process and become an active admin for a predetermined amount of time.

Enable Privileged Identity Management for your directory

You can start using Azure AD Privileged Identity Management in the Azure portal. (NOTE: You must be a global administrator with an organizational account, for example, @yourdomain.com, not a Microsoft account - for example, @outlook.com - to enable Azure AD Privileged Identity Management for a directory)

1. Sign in to the Azure portal as a global administrator of your directory.
2. If your organization has more than one directory, select your username in the upper right-hand corner of the Azure portal. Select the directory where you will use Azure AD Privileged Identity Management.
3. Select More services and use the Filter textbox to search for Azure AD Privileged Identity Management.
4. Check Pin to dashboard and then click Create. The Privileged Identity Management application opens.

If you're the first person to use Azure AD Privileged Identity Management in your directory, then the security wizard walks you through the initial assignment experience. After that you automatically become the first Security administrator and Privileged role administrator of the directory.

Only a privileged role administrator can manage access for other administrators. You can give other users the ability to manage in PIM.

Privileged Identity Management admin dashboard

Azure AD Privileged Identity Manager provides an admin dashboard that gives you important information such as:

• Alerts that point out opportunities to improve security
• The number of users who are assigned to each privileged role
• The number of eligible and permanent admins
• A graph of privileged role activations in your directory

Privileged role management

With Azure AD Privileged Identity Management, you can manage the administrators by adding or removing permanent or eligible administrators to each role.

Configure the role activation settings

Using the role settings you can configure the eligible role activation properties including:

• The duration of the role activation period
• The role activation notification
• The information a user needs to provide during the role activation process
• Service ticket or incident number
• Approval workflow requirements - Preview

Note that in the image, the buttons for Multi-Factor Authentication are disabled. For certain, highly privileged roles, we require MFA for heightened protection.

Role activation

To activate a role, an eligible admin requests a time-bound "activation" for the role. The activation can be requested using the Activate my role option in Azure AD Privileged Identity Management.

An admin who wants to activate a role needs to initialize Azure AD Privileged Identity Management in the Azure portal.

Role activation is customizable. In the PIM settings, you can determine the length of the activation and what information the admin needs to provide to activate the role.

Review role activity

There are two ways to track how your employees and admins are using privileged roles. The first option is using Directory Roles audit history. The audit history logs track changes in privileged role assignments and role activation history.

The second option is to set up regular access reviews. These access reviews can be performed by and assigned reviewer (like a team manager) or the employees can review themselves. This is the best way to monitor who still requires access, and who no longer does.

Azure AD PIM at subscription expiration

Prior to reaching general availability Azure AD PIM was in preview and there were no license checks for a tenant to preview Azure AD PIM. Now that Azure AD PIM has reached general availability, trial or paid licenses must be assigned to the administrators of the tenant to continue using PIM. If your organization does not purchase Azure AD Premium P2 or your trial expires, mostly all of the Azure AD PIM features will no longer be available in your tenant. You can read more in the Azure AD PIM subscription requirements