Azure AD Privileged Identity Management - PIM


PIM, short for Privileged Identity Management, is a service in Azure Active Directory (Azure AD) that lets you manage, control, and monitor access to important resources in your organization. These resources include Azure AD, Azure itself, and other Microsoft Online Services such as Microsoft 365 and Microsoft Intune. The following video explains the key PIM concepts and features in more detail.

Why To Use PIM?

In order to mitigate the risks associated with secure information and resources, organizations strive to limit the number of individuals with access. By doing so, they can effectively reduce the likelihood of both malicious actors gaining unauthorized entry and authorized users unintentionally causing harm to sensitive assets. Nonetheless, users still require the ability to perform privileged operations within Azure AD, Azure, Microsoft 365, or SaaS apps. To address this, organizations can adopt a just-in-time approach to grant users temporary privileged access to Azure and Azure AD resources. Moreover, they can maintain oversight over the activities performed by these users during their privileged access sessions.

License Prerequisites

Azure AD Premium P2 licenses.

Assignment Process

The process of assigning roles to members marks the beginning of the assignment procedure. To grant access to a resource, the administrator assigns roles to users, groups, service principals, or managed identities. The assignment encompasses the following information:

  1. The individuals or owners to whom the role is assigned.
  2. The scope of the assignment, which limits the assigned role to a specific set of resources.
  3. The type of assignment being made:
     - Eligible assignments require the role member to take an action, such as activating the role or requesting approval from designated approvers, before the role can be used.
     - Active assignments require no action from the role member. Members assigned as active hold the privileges of the role at all times.
  4. The duration of the assignment, either defined by start and end dates or marked as permanent. For eligible assignments, members can activate or request approval between the start and end dates. Members of active assignments can use the assigned role freely during that period.

The following screenshot shows how an administrator assigns a role to a member.

Activation Process

Once users have been deemed eligible for a role, they are required to activate the role assignment before utilizing the role. To activate the role, users need to choose a specific duration for the activation within the maximum limit set by administrators. Additionally, users must provide a reason for their activation request.
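The assignment and activation steps above, as an added example using the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.Governance module); this is not code from the original post. The user principal name, the role name, the ticket reference and the durations are placeholder values, and step 2 runs in the eligible user's own session, not the administrator's.

```powershell
# Added example (not from the original post). Requires the Microsoft.Graph
# PowerShell SDK; user, role, ticket and durations below are placeholders.
Connect-MgGraph -Scopes "RoleEligibilitySchedule.ReadWrite.Directory",
                        "RoleAssignmentSchedule.ReadWrite.Directory",
                        "User.Read.All"

$user = Get-MgUser -UserId "alice@contoso.example"   # placeholder principal
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Security Reader'"

# 1. Assignment (administrator): an ELIGIBLE assignment with a bounded lifetime.
#    directoryScopeId "/" is the whole directory; narrow it where the role allows.
$eligible = @{
    action           = "adminAssign"
    justification    = "Eligible assignment for on-call security review"
    principalId      = $user.Id
    roleDefinitionId = $role.Id
    directoryScopeId = "/"
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = "afterDuration"; duration = "P90D" }  # not permanent
    }
}
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $eligible

# 2. Activation (run by the eligible user): a justification is mandatory and the
#    requested duration must stay within the maximum set by the administrator.
$activate = @{
    action           = "selfActivate"
    justification    = "Investigating alert INC-0000 (placeholder ticket)"
    principalId      = $user.Id
    roleDefinitionId = $role.Id
    directoryScopeId = "/"
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = "afterDuration"; duration = "PT2H" }
    }
}
New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $activate

# 3. Audit: who currently holds the role, and whether by a standing assignment
#    ("Assigned") or a just-in-time activation ("Activated").
Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance `
    -Filter "roleDefinitionId eq '$($role.Id)'" |
    Select-Object PrincipalId, AssignmentType, StartDateTime, EndDateTime
```

If the role's activation policy requires approval, step 2 creates a pending request instead of an immediate activation, and the activated assignment only appears in step 3 once an approver has accepted it.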

Renewing Assignments

To ensure continued access and privileges, a user can either renew or extend the same privilege.

Extend - As a role assignment approaches its expiration, users can utilize Privileged Identity Management to request an extension for the role assignment, allowing them to continue their authorized access to resources.

Renew - In cases where a role assignment has already expired, users can leverage Privileged Identity Management to request a renewal for the role assignment. This enables them to regain their authorized access to resources and resume their privileged activities.

Can you remove PIM assignment immediately?

If you want to remove a role you assigned to a user, you can, but there is a catch: you must wait at least 5 minutes after assigning the role to that user. The minimum required interval is 5 minutes; an earlier removal attempt fails with an error.
