Why Privileged Access Needs Management
- Malicious actors gaining unauthorized access to critical resources.
- Users inadvertently impacting sensitive resources, either through accidental misconfiguration or other unforeseen issues.
Licensing Requirements for PIM
- Microsoft Entra ID P2
- Microsoft Entra ID Governance
- Microsoft Entra Suite
- Users with eligible and/or time-bound assignments to Microsoft Entra ID or Azure roles managed via PIM.
- Users with eligible/time-bound assignments as members or owners of PIM for Groups.
- Users who are approvers for activation requests in PIM.
- Users assigned to or who perform access reviews.
These licenses enable organizations to leverage the full suite of capabilities that PIM offers to control access to sensitive resources.
Impact When a License Expires
- Permanent role assignments remain unaffected.
- The PIM service in the Microsoft Entra admin center, including Graph API cmdlets and PowerShell interfaces, will be unavailable for activating privileged roles or managing access.
- Eligible role assignments for Microsoft Entra roles will be removed, and users will no longer be able to activate privileged roles.
- Ongoing access reviews of Microsoft Entra roles will end, and the configuration settings for PIM will be cleared.
- Email notifications on role assignment changes will stop.
Key Features of Microsoft Entra PIM
Managing PIM in Microsoft Entra ID
Microsoft Entra ID allows you to grant users just-in-time membership and ownership of groups through Privileged Identity Management (PIM) for Groups. These groups can control access to various scenarios, such as:
- Microsoft Entra roles
- Azure roles
- Azure SQL
- Azure Key Vault
- Intune
- Other application roles
- Third-party applications
PIM for Groups is part of Microsoft Entra PIM, alongside PIM for Microsoft Entra roles and PIM for Azure resources.
Key Features of PIM for Groups
With PIM for Groups, you can apply policies similar to those used for Entra roles and Azure resources. Some key policies include:
- Approval requirement for membership or ownership activation
- Multifactor authentication (MFA) enforcement
- Justification requirement for activation
- Maximum activation time limit
Each group has two policies: one for membership activation and another for ownership activation.
Role-Assignable vs. Non-Role-Assignable Groups
- Role-Assignable Groups: Only Global Administrators, Privileged Role Administrators, or group Owners can manage the group. Users in these groups have extra protection, such as preventing unauthorized privilege elevation.
- Non-Role-Assignable Groups: Various administrators, including Exchange Administrators, Groups Administrators, and User Administrators, can manage the group. These groups have fewer protections compared to role-assignable groups.
Important Considerations
- Any Microsoft Entra security group or Microsoft 365 group (excluding dynamic groups and on-premises synced groups) can be enabled for PIM for Groups.
- Groups do not need to be role-assignable for PIM activation, but role-assignable groups provide enhanced security.
Group Assignments and Role Activation
To make a group of users eligible for a Microsoft Entra role, you can:
- Assign users to the group as active members, then assign the group as eligible for role activation.
- Assign the role to a group and make users eligible for group membership.
For critical roles like Exchange Administrator, ensure active assignments of users to the group and assign the group as eligible for activation. This ensures timely access to role privileges.
Best Practices for PIM for Groups
- Use an approval process for eligible member assignments, especially for groups used for elevating into Microsoft Entra roles. (For instance, a Helpdesk Administrator has the ability to reset the passwords of eligible users.)
- Ensure that non-role-assignable groups have limited privileged access to avoid potential security risks.
Group Provisioning Timelines
- Without PIM Activation: Group membership is synced to the application during the next cycle (every 40 minutes, using SCIM).
- With PIM Activation: Group membership is provisioned in 2-10 minutes. For high-traffic scenarios, only five requests can be processed every 10 seconds; additional requests will follow the standard 40-minute sync cycle.
If users face issues accessing the necessary group in the target application, review the PIM logs and provisioning logs to verify group membership updates.
Setting Up PIM for Microsoft Entra ID Role
After selecting Microsoft Entra Roles, the Privileged Identity Management page for Microsoft Entra Roles will open for the respective tenant. You will then see the Quick Start menu, as shown in the screenshot below.
In the Overview tab, you can view details such as role activations in the past 7 days, role assignment distribution, PIM activities from the last 30 days, roles by assignment, alerts, and more, as shown in the screenshot below.
In the My Roles section under Tasks, you can view the eligible, active, and expired assignments for any roles available to your account.
Approve Requests is where you'll find any requests awaiting your approval (including requests to renew or extend role assignments). If approval is enabled for role activation and no specific approvers are designated, Privileged Role Administrators or Global Administrators are automatically assigned as the default approvers.
An eligible role assignment requires the user to perform certain actions before they can use the role. While an eligible user doesn't have continuous access, they can activate the role whenever they need it for privileged tasks. The level of access is the same as someone with a permanent role, but they only get it when necessary.
An active role assignment doesn’t require any action from the user to access the role. Once assigned, they have the privileges continuously and can use the role without needing to activate it.
- Permanent Eligible: A user is always eligible to activate the role when needed.
- Permanent Active: A user has ongoing access to the role without needing to activate it.
- Time-Bound Eligible: A user is only eligible to activate the role during specified start and end dates.
To configure the role settings, navigate to the Role Settings tab. From there, you can edit various options such as Role Activation Settings, Assignment Settings, and Notification Settings.
Use the Activation Maximum Duration slider to define how long, in hours, a role assignment activation request remains valid before expiring. The duration can range from 30 minutes to 24 hours.
You can mandate that users eligible for a role verify their identity using multifactor authentication (MFA) in Microsoft Entra ID before activating their role. MFA provides an added security layer by requiring a second form of verification, enhancing protection for data and applications.
For instance, if a user logs in using Windows Hello for Business, you can configure this setting to require passwordless sign-in via Microsoft Authenticator for role activation. After completing this passwordless sign-in once, the user won't need to authenticate again for subsequent activations within the same session, as the sign-in is already part of their authentication token.
You can configure the system to ask users for a business justification when activating an eligible assignment.
Require Ticket Information Upon Activation
You can ask users to provide a support ticket number when they activate an eligible assignment. This field is informational, and there is no enforced integration with any ticketing systems.
Require Approval to Activate
You can require approval for activating an eligible assignment. Approvers do not need to hold specific roles. However, you must select at least one approver, and it's recommended to select at least two. If no approvers are specified, the Privileged Role Administrator or Global Administrators will act as the default approvers.
The image below shows this configuration; you can customize these settings to suit your needs.
When configuring role settings, you can select two assignment duration options for each assignment type: eligible and active. These options set the default maximum duration when a user is assigned a role in Privileged Identity Management.
Allow Permanent Eligible Assignment:
Resource administrators can assign eligible roles permanently, without an expiration.
Expire Eligible Assignment After:
Resource administrators can require eligible assignments to have specific start and end dates.
Allow Permanent Active Assignment:
Resource administrators can assign active roles permanently, without an expiration.
Expire Active Assignment After:
Resource administrators can require active assignments to have a defined start and end date.
All assignments with a specified end date can be renewed by Global Administrators and Privileged Role Administrators. Additionally, users can submit self-service requests to extend or renew their role assignments.
Require Multifactor Authentication on Active Assignment:
You can enforce that administrators use multifactor authentication (MFA) when creating an active assignment (as opposed to an eligible assignment). However, Privileged Identity Management cannot enforce MFA when the user operates within their active role since the role is already assigned.
Administrators may not be prompted for MFA if they have already authenticated using strong credentials or completed MFA earlier in the session.
Require Justification on Active Assignment:
You can require users to provide a business justification when creating an active assignment (the same prompt we saw earlier when adding a user to an active assignment).
The image below shows this configuration; you can customize these settings to suit your needs.
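As an added example (not from the original post and not Microsoft's own tooling), the following Python audits one role's PIM policy against the activation and assignment settings described above: maximum activation duration, MFA and justification on activation, approval with at least two approvers, and whether eligible assignments may be permanent. The rule ids and field names follow the shape of Microsoft Graph's roleManagementPolicy rules as I understand them; the two sample policies and the 8-hour activation limit are constructed assumptions.

```python
import re
from datetime import timedelta

def parse_iso_duration(value):
    """Parse the ISO 8601 durations PIM stores, e.g. PT30M, PT8H, P180D."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?)?", value)
    if not m:
        raise ValueError(f"unsupported duration: {value}")
    days, hours, minutes = (int(x) if x else 0 for x in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes)

def audit_policy(rules, max_activation_hours=8):
    """Check one role's PIM policy rules (assumed Graph rule shape) against the settings above."""
    by_id = {r["id"]: r for r in rules}
    findings = []
    # Activation settings: maximum duration, MFA and justification, approval
    activation = by_id.get("Expiration_EndUser_Assignment", {})
    hours = parse_iso_duration(activation.get("maximumDuration", "PT24H")).total_seconds() / 3600
    if hours > max_activation_hours:  # 8h is an assumed organizational limit, not a PIM default
        findings.append(f"activation window {hours:g}h exceeds {max_activation_hours:g}h")
    enabled = set(by_id.get("Enablement_EndUser_Assignment", {}).get("enabledRules", []))
    for required in ("MultiFactorAuthentication", "Justification"):
        if required not in enabled:
            findings.append(f"activation does not require {required}")
    approval = by_id.get("Approval_EndUser_Assignment", {}).get("setting", {})
    if not approval.get("isApprovalRequired"):
        findings.append("activation does not require approval")
    else:
        n = sum(len(s.get("primaryApprovers", [])) for s in approval.get("approvalStages", []))
        if n < 2:
            findings.append(f"only {n} approver(s) configured; at least two recommended")
    # Assignment settings: whether eligible assignments may be permanent
    eligibility = by_id.get("Expiration_Admin_Eligibility", {})
    if not eligibility.get("isExpirationRequired"):
        findings.append("permanent eligible assignments allowed")
    return findings

# Constructed sample policies, not exported from a real tenant.
WEAK_POLICY = [
    {"id": "Expiration_EndUser_Assignment", "isExpirationRequired": True, "maximumDuration": "PT24H"},
    {"id": "Enablement_EndUser_Assignment", "enabledRules": ["Justification"]},
    {"id": "Approval_EndUser_Assignment", "setting": {"isApprovalRequired": False}},
    {"id": "Expiration_Admin_Eligibility", "isExpirationRequired": False, "maximumDuration": "P365D"},
]
HARDENED_POLICY = [
    {"id": "Expiration_EndUser_Assignment", "isExpirationRequired": True, "maximumDuration": "PT4H"},
    {"id": "Enablement_EndUser_Assignment", "enabledRules": ["MultiFactorAuthentication", "Justification", "Ticketing"]},
    {"id": "Approval_EndUser_Assignment", "setting": {"isApprovalRequired": True, "approvalStages": [
        {"primaryApprovers": [{"userId": "approver-1-placeholder"}, {"userId": "approver-2-placeholder"}]}]}},
    {"id": "Expiration_Admin_Eligibility", "isExpirationRequired": True, "maximumDuration": "P180D"},
]
```

Running `audit_policy` on a policy pulled from Graph gives a quick checklist of which of the settings above are still at a weak value.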
Turning Off an Email: You can disable specific emails by unchecking the default recipient box and removing any other listed recipients.
Limit Emails to Specified Addresses: If you prefer not to send emails to default recipients, you can clear the checkbox and add your own recipients. To include multiple email addresses, separate them with a semicolon (;).
Send Emails to Both Default and Additional Recipients: You can send notifications to both default recipients and additional ones. To do this, select the default recipient checkbox and enter any extra email addresses.
Critical Emails Only: For each type of email, you can choose to receive only critical notifications by selecting the appropriate checkbox. With this setting, PIM sends emails only when immediate action is required. For instance, emails about extending role assignments are skipped, but emails requiring an administrator to approve an extension request are still sent.
Note:
Each event in Privileged Identity Management can trigger email notifications for multiple recipients, including assignees, approvers, and administrators. However, a maximum of 1,000 notifications can be sent per event. If the recipient list exceeds 1,000, only the first 1,000 recipients receive an email; this does not prevent the remaining assignees, administrators, or approvers from using their permissions in Microsoft Entra ID and PIM.
The image below shows the default configuration; you can customize these settings to suit your needs.
Security Alerts
This section lists all security alerts for Microsoft Entra roles, along with steps to resolve and prevent them. The severity of alerts is categorized as follows:
- High: Indicates a critical policy violation that requires immediate attention.
- Medium: Signals a potential policy violation but does not require immediate action.
- Low: Suggests a preferable policy change but does not require urgent action.
Only users with the following roles can view PIM security alerts for Microsoft Entra roles:
- Global Administrator
- Privileged Role Administrator
- Global Reader
- Security Administrator
- Security Reader
Available Alerts:
- Roles don't require multi-factor authentication for activation: Some roles are not enforcing multi-factor authentication (MFA) when activated.
- Eligible administrators aren't activating their privileged role: Administrators eligible for roles are not activating them when required.
- Roles are being assigned outside of Privileged Identity Management: Roles are being assigned through means other than PIM.
- Potential stale accounts in a privileged role: There may be inactive or unnecessary accounts holding privileged roles.
- The organization doesn't have Azure AD Premium P2: Your organization is missing the Azure AD Premium P2 license, which offers enhanced security features.
- Roles are being activated too frequently: Some roles are being activated more often than expected, which may indicate misuse.
- There are too many global administrators: The organization has an excessive number of global administrators, which can increase security risks.
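To show how four of these alerts can be checked from the defender's side, here is an added Python example (not part of the original post and not Microsoft's alert logic) that evaluates "too many global administrators", "roles assigned outside PIM", "stale privileged accounts" and "roles activated too frequently" over constructed assignment and activation records; the record fields and the thresholds are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data, not an export from a real tenant.
NOW = datetime(2024, 6, 1, 12, 0)
ASSIGNMENTS = [  # who holds which role, whether it was granted through PIM, and last sign-in
    {"user": "alice", "role": "Global Administrator",   "via_pim": True,  "last_sign_in": NOW - timedelta(days=2)},
    {"user": "bob",   "role": "Global Administrator",   "via_pim": False, "last_sign_in": NOW - timedelta(days=1)},
    {"user": "carol", "role": "Exchange Administrator", "via_pim": True,  "last_sign_in": NOW - timedelta(days=120)},
    {"user": "dave",  "role": "Global Administrator",   "via_pim": True,  "last_sign_in": NOW - timedelta(days=3)},
]
# PIM activation events as (user, role, time): alice activated eight times in the last day
ACTIVATIONS = [("alice", "Global Administrator", NOW - timedelta(hours=2 * i)) for i in range(8)] \
            + [("dave", "Global Administrator", NOW - timedelta(hours=5))]

def evaluate_alerts(assignments, activations, now=NOW,
                    max_global_admins=2, stale_days=90, max_activations_per_day=5):
    """Return {alert name: affected principals}. Thresholds are assumed values
    for illustration, not the ones built into Microsoft Entra PIM."""
    alerts = {}
    global_admins = sorted({a["user"] for a in assignments if a["role"] == "Global Administrator"})
    if len(global_admins) > max_global_admins:
        alerts["There are too many global administrators"] = global_admins
    outside = sorted(a["user"] for a in assignments if not a["via_pim"])
    if outside:
        alerts["Roles are being assigned outside of Privileged Identity Management"] = outside
    stale = sorted(a["user"] for a in assignments
                   if now - a["last_sign_in"] > timedelta(days=stale_days))
    if stale:
        alerts["Potential stale accounts in a privileged role"] = stale
    recent = Counter((u, r) for u, r, t in activations if now - t <= timedelta(days=1))
    frequent = sorted(f"{u} ({r})" for (u, r), n in recent.items() if n > max_activations_per_day)
    if frequent:
        alerts["Roles are being activated too frequently"] = frequent
    return alerts
```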
To create access reviews for Azure resources, you must have the Owner or User Access Administrator role for those resources. For Microsoft Entra roles, you need at least the Privileged Role Administrator role.
If you're using access reviews for service principals, it requires a Microsoft Entra Workload ID Premium plan in addition to a Microsoft Entra ID P2 or Microsoft Entra ID Governance license.
Note:
Access reviews capture a snapshot of access at the start of each review cycle. Any changes made during the review process will be reflected in the next review cycle. With each recurrence, Microsoft Entra PIM retrieves updated data on the users, resources, and reviewers involved in the review.
If you're just beginning to use Privileged Identity Management (PIM) in Microsoft Entra ID to manage role assignments, the Discovery and Insights (preview) page is a great starting point. This feature provides an overview of who holds privileged roles in your organization and offers guidance on converting permanent role assignments into just-in-time assignments using PIM. You can also view and adjust permanent privileged role assignments directly from the Discovery and Insights (preview) page, which functions as both an analysis and action tool.
Microsoft recommends that organizations maintain two cloud-only emergency access accounts with permanent Global Administrator roles. These highly privileged accounts are not assigned to individuals but are reserved for emergency or "break glass" situations, such as when all other administrators are locked out. These accounts should be set up with Microsoft's emergency access account best practices.
Additionally, keep role assignments permanent if the user has a Microsoft account (e.g., an account used to sign in to services like Skype or Outlook.com). If multi-factor authentication is required for a user with a Microsoft account to activate a role, they may be locked out.
Validating Entra ID PIM Activation
If you are designated as eligible for an administrative role, you must activate the role assignment when you need to perform privileged actions. When a role is activated, Microsoft Entra PIM temporarily assigns you the active role within seconds. Upon deactivation, either manually or when the activation period expires, Microsoft Entra PIM removes the active assignment just as quickly.
To activate a Microsoft Entra role, you can request activation by navigating to My roles in Privileged Identity Management. PIM is also accessible via the Azure mobile app (iOS | Android) for Microsoft Entra ID and Azure resource roles. Through the app, you can easily activate eligible assignments, request renewals for expiring roles, or track the status of pending requests.
To view and manage your roles, sign in to the Microsoft Entra admin center and search for Privileged Identity Management.
- Cannot be set for a duration of less than five minutes.
- Cannot be removed within five minutes of being assigned.
The following email notification will be sent to the Admin user when users are added to Entra Roles using PIM.
Extend or Renew Microsoft Entra Role Assignments in PIM
When a user or group requests an extension or renewal for an expiring or expired role, administrators are notified. Once an administrator approves or denies the request, all other administrators are informed of the decision, and the requesting user or group is notified of the outcome.
Conclusion
Managing privileged access effectively is essential for securing critical resources in any organization, and Microsoft Entra ID PIM offers a comprehensive solution to achieve this. In this first part, we explored the Entra role-based features of PIM, emphasizing how just-in-time access, approval workflows, and auditing can enhance security while maintaining flexibility.
As we continue this series, Part 2 will delve into how PIM can be used to manage Azure resources, extending privileged access management beyond identities. Part 3 will focus on PIM for Groups and Access Reviews, demonstrating how these features help streamline governance and ensure that access rights remain appropriate over time.
Stay tuned as we explore these additional capabilities and how they further strengthen your organization’s security posture.