In this final part of our series on Microsoft Entra ID Privileged Identity Management (PIM), we'll delve into how to set up just-in-time access for the member and owner roles of a Microsoft Entra security group using PIM for Groups. This feature not only offers an alternative method for configuring PIM for Microsoft Entra roles and Azure roles but also extends PIM capabilities to other Microsoft online services like Intune, Azure Key Vaults, and Azure Information Protection.
When a group is configured for app provisioning, activating a group membership triggers the provisioning process. This means that both the group membership and the user account (if it hasn't been provisioned already) are provisioned to the application using the System for Cross-Domain Identity Management (SCIM) protocol.
We've previously discussed PIM Microsoft Entra role-assignable groups in Part 1 of this series,
Assigning Roles to Users and Groups
Groups: Allow all members of a group to obtain just-in-time access to Microsoft Entra roles and Azure roles.
For Azure roles, you can use any Microsoft Entra security group.
Recommendation: It's not advisable to assign or nest a group within a PIM for Groups to avoid complexity and potential security risks.
Configuring PIM for Groups
To prepare Microsoft Entra ID Privileged Identity Management (PIM) to manage Groups effectively, follow these essential steps.Identifying the Groups
Users often have multiple eligible assignments—sometimes five or six—to Microsoft Entra roles through PIM. Activating each role individually can be time-consuming and hamper productivity. The situation becomes even more complex when users have tens or hundreds of Azure resource assignments.To streamline access management, consider utilizing PIM for Groups. By creating a PIM-enabled group and granting it permanent active access to multiple roles, users can activate a single group membership instead of multiple individual roles. This approach simplifies the activation process and enhances efficiency.
To manage a Microsoft Entra role-assignable group as a PIM for Groups, you need to bring the group under PIM management.
- Any Microsoft Entra security group or Microsoft 365 group (excluding dynamic groups and on-premises synced groups) can be enabled for PIM for Groups.
- Groups do not need to be role-assignable for PIM activation, but role-assignable groups provide enhanced security.
Creating a Role-Assignable Group for Testing
In Microsoft Entra ID, you can assign a Microsoft Entra security group or a Microsoft 365 group to a Microsoft Entra role, but this is only possible for groups that were created as role-assignable.- Group Type: Select the appropriate group type.
- Group Name: Enter a name for the group.
- Group Description: Provide a brief description of the group.
- Microsoft Entra roles can be assigned to the group: Choose Yes.
- Roles: For our testing, select the following roles: Helpdesk Administrator, Password Administrator, and User Administrator.
After the group is provisioned, we'll add the owners and members through PIM (Privileged Identity Management).
Note: Role-assignable groups offer additional protections compared to non-role-assignable groups:
- Role-assignable groups: Only Global Administrators, Privileged Role Administrators, or the group Owner can manage these groups. Additionally, no other users can modify the credentials of active members within the group. This ensures that administrators cannot elevate to higher privileged roles without following the proper request and approval process.
- Non-role-assignable groups: These groups can be managed by a wider range of Microsoft Entra roles, including Exchange Administrators, Groups Administrators, User Administrators, and more. Likewise, various roles such as Authentication Administrators, Helpdesk Administrators, and User Administrators can modify the credentials of active members in the group.
Note: When creating a group that can be assigned Microsoft Entra roles, this setting is permanent and cannot be modified later. You will need to acknowledge this warning and proceed during the group creation process.
After the group has been created, navigate to PIM and select Groups. From there, discover and add the newly created group to manage its membership and ownership through Privileged Identity Management (PIM).
Select Discover Groups and choose our recently created Group named Helpdesk Admin-Group and then select Manage Groups. Only supported Group types can be selected for PIM management.Once the selected group is added to PIM, you'll notice that the Members and Owners fields will appear empty, as no members or owners have been added yet.
Configuring Role Settings in PIM for Groups
- Directory Writer
- Groups Administrator
- Identity Governance Administrator
- User Administrator
Role Settings
Per Role Per Group: Role settings are defined individually for each role within each group. This means all assignments for the same role (member or owner) within the same group will follow the same role settings.Independence Between Groups and Roles: Role settings for one group are independent of those for another group. Similarly, role settings for one role (e.g., member) are independent of the settings for another role (e.g., owner) within the same group.
By configuring these role settings thoughtfully, you can ensure that membership and ownership assignments within your organization meet your security and compliance requirements. This includes setting up approval workflows to control who can approve or deny privilege elevation requests, thereby enhancing the overall governance of your Microsoft Entra environment.
After identifying the groups you plan to protect with PIM, the next step is to draft and configure the appropriate settings for each group.
To configure role settings for a group, sign in to the Microsoft Entra Admin Center and navigate to Identity Governance, then Privileged Identity Management, and select Groups.
we will use this below reference as an example for configuring the Owner and Member settings.
Role | Require Justification on Activation | Notification | Require Conditional Access | Require Approval | Approver | Activation Duration | Active Admin | Active Expiration | Eligible Expiration |
---|---|---|---|---|---|---|---|---|---|
Owner | ✔️ | ✔️ | ✔️ | ✔️ | Other owners of the resource | 2 Hour | None | N/A | 6 Months |
Member | ✔️ | ✔️ | ✔️ | ❌ | None | 4 Hours | None | N/A | 3 Months |
- Activation Maximum Duration: Set to 2 hours.
- Conditional Access: During activation, Microsoft Entra Conditional Access authentication context will be triggered, requiring Passwordless MFA and acceptance of the Terms of Use.
- Justification Requirement: Users must provide a business justification when activating their eligible assignment.
- Approval Requirement: Approval is required to activate the eligible Owner assignments.
In the Assignments Settings, we will configure eligible assignments to expire after 6 months. Additionally, we will allow permanent active assignments and require the following:
- Multi-factor authentication (MFA) for active assignments.
- Justification for active assignments, requiring users to provide a reason when activating an assignment.
Assigning an Owner or Member to a Group
To make a user an eligible member or owner of a group, follow these steps. You'll need the appropriate permissions to manage groups:
- For role-assignable groups, you must have at least the Privileged Role Administrator role or be the Owner of the group.
- For non-role-assignable groups, you need to have at least one of the following roles: Directory Writer, Groups Administrator, Identity Governance Administrator, User Administrator, or be the Owner of the group.
Additionally, role assignments for administrators should be scoped at the directory level and not at the administrative unit level.
Note: Other roles with group management permissions, such as Exchange Administrators for non-role-assignable Microsoft 365 groups, and administrators with assignments scoped at the administrative unit level, can manage groups through the Groups API/UX and may override changes made in Microsoft Entra PIM.
To assign an owner or member to a group:
Open the Entra Admin Center. Navigate to Identity Governance > Privileged Identity Management > Groups.
In this section, you can view groups that are already enabled for PIM for Groups Select the group you wish to manage.
Click on Assignments to proceed with assigning an owner or member.
Click on Add Assignments. Start by adding the Owner assignments, followed by adding the Member assignments.
We will add the Owner assignments as demonstrated in the screenshot below.
In the Group Roles tab, you can see the total number of assignments for both the Owner and Member roles.
You can use Privileged Identity Management (PIM) in Microsoft Entra ID to enable just-in-time membership or ownership of a group. When a group membership or ownership is activated, Microsoft Entra PIM temporarily assigns the user as a member or owner, creating an active assignment within seconds. Similarly, when deactivation occurs (either manually or through the expiration of the activation time), Microsoft Entra PIM removes the user's membership or ownership just as quickly.
Some applications provide access based on group membership. In certain cases, the application may not immediately reflect changes in group membership. For example, if the application previously cached that the user was not a member of the group, access might be denied when the user tries to log in again. Conversely, if the application cached that the user was a member of the group, they may still have access after group membership is deactivated. This behavior depends on the specific architecture of the application. In some cases, signing out and signing back in can help update the access changes.
Owner Role Activation
Now we are going to activate the Group Owner Role
Log in as the user who has been assigned as the owner of the group. Open the Azure portal, search for Privileged Identity Management, and then navigate to My roles.
Next, select Groups, where you will find the Group Owner role listed under Eligible Assignments. Choose Activate button near to the Owner Role Action.
The user will need to sign in using the Passwordless option. Since the user has already accepted the Terms of Use during previous Azure role testing, the Terms of Use document will not be displayed again.
After successful authentication, the user will be redirected to the Entra PIM Role Activation page, where they will need to select the activation duration, provide a justification, and click Activate to complete the process.
To approve the request, the approver needs to navigate to the Approve Requests tab in the PIM console.
Click Approve, and in the dialog box that appears, review the request, enter a justification, and then confirm the approval.
Next, select Groups, where you will find the Group Member role listed under Eligible Assignments. Choose Activate button near to the Member Role Action for the Required Group.
After clicking the Activate button, An Additional Verification banner will appear for the Member role activation because we have enabled Microsoft Entra Conditional Access authentication context in Role Settings. Click Continue to proceed.
When reviewing the user's assigned roles, you'll notice that the Entra ID roles assigned to the group have become active for the user as soon as they activated their group membership.
Note: When you activate a role in Privileged Identity Management, the activation may not immediately propagate across all portals that require the privileged role. In some cases, even if the change has been applied, web caching in a portal may cause a delay in the change taking effect.
Extending or Renewing PIM for Groups Assignments
Privileged Identity Management (PIM) in Microsoft Entra ID allows administrators to manage the lifecycle of group memberships and ownerships by setting start and end dates. As assignments near their end, PIM sends email notifications to affected users, groups, and resource administrators. Expired assignments remain visible for 30 days.
Users or groups with permissions can request to extend or renew time-bound assignments. Role-assignable groups are managed by the Privileged Role Administrator or Owner, while non-role-assignable groups can be managed by roles like Directory Writer or Groups Administrator. Role assignments must be scoped at the directory level.
PIM sends notifications:
- 14 days before expiration
- 1 day before expiration
- Upon expiration
The Extend option becomes available within 14 days of the assignment's end. Administrators are notified when extension or renewal requests are made and when decisions are finalized.
In the screenshot below, the Role Extend option is grade out because the assignment has not yet reached the grace period mentioned above.
Access Review for Azure Resources and Microsoft Entra Roles in PIM
- Azure resources: Requires Owner or User Access Administrator role.
- Microsoft Entra roles: Requires at least Privileged Role Administrator role.
- Service Principals: Requires a Microsoft Entra Workload ID Premium plan, along with a Microsoft Entra ID P2, Entra Suite, or Governance license.
Create Access Review
Sign in to the Microsoft Entra admin center as a user assigned to one of the required roles mentioned above.
Navigate to Identity Governance > Privileged Identity Management.
For reviewing Microsoft Entra roles, select Microsoft Entra roles, and for Azure resources, select Azure resources then Select the Azure Subscription
Microsoft Entra Roles & Azure Resource Access Review
We will perform the access review for Microsoft Entra roles, as the steps are the same for configuring an Access Review for Azure Resource. To begin, navigate to Microsoft Entra roles in PIM, then under the Manage section, select Access Reviews.
Click New to create a new access review.
To make the review recurring, change the Frequency setting from One time to options like Weekly, Monthly, Quarterly, Annually, or Semi-annually. Use the Duration slider or text box to set how long each review in the series will remain open for input. For example, a monthly review can have a maximum duration of 27 days to prevent overlaps.
Under the End setting, choose how the recurring series will conclude: it can run indefinitely, end on a specific date, or stop after a set number of occurrences. You or another administrator can stop the series anytime by updating the end date in the Settings.
In the Users Scope section, choose the scope for the review.
- For Microsoft Entra roles, the first option is Users and Groups, which includes directly assigned users and role-assignable groups.
- For Azure resource roles, the first option is Users, where groups assigned to Azure roles will be expanded to show all transitive user assignments in the review.
You can also select Service Principals to include machine accounts that have direct access to either the Azure resource or Microsoft Entra role in the review.
In the Review role membership section, select the privileged Azure resource or Microsoft Entra roles you want to review.
Note: Selecting more than one role will result in the creation of multiple access reviews. For instance, selecting five roles will generate five individual access reviews.
In the Assignment type section, you can scope the review based on how the principal was assigned to the role.
- Select Eligible assignments only to review assignments that are eligible, regardless of activation status at the time of the review.
- Choose Active assignments only to focus on reviewing currently active assignments.
- Select All active and eligible assignments to include both types of assignments in the review.
In the Reviewers section, you can select one or more individuals to review all users or have users review their own access.
- Selected users: Choose specific individuals to complete the review. This option is available regardless of the scope and allows the reviewers to assess users, groups, and service principals.
- Members (self): Select this option for users to review their own role assignments. This is only available when the review is scoped to Users and Groups or Users. For Microsoft Entra roles, role-assignable groups are excluded from the review when this option is selected.
- Manager: Choose this option to have the user’s manager review their role assignment. This is also only available when the review is scoped to Users and Groups or Users. You can also specify a fallback reviewer, who will step in when a user has no manager listed in the directory. For Microsoft Entra roles, role-assignable groups will be reviewed by the fallback reviewer if one is chosen.
- If you want to automatically remove access for users who were denied, set Auto apply results to resource to Enable. If you prefer to manually apply the results after the review, set this option to Disable.
- Use the If reviewers don’t respond option to decide what happens to users who were not reviewed by the end of the review period. This will not affect users who were reviewed.
Options include:
- No change: Leave the user's access as is.
- Remove access: Revoke the user's access.
- Approve access: Grant the user's access.
- Take recommendations: Follow the system's recommendation on whether to approve or deny the user's continued access.
- Set Show recommendations to Enable to display system recommendations to reviewers, based on the user’s access activity over the past 30 days. Users who have signed in within the last 30 days will have a recommendation to approve access, while users who haven’t will have a denial recommendation. This is based on both interactive and non-interactive sign-ins, with the last sign-in date also shown.
- Enable Require reason on approval to prompt reviewers to provide a justification when approving access.
- Turn on Mail notifications to have Microsoft Entra ID send emails to reviewers when the access review starts and to administrators when the review is completed.
- Enable Reminders to send reminders to reviewers who have not yet completed their review.
The content of emails sent to reviewers is automatically generated, including details like the review name, resource name, and due date. If you need to provide additional instructions or contact information, use the Additional content for reviewer email field to include this information in both invitation and reminder emails.
Since we selected 4 Entra roles, 4 separate access reviews have been created and are now displayed in the Access Reviews section.
You can monitor the progress of the review on the Overview page as reviewers complete their tasks. No access rights will be altered in the directory until the review is fully completed. Below is an example screenshot of the overview page for Microsoft Entra roles access reviews.
To manage a series of access reviews, navigate to the specific review where you'll find upcoming occurrences under Scheduled Reviews. Currently no Schedules available as per below screenshot You can adjust the end date or add/remove reviewers as needed.Based on your selections in the Upon completion settings, auto-apply will either execute after the review's end date or when you manually stop the review. The status will update from Completed through stages like Applying, and finally to Applied. Denied users, if any, will be removed from their roles within a few minutes.
Updating the Access Review
Once one or more access reviews have been started, you may need to modify or update their settings. Here are some common scenarios to consider:
- Adding or removing reviewers: You can add a fallback reviewer in addition to the primary reviewer when updating access reviews. Primary reviewers can be removed, but fallback reviewers cannot be removed by design.
- Note: Fallback reviewers can only be added when the reviewer type is set to Manager, while primary reviewers can be added when the reviewer type is Selected User.
- Reminding reviewers: You can enable the reminder option in Advanced Settings. When this is activated, reviewers will receive an email notification at the midpoint of the review period, regardless of whether they have completed their review.
- Updating settings: For recurring access reviews, settings are split between Current and Series. Changes made under Current will only apply to the current review, while changes under Series will apply to all future occurrences of the review.
Access Review of Azure Resource and Microsoft Entra Roles in PIM
If you're assigned an administrative role, your organization's Privileged Role Administrator may request you to periodically confirm that you still require that role for your job. You may receive an email with a link to the review, or you can start directly by visiting the Microsoft Entra admin center.
If you're at least a Privileged Role Administrator and want to perform access reviews, follow these steps to get started:
Navigate to Identity Governance > Privileged Identity Management (PIM).
Select Review Access
You can also view the outcome of the access review, whether it was Approved or Denied, as well as details on who reviewed the access. Additionally, you can download a summary of the completed review, including the review results.
On the Details page, the following options are available for managing access reviews of Azure resources and Microsoft Entra roles:
Here is an example of a One-time access review that we recently completed
- Stop an access review: While all access reviews have an end date, you can end a review early by selecting the Stop button. This option is only available when the review is active. Once stopped, a review cannot be restarted.
- Reset an access review: If the review is active and at least one decision has been made, you can reset the review by selecting the Reset button. This clears all decisions, marking all users as "not reviewed" again.
- Apply an access review: After the review is completed (either by reaching the end date or stopping it manually), the Apply button removes denied users' access to the role. If the Auto apply setting was enabled during review creation, this button will be disabled since the review will be applied automatically.
- Delete an access review: If you no longer need the review, you can remove it by selecting the Delete button. Be cautious, as this action is irreversible, and no confirmation will be required before deletion.
Conclusion
In this final part of our Exploring Microsoft Entra ID Privileged Identity Management (PIM) series, we’ve discussed how to manage Groups and conduct Access Reviews. By enabling just-in-time access and regularly reviewing role assignments, PIM helps reduce the risk of over-privileged users and strengthens your organization’s security. Leveraging PIM’s features like role-assignable groups and automated reviews ensures better control over access to critical resources.
This concludes our series on Microsoft Entra ID PIM, providing essential tools for enhancing security and compliance.
0 Comments