Friday, October 22, 2021

Azure Privileged Identity Management (PIM)


Azure Privileged Identity Management provides an access governance framework for highly privileged Office 365 and Azure accounts. Azure PIM is based on a just-in-time access model: highly privileged accounts such as Global Administrators, other Azure AD administrators and Azure administrators are made eligible to elevate their access for a specific timeframe, under eligibility criteria set by the PIM administrator. It also provides the ability to audit the actions of administrators, whether they use internal or external accounts.


Key features of PIM are:


It provides the ability to grant just-in-time access to Azure AD or Azure ARM-based roles.

It assigns time-bound access with a start and end date.

It can enforce an approval workflow if configured.

It enforces MFA for all privileged user accounts.

It requires users to provide a justification when activating a role.

It notifies other Global Administrators when a privilege escalation is activated.

It can run access reviews to confirm that only users who still need a role keep their eligibility.

It allows the activation history to be downloaded for internal and external audits.


License requirement –


It requires an Azure AD Premium P2 license to activate Azure AD Privileged Identity Management.


Considerations –


Microsoft also recommends having at least 2 cloud-only Global Administrator accounts (emergency-access or "break-glass" accounts) that are kept outside the PIM umbrella, so that there is still a way in if a problem with PIM locks everybody out.


Roll-out plan –


Microsoft has published a detailed plan for rolling out PIM for Azure AD and ARM administrator roles. It starts with auditing the existing assignments, then rolls PIM out for the most sensitive accounts such as Global Administrators, and then repeats the same process for the rest of the privileged roles.

https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-deployment-plan


Exceptions to PIM –


There can be exceptions where you end up leaving permanent assignments in place, for example for accounts used by applications that have no way of requesting elevated access on demand.
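As an added example (not from the original post), the following PowerShell script performs the auditing step of that roll-out for the Global Administrator role: it lists every assignment, separates permanent assignments from PIM activations and eligibilities, and flags any permanent assignment that is not one of the break-glass accounts described under Considerations, so the remaining ones can be reviewed as candidates for conversion to eligible or documented as exceptions. It assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph module) is installed and the caller may read role management data; the break-glass account names are placeholders.

```powershell
# Placeholder: replace with the UPNs of your two cloud-only break-glass accounts.
$BreakGlassAccounts = @('breakglass1@contoso.onmicrosoft.com',
                        'breakglass2@contoso.onmicrosoft.com')

# Well-known template ID of the Global Administrator directory role.
$GlobalAdminRoleId = '62e90394-69f5-4237-9190-012177145e10'

Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All'

# Active assignments: both permanent ("Assigned") and PIM activations ("Activated").
$schedules = Get-MgRoleManagementDirectoryRoleAssignmentSchedule `
    -Filter "roleDefinitionId eq '$GlobalAdminRoleId'" -All
# Eligible assignments: accounts that must activate through PIM before they can act.
$eligible = Get-MgRoleManagementDirectoryRoleEligibilitySchedule `
    -Filter "roleDefinitionId eq '$GlobalAdminRoleId'" -All

$report = foreach ($s in $schedules) {
    # Principals can be users, groups or service principals; resolve generically.
    $obj  = Get-MgDirectoryObject -DirectoryObjectId $s.PrincipalId
    $name = $obj.AdditionalProperties['userPrincipalName']
    if (-not $name) { $name = $obj.AdditionalProperties['displayName'] }
    [pscustomobject]@{
        Principal      = $name
        ObjectType     = $obj.AdditionalProperties['@odata.type']
        AssignmentType = $s.AssignmentType
        Expiration     = $s.ScheduleInfo.Expiration.Type   # noExpiration = permanent
        IsBreakGlass   = ($BreakGlassAccounts -contains $name)
    }
}

$report | Sort-Object AssignmentType, Principal | Format-Table -AutoSize

$permanent  = @($report | Where-Object { $_.AssignmentType -eq 'Assigned' -and $_.Expiration -eq 'noExpiration' })
$unexpected = @($permanent | Where-Object { -not $_.IsBreakGlass })
$missing    = @($BreakGlassAccounts | Where-Object { $_ -notin $permanent.Principal })

Write-Host ("Eligible (PIM) Global Admins: {0}; permanent Global Admins: {1}" -f @($eligible).Count, $permanent.Count)
if ($unexpected.Count -gt 0) {
    Write-Warning 'Permanent Global Admin assignments outside the break-glass set (candidates to convert to eligible):'
    $unexpected | ForEach-Object { Write-Warning "  $($_.Principal) [$($_.ObjectType)]" }
}
if ($missing.Count -gt 0) {
    Write-Warning "Break-glass accounts without a permanent Global Admin assignment: $($missing -join ', ')"
}
```

Run it again after each phase of the roll-out; the expected end state is that only the break-glass accounts and documented application exceptions remain permanent.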
