Azure Active Directory (Azure AD) is essentially a cloud-based Identity and Access Management (IAM) service.  Through it, you can create specific user groups and roles for each department in your company.

From there, you can then assign the appropriate levels of rights and permissions for all of the employees, so that they can securely gain access to the shared resources that they need in order to conduct their daily job tasks.

But there will of course be more critical resources within your organization that need stronger protection, and this is where Privileged Identity Management (PIM) comes into play.  It has been designed so that you can quickly and easily implement more granular levels of control.  Apart from this, it also allows your IT Security team to manage and monitor access to these mission-critical resources in real time.

We advise that you do not give permanent ("untethered") Global Administrator rights to any staff member except the CISO (or a similar role). Instead, use PIM to grant temporary access only when it is needed. In this way you can better protect access to your tenant and monitor the more limited access that PIM makes available.

A common occurrence we see is when someone with untethered global admin rights is phished, and the hacker now has access to the entire tenant. With PIM, a user has a very limited period of time to perform a task and this reduces the risk.

The Roles Of The PIM

The security functionalities of the PIM include the following features:

  • It can provide one-off access:
    This is also referred to as "Just In Time" access.  For example, if you have an employee who does not ordinarily need access to the admin features, you can provide temporary access only for the specific occasion on which he or she needs it.
  • It can grant access for longer periods of time:
    If you hire a longer-term contracted employee, you will need to assign rights and permissions to that individual for a set time period, say a couple of months or so.  With PIM, you create the assignment and give it a specific activation and deactivation time.  This is also known as "Time Bound" access, and its primary advantage is that nobody has to remember to deactivate the assigned privileges: it is all done automatically.
  • You can deploy Multifactor Authentication (MFA):
    This is where at least three layers of authentication are used to verify all of your employees.  Microsoft Azure has an entire suite of security tools for this purpose, and they can all be enforced through the PIM service.
  • Reasons have to be provided:
    A distinctive security feature of PIM is that when you assign rights and privileges, a justification must be supplied before the relevant permissions can be activated.  For example, if a Project Manager needs access to a server that holds Personally Identifiable Information (PII) datasets, a full reason as to why he or she needs it must be provided first.
  • You can view access privilege histories:
    With PIM, you also get a centralized view of the permissions that have been assigned to your employees, and you can modify them in real time as job titles and/or roles change.
  • Reports can be created easily:
    If needed, you can also create reports for audit purposes, especially if you are bound to the provisions of either the GDPR or the CCPA.
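The Just In Time, Time Bound and justification features described above, as an added PowerShell example (this is not code from the original article); it uses the Microsoft Graph PowerShell SDK, and the contractor's UPN, the end date, the ticket references and the choice of the Helpdesk Administrator role are all assumed placeholders.

```powershell
# Added example: time-bound eligibility plus a justified JIT activation via the
# Microsoft Graph PowerShell SDK. UPN, dates and ticket ids are placeholders.
Connect-MgGraph -Scopes "RoleEligibilitySchedule.ReadWrite.Directory",
    "RoleAssignmentSchedule.ReadWrite.Directory", "RoleManagement.Read.Directory", "User.Read.All"

# Look up the contractor (placeholder UPN) and the built-in role by display name,
# so no role template GUID has to be hard-coded.
$contractor = Get-MgUser -UserId "contractor@example.com"
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Helpdesk Administrator'"

# 1) Time Bound access: make the contractor *eligible* (not permanently active)
#    for the role; the eligibility expires automatically at the end date.
$eligibility = @{
    Action           = "adminAssign"
    PrincipalId      = $contractor.Id
    RoleDefinitionId = $role.Id
    DirectoryScopeId = "/"      # tenant-wide scope
    Justification    = "Contract engagement: helpdesk support, change CHG-PLACEHOLDER"
    ScheduleInfo     = @{
        StartDateTime = (Get-Date).ToUniversalTime()
        Expiration    = @{
            Type        = "afterDateTime"
            EndDateTime = (Get-Date "2030-06-30T00:00:00Z")   # placeholder end of contract
        }
    }
}
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $eligibility

# 2) Just In Time access: when the role is actually needed, the contractor activates
#    it for a short window and must give a reason; PIM records both. Run this step
#    signed in as the contractor (look up $contractor and $role again in that session).
$activation = @{
    Action           = "selfActivate"
    PrincipalId      = $contractor.Id
    RoleDefinitionId = $role.Id
    DirectoryScopeId = "/"
    Justification    = "Password reset for ticket INC-PLACEHOLDER"
    ScheduleInfo     = @{
        StartDateTime = (Get-Date).ToUniversalTime()
        Expiration    = @{ Type = "afterDuration"; Duration = "PT2H" }   # 2-hour window
    }
}
New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $activation

# 3) Access history: list the assignments currently active for this principal,
#    which is what reviewers and auditors will want to see.
Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -Filter "principalId eq '$($contractor.Id)'" |
    Select-Object RoleDefinitionId, StartDateTime, EndDateTime, AssignmentType
```

If the role's PIM settings require approval or MFA on activation, the request in step 2 stays pending until those conditions are met.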

The Licensing Requirements

In order to use the PIM service, you need to have one of the following types of licenses:

  • The Azure Active Directory (AD) Premium P2;
  • The Microsoft 365 Enterprise E5;
  • The Microsoft 365 Education A5;
  • The Enterprise Mobility + Security (EMS) E5.

Additional information about licensing can be seen here.

Who The PIM Is Meant For

It is important to note that the PIM service is not designed to be used in every department of your business.  Rather, it has been created specifically for the IT Security team and/or the IT Department.  In this regard, there are only two roles that can be assigned through PIM, which are:

  • The Privileged Role Administrator;
  • The Global Administrator.

The following are typical examples of when the PIM can be used:

  • Assigning Privileged Role Admin permissions;
  • Assigning Approver permissions;
  • Assigning Eligible Role User permissions.

If you are considering deploying PIM for your AD services, contact us today.  We can offer timely tips and advice to help you get the most out of it and further strengthen your lines of defense.