
10/02/2022

Azure PIM Provisioning and Configuration

Setting up PIM Administrator

Global Admins enable PIM and create the PIM Admin role assignment.

PIM Admin Account Pre-requisites:

The PIM admin account needs the following two licenses assigned:

  1.  Azure AD Premium P2
  2.  Enterprise Mobility + Security (EMS) E5

PIM Admin Setup:

1. Log in to the Azure portal as Global Admin and navigate to Azure Active Directory.
2. In Featured highlights, click on
3. Click on “Azure AD roles” in the left pane => Navigate to “Roles” by clicking on
4. Search for “privileged role administrator”.
5. Click on the “Privileged Role Administrator” role. Click on
6. Follow the configuration below:

Field                | Value             | Reason
---------------------|-------------------|-----------------------------------------------------------------------------
Selected Member(s)*  | PIM Admin Account | This should be the account that is permanently treated as the PIM admin.
Assignment type      | Eligible          | The PIM admin account is always eligible, but not active. The PIM admin must activate this role every time changes need to be made to the PIM configuration.
Permanently eligible | YES               | Always eligible, but not active.

7. PIM Admin setup is finished.


PIM Provisioning

The PIM Admin decides which roles are enabled for PIM access requests and which users are eligible to request them.

Enabling PIM Admin Role

Setup:

1. Log in to the Azure portal as the PIM Admin account. Navigate to Azure Active Directory.
2. In Featured highlights, click on
3. Click on “My Roles” in the left pane. Here you will see all the roles for which the current user is eligible. As per the configuration above, the “Privileged Role Administrator” role should be listed permanently.
4. Click the “Activate” button. The user needs to validate their credentials via the Authenticator app by clicking on
5. Now the Duration slider is enabled, and the user can select for how many hours the PIM admin role should be activated.
6. The PIM Admin role is now active.


Configuring PIM constraints for AD Roles

In this document we intend to enable the AD roles listed below for PIM requests.

1. SharePoint Administrator
2. Teams Administrator
3. Exchange Administrator

Setup:

1. As the PIM admin user, log in to the Azure portal, go to Azure Active Directory, and navigate to “Privileged Identity Management”.
2. Click on “AD Roles” => Navigate to “Settings” in the left pane.
3. Search for the SharePoint Administrator role and click on it. Now click the “Edit” button to set the configuration.
4. Follow the configuration below:

Field                                                          | Value                                                             | Reason
---------------------------------------------------------------|-------------------------------------------------------------------|------------------------------------------------------------------------
Activation Maximum Duration (Hours)                            | 4                                                                 | The activated PIM role is automatically deactivated after 4 hours.
On Activation, require                                         | Azure MFA                                                         | The PIM role will not be activated without Authenticator MFA approval.
Require Justification on Activation                            | True / Yes                                                        | Makes the justification text field mandatory.
Require ticket information on activation                       | True / Yes                                                        | Makes the ticket / SR field mandatory.
Require Approval to activate                                   | False / No                                                        | No approvals necessary as of now.
Allow Permanent eligibility assignment                         | False / No                                                        | We want eligibility assignments to last only a year.
Expire Eligibility assignments after                           | 1 Year                                                            | Eligibility assignments for this role will be valid for one year.
Allow Permanent active assignment                              | False / No                                                        |
Expire active assignments after                                | 15 Days                                                           | Direct active assignments are limited to the minimum so that they don't overstay their welcome.
Require Azure Multi-Factor Authentication on active assignment | True / Yes                                                        |
Require Justification on active assignment                     | True / Yes                                                        |
Notification                                                   | Enable all emails and add any additional email IDs if required.  |

5. Now repeat steps 3 and 4 for the remaining roles, “Teams Administrator” and “Exchange Administrator”.

6. PIM parameter configuration for the AD roles is complete.
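The settings table above is applied by hand, once per role, and nothing in the portal flow tells you later whether someone has quietly loosened it. The following Python script is an added example and is not part of the original post: it encodes the same settings as Microsoft Graph unifiedRoleManagementPolicy rules (the rule ids, @odata.type values and ISO-8601 durations follow the Graph roleManagementPolicy schema, which the post itself does not mention) and audits a role's current rules against that baseline. The "fetched" policy at the bottom is constructed for the example, not data from a real tenant.

```python
"""Encode the PIM role settings from the table as Graph policy rules and audit a
fetched policy for drift. Rule ids/@odata.type values follow the Graph
roleManagementPolicy schema; the sample policy below is constructed, not real."""

ACTIVATION_MAX = "PT4H"     # Activation maximum duration: 4 hours
ELIGIBILITY_MAX = "P365D"   # Expire eligibility assignments after 1 year
ACTIVE_MAX = "P15D"         # Expire active assignments after 15 days


def _target(caller, level):
    # Which requests the rule applies to: the role's end users or PIM admins.
    return {"caller": caller, "operations": ["All"], "level": level,
            "inheritableSettings": [], "enforcedSettings": []}


def expiration_rule(rule_id, caller, level, max_duration):
    return {"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule",
            "id": rule_id, "isExpirationRequired": True,
            "maximumDuration": max_duration, "target": _target(caller, level)}


def enablement_rule(rule_id, caller, level, enabled):
    return {"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule",
            "id": rule_id, "enabledRules": list(enabled), "target": _target(caller, level)}


def approval_rule(rule_id, required):
    return {"@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule",
            "id": rule_id, "setting": {"isApprovalRequired": required},
            "target": _target("EndUser", "Assignment")}


def baseline_rules():
    """The table's settings as rules that could be PATCHed onto each role's policy."""
    return [
        expiration_rule("Expiration_EndUser_Assignment", "EndUser", "Assignment", ACTIVATION_MAX),
        enablement_rule("Enablement_EndUser_Assignment", "EndUser", "Assignment",
                        ["MultiFactorAuthentication", "Justification", "Ticketing"]),
        approval_rule("Approval_EndUser_Assignment", False),
        expiration_rule("Expiration_Admin_Eligibility", "Admin", "Eligibility", ELIGIBILITY_MAX),
        expiration_rule("Expiration_Admin_Assignment", "Admin", "Assignment", ACTIVE_MAX),
        enablement_rule("Enablement_Admin_Assignment", "Admin", "Assignment",
                        ["MultiFactorAuthentication", "Justification"]),
    ]


def audit_policy(fetched_rules):
    """Compare a role's current rules (the shape GET .../roleManagementPolicies/{id}/rules
    returns) with the baseline; one finding string per deviation, empty list = compliant."""
    current = {r["id"]: r for r in fetched_rules}
    findings = []
    for want in baseline_rules():
        have = current.get(want["id"])
        if have is None:
            findings.append(f"{want['id']}: rule missing from policy")
        elif "maximumDuration" in want:
            if not have.get("isExpirationRequired"):
                findings.append(f"{want['id']}: permanent assignment allowed (isExpirationRequired=False)")
            elif have.get("maximumDuration") != want["maximumDuration"]:
                findings.append(f"{want['id']}: maximumDuration {have.get('maximumDuration')} "
                                f"!= {want['maximumDuration']}")
        elif "enabledRules" in want:
            missing = set(want["enabledRules"]) - set(have.get("enabledRules", []))
            if missing:
                findings.append(f"{want['id']}: not enforced: {', '.join(sorted(missing))}")
        elif have.get("setting", {}).get("isApprovalRequired") != want["setting"]["isApprovalRequired"]:
            findings.append(f"{want['id']}: isApprovalRequired differs from baseline")
    return findings


# Constructed sample: a role policy that has drifted from the table in three places.
SAMPLE_DRIFTED_RULES = baseline_rules()
SAMPLE_DRIFTED_RULES[0]["maximumDuration"] = "PT8H"                                       # activation window doubled
SAMPLE_DRIFTED_RULES[1]["enabledRules"] = ["MultiFactorAuthentication", "Justification"]  # ticket no longer required
SAMPLE_DRIFTED_RULES[3]["isExpirationRequired"] = False                                   # permanent eligibility allowed

if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_DRIFTED_RULES):
        print("DRIFT:", finding)
```

Run `audit_policy` over the rules returned for each of the three roles after step 5 (and on a schedule afterwards); a non-empty result means the portal settings no longer match the table and should be re-applied and explained.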


Enabling PIM Access for Users / Groups

This step is performed by the PIM Admin by adding AD users / AD groups to each individual AD role.

Setup:

1. As the PIM admin user, log in to the Azure portal, go to Azure Active Directory, and navigate to “Privileged Identity Management”.
2. Click on “AD Roles” => Navigate to “Roles” => Search for “SharePoint Administrator”.
3. Click on “Add Assignment” and follow the configuration below:

Field               | Value                                       | Reason
--------------------|---------------------------------------------|-----------------------------------------------------------------------------
Scope type          | Directory                                   |
Selected member(s)* | AzureSecurityGroupForPIMAccess              | This AD security group contains all the _admin accounts that require elevated privileges from time to time.
Assignment type     | Eligible                                    | The users in the security group will be eligible for this role upon PIM access request. This does not mean the role is activated.
Assignment Starts   | Current date and time / Start date and time |
Assignment ends     | 1 year from now                             | 1 year is the maximum eligibility as per the configuration above.

4. Now repeat steps 2 and 3 for the remaining roles, “Teams Administrator” and “Exchange Administrator”.

5. Adding eligible users for each AD role's PIM access is complete.


PIM Usage

PIM User Request

This is the process users follow to request just-in-time privileged access for the various AD roles.

Pre-requisite:

The user must be a member of the “AzureSecurityGroupForPIMAccess” AD security group.

Setup:

1. The user logs on to the Azure portal and navigates to Azure Active Directory.
2. In Featured highlights, click on
3. Click on “My Roles” in the left pane. The user will see all the roles for which they are eligible for just-in-time elevated privileges.
4. Click the “Activate” button. The user must complete MFA authentication to enable the activation pane. The information below should be provided to activate PIM access.


5. The just-in-time elevated privilege is activated successfully. It will remain active for the next 4 hours.
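The two portal actions in the last sections, the PIM admin making the group eligible for a role for one year and a user activating that role for up to 4 hours with a justification and ticket, correspond to two Microsoft Graph request types. The script below is an added example, not code from the original post: it builds both request bodies (object shapes follow the Graph roleManagement/directory schema for roleEligibilityScheduleRequests and roleAssignmentScheduleRequests, which the post does not mention) and checks each one against the constraints from the role settings table before it would be submitted, so a request that the policy will reject (too long, no justification, no ticket, permanent) is caught locally. The role, group and user object ids are placeholders constructed for the example.

```python
"""Build a PIM eligibility (adminAssign) request and a self-activation
(selfActivate) request, and pre-check each against the role settings table.
Object shapes follow the Graph roleManagement/directory schema; ids are placeholders."""

import re
from datetime import datetime, timezone

ACTIVATION_MAX_HOURS = 4      # Activation maximum duration (hours)
ELIGIBILITY_MAX_DAYS = 365    # Expire eligibility assignments after 1 year

# Placeholders (constructed): in a real tenant these are object-id GUIDs.
ROLE_DEFINITION_ID = "<roleDefinitionId of SharePoint Administrator>"
GROUP_OBJECT_ID = "<objectId of AzureSecurityGroupForPIMAccess>"
USER_OBJECT_ID = "<objectId of the requesting _admin account>"

_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?)?$")


def duration_hours(iso):
    """Parse the ISO-8601 durations used here (PnD, PTnH, PnDTnH) into hours."""
    m = _DURATION.match(iso)
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported duration: {iso}")
    days, hours = (int(g) if g else 0 for g in m.groups())
    return days * 24 + hours


def eligibility_request(principal_id, role_definition_id, start=None):
    """What the PIM admin's 'Add Assignment' step sends: eligible, not active, for one year."""
    start = start or datetime.now(timezone.utc)
    return {
        "action": "adminAssign",
        "justification": "Eligible for JIT elevation per PIM configuration",
        "roleDefinitionId": role_definition_id,
        "directoryScopeId": "/",                       # Scope type: Directory
        "principalId": principal_id,                   # the security group
        "scheduleInfo": {
            "startDateTime": start.isoformat(),
            "expiration": {"type": "afterDuration", "duration": f"P{ELIGIBILITY_MAX_DAYS}D"},
        },
    }


def activation_request(principal_id, role_definition_id, hours, justification,
                       ticket_number, ticket_system):
    """What the user's 'Activate' step sends: time-boxed, justified, ticketed."""
    return {
        "action": "selfActivate",
        "principalId": principal_id,
        "roleDefinitionId": role_definition_id,
        "directoryScopeId": "/",
        "justification": justification,
        "ticketInfo": {"ticketNumber": ticket_number, "ticketSystem": ticket_system},
        "scheduleInfo": {
            "startDateTime": datetime.now(timezone.utc).isoformat(),
            "expiration": {"type": "afterDuration", "duration": f"PT{hours}H"},
        },
    }


def validate(request):
    """Reasons the policy from the settings table would reject this request (empty = OK)."""
    problems = []
    exp = request["scheduleInfo"]["expiration"]
    if exp["type"] == "noExpiration":
        return ["permanent assignments are not allowed"]
    hours = duration_hours(exp["duration"])
    if request["action"] == "selfActivate":
        if hours > ACTIVATION_MAX_HOURS:
            problems.append(f"activation of {hours}h exceeds maximum of {ACTIVATION_MAX_HOURS}h")
        if not request.get("justification", "").strip():
            problems.append("justification is required on activation")
        if not (request.get("ticketInfo") or {}).get("ticketNumber"):
            problems.append("ticket information is required on activation")
    elif request["action"] == "adminAssign" and hours > ELIGIBILITY_MAX_DAYS * 24:
        problems.append("eligibility longer than 1 year is not allowed")
    return problems


if __name__ == "__main__":
    req = activation_request(USER_OBJECT_ID, ROLE_DEFINITION_ID, 8, "", "", "")
    print(validate(req))   # three problems: too long, no justification, no ticket
```

Graph also lets the service itself dry-run a request by setting `isValidationOnly` to true on the body; the local check above is useful for self-service tooling that wants to show the user why a request will fail before it is sent.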
