AAD Privileged Identity Management

Overview

A common problem in any company is having users with a higher level of privileges than they actually need, or who no longer need them at all.

A typical case is “privileged” rights that are assigned to an external consultant and then never removed.

This situation represents a very high security risk.

The goal is to manage this area correctly by applying the principle of least privilege together with Just-In-Time access.

Solution

Azure Active Directory Privileged Identity Management (Azure AD PIM) is a service that simplifies the management (“who”, “what”, “when”, “where” and “why”) and control of “privileged” access to resources in Microsoft Azure Active Directory, Microsoft Azure, and other Microsoft online services (such as Microsoft 365 or Microsoft Intune).

This means that once an administrative role has been made eligible for a user, the role can be activated only when it is actually needed: for example, if a user occasionally manages Microsoft 365, the role can be activated only when deemed appropriate and for a predetermined period of time.

Here are some features included in Azure AD PIM:

  • Grant Just-In-Time access rights to Azure Active Directory and Azure resources;
  • Assign time-constrained access to resources;
  • Request approval for the activation of “privileged roles”;
  • Require multi-factor authentication to activate any role;
  • Require a justification explaining why a particular role should be activated for a user;
  • Receive email notifications when a role is assigned or activated.
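The following PowerShell is an added illustration, not code from the original page: it shows a user self-activating an eligible Azure AD role through PIM for a bounded period, with a justification, using the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed and that an administrator has already granted the user an eligible (not permanent) assignment; the role name, duration and justification text are assumed values.

```powershell
# Added example: self-activate an eligible Azure AD role through PIM for a
# bounded period, with a justification. Assumes the Microsoft Graph PowerShell
# SDK is installed and the signed-in user already holds an ELIGIBLE assignment
# for the role (configured by an administrator in PIM).

# Scopes needed to read eligibility and submit an activation request.
Connect-MgGraph -Scopes "RoleEligibilitySchedule.Read.Directory",
                        "RoleAssignmentSchedule.ReadWrite.Directory"

# Resolve the signed-in user's object id from the sign-in account (UPN).
$me = Get-MgUser -UserId (Get-MgContext).Account
$principalId = $me.Id

# Assumed role for the example; any directory role name works.
$roleName = "Exchange Administrator"
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"

# Confirm the user is eligible (not permanently assigned) before activating.
$eligible = Get-MgRoleManagementDirectoryRoleEligibilitySchedule `
    -Filter "principalId eq '$principalId' and roleDefinitionId eq '$($role.Id)'"
if (-not $eligible) {
    throw "No eligible assignment for '$roleName'; ask an administrator to add one in PIM."
}

# Activation request: time-bound (2 hours) with a justification. If the role's
# PIM policy requires approval or MFA, the request stays pending / prompts for it.
$request = @{
    Action           = "selfActivate"
    PrincipalId      = $principalId
    RoleDefinitionId = $role.Id
    DirectoryScopeId = "/"                 # tenant-wide scope
    Justification    = "Mailbox migration ticket INC-0000 (assumed example text)"
    ScheduleInfo     = @{
        StartDateTime = (Get-Date).ToUniversalTime()
        Expiration    = @{
            Type     = "afterDuration"
            Duration = "PT2H"               # ISO 8601 duration: active for two hours
        }
    }
}
$result = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $request

# Status is e.g. "Provisioned" (active now) or "PendingApproval" (approver must act).
$result | Select-Object Id, Status, CreatedDateTime
```

When the duration expires the assignment is removed automatically, which is the Just-In-Time behaviour described above; the request, its justification and the final status are recorded in the PIM audit history.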

Requirements

You must have one of the following licenses:

  • Azure AD Premium P2
  • Enterprise Mobility + Security (EMS) E5
  • Microsoft 365 E5

Benefits

  • Applying least privilege and Just-In-Time access lets you view the history of access to privileged roles and identify any security issues in real time.
  • Improved security and regulatory compliance, through careful administration of user assignments to privileged roles, including the request for appropriate approval and “multi-factor authentication”. Furthermore, “privileged” access activity can be tracked by defining appropriate e-mail notifications.
  • Cost reduction: assigning certain rights to users for a specified time guarantees accurate management that not only minimizes risk but, above all, reduces the costs associated with restoring functionality.