Privileged Identity Management

March 11, 2020

Here we will try to describe how to enable Privileged Identity Management (PIM) in Azure. In this way all your users can have the bare minimum of roles needed to do their job, and at the same time temporarily extend those roles when needed.

For this blog we are going to use the Intune Service Administrator role.

When logging on to the Azure portal with my test user and going to the Intune service I see the following:

Because I don't want my user to have these rights continuously, I'm going to give him access using PIM. For this we go to the Privileged Identity Management blade: https://portal.azure.com/#blade/Microsoft_Azure_PIMCommon/CommonMenuBlade/quickStart

From here we are going to manage the access for our test user so that it can grant itself Intune Service Administrator rights for a fixed amount of time.

Click on Manage under Manage Access

We have the options to Assign, Activate, Approve and Audit PIM requests. We are going to start by assigning eligibility.

In the middle blade we look up the Intune Service Administrator role and click on it. We can now see the already existing members and add the members we want to be eligible for the role.

So now we click Add Member and add our new user.

After the user is added, you can see that it is added as an Eligible user instead of a Permanent user, which is the state you get if you add it 'normally' through the Azure Active Directory Roles.

So when I now log in as my test user in the portal, I am still the same user with the same rights as before: I still do not have access to Intune.

But now if I go to the PIM blade https://portal.azure.com/#blade/Microsoft_Azure_PIMCommon/CommonMenuBlade/quickStart

I will see the following:

This is basically the same screen we’ve seen when being logged in as an Administrator. But now when we click on Roles, we’ll see:

As you can see, the user now sees it is eligible for the Intune Service Administrator role; it is not activated at the moment and has no pending requests. But we can activate it, so let's click on that link.

We now see the following:

From here we can Activate (or Deactivate, if already activated) the Intune Service Administrator role. So let's Activate it.

We have a couple of things we need to supply (also for the sake of auditing):

By default you get the role for a duration of 1 hour (which is the maximum time); this can be shortened to 30 minutes.

You have to give a reason for the activation. This can be any text of course, but since it is used for auditing, be a bit specific.

If we set those values we can click on Activate and continue. But there is also an option: Custom activation start time.

When we select this, we see the following:

By default this is set to the current time. But we can also set it to a specific date/time, so that a user gets access to the specified role only for that specific window.

For now we just activate it directly.

Now click on Activate.

Now the process goes through several steps:
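The same activation request, as an added example that is not part of the original post: it builds the body a client would send to the current Microsoft Graph endpoint `POST /v1.0/roleManagement/directory/roleAssignmentScheduleRequests` (an assumption; the 2020 portal used a different backend) and enforces the same constraints the portal shows: a justification is mandatory, the duration is at most 1 hour and can be shortened to 30 minutes, and a custom start time opens a later window. The role and principal ids are placeholders.

```python
"""Build and sanity-check a PIM self-activation request body (added example)."""
from datetime import datetime, timedelta, timezone

# Placeholders, not real tenant identifiers: look these up in your own tenant.
ROLE_DEFINITION_ID = "<intune-service-administrator-role-definition-id>"
PRINCIPAL_ID = "<test-user-object-id>"
MIN_MINUTES, MAX_MINUTES = 30, 60  # the limits the portal enforces


def parse_graph_time(s):
    """Parse Graph's ISO-8601 UTC timestamp ("...Z") into an aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def validate_activation(justification, minutes):
    """Return a list of problems; an empty list means the request is acceptable."""
    problems = []
    if not justification or not justification.strip():
        problems.append("a justification is required for auditing")
    if not MIN_MINUTES <= minutes <= MAX_MINUTES:
        problems.append(f"duration must be {MIN_MINUTES}-{MAX_MINUTES} minutes")
    return problems


def build_activation(justification, minutes=MAX_MINUTES, start=None):
    """Return the selfActivate request body, or raise ValueError."""
    problems = validate_activation(justification, minutes)
    if problems:
        raise ValueError("; ".join(problems))
    start = start or datetime.now(timezone.utc)  # default: activate right now
    if start.tzinfo is None:
        raise ValueError("custom start time must be timezone-aware")
    start_utc = start.astimezone(timezone.utc).isoformat().replace("+00:00", "Z")
    return {
        "action": "selfActivate",
        "principalId": PRINCIPAL_ID,
        "roleDefinitionId": ROLE_DEFINITION_ID,
        "directoryScopeId": "/",  # tenant-wide directory role
        "justification": justification.strip(),
        "scheduleInfo": {
            "startDateTime": start_utc,
            "expiration": {"type": "afterDuration", "duration": f"PT{minutes}M"},
        },
    }


def is_active(body, now):
    """True while the window described by the body contains `now`."""
    info = body["scheduleInfo"]
    start = parse_graph_time(info["startDateTime"])
    minutes = int(info["expiration"]["duration"][2:-1])  # "PT30M" -> 30
    return start <= now < start + timedelta(minutes=minutes)
```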

If all ticks are green you need to sign out first.

This is an extra security measure: if someone has access to your computer for some reason and you are eligible for extra rights, they cannot just add those rights and start working with them.

After logging out and in again and going to Intune, I now see the following:

So now we have full access to Intune. And when I go to the AAD services I see the following:

And when I go to the My Roles part of the PIM blade I see:

From there we can add an extra activation, for example using the custom start time, but if we click on Active Roles we basically see the same, except with a Deactivate link.

Now we can wait until the activation ends by itself, or, if we are done already, select Deactivate. We then get the same screen as for Activation, but only with Deactivate enabled.

If you click this you are first asked whether you are sure.

The role is then directly removed.

So now, without reconnecting, when I go to the AAD services I see:

Unfortunately some things are still cached, so I would recommend always reconnecting after deactivating the rights.

As mentioned before there is also some auditing in place.

When, as my test user, I go to the PIM blade

https://portal.azure.com/#blade/Microsoft_Azure_PIM/DirectoryRoleManagementMenuBlade/ADPimQuickStart

and choose My audit history,

I get an overview of my activations and the reasons given for them.

Rex de Koning
