Introduction
Any organization wants to minimize the number of people who have access to sensitive information or resources. Fewer privileged users means a smaller chance of a malicious actor obtaining that access, and a smaller chance of an authorized user accidentally impacting a sensitive resource.
This leads us to the concept of Privileged Identity Management (PIM).
What is Privileged Identity Management (PIM)?
Privileged Identity Management (PIM) is a service in Azure Active Directory (Azure AD) that enables you to:
- manage
- control
- monitor access to important resources in your organization.
These resources include resources in:
- Azure AD
- Azure
- Microsoft 365
- Microsoft Intune
What does PIM do?
PIM is able to do the following:
- Provide time-based and approval-based role activation to mitigate the risks of misused access permissions on resources
- Provide just-in-time privileged access to Azure AD and Azure resources
- Assign access to resources for a limited time
- Require approval to activate privileged roles
- Enforce multi-factor authentication to activate any role
- Require a justification to understand why users activate a role
- Send notifications when privileged roles are activated
- Conduct access reviews to ensure users still need their roles (access reviews will be fully discussed in a separate article)
- Download the audit history for internal or external audits
License requirements for PIM
PIM requires one of the following licenses:
- Azure AD Premium P2
- Enterprise Mobility + Security (EMS) E
PIM aspects
In the coming articles we will discuss the PIM aspects in full detail, such as:
Permanent assignment
- A privileged assignment for an unlimited time
- Effectively the same as having no PIM configured
Time-bound assignment
- The privileged role is assigned and active for a specific amount of time, for example 2 weeks
- The user can use the role at any time within that period
Permanent eligible access
- The user is permanently eligible to use an administrative role
- The user activates the role when required, for a short amount of time (for example 1 hour)
- After that the role expires
- This helps if the user's account is compromised: outside the activation window there is no active role that could be used to harm your organization
Eligible access for a specific time (for example 3 weeks)
- The user is eligible to use an administrative role for 3 weeks
- Within those 3 weeks the user can activate the role when required, for a short amount of time (for example 1 hour)
- After that the role expires
- This helps if the user's account is compromised: outside the activation window there is no active role that could be used to harm your organization
Eligible access for a specific time (for example 3 weeks) with an approval workflow
- The user is eligible to use an administrative role for 3 weeks
- Within those 3 weeks the user can send a role activation request to the PIM approvers group when required, for a short amount of time (for example 1 hour)
- If one member of the approvers group approves the request, the user's role is activated for that short amount of time (1 hour, for example)
- After that the role expires, and the user has to send a new request
- This helps if the user's account is compromised: outside the activation window there is no active role that could be used to harm your organization
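To make the assignment types above concrete, here is an added example (not code from the original post) that expresses each of them as a Microsoft Graph role schedule request body, and checks the short activation window with a small timeline function. It assumes the v1.0 roleManagement/directory roleEligibilityScheduleRequests and roleAssignmentScheduleRequests resources and an access token holding RoleManagement.ReadWrite.Directory; the principal and role definition IDs are constructed placeholders, and only the offline builders are exercised here.

```python
"""Added example: PIM assignment types as Graph role schedule request bodies.
Assumptions: placeholder IDs below; Graph v1.0 *ScheduleRequests endpoints;
a token with RoleManagement.ReadWrite.Directory is needed to actually send."""
import json
import urllib.request
from datetime import datetime, timedelta, timezone
from typing import Optional

GRAPH = "https://graph.microsoft.com/v1.0"
# Constructed placeholder IDs; take real values from your tenant.
PRINCIPAL_ID = "00000000-0000-0000-0000-000000000001"
ROLE_DEFINITION_ID = "00000000-0000-0000-0000-000000000002"


def endpoint_for(kind: str) -> str:
    """Eligible assignments and active assignments use different resources."""
    if kind == "eligible":
        return f"{GRAPH}/roleManagement/directory/roleEligibilityScheduleRequests"
    if kind == "active":
        return f"{GRAPH}/roleManagement/directory/roleAssignmentScheduleRequests"
    raise ValueError(f"unknown assignment kind: {kind}")


def _expiration(days: Optional[int] = None, hours: Optional[int] = None) -> dict:
    """ISO 8601 duration for 'afterDuration'; 'noExpiration' when none given."""
    if days is not None:
        return {"type": "afterDuration", "duration": f"P{days}D"}
    if hours is not None:
        return {"type": "afterDuration", "duration": f"PT{hours}H"}
    return {"type": "noExpiration"}


def _request(action: str, principal_id: str, role_id: str, justification: str,
             expiration: dict, start: Optional[datetime] = None) -> dict:
    start = start or datetime.now(timezone.utc)
    return {
        "action": action,
        "principalId": principal_id,
        "roleDefinitionId": role_id,
        "directoryScopeId": "/",  # tenant-wide scope
        "justification": justification,
        "scheduleInfo": {"startDateTime": start.isoformat(), "expiration": expiration},
    }


def permanent_assignment(principal_id: str, role_id: str) -> dict:
    """Permanent active assignment: effectively 'no PIM' for this role."""
    return _request("adminAssign", principal_id, role_id,
                    "Permanent active assignment", _expiration())


def time_bound_assignment(principal_id: str, role_id: str, days: int = 14) -> dict:
    """Active assignment that expires on its own, e.g. after 2 weeks."""
    return _request("adminAssign", principal_id, role_id,
                    f"Active for {days} days", _expiration(days=days))


def eligible_assignment(principal_id: str, role_id: str,
                        days: Optional[int] = None) -> dict:
    """Eligible assignment (permanent when days is None, else time-bound).
    The user holds no active privilege until they activate."""
    return _request("adminAssign", principal_id, role_id,
                    "Eligible assignment", _expiration(days=days))


def self_activation(principal_id: str, role_id: str,
                    justification: str, hours: int = 1) -> dict:
    """An eligible user activates the role for a short window.
    If the role's policy requires approval, the request waits for an approver."""
    return _request("selfActivate", principal_id, role_id,
                    justification, _expiration(hours=hours))


def role_active_at(t: datetime, activated_at: datetime, hours: int = 1) -> bool:
    """True while an activation that started at activated_at still covers t."""
    return activated_at <= t < activated_at + timedelta(hours=hours)


def activation_window_demo() -> dict:
    """Worked timeline: a 1-hour activation covers 30 minutes later, not 2 hours later."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    return {
        "active_after_30_minutes": role_active_at(t0 + timedelta(minutes=30), t0, 1),
        "active_after_2_hours": role_active_at(t0 + timedelta(hours=2), t0, 1),
    }


def post_request(kind: str, body: dict, access_token: str) -> dict:
    """Send a schedule request to Graph (needs a real token; not called offline)."""
    req = urllib.request.Request(
        endpoint_for(kind), data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Eligible for 3 weeks, then a 1-hour self-activation with a justification.
    print(json.dumps(eligible_assignment(PRINCIPAL_ID, ROLE_DEFINITION_ID, days=21), indent=2))
    print(json.dumps(self_activation(PRINCIPAL_ID, ROLE_DEFINITION_ID, "Ticket INC-0001"), indent=2))
    print(activation_window_demo())
```

The eligible-for-3-weeks case is `eligible_assignment(..., days=21)` posted to the eligibility endpoint, and the user's 1-hour activation is `self_activation(...)` posted to the assignment endpoint; whether that activation needs approval, MFA or a justification is decided by the role's PIM policy, not by the request body.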
Conclusion
This was a brief overview of PIM.
In the next article we will see how to deploy PIM and how to use it to control privileged access management.
Please join us there.