Privileged Identity Management: The Initial Configuration


introduction

In this second article of the PIM series, we will set up the initial configuration for PIM before moving on to examples of PIM best practices.

Let's go.

who can enable PIM

Any member of the Global Administrator role can enable PIM.

When a Global Administrator enables PIM, that account is automatically added to the Privileged Role Administrator role.

In our example tenant, Bisan and Ahmad are Global Administrators, so they are the ONLY ones who can enable PIM.

enable PIM

To enable PIM:

  1. Log in to the Azure portal.
  2. Search for Privileged Identity Management.
  3. Click Consent to PIM.

who can Manage PIM

As mentioned above, any member of the Global Administrator role (Bisan or Ahmad) can enable PIM.

BUT when Bisan enables PIM, she becomes the PIM admin (Privileged Role Administrator).

What does this mean?

It means that Bisan, the first Global Administrator to enable PIM, is at that point the ONLY one who can manage PIM.

The other Global Administrators (Ahmad) cannot manage PIM until the first admin allows them to, by adding them to the Privileged Role Administrator role.

post-enable PIM steps

There are a number of steps that should be done after enabling PIM, including but NOT limited to:

  • Start a discovery process to find out which users hold highly privileged roles in your organization.
  • Remove admins that are NO longer needed.
  • Don't lock yourself out: make sure you still have a way in before removing or converting assignments.
  • Create an emergency account (break-glass account), which we fully discussed in the Identity Protection article earlier in this series.
  • Decide which users should get an eligible role versus a permanently active role.
  • Generally, try as much as possible to make Global Administrators eligible admins rather than permanent admins (we will fully discuss eligible admins in the next article).
  • Use access reviews to control who keeps privileged roles.
  • Work with the subscription/resource owners of critical services to set up a Privileged Identity Management workflow for all roles inside sensitive subscriptions/resources.
  • When planning, consider assigning a role to a group (and managing the role assignment through the group) when many users are assigned to the same role, or when you want to delegate assigning the role.
  • Bring Azure AD role-assignable groups under management by Privileged Identity Management.
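To make the discovery step concrete, here is an added example that is not part of the original article. It uses the Microsoft Graph PowerShell SDK to list, for each of the roles the article cares about, who holds the role permanently, who holds it time-bound or currently activated, and who is merely eligible, so you can decide what to remove and what to convert to eligible. It assumes the Microsoft.Graph modules are installed, the signed-in account can read role management data, and the tenant is licensed for PIM; the break-glass account names are placeholders for this example.

```powershell
# Added example, not code from the original article: discovery script for the
# post-enable PIM checklist, built on the Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph modules installed, an account that can read role
# management data, and a tenant licensed for PIM. Break-glass UPNs are placeholders.
Import-Module Microsoft.Graph.Identity.Governance

Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All'

# Start with the roles the article says are most often managed by PIM.
$rolesToReview = @(
    'Global Administrator'
    'Privileged Role Administrator'
    'Security Administrator'
    'User Administrator'
    'Exchange Administrator'
    'SharePoint Administrator'
    'Intune Administrator'
)

# Emergency accounts expected to keep a permanent Global Administrator assignment
# (hypothetical names; replace with your own break-glass accounts).
$breakGlass = @('breakglass1@contoso.onmicrosoft.com', 'breakglass2@contoso.onmicrosoft.com')

function Get-PrincipalLabel {
    param($Principal)
    # Expanded principals come back as directoryObjects; the typed fields
    # (userPrincipalName, displayName, @odata.type) live in AdditionalProperties.
    $p = $Principal.AdditionalProperties
    $type = $p['@odata.type'] -replace '^#microsoft\.graph\.', ''
    $name = if ($p['userPrincipalName']) { $p['userPrincipalName'] } else { $p['displayName'] }
    return "$name ($type)"
}

$report = foreach ($roleName in $rolesToReview) {
    $def = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'" |
        Select-Object -First 1
    if (-not $def) { continue }

    $query = @{
        All            = $true
        Filter         = "roleDefinitionId eq '$($def.Id)'"
        ExpandProperty = 'Principal'
    }
    # Active assignments: permanent, time-bound, and currently activated (JIT) ones.
    $active   = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance @query
    # Eligible assignments: what PIM will let the principal activate on demand.
    $eligible = Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance @query

    foreach ($a in $active) {
        $upn = $a.Principal.AdditionalProperties['userPrincipalName']
        $isPermanent = ($a.AssignmentType -eq 'Assigned') -and (-not $a.EndDateTime)
        $state = if ($a.AssignmentType -eq 'Activated') { 'Activated (JIT)' }
                 elseif ($isPermanent) { 'PERMANENT' }
                 else { 'Active, time-bound' }
        $note = if ($upn -and ($breakGlass -contains $upn)) { 'break-glass: keep permanent' }
                elseif ($isPermanent) { 'review: convert to eligible or remove' }
                else { '' }
        [pscustomobject]@{
            Role      = $roleName
            Principal = Get-PrincipalLabel $a.Principal
            State     = $state
            Scope     = $a.DirectoryScopeId
            Note      = $note
        }
    }
    foreach ($e in $eligible) {
        [pscustomobject]@{
            Role      = $roleName
            Principal = Get-PrincipalLabel $e.Principal
            State     = 'Eligible'
            Scope     = $e.DirectoryScopeId
            Note      = ''
        }
    }
}

$report | Sort-Object Role, State, Principal | Format-Table -AutoSize

# "Don't lock yourself out" check: at least one permanent Global Administrator
# (normally only the break-glass accounts) must remain before converting the rest.
$permanentGA = $report | Where-Object { $_.Role -eq 'Global Administrator' -and $_.State -eq 'PERMANENT' }
if (-not $permanentGA) {
    Write-Warning 'No permanent Global Administrator found: keep the break-glass accounts permanent before converting the others to eligible.'
}
```

Run it once before touching any assignment and keep the output as the baseline for your first access review: every line marked PERMANENT that is not a break-glass account is a candidate to convert to eligible or remove, and every Activated (JIT) line tells you who is using PIM right now.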

Azure AD roles most commonly managed by PIM

It’s important to prioritize protecting Azure AD roles that have the most permissions.

Microsoft states that, based on usage patterns among all Privileged Identity Management customers, the top 10 Azure AD roles managed by Privileged Identity Management are:

  1. Global administrator
  2. Security administrator
  3. User administrator
  4. Exchange administrator
  5. SharePoint administrator
  6. Intune administrator
  7. Security reader
  8. Service administrator
  9. Billing administrator
  10. Skype for Business administrator

conclusion

NOW PIM is ready to use.

In the next article we will see how to assign eligible privileged roles to users.

Please join us there.
