PIM: Just in Time (JIT)


Introduction

Privileged Identity Management (PIM) lets you control how administrative roles are used in your tenant.

Just in time (JIT) access is one of the PIM approaches; it reduces the risk of compromising your cloud organization by keeping privileged roles inactive until they are actually needed.

In this article we discuss how to use JIT to control privileged administrative roles effectively.

How JIT works

JIT works in the following scenario:

  • The PIM admin (normally a global admin, like bisan@pioneers101.onmicrosoft.com) assigns an eligible role to a normal user who needs that role to perform administrative tasks.
  • The role is eligible for a specific period of time (for example 1 month).
  • During this month the user is still a normal user.
  • When the user needs to perform an administrative task, he activates the privileged role for a small amount of time (for example 1 hour).
  • After the activation period (1 hour) the user goes back to being a normal user without the privileged role, but he can activate it again when needed.
  • After the assignment period (1 month) the user will NOT be able to activate the privileged role, since the assignment period has expired.
  • The user can request to extend the assignment period from 1 month to a longer time (3 months) as needed, which requires approval from the PIM admin.
Step 01 - PIM admin assigns an eligible role

As PIM admin, open the Azure portal and search for PIM.
Currently there is NO Exchange admin eligible or activated.
Select eligible assignments.
Select users.
Add user Abdulla Salamah.
User added.
Assignment type is eligible, with 1 month.
Done.
Role is eligible but NOT activated.

Step 02 - user activates his eligible role

Now user Abdulla is eligible to activate the role.

User Abdulla logs in to the Azure portal and searches for PIM.

Select my roles.
Activate.

Before activating an eligible role, the user must enable MFA to protect his identity.

Need to enable MFA.
Next to enable MFA.
Select any MFA method, like the Microsoft Authenticator app.
Next.
MFA enabled.

Now the user can activate his eligible role.

Select activation time: 1 hour for example.
Eligible role activated.

How to verify if an eligible role is activated

There are many places to verify that an eligible role has been activated:

  • The PIM admin receives a notification email.
  • The user also receives a notification email.
  • The PIM admin can check from PIM roles to see which eligible roles are activated.
  • The user will also see the Exchange admin center (EAC) in his office.com portal.

PIM admin checks the role.
Email sent to user Abdulla.
Email sent to PIM admin.
User Abdulla sees the Exchange admin center in office.com.

Deactivate eligible role

Let us say that user abdulla@netwrokspioneers.com has finished his administrative tasks before the activation time expired (before one hour).

Simply, he can deactivate the role and go back to being a normal user without any privileged role.

Select deactivate.
Done.

Extend eligible role

User Abdulla feels that the assignment period (one month) is NOT enough and requests from Bisan (as PIM admin) to extend the period by 2 weeks more (until 15-Jan-2021).

PIM admin selects update.
Set the new end time to 15-Jan-2021.
Done.
Email sent to user.
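The same lifecycle (the eligible assignment from step 01, the one-hour self-activation from step 02, and the extension just described) expressed as Microsoft Graph PIM request bodies, as an added example that is not part of this article. The principal id and role definition id are placeholders, and the bearer token and the role's maximum activation duration are assumed to come from your tenant's PIM role settings.

```python
# Added example (not the article's code): build the Microsoft Graph v1.0 PIM
# request bodies for the JIT lifecycle above and check the timing rule first.
# Placeholders: principal id, role definition id; the bearer token and the
# role's "maximum activation duration" setting come from your tenant.
from datetime import datetime, timezone

GRAPH = "https://graph.microsoft.com/v1.0/roleManagement/directory"
ELIGIBILITY_URL = f"{GRAPH}/roleEligibilityScheduleRequests"   # step 01 / extend
ASSIGNMENT_URL = f"{GRAPH}/roleAssignmentScheduleRequests"     # step 02 activate


def _body(action, principal_id, role_def_id, justification, start, expiration):
    # Common shape of unifiedRoleEligibilityScheduleRequest / AssignmentScheduleRequest
    return {
        "action": action,
        "principalId": principal_id,
        "roleDefinitionId": role_def_id,
        "directoryScopeId": "/",          # tenant-wide, as in the portal walkthrough
        "justification": justification,
        "scheduleInfo": {"startDateTime": start.isoformat(), "expiration": expiration},
    }


def eligibility_body(principal_id, role_def_id, start, end, extend=False):
    """Step 01 (adminAssign) or the extension section (adminExtend): the PIM
    admin makes the user eligible until a fixed end date, e.g. 15-Jan-2021."""
    return _body("adminExtend" if extend else "adminAssign", principal_id, role_def_id,
                 "JIT eligibility for Exchange administration",
                 start, {"type": "afterDateTime", "endDateTime": end.isoformat()})


def activation_body(principal_id, role_def_id, start, hours):
    """Step 02 (selfActivate): the eligible user activates the role for `hours`."""
    return _body("selfActivate", principal_id, role_def_id, "Mailbox maintenance",
                 start, {"type": "afterDuration", "duration": f"PT{hours}H"})


def activation_allowed(now, eligible_start, eligible_end, hours, max_hours):
    """The JIT rule from the article: activation only inside the eligibility
    window (expired assignment -> refused) and never longer than the role's
    configured maximum activation duration."""
    return eligible_start <= now < eligible_end and 0 < hours <= max_hours


if __name__ == "__main__":
    utc = timezone.utc
    start, end = datetime(2020, 12, 1, tzinfo=utc), datetime(2021, 1, 1, tzinfo=utc)
    print(eligibility_body("<user-object-id>", "<role-definition-id>", start, end))
    print(activation_allowed(datetime(2021, 1, 5, tzinfo=utc), start, end, 1, 8))  # False
```

Each body is POSTed as JSON to the matching URL with an Authorization: Bearer header; checking activation_allowed first avoids sending requests PIM will refuse after the assignment period has expired.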

Conclusion

As we see above, the user was able to activate his eligible role without needing approval from the PIM admin.

Next article: we will show how to force the user to get approval from the PIM admin when activating his eligible role.

Please stay tuned.
