Azure AD Privileged Identity Management: Manage & Monitor Privileged Accounts. Do you want to minimize cyber attacks on your IT infrastructure using Azure AD Privileged Identity Management (PIM)? Use this article as your guide.

Well, Azure Active Directory PIM requires a license to use. So, we begin this article by explaining the licensing options.

Following that, we explain what Azure AD PIM is and why you need this feature. Additionally, you learn how to set it up to safeguard your Azure AD infrastructure.

Finally, the article discusses privileged access requests and authorizations. 

Options for Azure AD Privileged Identity Management Licensing

Before implementing Azure AD PIM, ensure you have the appropriate subscription. Specifically, you must allocate one of the subscriptions below to users that request or authorize privileged access.

If you have any of these licenses – Microsoft 365, Office 365, OneDrive for Business, Exchange, or SharePoint – consider purchasing a Microsoft 365 E5 Insider Risk Management add-on. Alternatively, subscribe to Microsoft 365 E5 or Microsoft 365 A5.

See the complete list of licensing options

To purchase a new subscription or add-on, sign in to admin.microsoft.com. Go to the menu and select “Marketplace.”

Finally, click the “All products” tab and search for the desired product to subscribe to.

What is Azure Active Directory Privileged Identity Management (PIM)?

To understand Azure AD PIM, you need to learn about privileged identities. Azure AD privileged identities are accounts with built-in security or admin permissions.

In simple terms, privileged identities or accounts have more privileges than regular user accounts. This means that, if higher privilege accounts are compromised, they pose a greater risk than compromised regular user accounts.

Why? Because privileged accounts can potentially modify every resource within an Azure AD environment.

Let’s discuss the 2 most critical Azure AD built-in roles: Privileged Role Admin and Global Admin. Users assigned these roles can directly or indirectly modify all Azure resources.

Beyond Azure AD, there are 3 other roles with resource level privileged access: Owner, Contributor, and User Access Admin.

Compromising any account with these roles puts a business’s IT infrastructure at a higher risk. Therefore, it is crucial to protect these privileged access roles.

This is where the Azure AD PIM comes in handy. 

Azure AD Privileged Identity Management (PIM) safeguards accounts with admin level permissions in Microsoft 365. This service allows IT organizations to manage, control, and monitor access to vital resources.

The central idea behind this solution is to limit the number of users with admin permissions. Azure AD PIM achieves this by controlling and monitoring users granted these higher level permissions. 

Why Manage, Control and Monitor Azure AD Privileged Accounts

A hacker gaining control of a privileged account may immediately cause harm to your IT infrastructure. 

Therefore, adding an extra layer of protection to accounts with privileged roles makes sense. Azure AD PIM provides this additional layer of security by requiring users who need to perform elevated tasks to submit a Just-In-Time access request.

When a user requests privileged access, a user in the approver’s group must approve or reject the request. Additionally, all administrative permission requests via the Azure AD PIM workflow are monitored.

Managing and monitoring users with higher resource permissions gives IT organizations control over those accounts. This reduces the potential for the accounts to be breached.

How to Setup Privileged Identity Management in Azure AD

Ensure that you have the required subscription. If you already possess a compatible license (refer to the licensing section), consider initiating a 90 day Microsoft 365 E5 Insider Risk Management add-on trial.

After that, follow the subsequent subsections to configure Azure AD Privileged Identity Management.

Task 1 of 4: Create a Group for Request Approvers

Privileged access requests are approved or rejected by members of an approvers group. Therefore, the first step in setting up Azure AD PIM involves identifying the users in this group.

Subsequently, follow these steps to create a mail-enabled security group in the Microsoft 365 portal:

1. Open admin.microsoft.com and sign in. Expand the “Teams & groups” menu and select “Active teams & groups.”

2. Click “Add a group” and then choose “Mail-enabled security” under the “Choose a group type” section of the “Add a group” workflow. Proceed by clicking “Next.”

3. Next, provide a name and description for the group. Add owners and members, set an email address, and review the details before clicking “Create group.”

You can also create mail-enabled security groups in the Exchange Online admin portal. To do this, go to Recipients -> Groups and click “Add a group.”

Note that mail-enabled groups cannot be created in the Azure AD portal. However, you can still access and view all groups (including mail-enabled groups) created in the Exchange Online or Microsoft 365 portals through the Azure AD portal.

Task 2 of 4: Enable Privileged Access and Assign Approvers Group

1. Click “Show all” in the Microsoft 365 admin menu. Then, expand Settings and click “Org Settings.”

2. Then, click the “Security & privacy” tab, and select Privileged access.

Important note: Please ensure that you have the required license, as Privileged access is not listed otherwise. 

3. On the “Privileged Access” flyout, check the “Allow privileged access requests and choose a default approval group” checkbox. Then, select the mail-enabled group you created in Task 1. 

Finally, click “Save.” 

Note: you can also enable privileged access and assign the approvers group using PowerShell.

Task 3 of 4: Create an Azure AD Privileged Access Policy

Now that you’ve created an approval group and enabled privileged access, you need to configure policies that define the privileged tasks people request authorization to perform. To proceed, follow the steps in the last section until you get to step 3. 

Then, on the flyout, click “Create policies and manage requests.”

Next, follow these steps to create a new privilege access policy:

1. Click the “Manage policies” tab. 

2. Click “+ Add policy.” Next, select a policy type. 

There are 3 policy types:

Task: allows people to request privileged access based on tasks they want to perform. 
Role: users request to be granted roles to perform tasks. 
Role Group: assigns privileged access to requesters based on role groups like “Help Desk,” “Security Admin,” or other role groups. 

For this article, I select Role Group.

Once you’ve chosen your Policy type, select the Scope as “Exchange.” Then, select a Policy name based on your chosen policy type. 

Next, select “Approval type.” If you choose a Manual approval, select the approval group you created in task 1 of 4 in the “Approvers” field.

Finally, click Create.

In my demo, since I created a policy that includes the “Security Reader” role group, users can request this role. 
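The same three setup tasks can be scripted from Exchange Online PowerShell, as the note under Task 2 mentions. The block below is an added example, not code from the article; it assumes placeholder values (the contoso.com tenant, admin@contoso.com, the approver addresses, and a task-type policy for the New-MoveRequest cmdlet instead of the Role Group policy used in the demo).

```powershell
# Added example: Tasks 1 to 3 of the setup via Exchange Online PowerShell.
# All UPNs, group names and addresses below are constructed placeholders.
Connect-ExchangeOnline -UserPrincipalName "admin@contoso.com"

# Task 1: create the mail-enabled security group for request approvers.
# -Type Security makes New-DistributionGroup create a mail-enabled
# security group rather than an ordinary distribution list.
$approvers = New-DistributionGroup -Name "PIM Approvers" `
    -Type Security -PrimarySmtpAddress "pim-approvers@contoso.com"
Add-DistributionGroupMember -Identity $approvers.Identity -Member "approver1@contoso.com"
Add-DistributionGroupMember -Identity $approvers.Identity -Member "approver2@contoso.com"

# Task 2: allow privileged access requests and set the default approver group.
Enable-ElevatedAccessControl -Admin "admin@contoso.com" `
    -ApproverGroup "pim-approvers@contoso.com"

# Task 3: a manually approved policy. This one is of the Task type and
# scopes the request to a single Exchange cmdlet (mailbox moves).
New-ElevatedAccessApprovalPolicy -Task "Exchange\New-MoveRequest" `
    -ApprovalType Manual -Approvers "pim-approvers@contoso.com"

# Check: list the policies now in force before handing the tenant over.
Get-ElevatedAccessApprovalPolicy | Format-List
```

The policy scope here is narrower than a role group: a requester approved under it can run only the named cmdlet for the duration of the approval.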

Task 4 of 4: Manage Privilege Requests and Approvals

The final task is managing requests and approvals.

In the next section, we discuss the entire Azure AD PIM process, starting with how to request authorization. 


Azure AD Privileged Identity Management Process

After setting up Azure AD PIM, the ongoing management workflow is as follows:

A user requests just-in-time PIM authorization -> a user in the PIM approvers group reviews the request -> the approver approves or denies the request. 

In the following subsections, we explore the steps to perform the tasks in the PIM workflow. 

Step 1: A User Requests Privileged Access Authorization

A privileged access request remains valid for 24 hours. If it is neither approved nor denied within that timeframe, it expires.

Here are the steps users follow to submit a privileged access request:

1. The admin user signs in to admin.microsoft.com.
2. Then, navigate to Show all -> Settings -> Org settings. 
3. Once at the “Org settings” page, click the “Security & privacy” tab and select Privileged access.
4. After that, Microsoft 365 displays a “Privileged Access” flyout – click Create policies and manage requests.
5. Then, click “+ Request access.” Finally, complete the request’s fields and click Create. 

Step 2: An Approver Views the Status, Approves or Denies the Requests

If you’re an Azure AD Privileged Identity Management approvers group member, open the Privileged access requests page in Microsoft 365. Next, click on the request you want to view.

Finally, approve or deny the request. 
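The request-and-approve workflow from Steps 1 and 2 can also be driven from Exchange Online PowerShell. This is an added example rather than the article’s own procedure; it assumes the constructed UPNs requester@contoso.com and approver1@contoso.com, the Exchange\New-MoveRequest policy from setup, and a request id copied from the cmdlet output.

```powershell
# Added example: request, review and decide a privileged access request.
# UPNs, the ticket reference and the request id are constructed placeholders.

# --- Requester side (Step 1) ---
Connect-ExchangeOnline -UserPrincipalName "requester@contoso.com"
New-ElevatedAccessRequest -Task "Exchange\New-MoveRequest" `
    -Reason "Migrate finance mailboxes, change ticket CHG-12345"
# The output includes the RequestId; the request expires after 24 hours
# if no approver acts on it.

# --- Approver side (Step 2), as a member of the approver group ---
Connect-ExchangeOnline -UserPrincipalName "approver1@contoso.com"

# Review every open request before deciding on any of them. Compare the
# stated reason against a real change record; a request with no matching
# ticket is the one to deny.
Get-ElevatedAccessRequest | Format-List

# Paste the id of the request being decided (taken from the listing above).
$requestId = "<RequestId from the Get-ElevatedAccessRequest output>"

Approve-ElevatedAccessRequest -RequestId $requestId `
    -Comment "Approved: matches change ticket CHG-12345"
# Deny-ElevatedAccessRequest -RequestId $requestId -Comment "No change record"

# Confirm the final state for the audit trail.
Get-ElevatedAccessRequest -RequestId $requestId | Format-List
```

Both the approval comment and the requester’s reason are retained with the request, so insist on a change reference in each so that later audit log review can tie the elevation to an authorised piece of work.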

How to Completely Disable Azure Privileged Access

If your organization no longer requires Azure AD PIM, follow these subsections to disable the service. 

Step 1 of 3: Disable Privileged Access

On the Microsoft 365 admin portal, navigate to Show all -> Settings -> Org settings. After that, click the “Security & privacy” tab and select Privileged access.

Finally, uncheck the “Allow privileged access requests and choose a default approval group” checkbox – then, click Save to complete the process.

Step 2 of 3: Remove Azure AD Privileged Access Policy

From the “Privileged Access” flyout, click “Create policies and manage requests.”

Then, click the “Manage policies” tab, and click on the policy you want to remove. Finally, click “Remove policy.”

Step 3 of 3: Delete the Default Approvers Group

Delete the mail-enabled security (approvers) group in the Microsoft 365 portal. Alternatively, complete the task from the Exchange Online portal.

To delete a group in the Microsoft 365 portal, follow these steps:

1. Navigate to “Teams & groups” -> “Active teams & groups”.
2. Then, click the “Mail-enabled security” tab.
3. Next, select the group you want to delete.
4. Finally, click “Delete group.”

On the other hand, in the Exchange Online portal:

1. Expand “Recipients” and select “Groups.”
2. Then, click the “Mail-enabled security” tab and select the group.
3. Finally, click “Delete group” to complete the task.

How to Monitor Azure AD Privileged Identities

Monitoring Azure AD Privileged Identities gives you helpful information about their access activities, security risks, and potential vulnerabilities. Furthermore, monitoring empowers you to make informed decisions about access controls, privileged account management and incident response strategies.

Fortunately, the Microsoft 365 infrastructure offers a range of monitoring tools. Here are some of the monitoring tools to investigate privileged account activities:

1. Azure Active Directory sign-in logs.
2. Audit logs in Azure AD.
3. Microsoft 365 Audit logs.
4. Azure Key Vault logging.

Read how to use these logs to monitor and analyse Azure AD Privileged Identity Management activities.

Azure AD Privileged Identity Management: Manage & Monitor Privileged Accounts Conclusion

In conclusion, we explored various sections on Azure AD Privileged Identity Management (PIM) in this article.

Firstly, we discussed the options for Azure AD PIM licensing. Next, the article explained the Azure Active Directory Privileged Identity Management (PIM) concept. Moreover, it emphasized the significance of managing, controlling, and monitoring Azure AD privileged accounts. Additionally, we provided detailed guidance on setting up Privileged Identity Management in Azure AD.

Furthermore, the article outlined the Azure AD Privileged Identity Management process, covering the steps from requesting privileged access to authorizing it. It also presented a comprehensive guide on disabling Azure privileged access when it is no longer required.

Lastly, we underscored the importance of actively monitoring Azure AD privileged identities.

By reading this article, we trust you have gained valuable insights into managing and monitoring privileged accounts in Azure AD.


Victor Ashiedu

Victor is an IT pro based in Manchester, UK. With over 22 years of experience managing Windows Server, Active Directory, and Powershell, and 7 years of expertise in Azure AD and Office 365, he's a seasoned expert in his field. When he's not working, he loves spending time with his family - a wife and a 5-year-old. Victor is passionate about helping businesses succeed in today's fast-changing tech landscape.
