
15. Planning, Implementing Privileged Access and Access Reviews


Understanding Privileged Identity Management (PIM)

Traditionally we use RBAC to manage administration privileges: we assign privileges to a role, then give a user that role. PIM takes this a step further.

What is PIM?

PIM allows you to manage, control and monitor access to resources in your organisation.

These resources include Azure AD, Azure, O365, Intune etc.

PIM allows you to set:

  • Who gets access
  • When they get access
  • Do they have to request access
  • And more

PIM plays a role in controlling access to:

  • SaaS
  • PaaS
  • IaaS

PIM can be used to give someone admin access to a certain part of your Microsoft environment temporarily, for a set amount of time, e.g. giving a junior admin rights to create new users while the senior admin is on holiday leave. You don’t have to remember to remove the access when they return, so it increases security.

Just-in-time security involves granting a user access to a specific system or database for a limited amount of time.

Key Features of PIM

  • Setup just-in-time admin access to Azure AD
  • Create time bound access to resources using start and end dates
  • Enforce approval to activate privileged roles
  • Enforce MFA to activate a role
  • Utilise justification to understand why users activate
  • Get notifications when roles are activated
  • Conduct access reviews to ensure users still need roles
  • Get audit history for internal or external audits

Roles Required for Managing PIM

  • Only a user who has the Privileged Role Administrator or Global Administrator role can manage assignments for other administrators
  • You can grant other admins access to manage PIM
  • Global Administrators, Security Administrators, Global Readers and Security Readers can also view role assignments in PIM


Using this feature requires an Azure AD Premium P2 licence


Implementing & Configuring PIM

Looking at your PIM settings:

  1. Go to Azure portal -> All services – search for Privileged Identity Management
  2. From here you can look at your own roles, requests and approvals
  3. Go to “Azure AD Roles”
  4. Here you can activate roles, assign eligibility, approve requests and view your history
  5. Go to Settings: here you can see the list of roles and if you have modified any
  6. Go to Assignments: here you can view and add assignments
  7. Role Settings: here you can adjust settings for the role (require justification, max activation time etc…)

Making a user a “User administrator”:

  • Go to Azure portal -> All services – search for Privileged Identity Management
  • Go to Azure AD Roles -> Manage -> Roles
  • Go to the “User administrator” role
  • Click “Add assignment”
  • Select Member: select the user
  • Click next to go to Settings
  • Settings:
    – Assignment Type: Eligible or Active
    – Permanent eligible or else set a start and end date
  • Click Assign
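The same time-bound eligible assignment can be made through Microsoft Graph instead of the portal. This is an added example, not code from the original post: it builds the roleEligibilityScheduleRequest body that matches the settings above (Eligible, with a start and end date) and can submit it. The user id, role definition id, dates and justification are constructed placeholders.

```python
import json
import urllib.request
from datetime import datetime, timezone

GRAPH = "https://graph.microsoft.com/v1.0"
# Constructed placeholders, not real tenant values: look up the user's object id
# and the role definition (by displayName) in your own tenant.
PRINCIPAL_ID = "00000000-0000-0000-0000-00000000aaaa"
ROLE_DEFINITION_ID = "00000000-0000-0000-0000-00000000bbbb"

def build_eligibility_request(principal_id, role_definition_id, start, end, justification):
    """Body for POST /roleManagement/directory/roleEligibilityScheduleRequests."""
    if end <= start:
        raise ValueError("end date must be after start date")
    if not justification.strip():
        raise ValueError("justification required so the audit trail explains the grant")
    return {
        "action": "adminAssign",            # an administrator grants eligibility
        "justification": justification,
        "principalId": principal_id,
        "roleDefinitionId": role_definition_id,
        "directoryScopeId": "/",            # tenant-wide scope
        "scheduleInfo": {
            "startDateTime": start.strftime("%Y-%m-%dT%H:%M:%SZ"),
            "expiration": {                 # time-bound; type "noExpiration" = permanent eligible
                "type": "afterDateTime",
                "endDateTime": end.strftime("%Y-%m-%dT%H:%M:%SZ"),
            },
        },
    }

def submit_eligibility_request(token, body):
    """POST the body to Graph (token needs RoleManagement.ReadWrite.Directory)."""
    req = urllib.request.Request(
        f"{GRAPH}/roleManagement/directory/roleEligibilityScheduleRequests",
        data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def example_request():
    """Two-week eligibility window covering the senior admin's leave (constructed dates)."""
    return build_eligibility_request(
        PRINCIPAL_ID, ROLE_DEFINITION_ID,
        datetime(2024, 6, 3, 8, 0, tzinfo=timezone.utc),
        datetime(2024, 6, 17, 18, 0, tzinfo=timezone.utc),
        "Covering user administration while the senior admin is on leave")
```

Print `json.dumps(example_request(), indent=2)` to inspect the body before passing it to `submit_eligibility_request` with a real token.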


Activating PIM roles as a User

Now that we have assigned a role to the user, we will go through to activate their PIM role:

  1. As the user, Go to Azure portal -> All services – search for Privileged Identity Management
  2. Go to “My Roles”
  3. Under Eligible roles you will see the User Administrator role. Click on Activate
  4. If additional verification is required there will be a link for this


Analysing PIM Audit History Reports

  1. Go to Azure portal -> All services – search for Privileged Identity Management
  2. Go to ‘My audit History’
  3. Here you can see logs of when someone gave a role to someone else and when roles were activated. You can search and filter the logs and then export them to CSV
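Once the audit history is exported to CSV, a short script can triage it for the things a reviewer cares about: activations with no justification, activations outside working hours, and direct active assignments that bypass the activation gates. This is an added example, not part of the original post; the sample rows, column names and action strings are constructed assumptions, so map them to the columns of your own export.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample export; real column names and action strings may differ.
SAMPLE_CSV = """Time,Requestor,Action,Subject,Role,Justification
2024-06-03T09:12:00Z,alice@contoso.example,Add eligible member to role,bob@contoso.example,User Administrator,Covering leave
2024-06-03T09:40:00Z,bob@contoso.example,Activate role,bob@contoso.example,User Administrator,Create starters
2024-06-04T02:15:00Z,bob@contoso.example,Activate role,bob@contoso.example,User Administrator,
2024-06-04T14:05:00Z,alice@contoso.example,Add member to role,carol@contoso.example,Global Administrator,
2024-06-05T22:30:00Z,carol@contoso.example,Activate role,carol@contoso.example,Global Administrator,Incident response
"""

def load_rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def parse_time(row):
    return datetime.strptime(row["Time"], "%Y-%m-%dT%H:%M:%SZ")

def activations_without_justification(rows):
    """Activations with an empty justification; the role setting should require one."""
    return [r for r in rows if r["Action"] == "Activate role" and not r["Justification"].strip()]

def off_hours_activations(rows, start_hour=8, end_hour=18):
    """Activations outside the working window (hours in UTC); review these first."""
    return [r for r in rows if r["Action"] == "Activate role"
            and not start_hour <= parse_time(r).hour < end_hour]

def active_assignments(rows):
    """Direct (active) assignments skip activation and its MFA/approval checks."""
    return [r for r in rows if r["Action"] == "Add member to role"]

def activation_counts(rows):
    """How many times each subject activated a role in the export."""
    return Counter(r["Subject"] for r in rows if r["Action"] == "Activate role")

if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    for name, hits in [("no justification", activations_without_justification(rows)),
                       ("off-hours", off_hours_activations(rows)),
                       ("active (not eligible) assignments", active_assignments(rows))]:
        print(f"{name}: {len(hits)}")
        for r in hits:
            print(f"  {r['Time']} {r['Subject']} {r['Role']}")
    print("activations per user:", dict(activation_counts(rows)))
```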


Break Glass Accounts

This is an account that can save you if you accidentally lock yourself out of your own account.

It’s also known as an emergency access account

Why use an emergency access account?

  • You use a third-party authentication system and it goes down
  • Administrators can’t log in using MFA because the phone network is down

Guidelines for creating an emergency access account

  • This account should not be associated with any individual user in the organisation
  • The authentication mechanism should be different from that used by other admin accounts. It should be a standard password, but a very strong one
  • The device or credential must not expire
  • This role assignment should be permanent

Store account credentials safely

  • If written down, split it into 2 or 3 parts on separate pieces of paper, kept in a fireproof safe in a secure location
  • Passwords should be at least 16 characters long and randomly generated



Implementing and Configuring Access Reviews in Azure AD

Creating an Access Review for Guest users

  1. Go to Azure AD -> Identity Governance -> Access Reviews -> New Access Review
  2. Review Type:
    – What to review: Teams and Groups -> Select “All M365 groups with guests”
    – Select Review scope: “guest users only”
  3. Reviews:
    – Select reviewers: group owners, Specific users, managers of users
    – Recurrence of reviews: number of days
    – Review recurrence: quarterly, fortnightly etc…
    – Start Date
    – End date
  4. Settings:
    – Auto apply results to resource: if enabled, this will revoke users’ access automatically
    – If reviewers don’t respond: remove access, approve access, or make no change
    – Send notification to
    – Review decision helpers: if the reviewer hasn’t signed in for 30 days
  5. Advanced settings:
    – Which information to gather when running the access review
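The settings in steps 3 and 4 interact: the decision helper only recommends, the "if reviewers don’t respond" option decides what an unanswered review means, and auto-apply decides whether a Deny actually removes access. The following added example (not from the original post) models that combination over a constructed list of guests; the 30-day inactivity threshold and the guest records are assumptions for illustration.

```python
from datetime import date

REVIEW_DATE = date(2024, 6, 1)   # constructed: the day the review runs

# Constructed sample: (guest UPN, last sign-in, reviewer's decision or None if silent)
GUESTS = [
    ("pat@partner.example", date(2024, 5, 28), "Approve"),
    ("sam@vendor.example",  date(2024, 3, 2),  None),      # stale and reviewer silent
    ("kim@vendor.example",  date(2024, 5, 30), None),      # active but reviewer silent
    ("lee@partner.example", date(2024, 1, 15), "Deny"),
]

def recommendation(last_sign_in, review_date, inactive_days=30):
    """Decision helper: recommend Deny when the guest has not signed in recently."""
    return "Deny" if (review_date - last_sign_in).days > inactive_days else "Approve"

def outcome(decision, if_no_response):
    """if_no_response is 'remove', 'approve' or 'no_change' (the three portal options)."""
    if decision is not None:
        return decision                      # the reviewer's explicit answer wins
    if if_no_response == "remove":
        return "Deny"
    if if_no_response == "approve":
        return "Approve"
    if if_no_response == "no_change":
        return "NotReviewed"                 # guest keeps access, nobody looked at it
    raise ValueError(f"unknown no-response policy: {if_no_response}")

def run_review(guests, review_date, if_no_response, auto_apply):
    """Return {upn: (helper recommendation, outcome, access actually removed)}."""
    results = {}
    for upn, last_sign_in, decision in guests:
        rec = recommendation(last_sign_in, review_date)
        out = outcome(decision, if_no_response)
        results[upn] = (rec, out, auto_apply and out == "Deny")
    return results

if __name__ == "__main__":
    for policy in ("remove", "no_change"):
        print(f"if reviewers don't respond = {policy}, auto-apply on")
        for upn, (rec, out, removed) in run_review(GUESTS, REVIEW_DATE, policy, True).items():
            print(f"  {upn:22} helper={rec:8} outcome={out:12} removed={removed}")
```

Running it shows the weak combination directly: with "make no change", stale guests such as sam keep access even though the helper flagged them, whereas "remove access" plus auto-apply cleans them up (and also removes active guests whose reviewer simply did not answer).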
