Search
  • Nathan

All about Azure Privileged Identity Management (PIM)

Updated: Oct 31

Introduction

PIM Assignments

- Eligible Assignments

- Active Assignments

What can PIM manage?

- Azure AD Roles

- Azure AD Groups

- RBAC Roles on Azure Resources

Conclusion

References

Introduction


Privileged Identity Management (PIM) is a service in Azure Active Directory (Azure AD) that enables you to manage, control, and monitor access to important resources in your organization.


PIM can manage access to 3 different types of resources:

  • Azure AD roles

  • Azure AD groups

  • RBAC roles on Azure Resources

With regards to this blog post, I will only be covering the above features. However, PIM also includes other features that will not be covered here, such as:

  • Automatically generating alerts when there is suspicious activity in your Azure AD

  • Using audit history to see and review all of the Assignments and Activations

  • Performing on-demand or scheduled access reviews of critical roles

Some examples of things you could do with PIM:

  • You hired a contractor for a 3 month contract. They need access to Azure AD in order to do their job. You could use PIM to assign the contractor to the Azure AD "Global Administrator" role, and you could have the assignment end on the exact date that the contract ends.

  • You created a special group in Azure AD and then gave that group access to a multitude of things in your environment. You could use PIM to control who is a member of that group. You could even use PIM to allow certain people the ability to request 'just-in-time' (JIT) access to that group.

PIM is very powerful and these are just a couple of examples of what it can do.


Unfortunately, PIM is not free. Azure AD Premium P2 licensing is required for all users who will be managed by PIM.

PIM Assignments

When using PIM to control access to resources, it essentially all boils down to making PIM "Assignments." PIM supports two different types of assignments: Eligible and Active.



Eligible Assignments

  • You can add Users or Groups to an Eligible Assignment.

  • Eligible Assignments require the user to take action. Users must manually activate the Assignment before it goes into effect.

  • Depending on the settings that are configured, there may be other requirements as well, such as requiring the user to type in a reason why they need the role, or requiring the user to authenticate with MFA.

  • An Eligible Assignment may also be configured for approval first, so before the assignment takes effect an administrator will first need to approve it.

Eligible Assignments can be:

  • Permanent, meaning the user will always be able to activate it when needed.

  • For a fixed time frame, meaning the user can only activate during a specific start date and end date.


Active Assignments

  • You can add Users, Groups, or Service Principals to Active Assignments.

  • Active Assignments do not require any action from the user.

Eligible Assignments can be:

  • Permanently assigned, meaning the user gets the role forever.

  • For a fixed time frame, meaning the user gets the role only during a specific start and end date.

What can PIM manage?



1. Azure AD Roles


PIM can help you manage access to Azure AD roles.

  • You can control both built-in roles and custom roles.

You can assign Users, Groups, or Service Principals to an AzureAD role.

  • Note: You can only assign groups that were originally created with this option enabled: "AzureAD roles can be assigned to the group."

  • Note: Service Principals only support Active Assignments, they do not support Eligible Assignments.

Depending on the Azure AD role that you select, you may or may not be able to pick a particular Scope. A majority of the roles are scoped to Directory and there is no way to change that. However, some roles allow you to pick from multiple different Scopes. For example, the User Administrator role allows you to choose Directory or Administrative Unit as the Scope. Likewise, the Application Administrator role allows you to choose Directory, Application, or Service Principal as the Scope.



2. Azure AD Groups


PIM can help you manage access to Groups in Azure AD.

  • This feature is still in Preview, so what I say about it below may change.

  • In the Portal this is called Privileged Access Groups.

  • You can control Security or Microsoft 365 groups. You can NOT control synced groups.

  • The group you want to control must have been originally created with this option enabled: "AzureAD roles can be assigned to the group."

You can assign Users, Groups, or Service Principals to an Azure AD Group.

  • Note: Service Principals only support Active Assignments, they do not support Eligible Assignments.

  • Note: Microsoft does NOT recommend assigning a group to a group with PIM (nesting groups), however, it is technically possible to do so.

For the Scope of the group in question, you can assign objects to be a Member of the group, or you can assign objects to be an Owner of the group.



3. RBAC Roles on Azure Resources


PIM can help you manage who is assigned to RBAC Roles on your Azure Resources.

  • In the portal this is simply called Azure Resources.

  • You can control RBAC roles on 4 different types of resources: Management Groups, Subscriptions, Resource Groups, or individual Resources. You can use both built-in roles and custom roles.

You can assign Users, Groups, or Service Principals to a particular RBAC role on a particular Resource.

  • Note: Service Principals only support Active Assignments, they do not support Eligible Assignments.

Conclusion


There is a lot more to PIM that I could write about. I may eventually do a part 2 of this article, including topics such as automating PIM through PowerShell, how to enable and configure PIM settings on the 3 different types of resources, as well as how to create Assignments for the 3 different types of resources. So, be on the look out!

References:

- Plan a PIM deployment

- License requirements to use PIM

52 views