All about Azure Privileged Identity Management (PIM)
Updated: Aug 23, 2022
- RBAC Roles on Azure Resources
Introduction
Privileged Identity Management (PIM) is a service in Azure Active Directory (Azure AD) that enables you to manage, control, and monitor access to important resources in your organization.
PIM can manage access to 3 different types of resources:
Azure AD roles
Azure AD groups
RBAC roles on Azure Resources
To keep this blog post from getting too big, I will only be covering the above features. PIM includes many more features that I will possibly cover in future blog posts.
Some examples of things you could do with PIM:
You hired a contractor for a 3 month contract. They need access to Azure AD in order to do their job. You could use PIM to assign the contractor to the Azure AD "Global Administrator" role, and you could have the assignment end on the exact date that the contract ends.
You created a special group in Azure AD and then gave that group access to a multitude of things in your environment. You could use PIM to control who is a member of that group. You could even use PIM to allow certain people the ability to request 'just-in-time' (JIT) access to that group.
PIM is very powerful and these are just a couple of examples of what it can do.
Unfortunately, PIM is not free. Azure AD Premium P2 licensing is required for all users who will be managed by PIM.
PIM Assignments
When using PIM to control access to resources, it essentially all boils down to making PIM "Assignments." PIM supports two different types of assignments: Eligible and Active.
Eligible Assignments
You can add Users or Groups to an Eligible Assignment.
Eligible Assignments require the user to take action. Users must manually activate the Assignment before it goes into effect.
Depending on the settings that are configured, there may be other requirements as well, such as requiring the user to type in a reason why they need the role, or requiring the user to authenticate with MFA.
An Eligible Assignment may also be configured for approval first, so before the assignment takes effect an administrator will first need to approve it.
Eligible Assignments can be:
Permanent, meaning the user will always be able to activate it when they need it.
For a fixed time frame, meaning the user can only activate it during a specific start date and end date.
Active Assignments
You can add Users, Groups, or Service Principals to Active Assignments.
Active Assignments do not require any action from the user.
Active Assignments can be:
Permanently assigned, meaning the user has the role forever.
For a fixed time frame, meaning the user has the role only during a specific start and end date.
What can PIM manage?
1. Azure AD Roles
PIM can help you manage access to Azure AD roles.
You can control both built-in Azure AD roles and custom Azure AD roles.
You can assign Users, Groups, or Service Principals to an Azure AD role.
Note: You can only assign groups that were originally created with this option enabled: "AzureAD roles can be assigned to the group."
Note: Service Principals only support Active Assignments, they do not support Eligible Assignments.
Depending on the Azure AD role that you select, you may or may not be able to pick a particular Scope. A majority of the roles are scoped to Directory and there is no way to change that. However, some roles allow you to pick from multiple different Scopes. For example, the User Administrator role allows you to choose a Scope of Directory or Administrative Unit. Likewise, the Application Administrator role allows you to choose a Scope of Directory, Application, or Service Principal.
2. Azure AD Groups
PIM can help you manage access to Groups in Azure AD.
This feature is still in Preview, so be warned!
In the Portal this is called Privileged Access Groups.
You can control Security or Microsoft 365 groups. You can NOT control synced groups.
The group you want to control must have been originally created with this option enabled: "AzureAD roles can be assigned to the group."
You can assign Users, Groups, or Service Principals to an Azure AD Group.
Note: Service Principals only support Active Assignments, they do not support Eligible Assignments.
Note: Microsoft does NOT recommend assigning a group to a group with PIM (nesting groups), however, it is technically possible to do so.
For the Scope of the group in question, you can assign objects to be a Member of the group, or you can assign objects to be an Owner of the group.
3. RBAC Roles on Azure Resources
PIM can help you manage who is assigned to RBAC Roles on your Azure Resources.
In the portal this is simply called Azure Resources.
You can control RBAC roles on 4 different types of resources: Management Groups, Subscriptions, Resource Groups, or individual Resources. You can use both built-in RBAC roles or custom RBAC roles.
You can assign Users, Groups, or Service Principals to a particular RBAC role on a particular Resource.
Note: Service Principals only support Active Assignments, they do not support Eligible Assignments.
Conclusion
There is a lot more to PIM that I could write about. I may eventually do a part 2 of this article, including topics such as automating PIM through PowerShell, how to enable and configure PIM settings on the 3 different types of resources, as well as how to create Assignments for the 3 different types of resources. So, be on the look out!