Using Microsoft Privileged Access Management for Just-in-Time Administration

Microsoft Privileged Access Management, which strips the privileges from a privileged account, can help achieve IT security objectives.

Brien Posey

April 12, 2021


When it comes to IT security, there are three main objectives that organizations need to be focused on. Microsoft Privileged Access Management (PAM) can go a long way toward helping an organization to achieve them.

The three objectives are:

One of the things that makes it so difficult to fully achieve the objectives listed above is the need for privileged accounts. After all, it is impossible to perform routine, day-to-day IT management tasks without the use of privileged accounts. At the same time, if attackers gain access to one of these privileged accounts, they can do massive damage to the organization.

Microsoft Privileged Access Management works by stripping the privileges from a privileged account. When an administrator needs to perform an activity that requires privileged access, the administrator must request permission to do so. Upon receiving the necessary permission (which can be granted manually or automatically), the administrator’s account receives the required permissions, but only for a limited amount of time. So, if attackers do manage to compromise a privileged account, the account is of almost no use to them because it does not have any privileges associated with it.

In a Windows Server environment, Microsoft Privileged Access Management is based on the use of a group within a separate bastion forest in Active Directory. Initially, the administrator's account is removed from any administrative Active Directory groups, so the user is treated as a standard user rather than an administrator. When the user needs to perform a privileged operation, he or she uses either a special website or a PowerShell command to request authorization to perform the operation. When the request is approved, the user's account is added to a privileged group within the bastion forest. This causes the bastion forest to issue a time-limited Kerberos Ticket Granting Ticket. The user's privileges are revoked once the ticket's time to live (TTL) expires.
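Once administrators have been removed from the production forest's administrative groups, a practitioner will want to verify that this stays true. The following audit script is an added example, not code from the article or from Microsoft: it lists the members of the usual privileged groups and flags any membership that is permanent rather than time-bound. It assumes the RSAT ActiveDirectory module, domain controllers running Windows Server 2016 or later with the Privileged Access Management optional feature enabled (which is what makes time-bound memberships possible), and a group list that you adjust for your own forest.

```powershell
# Added audit example (not from the article). Under just-in-time administration,
# privileged groups in the production forest should be empty or contain only
# time-bound members; a permanent member is a finding worth investigating.
# Assumes: RSAT ActiveDirectory module, Windows Server 2016+ DCs with the
# "Privileged Access Management Feature" optional feature enabled.
Import-Module ActiveDirectory

function Get-PrivilegedGroupAudit {
    param(
        # The groups to check are an assumption; extend the list for your forest.
        [string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
    )
    foreach ($groupName in $Groups) {
        # With -ShowMemberTimeToLive, time-bound members are returned as "<TTL=seconds>,DN"
        $group = Get-ADGroup -Identity $groupName -Properties member -ShowMemberTimeToLive
        foreach ($entry in $group.member) {
            if ($entry -match '^<TTL=(\d+)>,(.+)$') {
                # Time-bound membership: expected under JIT, report the remaining TTL
                [pscustomobject]@{
                    Group      = $groupName
                    Member     = $Matches[2]
                    TimeBound  = $true
                    TtlSeconds = [int]$Matches[1]
                    Finding    = ''
                }
            } else {
                # Permanent membership: the privilege survives beyond any request window
                [pscustomobject]@{
                    Group      = $groupName
                    Member     = $entry
                    TimeBound  = $false
                    TtlSeconds = $null
                    Finding    = 'Permanent privileged membership; expected none under JIT'
                }
            }
        }
    }
}

# Permanent members sort first so the findings stand out in the report
Get-PrivilegedGroupAudit | Sort-Object TimeBound, Group | Format-Table -AutoSize
```

Run it on a schedule and alert on any row with TimeBound set to false, since standing membership in these groups is exactly what PAM is meant to eliminate.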

Microsoft Privileged Access Management is tied to Windows Server, but Microsoft has also made PAM available to Microsoft 365 subscribers. As such, an organization can use PAM to protect its Microsoft 365 environment, even if it does not have an on-premises Active Directory implementation.

The process of setting up Microsoft Privileged Access Management for Microsoft 365 is relatively straightforward, although the step-by-step process is beyond the scope of this article.

As you can see in Figure 1, Microsoft exposes PAM through the Azure Active Directory Admin Center.

Figure 1: PAM can be configured through Azure Active Directory.

Microsoft provides a handy quick start for privileged identity management, directly through the Azure Active Directory Admin Center. You can see what this looks like in Figure 2. You can even use the Azure Active Directory Admin Center to review pending requests and to grant or deny those requests.

Figure 2: The quick start for privileged identity management.

Instructions for configuring the M365 environment to use Microsoft Privileged Access Management are available here.

About the Author(s)

Brien Posey

Brien Posey is a bestselling technology author, a speaker, and a 20X Microsoft MVP. In addition to his ongoing work in IT, Posey has spent the last several years training as a commercial astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space.
