Q. What is Azure AD Privileged Identity Management?
A. Identity solutions typically all struggle with one major problem: too many administrators. Many actions or projects require users to have administrative privileges. Wherever possible those privileges should be granular, covering only the resources relevant to the task, and granted only for a short time. Because that requires sophisticated processes and workflows, what normally happens instead is that users are given full administrative permissions on a permanent basis, which is a huge risk from both deliberate and accidental actions.
Azure AD Privileged Identity Management (PIM) addresses this for Azure AD environments: users can be granted certain Azure AD roles that apply only for a set amount of time and only once activated by the user assigned to the role. Every role activation is fully audited with detailed logging.
The feature is installed by adding Azure AD Privileged Identity Management (PIM) from the Azure marketplace. Once activated, it makes the current user a Security Administrator for Azure AD PIM, a role that must itself be activated each time changes to Azure AD PIM are required. When the feature is first configured, all existing users who are assigned the roles covered by Azure AD PIM are displayed and you choose whether each user:
- Keep the role permanently
- Lose the role
- Can activate the role for a time-limited period when required, i.e. they have the role on a temporary basis
Users who have roles they can activate add Azure AD PIM to their dashboard and use it to activate their available roles as shown below:
Each of the supported roles can have its own configuration covering the duration for which the role is granted to the user, whether the user is notified via email of the activation, and whether MFA is required when the role is activated.
Using this feature helps enable just-in-time administration for your Azure AD environment.
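The portal flow described above has an API equivalent. The following is an added example, not part of the original answer or of Microsoft's documentation, showing the two halves of the just-in-time pattern from the command line with the Microsoft Graph PowerShell SDK: a user self-activates an eligible role for a bounded period with a justification, and an administrator later reviews the activations recorded in the directory audit log. It assumes the Microsoft.Graph modules are installed, that the signed-in user is an eligible assignee of the role, that the role's PIM settings permit a two-hour activation, and that the audit `activityDisplayName` string matches what your tenant writes (check one real entry before relying on the filter); the ticket reference is a placeholder.

```powershell
# Added example (not from the page): time-limited PIM self-activation and audit review
# using the Microsoft Graph PowerShell SDK. Assumptions are noted inline.

Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "AuditLog.Read.All", "Directory.Read.All"

# --- Part 1: activate an eligible role for two hours -------------------------
# Resolve the signed-in user's object id and the built-in role to activate.
$me   = Get-MgUser -UserId (Get-MgContext).Account
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Security Administrator'"

# A one-off activation that expires on its own; no standing membership is created.
$request = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter @{
    action           = "selfActivate"
    principalId      = $me.Id
    roleDefinitionId = $role.Id
    directoryScopeId = "/"                       # tenant-wide; narrow this where a scoped assignment exists
    justification    = "CHG-0000 (placeholder): review PIM role settings"
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString("o")
        expiration    = @{ type = "AfterDuration"; duration = "PT2H" }   # ISO 8601 duration, 2 hours
    }
}
# Status is "Provisioned" once the activation has taken effect; if the role
# setting requires MFA or approval, the request pauses until that is satisfied.
"Activation request: $($request.Status)"

# --- Part 2: who activated what in the last 7 days ---------------------------
# Assumption: 'Add member to role completed (PIM activation)' is the activity name
# written for completed activations; confirm against an entry in your own tenant.
$since  = (Get-Date).AddDays(-7).ToUniversalTime().ToString("o")
$filter = "category eq 'RoleManagement' and activityDateTime ge $since " +
          "and activityDisplayName eq 'Add member to role completed (PIM activation)'"

Get-MgAuditLogDirectoryAudit -Filter $filter -All |
    Select-Object ActivityDateTime,
        @{ n = 'Actor';  e = { $_.InitiatedBy.User.UserPrincipalName } },
        @{ n = 'Role';   e = { ($_.TargetResources | Where-Object Type -eq 'Role').DisplayName } },
        @{ n = 'Result'; e = { $_.Result } } |
    Sort-Object ActivityDateTime -Descending |
    Format-Table -AutoSize
```

Part 2 is the defender's check that matches the auditing point in the answer: every activation is a discrete, attributable event with an actor, a role and a timestamp, so a recurring query like this one (or the same filter fed into a SIEM) surfaces activations outside business hours, unusually frequent activations by one account, or activations of roles that should rarely be used.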