Azure Active Directory - PIM Deployment Training - Module 1 Vfinal

Privileged Identity Management (PIM) from Azure Active Directory Premium provides just-in-time activation of privileged roles to reduce exposure from permanent privileged accounts. PIM enables least privilege access by making many administrator roles temporary and requiring multi-factor authentication and justification to activate roles for a limited time period. PIM provides increased visibility into privileged access through reports on role changes and activation history.


Privileged Identity Management

November 2016

Ed Wu, Senior Program Manager
Mark Wahl, Principal Program Manager
Azure Active Directory Premium

• Module 1 Product Overview & Feature Information
• Module 2 Pre-Requisites and Requirements
• Module 3 Technical Deep Dive & Demo to Deploy Feature
• Module 4 Support & Troubleshooting
• Module 5 Drive Usage
Module 1
Overview
• What is Privileged Identity Management (PIM)?
• Why use PIM – what is the business value?
• What are the features of PIM?
• How does it work?
What is PIM?
Mobile-first, cloud-first reality

• Data breaches (63%): 63% of confirmed data breaches involve weak, default, or stolen passwords.
• Shadow IT (80%): More than 80 percent of employees admit to using non-approved software as a service (SaaS) applications in their jobs.
• IT budget growth (0.6%): Gartner predicts global IT spend will grow only 0.6% in 2016.
All the commonplace attacks exploit privileged accounts:
• Stolen admin credentials
• Malicious service provider staff
• Insiders

Administrator privileges will be compromised: social engineering, bribery, private initiative.
20 years ago we gave the administrator the keys to the kingdom; we can’t just take it away.
On-premises Active Directory:
1. Joe needs permissions to manage Exchange.
2. Someone adds Joe’s account to the “Domain Admins” group in Active Directory.
3. Joe logs in, is a “Domain Admin”.
4. Joe completes task.
5. Joe’s account remains in “Domain Admins” group indefinitely.

Azure AD:
1. Joe needs permissions to manage Exchange Online.
2. Someone adds Joe’s account to the “Global Administrator” role in Azure AD.
3. Joe logs in, is a “Global Administrator”.
4. Joe completes task.
5. Joe’s account remains in “Global Administrator” role indefinitely.
CLOUD-POWERED PROTECTION

• Discover, restrict, and monitor privileged identities
• Enforce on-demand, just-in-time administrative access when needed
• Provides more visibility through alerts, audit reports and access reviews

Privileged roles shown: Global Administrator, Billing Administrator, Exchange Administrator, User Administrator, Password Administrator

Fewer permanent privileged admins

Enabling “just in time” activation:
1. Require MFA for login, or if can’t for all apps, at least for role activation
2. Ask users to provide justification – why are they using this role?
3. Remove users from roles if they’re not needing them
Why use PIM?
CLOUD-POWERED PROTECTION

Reduces exposure to attacks targeting admins
• Removes unneeded permanent admin role assignments
• Limits the time a user has admin privileges
• Ensures MFA validation prior to admin role activation

Simplifies delegation
• Separates role administration from other tasks
• Adds roles for read-only views of reports and history
• Asks users to review and justify continued need for admin role

Increases visibility and finer-grained control
• Enables least privilege role assignments
• Alerts on users who haven’t used their role assignments
• Simplifies reporting on admin activity

• Permanent privileged identities are high-value targets promising a large return on investment to attackers
• Attack surface increases as cloud service usage increases because more users get added and left in highly privileged roles
• Organizations and governments require auditing of roles
• PIM separates role management from policy management
What are the features of PIM?
• Roles
• Just In Time
• Dashboard
• Alerts
• Reports
New Roles:
• Privileged Role Administrators (PRA): Change role assignment in MSODS/Read-write in PIM
• Security Administrators: Read reports and manage security settings in MSODS/Read-only in PIM
• Security Reader: Read security information and reports in MSODS/Read-only in PIM
• Identity Protection Center and other Azure security features will be adding support for the Security Reader and Security Administrator roles.

PIM Onboarding leaves role members as Permanent (default):
• Individual role members can be selected and made temporary or removed from the role

https://azure.microsoft.com/en-us/documentation/articles/active-directory-privileged-identity-management-roles/
Manage Role Settings
• Activation period 1 hour (default) – 72 hours
• Email notifications sent to admins upon role activation
• Ticketing information required to Activate
• MFA verification required before Activation

Role Activation
• Role members with Temporary membership must activate their membership

Audit History
• Tracks changes in privileged role assignments and role activation history

Access Reviews
• Can be performed by a Privileged Role Administrator or by the role members
• Members indicate if they still require role membership or not
Things To Know
• Only Privileged Role Administrators can manage role membership
• Global Admin that enables PIM becomes a member of Privileged Role Administrator and Security Administrators roles
• All role memberships default to Permanent when PIM is enabled
• Temporary members are only visible in PIM’s ‘Manage privileged roles’ blade. Azure AD PowerShell will not display temporary members

Limits
• PIM cannot be disabled. ICM can be filed with support team to escalate to product group to Suspend
• Adding users to a role in AUXUI & Azure AD PowerShell makes them Permanent
• Up to 5 minute delay until PIM AAD Sync monitor discovers changes from MSODS and syncs to PIM DB
• Legacy APIs like Get-MSOLRoleMember only show Permanent/Active members
• Cloud Service Providers (CSPs) can’t manage PIM
Historically, you could assign a user to an admin role through the Azure classic portal or Windows PowerShell. As a result, that user becomes a permanent admin, always active in the assigned role. Azure AD Privileged Identity Management introduces the concept of an eligible admin. Eligible admins should be users that need privileged access now and then, but not every day. The role is inactive until the user needs access, then they complete an activation process and become an active admin for a predetermined amount of time.

• Reports about administrator access history
• Changes in administrator assignments
How does it work?
CLOUD-POWERED PROTECTION

How time-limited activation of privileged roles works
• Users need to activate their privileges to perform a task
• MFA is enforced during the activation process
• Alerts inform administrators about out-of-band changes
• Users will retain their privileges for a pre-configured amount of time
• Security admins can discover all privileged identities, view audit reports and review everyone who is eligible to activate via access reviews

[Diagram: USER, MFA identity verification, PRIVILEGED IDENTITY MANAGEMENT with admin profiles (Billing Admin, Global Admin, Service Admin, Read only); SECURITY ADMIN configures Privileged Identity Management, monitors, receives alerts, and reviews audit and access reports]
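The activation rules the deck lists (temporary members must activate, MFA and justification before activation, optional ticketing information, a 1 to 72 hour activation window, an audit history, and legacy listings that show only permanent or currently active members) as an added Python model. This is constructed example code, not Microsoft's or the PIM product's; the class and function names are hypothetical.

```python
# Constructed model of the eligible/permanent assignment and time-limited activation
# rules the deck describes. Not Microsoft code; class and function names are hypothetical.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

@dataclass
class RoleSettings:               # the "Manage Role Settings" knobs from the deck
    activation_hours: int = 1     # 1 hour default, 72 hours maximum
    require_mfa: bool = True      # MFA verification required before activation
    require_ticket: bool = False  # ticketing information required to activate
    def __post_init__(self):
        if not 1 <= self.activation_hours <= 72:
            raise ValueError("activation period must be 1-72 hours")

@dataclass
class Assignment:
    permanent: bool                          # onboarding default is Permanent
    active_until: Optional[datetime] = None  # set only by a successful activation

class PrivilegedRole:
    def __init__(self, settings: RoleSettings):
        self.settings = settings
        self.members: Dict[str, Assignment] = {}
        self.audit: List[dict] = []  # assignment changes and activation history

    def assign(self, user: str, permanent: bool = True) -> None:
        self.members[user] = Assignment(permanent)
        self.audit.append({"event": "assign", "user": user, "permanent": permanent})

    def activate(self, user, now, mfa_verified, justification, ticket=None):
        a = self.members.get(user)
        if a is None or a.permanent:
            raise PermissionError("only temporary (eligible) members activate")
        if self.settings.require_mfa and not mfa_verified:
            raise PermissionError("MFA verification required before activation")
        if not justification.strip():
            raise ValueError("justification required")
        if self.settings.require_ticket and not ticket:
            raise ValueError("ticketing information required to activate")
        a.active_until = now + timedelta(hours=self.settings.activation_hours)
        self.audit.append({"event": "activate", "user": user, "until": a.active_until,
                           "justification": justification, "ticket": ticket})
        return a.active_until

    def active_members(self, now: datetime) -> List[str]:
        # What a legacy listing such as Get-MSOLRoleMember shows: permanent members plus
        # currently activated temporary ones; inactive eligible members do not appear.
        return sorted(u for u, a in self.members.items()
                      if a.permanent or (a.active_until is not None and now < a.active_until))
```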
