As a general security best practice, it’s best to operate and manage IT infrastructure under the least privilege principle. Doing this on premises has often been problematic, as it required either a manual escalation process (Run As) or a custom automated process. The Run As approach is typically not ideal, as even those secondary accounts generally have far more privileges than required to perform administrative tasks on systems. PowerShell Just Enough Administration definitely helps in that regard, but today I will cover Azure’s take on this problem by going over the basics of Azure Privileged Identity Management (PIM).
With Azure PIM, you will have better visibility into the privileges required to manage your environment. It’s fairly easy to get started with and to use, so I highly encourage you to adopt this security practice in your environment, especially if you are just getting started with Azure in general.
Initially, Azure Privileged Identity Management (PIM) only covered privilege escalation for Azure Active Directory roles. This changed when Microsoft announced that they now cover Azure Resource Manager resources as well. This means you can now do just-in-time escalation of privileges to manage things like subscriptions, networking, VMs, etc. In this post, I’ll cover the Azure AD roles portion of Azure PIM.
To quickly get started with Azure PIM for Azure AD roles, you can simply log in to the Azure Portal and start assigning users as eligible for specific Azure AD roles. To achieve this, go to the Azure AD Directory Roles section.
Once in that section, go to the Roles section to start making users eligible for specific Azure AD roles by clicking the Add user button. One thing to note is that you can only assign roles to specific users, not to a group.
Once you have specified a user as eligible for a role, that user can activate it. To do this, they simply go to the Azure PIM section of the Azure Portal and pick My Roles. The user can then select the appropriate role to activate in order to perform the desired administrative task.
When you activate a role, you will be prompted to enter a reason as to why you need to elevate your privileges. This is generally good practice, as it allows the people reviewing the escalations to understand why certain high privileges had to be used to perform a task.
Now that we have covered the basics to get you started with PIM quickly, we can dive a bit into how that experience can be customized. Here are the configuration options for an Azure AD role:
- Maximum Activation duration: When the user activates a role, how long should it remain activated? A shorter duration is desirable for security reasons.
- Notifications: Should an email be sent to an administrator when a role is activated? This can also give the admin a sense of whether an admin role is being abused, i.e. why use Global Admin when it’s not necessary to perform task X?
- Incident/Request Ticket: You can require a support ticket number to be entered with each activation. This is useful if you really need to close the loop on why elevation is required, e.g. a setting needs to change to apply a change request or to resolve incident #####.
- Multi-Factor Authentication: A user will need to be enrolled in Azure MFA in order to activate a role.
- Require approval: When this is enabled, an admin will need to approve the activation for a user. This might be useful for high privilege roles such as Global Admin, where you don’t want privileges to be abused. It also documents the full process better, i.e. user X asked for elevation and admin Y approved the request.
From an operational standpoint, you can also get alerts for the following things:
Out of those alerts, you can tune the thresholds of the following two to match your organization’s requirements:
- For the “There are too many global administrators” alert, you can define the number of allowed global admins and the percentage of global admins versus the total number of administrators configured.
- For the “Roles are being activated too frequently” alert, you can specify the maximum duration between activations and the number of acceptable activations during that period. This is useful to flag users who simply activate all roles for no good reason, just to make sure they have the required privileges to perform a task.
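The two tunable alerts above, reimplemented as an added example over a constructed set of activation audit records and role assignments (this is not PIM’s own code; the record layout, the default thresholds and the sliding-window interpretation of “activations during that period” are assumptions):

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample PIM activation audit records: (user, role, activation time).
# alice activates four roles within 20 minutes; bob activates one role two days apart.
ACTIVATIONS = [
    ("alice", "Global Administrator",   "2024-03-01T08:00:00"),
    ("alice", "User Administrator",     "2024-03-01T08:05:00"),
    ("alice", "Exchange Administrator", "2024-03-01T08:07:00"),
    ("alice", "Security Administrator", "2024-03-01T08:20:00"),
    ("bob",   "Global Administrator",   "2024-03-01T09:00:00"),
    ("bob",   "Global Administrator",   "2024-03-03T09:00:00"),
]

# Constructed sample of current role assignments (eligible or permanent): (user, role).
ASSIGNMENTS = [
    ("alice", "Global Administrator"), ("bob", "Global Administrator"),
    ("carol", "Global Administrator"), ("dave", "User Administrator"),
]

def too_many_global_admins(assignments, max_count=2, max_percent=50.0):
    """Mirror the 'There are too many global administrators' alert.
    Fires when the count OR the share of Global Admins among all
    administrators exceeds its threshold. Returns (alert, count, percent)."""
    admins = {user for user, _ in assignments}
    global_admins = {user for user, role in assignments if role == "Global Administrator"}
    percent = 100.0 * len(global_admins) / len(admins) if admins else 0.0
    alert = len(global_admins) > max_count or percent > max_percent
    return alert, len(global_admins), percent

def activated_too_frequently(activations, window=timedelta(hours=1), max_activations=3):
    """Mirror the 'Roles are being activated too frequently' alert: flag every user
    with more than max_activations activations inside any window of the given length.
    Uses a sliding window over each user's sorted activation times."""
    by_user = defaultdict(list)
    for user, _, timestamp in activations:
        by_user[user].append(datetime.fromisoformat(timestamp))
    flagged = []
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Advance the window start until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > max_activations:
                flagged.append(user)
                break
    return sorted(flagged)
```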
You can also configure the Access review functionality, which specifies how you want to review the user activation history in order to maintain a tight ship security-wise. You can configure the access review with the following settings:
- Mail notifications: Send an email to advise an administrator to perform the access review
- Reminders: Send an email to advise an administrator to complete an access review
- Require reason for approval: Make sure the reviewer documents why an activation was approved and why it makes sense.
- Access review duration: The number of days between each access review exercise (default is 30 days).
Once all this is configured, you can monitor the activation/usage of roles using the Directory Roles Audit History section:
I hope this quick introduction to Azure Privileged Identity Management was helpful. Should you have any questions about this, let me know!