AAD Privileged Identity Management - Coffee with Conrad

5 min read
Published on Jun 30, 2020
The following is a recap of Agile IT’s second episode of Coffee with Conrad, where we explored Azure Active Directory’s Privileged Identity Management Functions.

  • How Just in Time and Just Enough Access removes the need for generic admin accounts and permits more detailed logs required by NIST 800-171 and CMMC.
  • How automatic Access Reviews help assure that only those who need access have access.

One role that stands out for many organizations is the global administrator. This role can create or change access to anything. It’s a very powerful role with supreme visibility and access rights throughout your enterprise. Within Microsoft 365, there are also narrower roles for user management, such as security administrator, that have a focused set of activities. The problem is that when you assign a user to a role, they hold those permissions for as long as you leave the assignment in place. Sometimes, you need the right access level for the right person at the right time, and not a moment longer. You may want to limit how long that person has access in that role.

Azure Active Directory

Enter Azure Active Directory (AAD) Privileged Identity Management (PIM), a capability that requires an Azure AD Premium P2 license. It helps you apply business controls to privileged access for an appropriate period of time.

What PIM does is give you the ability to make someone eligible for a role, let them activate it for a limited amount of time (defined by you), and set how many times per day they can hold those permissions. When they activate it, they must justify their use, and that justification is logged and recorded. A user submits a request to become a global administrator, which then escalates to an approver who has the ability to stop it. You can grant privileged role membership for a limited period of time. When a request is made, PIM can notify others in the same role that someone has made the request.

The Power of Access Review

This also ties into access review, another key feature of PIM. An access review is when PIM regularly emails the people assigned to a specific role to ask for justification for their continued need for the role. You can set the amount of time they have to provide justification. If they don’t respond, their role is removed. If they do respond, you can then either approve their permission or change their role. All of this activity is logged.

PIM allows you to control permissions and capabilities so users aren’t left with too much responsibility. This is especially useful if you’re in an industry such as finance or healthcare with many regulatory requirements. When a person needs rights, they’ll provide justification, create a ticket number with the person’s justification for the enhanced role, and have an expiration for when they no longer require those rights.

You can set up approvers and documentation. It’s not necessarily a capability that makes your end-users more productive. But it does give you good business controls and visibility into who has what administrative permissions. You’re able to give people the just-in-time and just-enough access they need, with controls in place.

Duration Configuration

Yes. For every role, there’s a default setting but you can define your own duration. A good rule of thumb: the more power or capabilities a role has, the shorter the window should be for access. There’s also a “global reader” role that can see everything a global administrator can, but can’t change it. You can activate the global reader role for someone to see the settings and configuration. They may not need to make a change. If they do, they can be elevated to a global administrator.
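The activation controls described above (a time-boxed window, justification and ticket number, approval, and a read-only role for people who only need to look) map onto PIM role settings and eligible assignments. The following is an added example written for this recap, not code from Agile IT or Microsoft; it uses the Microsoft Graph PowerShell SDK, and the approver and admin object IDs are placeholders you must supply.

```powershell
# Added example: configure PIM settings for Global Administrator and make an admin
# eligible for Global Reader. Placeholder object IDs are marked below.
Connect-MgGraph -Scopes "RoleManagementPolicy.ReadWrite.Directory","RoleManagement.ReadWrite.Directory"

$globalAdminRoleId  = "62e90394-69f5-4237-9190-012177145e10"  # built-in Global Administrator template ID
$globalReaderRoleId = "f2ef992c-3afb-46b9-b7cf-a126ee74c451"  # built-in Global Reader template ID
$approverId = "<approver-object-id>"                          # placeholder (assumed)
$adminId    = "<admin-user-object-id>"                        # placeholder (assumed)

# Each directory role has one PIM policy; look up the one bound to Global Administrator.
$policyId = (Get-MgPolicyRoleManagementPolicyAssignment -Filter `
  "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$globalAdminRoleId'").PolicyId

$target = @{ caller = "EndUser"; operations = @("All"); level = "Assignment"
             inheritableSettings = @(); enforcedSettings = @() }

$rules = @(
  # Rule of thumb from the recap: the more powerful the role, the shorter the activation window.
  @{ "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"
     id = "Expiration_EndUser_Assignment"; isExpirationRequired = $true
     maximumDuration = "PT2H"; target = $target }
  # Activation must carry MFA, a justification and a ticket number; all of it is logged.
  @{ "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule"
     id = "Enablement_EndUser_Assignment"
     enabledRules = @("MultiFactorAuthentication","Justification","Ticketing"); target = $target }
  # Every activation request escalates to a named approver who can stop it.
  @{ "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule"
     id = "Approval_EndUser_Assignment"; target = $target
     setting = @{ isApprovalRequired = $true; approvalMode = "SingleStage"
                  isRequestorJustificationRequired = $true
                  approvalStages = @(@{ approvalStageTimeOutInDays = 1; isApproverJustificationRequired = $true
                                        isEscalationEnabled = $false; escalationTimeInMinutes = 0
                                        primaryApprovers = @(@{ "@odata.type" = "#microsoft.graph.singleUser"; userId = $approverId })
                                        escalationApprovers = @() }) } }
)
foreach ($rule in $rules) {
  Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId $rule.id -BodyParameter $rule
}

# Make the admin eligible (not permanently active) for Global Reader for one year, so
# day-to-day review of settings needs no Global Administrator activation at all.
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter @{
  action = "adminAssign"; principalId = $adminId; roleDefinitionId = $globalReaderRoleId
  directoryScopeId = "/"; justification = "Read-only review of tenant configuration"
  scheduleInfo = @{ startDateTime = (Get-Date).ToUniversalTime()
                    expiration = @{ type = "afterDuration"; duration = "P365D" } }
}
```

Once this is in place, the admin activates Global Reader from the PIM portal when needed and must request (and have approved) a separate, two-hour Global Administrator activation only for changes.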

Does Proper Implementation Remove the Need for Separate Generic Administrator Accounts?

PIM does represent a great way to get rid of extraneous administrator accounts. With PIM, users don’t need a high level of permission unless it’s a part of their everyday job. They also don’t need to have two accounts. Granting elevated access for a short, controlled duration makes more sense than establishing a separate admin-only account for them.

How Does This Work for Organizations Dealing With Regulatory Frameworks Such as CMMC?

Regulatory frameworks like CMMC never give you rules for how to maintain compliance. With PIM, you can track, log, review logs, and control access from one place.

Do PIM Users Need Additional Licensing?

They don’t. The built-in roles all map to AAD. An Azure AD Premium P2 license covers everything. That’s the only thing you’d need to make this work for you.

Can You Use PIM for Other Administrator Roles?

Anything that’s a default role baked into AAD is available. Every one of them has an associated reader. Those reader roles are great for managers who are responsible and may only need to review rather than make changes. One of the challenges of adopting PIM is that it can add extra steps for administrators or those needing administrative access. That’s a good thing, however. This isn’t necessarily going to make their lives easier. But this extra step will increase their accountability. This isn’t necessarily fun for them at the beginning because it can slow them down. But sometimes, slowing these users down is needed to ensure they only have global administrative access for exactly as long as they need it. It’s an organizational benefit.

In Agile IT’s Migration, Were End-Users Affected or Just Administrators?

Only the administrative team was affected, and the transition was complete after about a two-week period. End-users are generally not affected unless they require some sort of global administrative access.

Learn More About Privileged Identity Management

Adopting Privileged Identity Management forces your organization to examine who needs what type of access and for how long. For example, if you have three administrators, you may ask yourself: do they all need global administrator rights? Sometimes they do. PIM helps you give them access at the specific times they need it, and not a second longer. You also have logs and justification for why everyone has the access level they have.
