
AAD Privileged Identity Management - Coffee with Conrad


5 min read
Published on Jun 30, 2020

The following is a recap of Agile IT’s second episode of Coffee with Conrad, where we explored Azure Active Directory’s Privileged Identity Management Functions.

  • How Just in Time and Just Enough Access removes the need for generic admin accounts and permits more detailed logs required by NIST 800-171 and CMMC.
  • How automatic Access Reviews help assure that only those who need access have access.

One role that stands out for many organizations is the global administrator. This role can create or access anything: it is a very powerful role with supreme visibility and access rights throughout your enterprise. Microsoft also provides narrower roles for user management, such as security administrator, that cover a focused set of activities. The problem is that when you assign a user to a role, they hold those permissions for as long as the assignment stands. Sometimes you need the right access level for the right person at the right time, and not a moment longer, so you want to limit how long that person has access in that role.

Azure Active Directory

Enter Azure Active Directory (AAD) Privileged Identity Management (PIM), a capability that requires a P2 license. It lets you apply business controls that limit privileged access to an appropriate period of time.

What PIM does is let you assign someone a role for a limited amount of time (defined by you) and set how often per day they can hold those permissions. When they activate the role, they must justify the use, and that justification is logged and recorded. For example, a user submits a request to become a global administrator; the request escalates to an approver, who has the ability to stop it. You can grant privileged role membership for a limited period of time, and when a request is made, PIM can notify others in the same role that someone has made the request.
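The two halves of that flow, as an added example that is not from the original post: an administrator grants a user time-bound eligibility for Global Administrator, and the user later activates the role for a few hours with a justification and ticket reference. It uses the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.Governance) against a tenant with the P2 license PIM needs; every `<...>` value is a placeholder to replace with IDs from your own tenant.

```powershell
# Added example, not from the original post: grant a user time-bound ELIGIBILITY for
# Global Administrator, then show the request that user submits to activate the role.
# Requires Microsoft.Graph.Identity.Governance and a PIM-licensed (P2) tenant.
# Every "<...>" value is a placeholder to replace with IDs from your tenant.
Import-Module Microsoft.Graph.Identity.Governance

# Step 1 runs as a privileged-role administrator.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory"

# Resolve the role by display name so no template ID has to be hard-coded.
$globalAdmin = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Administrator'"
$principalId = "<OBJECT-ID-OF-ADMIN-USER>"

# Eligibility is not an active assignment: the user holds nothing until they activate.
# The eligibility itself also expires (90 days here), so it has to be deliberately renewed.
$eligibility = @{
    action           = "adminAssign"
    justification    = "Tier-0 administrator; eligible for GA through PIM, reviewed quarterly"
    roleDefinitionId = $globalAdmin.Id
    directoryScopeId = "/"                       # whole tenant
    principalId      = $principalId
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = "afterDuration"; duration = "P90D" }
    }
}
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $eligibility

# Step 2 runs later, in the eligible user's own session (delegated permission).
Connect-MgGraph -Scopes "RoleAssignmentSchedule.ReadWrite.Directory"

# Activation: four hours, with the justification and ticket reference that PIM logs.
# If the role's policy requires approval, the request waits for an approver instead
# of provisioning immediately.
$activation = @{
    action           = "selfActivate"
    principalId      = $principalId
    roleDefinitionId = $globalAdmin.Id
    directoryScopeId = "/"
    justification    = "Rotate break-glass account credentials per approved change"
    ticketInfo       = @{ ticketNumber = "<CHANGE-TICKET-ID>"; ticketSystem = "<TICKET-SYSTEM>" }
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = "afterDuration"; duration = "PT4H" }
    }
}
$request = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $activation

# "Provisioned" means the role is active now; "PendingApproval" means an approver must decide first.
$request.Status
```

In practice the two steps live in different sessions: the eligibility request is an administrator's action, while `selfActivate` only succeeds when the signed-in user is the principal being activated. The activation duration requested here must fit under the maximum the role's PIM policy allows, or the request is rejected.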

The Power of Access Review

This also triggers an access review, another key feature of PIM. An access review is when PIM regularly emails the people assigned to a specific role to ask for justification for their continued use of the role. You can set the amount of time they have to provide that justification. If they don't respond, their role is removed; if they do respond, you can then either approve their permission or change their role. All of this activity is logged.
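A recurring review of that kind, as an added example that is not from the original post: every holder of Global Administrator is reviewed each quarter, reviewers have 14 days, and anyone without a decision is removed automatically (`defaultDecision = "Deny"` with `autoApplyDecisionsEnabled`). It uses the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.Governance); the scope and reviewer objects follow the Graph accessReviewScheduleDefinition schema, and the reviewer group ID is a placeholder.

```powershell
# Added example, not from the original post: a recurring access review of everyone who
# holds Global Administrator, configured so that anyone without a decision at the end of
# the review window loses the role. Requires Microsoft.Graph.Identity.Governance.
# "<...>" values are placeholders for your tenant.
Import-Module Microsoft.Graph.Identity.Governance
Connect-MgGraph -Scopes "AccessReview.ReadWrite.All", "RoleManagement.Read.Directory"

$globalAdmin     = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Administrator'"
$reviewerGroupId = "<OBJECT-ID-OF-SECURITY-MANAGEMENT-GROUP>"   # its members decide each case

$review = @{
    displayName             = "Quarterly review - Global Administrator"
    descriptionForAdmins    = "Confirms each GA still needs the role. Unanswered reviews remove access."
    descriptionForReviewers = "Justify continued Global Administrator access or the assignment is removed."
    # Reviewed population: every user holding the Global Administrator role definition.
    scope = @{
        "@odata.type"   = "#microsoft.graph.principalResourceMembershipsScope"
        principalScopes = @(
            @{ "@odata.type" = "#microsoft.graph.accessReviewQueryScope"; query = "/users"; queryType = "MicrosoftGraph" }
        )
        resourceScopes  = @(
            @{ "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
               query         = "/roleManagement/directory/roleDefinitions/$($globalAdmin.Id)"
               queryType     = "MicrosoftGraph" }
        )
    }
    reviewers = @(
        @{ query = "/groups/$reviewerGroupId/transitiveMembers"; queryType = "MicrosoftGraph" }
    )
    settings = @{
        mailNotificationsEnabled        = $true    # the e-mail asking for justification
        reminderNotificationsEnabled    = $true
        justificationRequiredOnApproval = $true    # keeping access must be explained, too
        recommendationsEnabled          = $true    # flags holders with no recent sign-in
        instanceDurationInDays          = 14       # time allowed to respond
        defaultDecisionEnabled          = $true
        defaultDecision                 = "Deny"   # no response -> access removed
        autoApplyDecisionsEnabled       = $true    # removal applied without a manual step
        recurrence = @{
            pattern = @{ type = "absoluteMonthly"; interval = 3; dayOfMonth = 1 }
            range   = @{ type = "noEnd"; startDate = (Get-Date).ToString("yyyy-MM-dd") }
        }
    }
}
$definition = New-MgIdentityGovernanceAccessReviewDefinition -BodyParameter $review
$definition.Id   # keep this: each instance's decisions and history are read from it
```

The `Deny` default is what turns the review from a reminder into a control: a reviewer who ignores the e-mail cannot silently preserve someone's access. The decisions and their justifications stay attached to the review definition, which is the record an auditor asks for.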

PIM lets you control permissions and capabilities so users aren't left holding more responsibility than they need. This is especially useful in an industry such as finance or healthcare with many regulatory requirements. When a person needs rights, they provide a justification, a ticket number is recorded alongside that justification for the elevated role, and the rights carry an expiration for when they are no longer required.

You can set up approvers and documentation. It's not a capability that necessarily makes your end users more productive, but it does give you good business controls and visibility into who holds which administrative permissions. You're able to give people the just-in-time, just-enough access they need, with controls in place.
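The visibility side of that, as an added example that is not from the original post: one function lists who is eligible for each role and who is active right now (distinguishing PIM activations from permanent assignments), and a second pulls the PIM entries from the directory audit log for the past week with the recorded justification. It uses the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.Governance and Microsoft.Graph.Reports); the `Justification` key assumed in each audit record's `additionalDetails` should be confirmed against one record from your own tenant.

```powershell
# Added example, not from the original post: the "who holds what" view PIM gives you,
# pulled with the Microsoft Graph PowerShell SDK. Lists eligible and active role holders
# and the PIM entries from the directory audit log. The "Justification" key read from
# additionalDetails is assumed; confirm it against one record from your tenant.
Import-Module Microsoft.Graph.Identity.Governance, Microsoft.Graph.Reports
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "AuditLog.Read.All"

function Get-PrincipalName ($p) {
    # Users expose userPrincipalName; groups and service principals only a displayName.
    if ($p.AdditionalProperties.ContainsKey("userPrincipalName")) { $p.AdditionalProperties["userPrincipalName"] }
    else { $p.AdditionalProperties["displayName"] }
}

function Get-PimRoleHolders {
    # Eligible: may activate. Active: holds the role now, either activated through PIM
    # ("Activated", with an EndDateTime) or permanently assigned ("Assigned", no EndDateTime).
    $eligible = Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -All `
        -ExpandProperty "principal,roleDefinition" |
        ForEach-Object {
            [pscustomobject]@{
                State     = "Eligible"
                Role      = $_.RoleDefinition.DisplayName
                Principal = Get-PrincipalName $_.Principal
                Until     = $_.EndDateTime
            }
        }
    $active = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -All `
        -ExpandProperty "principal,roleDefinition" |
        ForEach-Object {
            [pscustomobject]@{
                State     = if ($_.AssignmentType -eq "Activated") { "Active (PIM)" } else { "Active (permanent)" }
                Role      = $_.RoleDefinition.DisplayName
                Principal = Get-PrincipalName $_.Principal
                Until     = $_.EndDateTime
            }
        }
    @($eligible) + @($active) | Sort-Object Role, State
}

function Get-PimAuditTrail ([int] $Days = 7) {
    # OData datetime literals are unquoted in the filter.
    $since = (Get-Date).AddDays(-$Days).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
    Get-MgAuditLogDirectoryAudit -All -Filter "loggedByService eq 'PIM' and activityDateTime ge $since" |
        ForEach-Object {
            [pscustomobject]@{
                When          = $_.ActivityDateTime
                Activity      = $_.ActivityDisplayName        # e.g. activation requested / completed
                Actor         = $_.InitiatedBy.User.UserPrincipalName
                Target        = ($_.TargetResources | Select-Object -First 1).DisplayName
                Result        = $_.Result
                Justification = ($_.AdditionalDetails | Where-Object Key -eq "Justification").Value
            }
        }
}

# Permanent Global Administrator assignments are exactly what PIM is meant to remove;
# anything still listed here deserves an explanation (a documented break-glass account, for instance).
Get-PimRoleHolders | Where-Object { $_.Role -eq "Global Administrator" -and $_.State -eq "Active (permanent)" } | Format-Table
Get-PimAuditTrail -Days 7 | Format-Table -AutoSize
```

Running the first query on a schedule and alerting on any new permanent Global Administrator is a cheap control: it catches the assignment made "just for now" outside PIM that never gets cleaned up.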

Duration Configuration

Activation duration is configurable. For every role there's a default setting, but you can define your own duration. A good rule of thumb: the more power or capabilities a role has, the shorter the access window should be. There's also a "global reader" role that can see everything a global administrator can but can't change anything. You can activate the global reader role for someone who needs to inspect settings and configuration; they may not need to make a change, and if they do, they can be elevated to global administrator.
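That rule of thumb written as configuration, as an added example that is not from the original post: a function that sets, for one directory role, the maximum activation length, what the user must supply to activate (MFA, justification, ticket), and whether an approver must act. It is then applied so that Global Administrator gets a two-hour window with approval while Global Reader gets eight hours with none. It uses the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.Governance); the rule IDs `Expiration_EndUser_Assignment`, `Enablement_EndUser_Assignment` and `Approval_EndUser_Assignment` are the fixed IDs PIM uses for end-user activation rules, and the approver group ID is a placeholder.

```powershell
# Added example, not from the original post: per-role activation limits through the
# Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.Governance). The three rule IDs
# are PIM's fixed identifiers for the rules that govern an end user activating a role.
# "<...>" values are placeholders for your tenant.
Import-Module Microsoft.Graph.Identity.Governance
Connect-MgGraph -Scopes "RoleManagementPolicy.ReadWrite.Directory", "RoleManagement.Read.Directory"

function Set-PimActivationPolicy {
    param(
        [Parameter(Mandatory)] [string] $RoleDisplayName,
        [Parameter(Mandatory)] [string] $MaxActivation,   # ISO 8601 duration, e.g. PT2H
        [string] $ApproverGroupId                         # omit to allow activation without approval
    )
    $role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$RoleDisplayName'"

    # Each directory role has one PIM policy assigned at tenant scope ("/").
    $assignment = Get-MgPolicyRoleManagementPolicyAssignment `
        -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$($role.Id)'"
    $policyId = $assignment.PolicyId

    # All three rules target the same event: an eligible end user activating the role.
    $target = @{ caller = "EndUser"; operations = @("All"); level = "Assignment"
                 inheritableSettings = @(); enforcedSettings = @() }

    # How long a single activation may last.
    Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
        -UnifiedRoleManagementPolicyRuleId "Expiration_EndUser_Assignment" -BodyParameter @{
            "@odata.type"        = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"
            id                   = "Expiration_EndUser_Assignment"
            isExpirationRequired = $true
            maximumDuration      = $MaxActivation
            target               = $target
        }

    # What the user must supply to activate: MFA, a justification and a ticket number.
    Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
        -UnifiedRoleManagementPolicyRuleId "Enablement_EndUser_Assignment" -BodyParameter @{
            "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule"
            id            = "Enablement_EndUser_Assignment"
            enabledRules  = @("MultiFactorAuthentication", "Justification", "Ticketing")
            target        = $target
        }

    # Whether an approver must act before the activation takes effect. The stage is kept
    # even when approval is off; only the approver list is emptied.
    $approvers = if ($ApproverGroupId) {
        @(@{ "@odata.type" = "#microsoft.graph.groupMembers"; groupId = $ApproverGroupId })
    } else { @() }
    Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
        -UnifiedRoleManagementPolicyRuleId "Approval_EndUser_Assignment" -BodyParameter @{
            "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule"
            id            = "Approval_EndUser_Assignment"
            target        = $target
            setting       = @{
                isApprovalRequired               = [bool]$ApproverGroupId
                isApprovalRequiredForExtension   = $false
                isRequestorJustificationRequired = $true
                approvalMode                     = "SingleStage"
                approvalStages                   = @(@{
                    approvalStageTimeOutInDays      = 1
                    isApproverJustificationRequired = $true
                    escalationTimeInMinutes         = 0
                    isEscalationEnabled             = $false
                    primaryApprovers                = $approvers
                    escalationApprovers             = @()
                })
            }
        }
}

# More power, shorter window: Global Administrator gets two hours and needs an approver;
# Global Reader, which sees the same configuration but cannot change it, gets eight hours
# and no approval gate, so people who only need to look are not pushed toward requesting GA.
Set-PimActivationPolicy -RoleDisplayName "Global Administrator" -MaxActivation "PT2H" `
    -ApproverGroupId "<OBJECT-ID-OF-APPROVER-GROUP>"
Set-PimActivationPolicy -RoleDisplayName "Global Reader" -MaxActivation "PT8H"
```

Reading the current rules back with `Get-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId` before changing them is worth the extra step: the defaults differ between roles, and comparing the result to this function's intent is how you confirm the policy actually took.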

Does Proper Implementation Remove the Need for Separate Generic Administrator Accounts?

PIM does represent a great way to get rid of extraneous administrator accounts. With PIM, users don't need a high level of permission unless it's part of their everyday job, and they don't need two accounts. Conditional, time-limited access for a shorter duration makes more sense than establishing an admin-only account for them.

How Does This Work for Organizations Dealing With Regulatory Frameworks Such as CMMC?

Regulatory frameworks like CMMC never spell out how to maintain compliance. With PIM, you can track, log, review logs, and control access from one place.

Do PIM Users Need Additional Licensing?

They don't. Generic roles all map to AAD, and a P2 license covers everything. That's the only thing you need to make this work for you.

Can You Use PIM for Other Administrator Roles?

Anything that's a default role baked into AAD is available, and every one of them has an associated reader role. Those reader roles are great for managers who are responsible for an area and may only need to review rather than make changes. One challenge of adopting PIM is that it adds extra steps for administrators or anyone needing administrative access. That's a good thing, however: it won't necessarily make their lives easier, but the extra step increases their accountability. It isn't fun for them at the beginning because it can slow them down, but sometimes slowing these users down is needed to ensure they hold global administrative access for exactly as long as they need it. It's an organizational benefit.

In Agile IT’s Migration, Were End-Users Affected or Just Administrators?

Only the administrative team was affected, and the transition was complete after about a two-week period. End-users are generally not affected unless they require some sort of global administrative access.

Learn More About Privileged Identity Management

Adopting Privileged Identity Management forces your organization to examine who needs what type of access and for how long. For example, if you have three administrators, you may ask yourself: do they all need global administrator rights? Sometimes they do. PIM helps you give them access at the specific times they need it, and not a second longer. You also have logs and justification for why everyone has the access level they have.
