Azure AD — Privileged Identity Management (PIM)
What is it?
Microsoft has invested heavily in tightening the security of its services, including Azure AD, and one result is Privileged Identity Management (PIM). PIM is a feature of Azure AD that gives users or groups restricted, time-limited access to Azure resources or Azure AD roles instead of standing, permanent assignments.
What does it do?
PIM turns a role assignment into something that is time-bound, scoped, MFA-enforced, optionally subject to approval, and fully audited, for either an Azure resource role or an Azure AD role. For example, if your company hires a vendor for a project that involves privileged tasks in your Azure tenant, you should not simply hand the vendor a permanent role. Assess what the task actually requires, then grant the vendor time-bound access that lasts only until the project ends. When that period expires, the assignment is removed automatically and the vendor can no longer access your Azure resources. In PIM terms, you make the vendor "eligible" to perform a privileged task for a defined period, and PIM handles the rest seamlessly.
How does it work?
When PIM is enabled in Azure AD, an administrator makes selected users eligible for a privileged role for a defined period. An eligible user does not hold the role yet; to use it, the user must activate the role, which requires a justification and, depending on the role's settings, MFA and approval from designated approvers.
Once the activation is approved (or immediately, if the role does not require approval), the role is active for the user for a limited duration and is removed again when that duration expires. The user can also request an extension of an assignment that is about to expire. The key difference from a traditional assignment is that a conventional role grant is permanent, with no time limit, whereas a PIM assignment is time-limited, MFA-enforced and logged, which makes it considerably safer.
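The flow above, as an added example written for this page with Microsoft Graph PowerShell (it is not code from the original post). It assumes the Microsoft.Graph module is installed, that the first part runs as a Privileged Role Administrator, that the second part runs in the vendor's own session, and that `vendor@contoso.com`, the 30-day engagement and the ticket number are hypothetical values:

```powershell
# Added example (not from the original post): end-to-end PIM flow with Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph module installed; 'vendor@contoso.com' is a hypothetical account.
$scopes = @(
    'RoleEligibilitySchedule.ReadWrite.Directory',
    'RoleAssignmentSchedule.ReadWrite.Directory',
    'RoleManagement.Read.Directory',
    'User.Read.All'
)
Connect-MgGraph -Scopes $scopes

# Resolve the principal and the role by name rather than hard-coding GUIDs.
$vendor = Get-MgUser -UserId 'vendor@contoso.com'          # hypothetical vendor account
$role   = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Security Reader'"

# 1) Admin step: make the vendor ELIGIBLE for the role until the project ends (30 days, assumed).
#    Nothing is granted yet; the vendor still has to activate the role to use it.
$eligibility = @{
    action           = 'adminAssign'
    justification    = 'Vendor engagement: security assessment project'
    roleDefinitionId = $role.Id
    principalId      = $vendor.Id
    directoryScopeId = '/'            # whole tenant; use an administrative unit to narrow it
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString('o')
        expiration    = @{
            type        = 'afterDateTime'
            endDateTime = (Get-Date).AddDays(30).ToUniversalTime().ToString('o')
        }
    }
}
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $eligibility

# 2) User step (run in the vendor's own session after Connect-MgGraph and the two lookups above):
#    ACTIVATE the eligible role for four hours with a justification. PIM applies the role's
#    activation settings (MFA, approval, maximum duration) to this request.
$activation = @{
    action           = 'selfActivate'
    justification    = 'Reviewing Defender alerts for ticket INC-1234'   # hypothetical ticket
    roleDefinitionId = $role.Id
    principalId      = $vendor.Id
    directoryScopeId = '/'
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString('o')
        expiration    = @{ type = 'afterDuration'; duration = 'PT4H' }   # ISO 8601 duration
    }
}
$request = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $activation
$request.Status   # 'PendingApproval' while an approver must act; 'Provisioned' once active

# 3) Verify (either session): list the vendor's currently ACTIVE assignments and their expiry.
Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -Filter "principalId eq '$($vendor.Id)'" |
    Select-Object RoleDefinitionId, AssignmentType, StartDateTime, EndDateTime
```

The eligibility request sets the outer boundary (the vendor can activate at any time within the 30 days), while each activation is a separate, short-lived grant that expires on its own; the final query is the check to run when confirming that nothing is still active after the engagement ends.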
What is required?
PIM is part of Azure AD Premium P2, and the following users need that license:
- Eligible users
- Eligible users who are part of Azure AD Groups
- PIM Approvers
- PIM Reviewers
If the license expires, PIM features stop working in the tenant: existing eligible assignments can no longer be activated, so those users lose access to the roles until the license is restored.
Thank you for reading.
Do subscribe to my YouTube channel if you are looking to learn Microsoft technologies.