Introduction

Privileged Identity Management (PIM) is no longer a hidden gem in the Microsoft cloud ecosystem. It was originally released almost 10 years ago! I know there is already a lot of great content out there on it, but this blog post will be my personal summary.

What to expect 🎯

  • What is PIM?
  • Why is Privileged Identity relevant?
  • Prerequisites
  • Concept
  • How to set up
  • Bonus
    • Enable PIM for groups for roles outside of Microsoft Entra
    • Identity Governance
    • Integrate with Administrative Units
    • Integrate with Microsoft Sentinel
    • Change tracking

What is PIM? 🦸

Microsoft Privileged Identity Management (PIM) is an Entra ID Premium Plan 2 feature to secure elevated rights, include approval processes and manage admin roles just-in-time and with just-enough access - based on Zero Trust. This feature is only relevant for administrators and only needs to be licensed for them.

With PIM you can:

  • Ensure that only the right staff has access to the right permissions in the right timeframe
  • Include approval processes to have a dual control system before permissions are granted
  • Apply monitoring & reports to elevation, as well as require more details on why elevation was necessary
  • My take: The P in PIM stands for psychological. It is a system to rethink the privileged tasks you want to perform and requires to provide a justification and select exactly the right permission set. (Which can also be a challenge 😉)

Why is Privileged Identity relevant?

Privileged Identities are personas with permissions to do changes on a system that affect multiple entities or have a critical (business) impact. In the Microsoft cloud sphere, this could be anything from locking a user, wiping devices, adding or removing third-party apps, managing data (SharePoint, OneDrive) or altering Teams. It is basically superpower 🦸

You see that those Privileged Identities should be well protected, which doesn't only include PIM as a leveraged product, but also to apply other restrictions like MFA, Conditional Access, proper secret storage and trust to parties to guarantee defense in depth.

🗒️
Privileged Identities are highly valuable goods for an organization and should be well protected with multiple measures. Attackers always aim for hijacking privileged identities. Consider those as not just your administrator accounts, but also service accounts and service principals! (In Microsoft Entra = App Registrations, Enterprise Apps or Managed Identities)

Prerequisites

Before you enable PIM in your tenant, you should verify that all users who use PIM have an Entra ID Premium Plan 2 license assigned. To configure PIM you need to be a Global Administrator or Privileged Role Admin.

Concept 📝

Role sources

Roles and permissions in Azure and Microsoft 365 can originate from different sources:

  • Entra ID: Roles for administering Entra and Microsoft 365 and related products, compatible with PIM
  • Intune: Roles specific to endpoint management, by default not compatible with PIM (PIM-enabled groups would need to be used here)
  • Defender permissions: Specific roles in Defender XDR / Security Center
  • Exchange admin roles: Specific roles in Exchange
  • Azure IAM: Roles for Azure resources, separate from PIM
  • Purview roles & scopes: Roles in Purview / Compliance

Assignment types

Not all roles are assigned the same way, there are two types:

  • Eligible: Role can be activated for a user via PIM for a specific period of time
  • Active: Role is static and permanently active for a user

Roles table

When I work with customers, I always recommend to use a roles table to define clearly who has access (permanent or through PIM) to which roles and thereby has which responsibilities. This is how it looks like:

Role
Recommended assignment type Description Recommended audience
Global Admin PIM Can manipulate all aspects of the tenant. Dedicated admin accounts, except for the Breaking Glass Admin.
Global Reader Static Can read all aspects of the tenant but cannot manipulate them. All IT engineers
Application Admin PIM Can modify Enterprise Apps and App Registrations. Developer, engineers
Intune Admin PIM Can configure all aspects of Intune. Intune Admins
User Admin PIM Can manipulate user aspects, without authentication methods. Helpdesk
Security Admin PIM Can configure security in Defender XDR and Intune endpoint security and Entra settings. Security Engineers (also consider Defender RBAC)
Compliance Admin PIM Can manipulate aspects in Purview. Compliance Officers
Authentication Admin PIM Can edit security info/authentication methods from non-admins. Helpdesk
Exchange Admin PIM Can modify all aspects of Exchange Online. Exchange Engineers
Teams Admin PIM Can modify all aspects of Teams. Teams Admins
SharePoint Admin PIM Can modify all aspects of SharePoint, inclusive site content. SharePoint Admins
Billing Admin Static Can purchase and assign licenses.

Setup 🛠️

Before you start

The first thing I always do when I get access to any tenant, is to check out the current role assignment. Sort it based on the assignments and get yourself an overview of how the roles are currently distributed. Review them and use it as a starting point: in Entra > Roles

PIM roles

To start configure PIM, go to Identity Governance > Privileged Identity Management > Roles. Assign the roles to admins according to your individual concept roles table from above.

Roles configuration

Each role can individually be configured with settings around:

  • Activation - Maximum activation duration, activation authorization requirements, justification and approvers

My recommendation: I configure the maximum duration for all roles to 10 hours. For highly privileged like Global Admin, I reduce that timeframe to 1 hour. Approvers is individual, based on your RBAC process.

  • Assignment - Assignment settings

My recommendation: Leave on default, except you want to add roles permanently active, then you need to change this setting.

  • Notifications - Email notifications and recipients on assignment or approval

My recommendation: Set up emails to approvers (if in place) and otherwise send only critical emails only. Read more below on notifications with Microsoft Sentinel.


How to use it 📙

Now assumed from an administrator perspective, you want to enable roles to perform specific privileged tasks. Before you do that, you need to know which role you need for the task. Often, this is mentioned in the documentation of your task (it should be!), but if you don't know, this resource might help you: Entra built-in roles or Azure built-in roles, or when working with Microsoft Graph: Graph permissions reference

As admin, go to Azure Portal > Identity Governance > Privileged Identity Management > My roles

Here you can see all your available roles. Please note the assignment state. The already active assignments are shown in a different tab.

Now, to activate a role, choose the correct, hit "Activate" and provide the justification (required). Optionally:

    • Set a custom activation start time (when the assignment begins)
    • Adjust the duration time
    • Select a scope (tenant level or Administrative Unit)

The assignment process through the systems take a few seconds and the page automatically refresh. (If you are in a different portal, make sure to refresh the site. Sign-out and sign-in again is not needed)

If an approval process is in place, request the role here and wait for it to be approved through the configured personas. (Approval through Azure Portal > Identity Governance > Privileged Identity Management > Approve requests)

You should now have the permissions in the context and see the active role under "Active roles" for your timespan. Later see them in

Audit logs

Find the audit logs of all PIM activities at PIM > (Manage) Microsoft Entra Roles > Resource audit. Click on any record to see more details, including the justification reason.


Bonus 🔮

PIM enabled groups

It is also possible to enabled PIM for groups. That means, you can be an eligible member of a group and activate the assignment for a limited timeframe. (Including all other features of PIM) This is a nice feature, when you assign privileges to groups, e.g., in for Intune custom RBAC roles.

To enable a group for PIM, go to the Group overview > Privileged Identity Management and Enable PIM for this group, after that, you can configure the same settings as for a PIM role.

⚠️
Anytime you assign privileges to a group (with PIM or without) make sure to enable the immutable switch on group creation "Microsoft Entra roles can be assigned to the group". With that, only Privileged Role Admins and Global Admins can make assignments to groups. Otherwise this might cause privilege escalation.

Identity Governance

As PIM is part of Identity Governance, why not make use of the other great features to improve the handling of these hot identities? Use Access reviews to ensure that the role assignments are still needed. With this feature, you are appointed to regularly review your or others assignment to roles. And with Access packages you make a bundle of permissions (now including Entra roles!) to permit access to resources.

Administrative Units

Administrative Units are a virtual container inside of Entra ID. You can either add users or devices to an Administrative Unit as members. Entra ID roles can then be assigned on the scope of that Unit, but not the whole directory including PIM. This allows IT admins to only manage a subset of all users and devices. Read more

Sentinel integration

I advise you to use Sentinel (if in place) to alert and notify on PIM activation anomalies or critical role changes. You should get a NRT (near real-time) alert if a potential event of privilege escalation was detected. Here are the built-in rule templates to use:

Change tracking of roles

It is often hard to keep track on changes made to the built-in roles. Microsoft adjusts these and also adds new roles. To keep track and have a change history, I built an automation, which exports the manifests of roles to a GitHub repo regularly:

GitHub - thenikk/AzureIAMRoles: A repo that contains role definition files for various Azure identity and access management (IAM) role types.
A repo that contains role definition files for various Azure identity and access management (IAM) role types. - thenikk/AzureIAMRoles

powered by Oceanleaf

Oceanleaf
Technology blog on Microsoft Cloud. Learn about cutting edge tech, explained simply & straightforward in quality focused blog posts.
You’ve successfully subscribed to Oceanleaf
Welcome back! You’ve successfully signed in.
Great! You’ve successfully signed up.
Success! Your email is updated.
Your link has expired
Success! Check your email for magic link to sign-in.