Just-in-Time administration protects high-privileged accounts from being compromised. Administrators receive their privileges only when they are “required”, which limits the lateral movement an identity attack can achieve with a stolen admin account. Azure AD PIM allows you to create time-based, temporary admin assignments. In this demo I am going to demonstrate how to create time-based admin accounts in Azure using PIM. If you are new to Privileged Identity Management, I highly recommend checking my previous blog post about it. You can access it at http://www.rebeladmin.com/2016/07/step-step-guide-azure-ad-privileged-identity-management-part-1/
In my demo environment I have a user called Isaiah Langer from the finance department. At the end of every month this user runs some reports which require admin privileges. I do not want to make this user a permanent global administrator; I would rather grant these privileges only when they are “required”. Let’s see how we can configure it.
1. Log in to the Azure portal at https://portal.azure.com as a global admin.
2. Click on More Services in the left-hand panel and search for Azure AD PIM.
3. In the first window it asks me to verify my identity with MFA before proceeding. This is because I do not have MFA set up for my account. Click on the Verify my identity option.
4. It then goes through the MFA setup process. Complete the sign-up process to continue.
5. Once the process is completed it will load the PIM page again. Click on Consent to proceed.
6. Then click on Yes to proceed.
7. After the service is initiated, click on Azure AD directory roles.
8. Then click on Sign up to proceed.
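The steps above walk through the portal. As an added example that is not part of the original post, the same time-bound, eligible (not permanent) role assignment can be created from Microsoft Graph PowerShell, which is also useful for auditing what is currently eligible. It assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in account can manage PIM, and that the user display name and role name are the ones from this demo; the justification text and the six-month window are my own choices.

```powershell
# Added example, not from the original post. Requires the Microsoft.Graph PowerShell SDK
# (Install-Module Microsoft.Graph) and an account allowed to manage PIM role assignments.
Connect-MgGraph -Scopes "RoleEligibilitySchedule.ReadWrite.Directory",
                        "RoleManagement.ReadWrite.Directory",
                        "User.Read.All"

# Principal and role from the demo scenario (assumed to exist in the tenant).
$user = Get-MgUser -Filter "displayName eq 'Isaiah Langer'"
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Administrator'"

if (-not $user -or -not $role) {
    throw "User or role definition not found; check the display names used above."
}

# Eligible assignment: the user must still activate the role (with MFA/justification per the
# PIM role settings) each time it is needed, and the eligibility itself expires after six months.
$start = (Get-Date).ToUniversalTime()
$end   = $start.AddMonths(6)

$request = @{
    action           = "adminAssign"
    justification    = "Month-end finance reporting (assumed justification text)"
    roleDefinitionId = $role.Id
    directoryScopeId = "/"            # tenant-wide scope
    principalId      = $user.Id
    scheduleInfo     = @{
        startDateTime = $start.ToString("o")
        expiration    = @{
            type        = "afterDateTime"
            endDateTime = $end.ToString("o")
        }
    }
}

New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $request

# Audit check: list every eligible assignment this principal currently holds, so an
# expired or forgotten eligibility shows up in review rather than being discovered later.
Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter "principalId eq '$($user.Id)'" |
    Select-Object RoleDefinitionId, DirectoryScopeId, Status,
                  @{n='EndDateTime'; e={ $_.ScheduleInfo.Expiration.EndDateTime }}
```

The important design choice is `adminAssign` with an expiring eligibility rather than a permanent active assignment: the user gets nothing standing, has to activate the role when the month-end reports are due, and the eligibility lapses on its own if nobody renews it. Scoping the role to what the reports actually need (a narrower directory role than Global Administrator, where one exists) reduces what an attacker gains from an activated session.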