Tag Archives: Privileged Identity Management

STEP-BY-STEP GUIDE TO AZURE AD PRIVILEGED IDENTITY MANAGEMENT – PART 2

In my previous post on this series I have explain about azure AD privileged identity management including its features and how to get it enabled. If you not read it yet you can find it using this link.

in this post I am going to show you more of its features and capabilities. 

How to manage privileged roles?

The main point of the identity management is that administrators will have the required privileges when they needed. In part 1 of the post billing administrators and service administrator roles were eligible for the Identity management. So it will remove its permanent permissions which is assigned to role. 

So if you still need to make one of the account permanent administrator let’s see how we can do it. 

Log in to the azure portal as global administrator (it should be associated with relevant AD instance)

Open the azure identity management from portal

idm2-1

Then click on managed privileged roles

idm2-2

In next page it will list down the summary of the roles. Let’s assume we need to make one of the billing administrators “permanent”. To do that click on billing administrators

idm2-3

It will list down the users which is eligible for the role and click on the account you need to make permanent. 

idm2-4

Then click on more in next page and click on option make perm

idm2-5

Once completed its shows as permanent

idm2-6

Same way we can add an administrator to the roles. To do it go to roles, if you need to add new role it can do too. Click on roles on the manage privileges roles page

idm2-10roles

Then click on add

idm2-11roles

Then from roles click on the role you going to add

idm2-12roles

Then under the select users, select the user using search and click on done

idm2-13roles

 

How to activate roles?

Now we have the roles but how we can use them with time bound activation (Just in time administration

Go to the role page again like in previous page. In my demo I am going to use service administrator role

Then click on settings

idm2-7

In next window we can see that option to define the time. Also we can enable notifications so email notification will send to admin in event of role activation. Also option to request ticket or incident number. This is important to justify the privileged access. Also can use the multifactor authentication in activation to make sure the request is legitimate. 

idm2-8

idm2-9

Once you satisfied with settings, click on save to apply. 

Then for the testing I logged in as the security administrator to the azure portal. 

idm2-14

Then go to the privileged identity management page

Click on the service administrator 

idm2-15

Then click on the activate button, to activate the role

idm2-16

According to the settings its asking for ticket number for activation. Once put the information click on ok

idm2-17

Perfect, now its saying when it expires and it also shows the that roles been activated

idm2-18

Now I change the login and logged back as global administrator.

Then if go to privileged management page and click on audit history you can see all the events. 

idm2-19

idm2-20

Hope this series add knowledge about azure AD privileged identity management and if you have any questions feel free to contact me on rebeladm@live.com

Step-by-Step Guide to Azure AD Privileged Identity Management – Part 1

Privileged Identity Management is boarder topic to discuss with. First thing first do not think it as another feature or product from Microsoft. The way I see it as a lot of methodologies, technologies came together and making a new process. I am saying it because with this concept we need to rethink about how current identities been managed in infrastructure. Administrators, users need to change the way they think about the permissions. 

In any infrastructure we have different type of administrators. It can be domain administrators, local administrators, service administrators. If its hybrid setup it may have cloud administrators too. The question is do you have fully control over these accounts and its permissions? do you aware of their activities using these permissions? how do you know it’s not been compromised already? If I say solution is to revoke these administrator privileges yes it will work but problem is how much additional work to restore this permission when needed? and also how practical it is? it’s also have a social impact too, if you walk down to your users and say that I’m going to revoke your admin privileges what will be their response? 

Privileged access management is not a new topic it’s been in industry for long but problem is still not lot considering about it. Microsoft step up and introduce new products, concepts to bring it forward again as this is definitely needed in current infrastructures to address modern threats towards identities. The good thing about this new tools and technologies, its more automated and the user accounts will have the required permissions whenever they needed. In your infrastructure this can achieve using Microsoft identity manager 2016 but need lot more work with new concepts which I will explain in future posts. Microsoft introduce same concept to the azure cloud as well. In this post we going to look in to this new feature. 

Using azure privileged identity management, we can manage, control and monitor the permissions to the azure resources such as azure AD, office 365, intune and SaaS applications. Identity management will help to do following,

Identify the current azure AD administrators your azure subscriptions have

Just-in-Time administration – This is something I really like. Now you can assign administration permissions on demand for period of time. For example, user A can be office 365 administrator for 11am to 12pm. Once the time limit reach system will revoke the administrator privileges automatically

Reports to view the privileged accounts access history and changes in administrator assignments

Alerts when access to privileged role

Azure AD privileged identity management can manage following organizational roles,

Global Administrator – Has access to all administrative features. The person who signs up for the Azure account becomes a global administrator. Only global administrators can assign other administrator roles. There can be more than one global administrator at your company.

Billing Administrator – Makes purchases, manages subscriptions, manages support tickets, and monitors service health.

Service Administrator – Manages service requests and monitors service health.

User Administrator – Resets passwords, monitors service health, and manages user accounts, user groups, and service requests. Some limitations apply to the permissions of a user management administrator. For example, they cannot delete a global administrator or create other administrators. Also, they cannot reset passwords for billing, global, and service administrators.

Password Administrator – Resets passwords, manages service requests, and monitors service health. Password administrators can reset passwords only for users and other password administrators.

Let’s see how to enable azure AD privileged identity management,
Before start make sure you got global administrator privileges to the azure AD directory that you going to enable this feature.
 
1) Log in to the azure portal as global administrator
2) Go to New > Security + Identity > Azure AD privileged identity management 
 
aim1
 
3) Then click on create to start the process
 
aim2
 
4) In first step it will identify the privileged roles exist in current directory. In my demo I have 3 roles. In same page you can view what are these accounts by clicking on each role. After review click on next
 
aim3
 
5) In next window its list which accounts eligible for activate the roles. Select the account you want and click on next
 
aim4
 
6) In next window can review the changes. As per my selection only one account will remain as permanent admin. To complete click on OK
 
aim5
 
7) Once it’s done, you can load the console from the dashboard. 
 
aim6
 
In part 2 of the post I will explain what we can do with it in details. 
If you got any questions feel free to contact me on rebeladm@live.com
 
Reference :  https://azure.microsoft.com/en-us/documentation/articles/active-directory-privileged-identity-management-configure/