Azure AD Privileged Identity Management (PIM) allows organizations to manage, monitor, and audit access to sensitive Azure resources. One of the main features of PIM is the ability to provide just-in-time (JIT) access to Azure AD and Azure resources. As an example, a user can request to be a Global Administrator for 1 hour. Once the user submits the request through the portal, the approver receives a notification. The approver can then review the request and approve or deny it based on the justification given. Once the request is approved, the user holds Global Administrator privileges for one hour; after one hour, the privileges are removed from the user automatically. Instead of individual users, we can also make cloud groups eligible for an Azure AD role assignment. More information about that configuration is available in one of the previous blog posts. So far, we had to manage the members or owners of these privileged cloud groups directly in Azure AD, but now we can provide JIT membership to a privileged group using Azure AD PIM.
Note: To use Azure AD PIM, you need Azure AD Premium P2 licenses. So, make sure you have the relevant license in place before going ahead with this configuration.
In my demo environment, I am going to create a new group called “Temp Administrators”. Then I am going to make it active for the Global Administrator role for 3 months. After that configuration, if a user needs to get Global Admin rights, they need to be part of the “Temp Administrators” group. I plan to show you how we can manage the members of this group using Azure AD PIM.
Create a role-assignable group
As the first step of the configuration, I need to create a cloud group. This group must have the “Azure AD roles can be assigned to the group” option turned on. Otherwise, we can’t assign roles to it.
To do this,
1. Log in to Azure Portal as Global Administrator
2. Search for Azure Active Directory and click on it
3. Go to Groups and click on + New group
4. In the new form, set Group type to Security. Then provide a name and description for the group. Next, set the Azure AD roles can be assigned to the group (Preview) option to Yes. Then click on Create to complete the group setup process
Enable privileged access for a group
The next step of the configuration is to enable privileged access for the newly created group. To do that,
1. Go to Azure Active Directory home page
2. Then go to Groups and click on the group we created in the previous section. On the group properties page, click on Privileged access (preview). Next, click on the Enable privileged access button.
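The same two steps can be scripted with the Microsoft Graph PowerShell SDK, which is also a convenient way to check afterwards which role-assignable groups exist in the tenant and who can add members to them. This is an added example written for this post, not code from the original article or from Microsoft; it assumes the Microsoft.Graph module is installed, the signed-in account is a Global Administrator, and that the beta `privilegedAccess/aadGroups/resources/register` endpoint is the API behind the Enable privileged access button (an assumption on my part; the group name and description are the ones used in the demo above).

```powershell
# Added example (not from the original post): Graph PowerShell equivalent of the portal steps.
Import-Module Microsoft.Graph.Groups

# Creating a role-assignable group needs RoleManagement.ReadWrite.Directory on top of
# Group.ReadWrite.All; onboarding it to PIM needs PrivilegedAccess.ReadWrite.AzureADGroup.
Connect-MgGraph -Scopes 'Group.ReadWrite.All',
                        'RoleManagement.ReadWrite.Directory',
                        'PrivilegedAccess.ReadWrite.AzureADGroup'

# Step 1: security group with "Azure AD roles can be assigned to the group" set to Yes.
# IsAssignableToRole cannot be changed after creation, so it has to be set here.
$group = New-MgGroup -DisplayName 'Temp Administrators' `
    -Description 'JIT membership managed by Azure AD PIM' `
    -MailEnabled:$false -MailNickname 'TempAdministrators' `
    -SecurityEnabled:$true -IsAssignableToRole:$true

# Step 2: enable privileged access for the group (the "Enable privileged access" button).
# Assumption: the beta register endpoint is what that button calls.
Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/beta/privilegedAccess/aadGroups/resources/register' `
    -Body @{ externalId = $group.Id }

# Check: list every role-assignable group with its owners and members. Owners of such a
# group can add members, which is equivalent to granting the role, so review this regularly.
Get-MgGroup -All -Property Id,DisplayName,IsAssignableToRole |
    Where-Object { $_.IsAssignableToRole } |
    ForEach-Object {
        $owners  = Get-MgGroupOwner  -GroupId $_.Id |
                   ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }
        $members = Get-MgGroupMember -GroupId $_.Id |
                   ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }
        [pscustomobject]@{
            Group   = $_.DisplayName
            Owners  = ($owners  -join ', ')
            Members = ($members -join ', ')
        }
    } | Format-Table -AutoSize
```

With PIM in place the Members column should normally be empty outside an active assignment window, so a standing member in this output is worth investigating.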