In any attack on identity infrastructure, attackers go after privileges. The more privileged the account they own, the more damage they can do. A system can have privileged accounts that are used only once a month to perform a single privileged task. In IT systems, we have traditionally assumed that administrators are trustworthy people, so most of the time we do not really worry about what they do with the privileges they have been given. But what if they misuse those permissions? How can we ensure they only do what they are supposed to do? And if a privileged account is compromised, how do we distinguish genuine activity from malicious activity?
Privileged access management in Azure AD and Office 365 answers all of the aforementioned challenges and protects cloud resources from identity attacks. With this solution, users do not have privileges attached to their accounts all the time. Instead, they have to request privileges when they need them, and a workflow attached to the request decides whether to grant them. Once permissions are granted, users can carry out the relevant privileged task. The permissions, however, are not available to the users permanently: they are time-bound, and after the approved period they are removed automatically. In one of my previous blog post series, I demonstrated how to set this up with Azure AD. You can find it here: https://www.rebeladmin.com/2016/07/step-step-guide-azure-ad-privileged-identity-management-part-1/
In this blog post, I am going to demonstrate how to do the same with Office 365.
As the first step, we need to create a group to approve the privileged access requests. If you already have an IT admin/management group, you can
Create Admin Group
1. Log in to Office 365 Admin panel as a global administrator
2. Then go to Groups | Groups
3. Then click on Add a Group
4. In the new group window, select mail-enabled security as the group type, then provide a name for the group. You can also add a description if you like. Finally, click Add to proceed.
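The same approver group, created with Exchange Online PowerShell instead of the admin portal, as an added example that is not part of the original post. The group name, alias and approver addresses are placeholders, and the script assumes the ExchangeOnlineManagement module is installed and you hold a role that can create groups.

```powershell
# Added example (not from the original post): create the approver group for
# Office 365 privileged access management with Exchange Online PowerShell.
# Group name, alias and member addresses below are placeholders.

Connect-ExchangeOnline

$GroupName = 'PAM-Approvers'                                  # placeholder name
$Alias     = 'pam-approvers'                                  # placeholder alias
$Approvers = @('admin1@contoso.com', 'admin2@contoso.com')    # placeholder members

# Reuse an existing group rather than creating a duplicate.
$group = Get-DistributionGroup -Identity $GroupName -ErrorAction SilentlyContinue

if (-not $group) {
    # -Type Security creates a mail-enabled *security* group, which is what the
    # privileged access policy needs; the default type would be a plain
    # distribution list that cannot be used for approval.
    $group = New-DistributionGroup -Name $GroupName -Alias $Alias -Type Security `
        -Notes 'Approves Office 365 privileged access requests'
}

# Verify that the group really is a mail-enabled security group before relying on it.
if ($group.RecipientTypeDetails -ne 'MailUniversalSecurityGroup') {
    throw "$GroupName exists but is of type $($group.RecipientTypeDetails); the approver group must be a mail-enabled security group."
}

# Add approvers that are not already members, so re-running the script is safe.
$current = Get-DistributionGroupMember -Identity $GroupName |
    Select-Object -ExpandProperty PrimarySmtpAddress
foreach ($member in $Approvers) {
    if ($current -notcontains $member) {
        Add-DistributionGroupMember -Identity $GroupName -Member $member
    }
}

# Final membership, for the change record.
Get-DistributionGroupMember -Identity $GroupName | Select-Object Name, PrimarySmtpAddress
```

Keep the approver list small and reviewed: anyone in this group can approve another administrator's elevation, so its membership is itself privileged.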