Permission control with Azure AD PIM

Azure AD PIM (Privileged Identity Management) allows privileged roles in Azure AD and in Azure resources to be managed in a controlled, auditable way. Instead of administrators holding standing privileges, roles are granted for a limited time and have to be activated when they are actually needed, so an attacker or a malicious insider who takes over an account finds far fewer usable permissions on it.  

The functionalities of Azure AD PIM include:  

• “Just-in-time” privileged access to Azure AD and Azure resources  

• Time-bound assignments: access to a privileged role only within a specified start and end date  

• Approval required to activate a role  

• Multi-factor authentication enforced on activation  

• Business justification required for activation  

• Notifications when a privileged role is activated  

• Access reviews of role assignments  

• History of assignments and activations for auditing  

• A safeguard that prevents removing the last active Global Administrator or Privileged Role Administrator assignment, so the tenant cannot lock itself out  

PIM requires an Azure AD Premium P2 license for the users it manages.  

Why Privileged Identity Management?

In today’s dynamic IT environment, data is a crucial asset for every organization, and protecting access to sensitive data should be a priority. As the number of users and permissions grows, managing access and privileged roles becomes more complex. Administrative and privileged accounts deserve particular protection, because they can read and change large amounts of sensitive data and configuration. An administrator’s identity and its high-level permissions are therefore a prime target for anyone who wants to harm the organization: a single phished or token-stolen admin account with standing privileges gives the attacker everything at once. The environment should therefore be secured according to the principle of least privilege, with privileged roles held only when needed and only for as long as needed.  

Access Management in PIM

PIM can manage role assignments for:  

  • Users 
  • Groups 
  • Service principals 

Only users (directly or through a group membership) can activate an eligible assignment. A service principal cannot go through an activation flow, so where PIM supports service principals they receive active, time-bound assignments rather than just-in-time access.  

Depending on how granular the permissions should be, PIM allows a scope (labelled “Scope type” in the portal) to be specified in addition to the role:  

  • Azure AD Roles 
    • Directory 
    • Administrative Unit 
    • Application 
    • Service Principal 
  • Azure AD Groups
    • Owner 
    • Member 
  • Azure resources 
    • Management Group 
    • Subscription 
    • Resource Group 
    • Resource 

Types of assignments:

• Eligible – the user must activate the role before using it. Depending on the role settings, activation may require MFA, a business justification, or approval from designated approvers, and the activation itself lasts only for a limited time.  

• Active – no activation is required; the role is in effect for the whole assignment period. Active assignments should be the exception, because every permanent active assignment is standing privilege that a compromised account can use immediately.  

Role assignments can also be time-limited: the settings allow a time interval (start and end date) to be defined for the assignment. Let’s follow the process of assigning the “Application Administrator” role to one of the IT department employees for the next week. Their task is to make changes to the organization’s applications. A new role assignment is created in PIM > Azure AD roles > Roles using the “Add assignments” button. 

In the “Select role” window, we select the “Application Administrator” role. As the scope type we leave “Directory”, because we do not want to limit administrative access to specific applications (if the employee only needed to manage one application, the “Application” scope type would be the least-privilege choice). 

The “Next” button takes us to the assignment settings. We choose the Eligible assignment type (we want the user to activate the role before using it) and set the start and end dates, in this case one week apart. Click “Assign”. 

In PIM > Azure AD roles > Settings we customize, per role, the activation requirements (maximum activation duration, MFA, justification, approval and the list of approvers), the assignment rules (whether permanent eligible or permanent active assignments are allowed at all) and who is notified about assignments and activations. 

Assignments can be viewed and managed in the “Assignments” tab. 
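The same one-week eligible assignment, and the employee’s later activation of it, can be scripted with the Microsoft Graph PowerShell SDK. The following is an added example, not code from the original article or from Microsoft: the user principal name, the justification texts and the four-hour activation duration are assumed placeholders, and the role is resolved by display name so that no role template ID is hard-coded.

```powershell
# Added example (not from the original article). Requires the Microsoft.Graph
# PowerShell SDK. The UPN, justifications and durations below are assumed values.
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Identity.Governance

# ---- Step 1, run by a Privileged Role Administrator: one-week eligible assignment ----
Connect-MgGraph -Scopes "User.Read.All","RoleManagement.ReadWrite.Directory"

$userUpn = "it.employee@contoso.example"          # assumed placeholder
$user    = Get-MgUser -UserId $userUpn

# Resolve the role by name rather than hard-coding its template ID.
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Application Administrator'"

$start = (Get-Date).ToUniversalTime()
$eligibility = @{
    Action           = "adminAssign"
    Justification    = "Application changes scheduled for next week"   # assumed text
    RoleDefinitionId = $role.Id
    DirectoryScopeId = "/"          # scope type Directory: the whole tenant, as in the walkthrough
    PrincipalId      = $user.Id
    ScheduleInfo     = @{
        StartDateTime = $start
        Expiration    = @{
            Type        = "afterDateTime"
            EndDateTime = $start.AddDays(7)    # assignment window of seven days
        }
    }
}
$req = New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $eligibility
"Eligibility request {0} has status {1}" -f $req.Id, $req.Status

# ---- Step 2, run by the employee in their own session: activate the eligible role ----
# PIM applies the role settings at this point (MFA, justification, approval). If the role
# requires approval, the request stays pending until an approver acts on it.
Connect-MgGraph -Scopes "RoleAssignmentSchedule.ReadWrite.Directory"
$me   = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/me?`$select=id"
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Application Administrator'"

$activation = @{
    Action           = "selfActivate"
    Justification    = "Updating redirect URIs for the HR application"   # assumed text
    RoleDefinitionId = $role.Id
    DirectoryScopeId = "/"
    PrincipalId      = $me.id
    ScheduleInfo     = @{
        StartDateTime = (Get-Date).ToUniversalTime()
        # Activation length; PIM rejects it if it exceeds the role's maximum activation duration.
        Expiration    = @{ Type = "afterDuration"; Duration = "PT4H" }
    }
}
$act = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $activation
"Activation request {0} has status {1}" -f $act.Id, $act.Status
```

Step 1 needs a caller who holds the Privileged Role Administrator or Global Administrator role; step 2 deliberately runs under the employee’s own identity, because the `selfActivate` action and the MFA prompt are tied to the activating user. The activation expires on its own after the requested duration, so nobody has to remember to remove the permission afterwards.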

Access reviews 

“Access Reviews” is a tool for periodic reviews that identify and remove permissions that are no longer needed, which minimizes the risk of unauthorized access through forgotten assignments. The decisions made in a review are recorded in Azure AD PIM, so permission changes can be audited and monitored. If inappropriate permissions are found, administrators can quickly take corrective action, such as removing or restricting a user’s assignment. At the time of writing, the “Access Reviews” option is available for Azure AD roles and Azure resources but not for Azure AD groups.  
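Before scheduling a review it helps to know what it is likely to find. The following added example (not code from the original article or from Microsoft) uses the Microsoft Graph PowerShell SDK to list the current Azure AD role assignment instances and flags permanent active (“standing”) assignments of a few highly privileged roles, which are the first candidates for conversion to eligible or time-bound assignments. The list of roles in `$watchRoles` is an assumption; adjust it to your tenant.

```powershell
# Added example (not from the original article). Requires the Microsoft.Graph PowerShell SDK.
Import-Module Microsoft.Graph.Identity.Governance
Import-Module Microsoft.Graph.DirectoryObjects

Connect-MgGraph -Scopes "RoleManagement.Read.Directory","Directory.Read.All"

# Roles whose standing assignments we want to surface; assumed list, extend as needed.
$watchRoles = @(
    "Global Administrator",
    "Privileged Role Administrator",
    "Application Administrator",
    "Cloud Application Administrator"
)

# Map role definition IDs to display names once.
$roleName = @{}
foreach ($rd in Get-MgRoleManagementDirectoryRoleDefinition -All) { $roleName[$rd.Id] = $rd.DisplayName }

# Resolve principal IDs (users, groups, service principals) to readable names, with a cache.
$principalCache = @{}
function Resolve-PrincipalName([string]$id) {
    if (-not $principalCache.ContainsKey($id)) {
        $name = $id
        $obj  = Get-MgDirectoryObject -DirectoryObjectId $id -ErrorAction SilentlyContinue
        if ($obj) {
            $props = $obj.AdditionalProperties
            if ($props["userPrincipalName"]) { $name = $props["userPrincipalName"] }
            elseif ($props["displayName"])   { $name = $props["displayName"] }
        }
        $principalCache[$id] = $name
    }
    $principalCache[$id]
}

# Active assignment instances. AssignmentType is "Assigned" for direct active assignments
# (made in PIM or outside it) and "Activated" for assignments produced by a PIM activation.
# An "Assigned" instance without an EndDateTime is a permanent standing privilege.
$active = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -All

$standing = foreach ($a in $active) {
    $name = $roleName[$a.RoleDefinitionId]
    if (($watchRoles -contains $name) -and ($a.AssignmentType -eq "Assigned") -and (-not $a.EndDateTime)) {
        [pscustomobject]@{
            Role       = $name
            Principal  = Resolve-PrincipalName $a.PrincipalId
            Scope      = $a.DirectoryScopeId        # "/" means the whole directory
            MemberType = $a.MemberType              # Direct, or Group when inherited via a group
            Since      = $a.StartDateTime
        }
    }
}

# Eligible assignments per watched role, to complete the picture.
$eligible = Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -All |
    Where-Object { $watchRoles -contains $roleName[$_.RoleDefinitionId] } |
    Group-Object { $roleName[$_.RoleDefinitionId] } |
    Select-Object Name, Count

"Permanent active assignments of watched roles (candidates for eligible or time-bound assignments):"
$standing | Sort-Object Role, Principal | Format-Table -AutoSize
"Eligible assignments per watched role:"
$eligible | Format-Table -AutoSize
```

Assignments made outside PIM (for example directly in Azure AD > Roles and administrators) also appear here as “Assigned” instances without an end date, which is exactly why such a listing is worth running before the first access review: the review can only remove what it is pointed at, and this shows where the standing privilege actually is.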

Let’s create an example access review for the “Application Administrator” role (PIM > Azure AD Roles > Access Reviews > New). 

Reviews can be customized to suit specific needs. In this case, a two-day review that recurs weekly has been configured. It applies to all users and groups and to all types of assignments. Once a review completes, its results page lists each reviewed assignment together with the reviewer’s decision and whether that decision has been applied. 

Summary 

Azure Privileged Identity Management (PIM) is an important tool offered by the Microsoft Azure platform. It enables effective management of roles and permissions and limits the damage an identity takeover can do, because a compromised account holds few, if any, standing privileges and every activation is logged, notified and time-limited. With PIM, your permissions will be organized and transparent. It is definitely a solution worth trying! 



