Deploying Privileged Identity Management for Azure Roles

Author: Tom Senior (tom@tomsenior.net, LinkedIn: tom-senior)

Overview

I recently came across a scenario that was ideal for implementing Privileged Identity Management with Azure roles, so let's get into it.

What is PIM?

Privileged Identity Management (PIM) is a feature of Microsoft Entra ID that gives us more control when assigning privileged permissions (the Global Administrator role, for example). PIM can be set up so that the required privilege is requested and approved only when that permission is needed, then removed once it is no longer required. We can also require MFA to activate the privilege and get notifications when a privilege is activated.

With PIM we can manage access to both Microsoft Entra roles and Azure resource roles. We can also add PIM assignments to security groups and Microsoft 365 groups, but that's a story for another day.

My Scenario

Alright, let me give my scenario. We have an Azure Cosmos DB instance that stores information for a SaaS tool. For compliance and security reasons, write access to Cosmos DB has to be kept to the bare minimum, ideally with no permanent write access. Jenny, our Software Engineer, gets called out because of a major incident that she investigates. She establishes that she needs to make a change to the Cosmos DB instance to resolve the problem.

We are going to set up PIM and allow Jenny to request privilege on Cosmos DB using the Cosmos DB Operator role. This role gives access to manage a specific instance of Cosmos DB but not the data within it. We'll require Jenny to justify the request and have a Senior Engineer approve it.

Setting up PIM

Prerequisites

You'll need a couple of items to set up Privileged Identity Management:

  • Subscription Administrator, resource Owner or resource User Access Administrator over the Azure resource (in our case Cosmos DB)
  • A Microsoft Entra ID P2 licence for each user involved (1 for Jenny the requester and 1 for the approver)

In the Entra Admin Center head to Identity governance, then Privileged Identity Management, and select Azure resources. Here we can select the management group, subscription, resource group or even the specific resource if required.

[Screenshot: Azure resources in PIM, Manage resource screen]

Hit Manage resource.

Role settings

Before setting up the assignments for our PIM we need to configure the role so that it becomes a role that requires approval. We can also set how long the assignment is active for.

On the left under Manage hit Settings. Here you can select the role you are going to use, and we'll configure the settings for it. You can also configure settings for custom roles you have created in Azure. In our case I'll select Cosmos DB Operator and hit Edit at the top.

[Screenshot: Azure role settings for PIM]

Under Activation maximum duration you can set how long you want the role to be active for. We'll also tick the box to require justification, so Jenny has to give a reason why she is activating the role. You can also require a ticket number reference, MFA or a conditional access policy on activation.

Then click Next. We want this assignment to be permanently available for Jenny, so we'll tick Allow permanent role assignment. We can also configure options for an Active assignment here too if we want.

[Screenshot: Azure role assignment settings for PIM]

Hit Next. Here you can set up notifications for when members are added as eligible or active. You can also set up notifications for when eligible members activate the role.

[Screenshot: Azure role notification settings for PIM]

Then hit Update and that's our role configured.

Add PIM Assignments

Now, on the left-hand pane, head to Assignments and click Add assignments.

Select the role you've just configured, in my case Cosmos DB Contributor. Then select the members you want to be eligible for that role (the users you want to allow to request it) and hit Next.

[Screenshot: Add Azure role PIM assignments]

Our assignment type is Eligible. This means they don't get the role; they can request it when required. If they need the role for day-to-day work you can select Active, and this will assign the role to them.

You can either select a start and end time for eligibility or, like I've done, set it to permanently eligible. When you're setting a start and end time, the maximum duration is 1 year for eligible and 5 years for active assignments. If you don't see the permanently eligible check box, you might need to go back and check the role settings. Click Assign and you will see the user's role appear under Eligible Assignments.

[Screenshot: Azure role PIM assignment settings]

That's our PIM assignment all configured!

Requesting access

Requesting access to an eligible Azure role can be done in the Azure Portal under Identity Governance > PIM > My Roles > Azure Resources.

Here you'll see a list of all the roles you're eligible for. Click Activate when you want to activate the role.

[Screenshot: Activating an Azure role in PIM]

If you've set your role to require approval, the approver can go to Identity Governance > PIM > Approve Requests > Azure Resources and approve the request.
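The same two steps the portal walkthrough performs, adding the eligible assignment and then requesting activation, can be scripted against the Azure resource PIM REST API with Azure CLI. This is an added example and not code from the original post; the scope, object IDs, duration, justification text and `PIM_SUBMIT` switch are constructed placeholders, and only the two body-building functions run without an Azure login.

```shell
# Added example, not from the original post: the eligible assignment and the activation
# request that the portal steps above perform, sent with Azure CLI `az rest` to the ARM
# PIM API (api-version 2020-10-01). Scope, object IDs, durations, justification text
# and the PIM_SUBMIT switch are constructed placeholders for this walkthrough.
set -eu
API_VERSION="2020-10-01"
# Resolve a built-in role's definition ID by name (needs `az login`; not an offline step).
role_definition_id() {
  az role definition list --name "$1" --query "[0].id" -o tsv
}

# Body for an *eligible* assignment (AdminAssign): the user can request the role but does
# not hold it. NoExpiration corresponds to "permanently eligible" in the portal.
# $1=principal object ID  $2=roleDefinitionId  $3=justification  $4=start time (UTC)
eligibility_body() {
  cat <<EOF
{"properties":{"principalId":"$1","roleDefinitionId":"$2","requestType":"AdminAssign",
"justification":"$3","scheduleInfo":{"startDateTime":"$4","expiration":{"type":"NoExpiration"}}}}
EOF
}

# Body for the requester's self-activation (SelfActivate): time-boxed by an ISO 8601
# duration that must not exceed the role's Activation maximum duration, and carrying the
# justification the role settings demand. Approval, if configured, still gates it.
# $1=principal object ID  $2=roleDefinitionId  $3=duration (e.g. PT4H)  $4=justification
activation_body() {
  cat <<EOF
{"properties":{"principalId":"$1","roleDefinitionId":"$2","requestType":"SelfActivate",
"justification":"$4","scheduleInfo":{"expiration":{"type":"AfterDuration","duration":"$3"}}}}
EOF
}

# PUT a schedule request at the resource scope; each request is named with a fresh GUID.
# $1=scope  $2=roleEligibilityScheduleRequests|roleAssignmentScheduleRequests  $3=body
submit_request() {
  name=$(uuidgen 2>/dev/null || cat /proc/sys/kernel/random/uuid)
  az rest --method put --body "$3" \
    --url "https://management.azure.com$1/providers/Microsoft.Authorization/$2/$name?api-version=$API_VERSION"
}
# Only contact Azure when asked explicitly, so the body builders can be used on their own.
if [ "${PIM_SUBMIT:-0}" = "1" ]; then
  SCOPE="/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.DocumentDB/databaseAccounts/<account>"
  ROLE_ID=$(role_definition_id "Cosmos DB Operator")
  # Admin step: make Jenny eligible, permanently (placeholder object ID).
  submit_request "$SCOPE" roleEligibilityScheduleRequests "$(eligibility_body "<jenny-object-id>" \
    "$ROLE_ID" "On-call access for Cosmos DB incidents" "$(date -u +%Y-%m-%dT%H:%M:%SZ)")"
  # Requester step, run as Jenny: 4 hours with a justification; the approver then approves in PIM.
  submit_request "$SCOPE" roleAssignmentScheduleRequests "$(activation_body "<jenny-object-id>" \
    "$ROLE_ID" "PT4H" "INC-1234: fix config on the production Cosmos DB account")"
fi
```

Run with `PIM_SUBMIT=1` after `az login` to actually submit; the activation request is rejected by the service if the duration exceeds the role's Activation maximum duration or the justification is missing when the role settings require one.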

That's it, we've set up Microsoft Entra PIM for an Azure role, and Jenny can now get the access she needs when she needs it and resolve our major incident!

Thanks for reading. Any questions or feedback: Twitter, LinkedIn or Email.