Protecting privileged access with PIM (Privileged Identity Management)

04/15/2024

This technical and educational article aims to guide security analysts, IT administrators, and systems engineers in implementing and managing Privileged Identity Management (PIM) in Microsoft Entra ID (formerly Azure Active Directory). PIM is a service for managing, controlling and monitoring access to important resources in your organization. It provides Just-In-Time (JIT), Just-Enough-Access (JEA) elevation to privileged roles, minimizing the risk of privilege misuse [1].

Introduction

Accounts with administrative privileges are prime targets for cyberattacks, as their compromise can lead to complete control over an organization's systems and data. The traditional security model, where privileged accounts are permanently assigned, increases the attack surface and the risk of lateral movement by attackers. PIM addresses this challenge by introducing the concept of "just-in-time" (JIT) and "just-enough-access" (JEA) access, ensuring that users have elevated privileges only when necessary and for the strictly required time [2].

This practical guide will cover PIM configuration in Microsoft Entra ID, from activating the service to assigning eligibility for roles, configuring activation policies, and the process of activating a privileged role. Step-by-step instructions, practical examples, and validation methods will be provided so that the reader can implement and strengthen privileged access security in their Microsoft environment, reducing risk exposure and ensuring compliance.

Why is Privileged Identity Management crucial?

  • Attack Surface Reduction: Minimizes the time that privileged accounts remain active, reducing opportunities for attackers.
  • JIT/JEA Access: Grants temporary access with least privileges, in line with Zero Trust principles.
  • Visibility and Auditing: Provides detailed logs of every privileged role activation, facilitating auditing and compliance.
  • Approval Flow: Allows you to require approval for the activation of critical functions, adding an extra layer of security.
  • Access Reviews: Facilitates periodic access reviews to ensure that privileges granted are still appropriate.

Prerequisites

To implement Privileged Identity Management (PIM), you will need the following items:

  1. Licensing: A Microsoft Entra ID P2 license (formerly Azure AD Premium P2). PIM is a P2 feature and is not available in the Free or P1 tiers [3].
  2. Administrative Access: An account holding the Global Administrator or Privileged Role Administrator role in Microsoft Entra ID to configure PIM.
  3. Users and Groups: Users and/or security groups on Microsoft Entra ID that will require privileged access.

Step by Step: Configuring and Using PIM

We will configure PIM for a critical administrative role, such as Global Administrator, and demonstrate the activation process.

1. Activating PIM on Microsoft Entra ID

If PIM is not already active in your tenant, you will need to activate it.

  1. Access the Microsoft Entra admin center portal: https://entra.microsoft.com.
  2. In the left navigation pane, select Identity Governance > Privileged Identity Management.
  3. If this is your first time, you will see an option to Enable PIM. Click on it.

2. Assigning Eligibility for a Role

First, let's make a user eligible for the Global Administrator role.

  1. In the PIM left navigation pane, select Microsoft Entra roles > Roles.
  2. In the list of roles, look for Global Administrator and click on it.
  3. On the Global Administrator role page, click Add assignments.
  4. On the Add assignments page, under Select member(s), click the link to open the member picker.
  5. Search for and select the user(s) or group(s) you want to make eligible for this role. Click Select, then Next.
  6. Under Assignment type, select Eligible.
  7. By default the eligibility is marked Permanently eligible. You can clear that option and set a start and end date for the eligibility instead. For highly privileged roles, permanent eligibility should be avoided; for this demonstration it can be left as is.
  8. Click Assign.
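The same eligibility assignment can be made from the command line, which is what you will want for repeatable onboarding or for auditing what the portal did. The following is an added example written for this article with the Microsoft Graph PowerShell SDK, not code from the original page or from Microsoft. It assumes the Microsoft.Graph module is installed, that you sign in as a Privileged Role Administrator, and that the UPN and justification text are placeholders. It deliberately creates a time-bound (90-day) eligibility rather than a permanent one.

```powershell
# Added example: make a user eligible for Global Administrator for 90 days
# (not permanently) with Microsoft Graph PowerShell. Placeholder UPN below.
Import-Module Microsoft.Graph.Identity.Governance
Import-Module Microsoft.Graph.Users
Connect-MgGraph -Scopes "RoleEligibilitySchedule.ReadWrite.Directory",
                        "RoleManagement.Read.Directory", "User.Read.All"

$userUpn = "alice.admin@contoso.com"   # placeholder principal
$user    = Get-MgUser -UserId $userUpn -Property Id,UserPrincipalName

# Resolve the role by display name instead of hard-coding its template ID.
$role = Get-MgRoleManagementDirectoryRoleDefinition `
            -Filter "displayName eq 'Global Administrator'"

$body = @{
    action           = "adminAssign"        # an administrator grants eligibility
    justification    = "Tier-0 operator; JIT access only, reviewed quarterly"
    roleDefinitionId = $role.Id
    directoryScopeId = "/"                  # tenant-wide scope
    principalId      = $user.Id
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString("o")
        expiration    = @{
            type     = "afterDuration"      # never "noExpiration" for this role
            duration = "P90D"               # ISO 8601: eligibility lasts 90 days
        }
    }
}

$request = New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $body
"Eligibility request {0} status: {1}" -f $request.Id, $request.Status

# Read back: the user must now be eligible (not active) for the role,
# and the eligibility must carry an end date.
Get-MgRoleManagementDirectoryRoleEligibilitySchedule `
    -Filter "principalId eq '$($user.Id)' and roleDefinitionId eq '$($role.Id)'" |
    Select-Object Id, Status,
        @{ n = 'EligibleUntil'; e = { $_.ScheduleInfo.Expiration.EndDateTime } }
```

If the read-back shows an empty EligibleUntil, the eligibility was created as permanent; re-run with an explicit duration or fix it in the portal.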

3. Configuring Role Settings

Role settings control how eligible users can activate their privileges.

  1. In the PIM left navigation pane, select Microsoft Entra roles > Settings.
  2. In the list of roles, search for Global Administrator and click Edit.
  3. In the Activation section:
    • Maximum activation duration: Define the maximum time a user can hold the role active (e.g. 4 hours). A short period is recommended.
    • Require multi-factor authentication on activation: Check this option. Highly recommended for all privileged roles.
    • Require justification on activation: Check this option. Users will have to give a reason for each activation.
    • Require approval to activate: Check this option to add an approval flow. Click Select approvers and add one or more users or groups who can approve activation requests.
  4. In the Assignment section:
    • Allow permanent eligible assignment: For Global Administrator, consider disabling this option so that every eligibility expires and has to be renewed deliberately.
  5. In the Notification section:
    • Configure who should be notified when the role is activated.
  6. Click Update to save the settings.
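Role settings are stored as rules of a role management policy, so the same hardening can be applied and verified with a script, which is useful when you need identical settings on several tenants or roles. The block below is an added example for this article using the Microsoft Graph PowerShell SDK (not the article's own or Microsoft's code). It assumes the signed-in account may update role management policies, and the approver UPN is a placeholder. The rule IDs (Expiration_EndUser_Assignment and so on) are the fixed names Microsoft Graph uses for these settings.

```powershell
# Added example: harden Global Administrator PIM settings via Microsoft Graph PowerShell:
# 4h max activation, MFA + justification, approval by a named approver, no permanent
# eligibility. The approver UPN is a placeholder.
Import-Module Microsoft.Graph.Identity.Governance
Import-Module Microsoft.Graph.Users
Connect-MgGraph -Scopes "RoleManagementPolicy.ReadWrite.Directory",
                        "RoleManagement.Read.Directory", "User.Read.All"

$role     = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Administrator'"
$approver = Get-MgUser -UserId "security.lead@contoso.com"   # placeholder approver

# Every Entra role at tenant scope has exactly one policy assignment; fetch its policy.
$policyAssignment = Get-MgPolicyRoleManagementPolicyAssignment `
    -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$($role.Id)'"
$policyId = $policyAssignment.PolicyId

$endUserTarget = @{ caller = "EndUser"; operations = @("All"); level = "Assignment" }
$adminTarget   = @{ caller = "Admin";   operations = @("All"); level = "Eligibility" }

$rules = @{
    # Activation: cap the active window at 4 hours.
    "Expiration_EndUser_Assignment" = @{
        "@odata.type"        = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"
        id                   = "Expiration_EndUser_Assignment"
        target               = $endUserTarget
        isExpirationRequired = $true
        maximumDuration      = "PT4H"
    }
    # Activation: require MFA and a justification on every activation.
    "Enablement_EndUser_Assignment" = @{
        "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule"
        id            = "Enablement_EndUser_Assignment"
        target        = $endUserTarget
        enabledRules  = @("MultiFactorAuthentication", "Justification")
    }
    # Activation: require a second person to approve.
    "Approval_EndUser_Assignment" = @{
        "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule"
        id            = "Approval_EndUser_Assignment"
        target        = $endUserTarget
        setting       = @{
            isApprovalRequired = $true
            approvalMode       = "SingleStage"
            approvalStages     = @(@{
                approvalStageTimeOutInDays      = 1
                isApproverJustificationRequired = $true
                escalationTimeInMinutes         = 0
                isEscalationEnabled             = $false
                primaryApprovers                = @(@{
                    "@odata.type" = "#microsoft.graph.singleUser"
                    userId        = $approver.Id
                })
            })
        }
    }
    # Assignment: eligibility must expire (at most one year); no permanent eligibility.
    "Expiration_Admin_Eligibility" = @{
        "@odata.type"        = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"
        id                   = "Expiration_Admin_Eligibility"
        target               = $adminTarget
        isExpirationRequired = $true
        maximumDuration      = "P365D"
    }
}

foreach ($ruleId in $rules.Keys) {
    Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
        -UnifiedRoleManagementPolicyRuleId $ruleId -BodyParameter $rules[$ruleId] | Out-Null
    "Updated rule $ruleId"
}

# Verify: re-read the rules that were changed.
Get-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId |
    Where-Object Id -In $rules.Keys | Select-Object Id
```

Run the verification step on its own after any portal change as well; the policy is the source of truth, and drift between what the portal shows and what the policy contains is the first thing to rule out when an activation behaves unexpectedly.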

4. Activating a Privileged Role (User Experience)

Now, let's demonstrate how an eligible user activates the Global Administrator role.

  1. Eligible user accesses the Microsoft Entra admin center portal: https://entra.microsoft.com.
  2. Navigate to Identity Governance > Privileged Identity Management.
  3. In the left navigation pane, select My roles > Microsoft Entra roles.
  4. In the Eligible roles tab, the user will see the Global Administrator role.
  5. Click Activate next to the Global Administrator role.
  6. In the activation window:
    • Duration: The user can specify the activation duration (limited by the maximum duration defined in the role settings).
    • Reason: The user must provide a justification for the activation (e.g. Perform maintenance on server X).
    • (If configured) Additional verification: The user may be prompted to complete an MFA challenge before the request is submitted.
  7. Click Activate.
  8. If approval is required, the request is sent to the approvers and the user sees the status Pending approval.
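Activation can also be requested without the portal, for example from an operator's runbook, and the request status then tells you whether the role is already active or waiting on an approver, which is the same information as the Active roles check described later under Validation. The following is an added example for this article using the Microsoft Graph PowerShell SDK, not code from the original page; it runs as the eligible user, not as an administrator, and the justification text is a placeholder.

```powershell
# Added example: an eligible user self-activates Global Administrator for 2 hours via
# Microsoft Graph PowerShell and checks the outcome. Runs as the eligible user.
Import-Module Microsoft.Graph.Identity.Governance
Connect-MgGraph -Scopes "RoleAssignmentSchedule.ReadWrite.Directory",
                        "RoleManagement.Read.Directory", "User.Read"

# The signed-in user's object ID, taken from /me so no directory-wide read is needed.
$meId = (Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/me").id
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Administrator'"

$body = @{
    action           = "selfActivate"
    principalId      = $meId
    roleDefinitionId = $role.Id
    directoryScopeId = "/"
    justification    = "INC-1234: reset MFA for locked-out finance user"   # placeholder ticket
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString("o")
        # Must not exceed the role's maximum activation duration, or the request is rejected.
        expiration    = @{ type = "afterDuration"; duration = "PT2H" }
    }
}

# If the role requires MFA and this session has not satisfied it, the request fails
# with an MFA-related error: re-authenticate with Connect-MgGraph and retry.
$req = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $body

# "PendingApproval" means an approver must act; "Provisioned" means the role is active.
"Activation request {0}: {1}" -f $req.Id, $req.Status

# Equivalent of the portal's Active roles tab: what is active for me right now?
Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance `
    -Filter "principalId eq '$meId' and roleDefinitionId eq '$($role.Id)'" |
    Select-Object AssignmentType, StartDateTime, EndDateTime
```

An instance with AssignmentType Activated and a populated EndDateTime is a JIT activation that will expire on its own; an instance with AssignmentType Assigned and no EndDateTime is a permanent assignment that PIM is not controlling.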

5. Approving an Activation Request (Approver Experience)

A designated approver will receive a notification (via email or in the PIM portal) about the activation request.

  1. The approver accesses the Microsoft Entra admin center portal: https://entra.microsoft.com.
  2. Navigate to Identity Governance > Privileged Identity Management.
  3. In the left navigation pane, select Approve requests.
  4. The approver will see the pending request. Click on it to see details.
  5. The approver can Approve or Deny the request, providing a justification.

  6. After approval, the requesting user will have the active role for the specified period.

Validation and Testing

Validating your PIM implementation is crucial to ensuring that privileged access controls are working as expected.

1. Checking Activation Status

  1. After activation (and approval, if applicable), the user returns to the My roles > Microsoft Entra roles page in PIM.
  2. In the Active roles tab, the Global Administrator role should appear with the status Active and the remaining time.

2. Testing Elevated Privilege Access

  1. With the role active, the user should try to perform an action that requires Global Administrator (e.g. create a new user in Microsoft Entra ID).
  2. The action should succeed.

3. Checking PIM Audit Logs

  1. In the PIM left navigation pane, select Audit > Microsoft Entra Role Audit.
  2. Filter the logs to see role activations, approvals, and other PIM-related activities. This provides a complete record of who activated which role, when, for how long, and with what justification.
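For recurring review it is more practical to pull the PIM events from the Entra audit log programmatically than to filter them in the portal. The block below is an added example for this article using the Microsoft Graph PowerShell SDK (not code from the original page); it assumes an account with permission to read audit logs and reports the last seven days of PIM activation events with actor, role, result and the justification the user entered.

```powershell
# Added example: list PIM role activations from the Entra audit log for the last 7 days.
Import-Module Microsoft.Graph.Reports
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

$since  = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
# PIM writes its events with loggedByService = 'PIM'; filter server-side on that and on time.
$filter = "loggedByService eq 'PIM' and activityDateTime ge $since"

Get-MgAuditLogDirectoryAudit -Filter $filter -All |
    # Activation events are named "... (PIM activation)"; requests, completions and
    # approvals all match, so the Result column separates them.
    Where-Object { $_.ActivityDisplayName -like "*PIM activation*" } |
    ForEach-Object {
        # Target resources include the user and the role; pick the one of type 'Role'.
        $roleName = ($_.TargetResources | Where-Object Type -eq 'Role').DisplayName
        [pscustomobject]@{
            When          = $_.ActivityDateTime
            Activity      = $_.ActivityDisplayName   # e.g. "Add member to role completed (PIM activation)"
            Actor         = $_.InitiatedBy.User.UserPrincipalName
            Role          = $roleName
            Result        = $_.Result                # success / failure
            Justification = $_.ResultReason          # PIM records the user's justification here
        }
    } | Sort-Object When -Descending | Format-Table -AutoSize
```

Activations whose Actor is not on your eligibility list, or whose justification does not reference a ticket or change record, are the entries to follow up on first.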

4. Testing Activation Expiration

After the activation period expires, the user must automatically lose the elevated privileges. Try performing the privileged action again; it must now fail.

Security Tips and Best Practices

  • Principle of Least Privilege: Assign only the roles necessary for a user to perform their tasks. Avoid assigning Global Administrator if a less privileged role would suffice.
  • Eligibility Assignment vs. Active Assignment: Whenever possible, use Eligible rather than permanent Active assignments for privileged roles.
  • MFA Mandatory: Always require MFA to activate privileged roles. This adds a critical layer of security.
  • Required Justification: Require users to provide a justification for each activation. This helps with auditing and understanding the purpose of access.
  • Approval Flows: For critical roles, configure approval flows so that activations are reviewed and authorized by someone other than the requester.
  • Access Reviews: Schedule regular access reviews in PIM to ensure eligibility for privileged roles is still appropriate and remove unnecessary assignments.
  • Notifications: Configure notifications for administrators when privileged roles are activated or suspicious activity occurs.
  • Integration with Conditional Access: Use Conditional Access to enforce additional policies when activating PIM roles (e.g., requiring activation from a compliant device or a trusted network location).

Common Troubleshooting

  • User cannot activate the role: Check that the user has a Microsoft Entra ID P2 license, that they appear in the list of eligible assignments for the role, and that they can satisfy the role settings (e.g., MFA is required but the user has not registered an MFA method).
  • Role activation failed: Check the PIM audit logs for error messages. The cause may be a failed MFA challenge, a missing justification, or a denial by an approver.
  • Approvers do not receive notifications: Check the notification settings in the role settings. Make sure the approvers' email addresses are correct and that no mailbox rules are filtering the notifications.
  • Role does not deactivate automatically: Check the maximum activation duration in the role settings. If the problem persists, it may be a delay in service synchronization.
  • Permission conflicts: If a user holds the same role both as a permanent active assignment and as a PIM eligible assignment, the permanent assignment grants the permissions at all times, so the JIT controls never apply. Remove permanent privileged role assignments for users who are also eligible via PIM.
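The last point is worth checking mechanically rather than by inspection, because a permanent active assignment to a Tier-0 role silently defeats everything configured above for that principal. The block below is an added example for this article using the Microsoft Graph PowerShell SDK (not code from the original page). It assumes a directory reader account and lists every permanent active assignment for a set of privileged roles; the role list is an illustrative starting point, not a complete one.

```powershell
# Added example: find permanent active assignments of privileged Entra roles,
# which bypass PIM's JIT controls, so they can be converted to eligible or removed.
Import-Module Microsoft.Graph.Identity.Governance
Import-Module Microsoft.Graph.DirectoryObjects
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All"

# Illustrative set of roles to check; extend to match your tenant's Tier-0 definition.
$watchedRoles = @("Global Administrator", "Privileged Role Administrator",
                  "Privileged Authentication Administrator", "Security Administrator")

$roleDefs = Get-MgRoleManagementDirectoryRoleDefinition -All |
    Where-Object DisplayName -In $watchedRoles

$findings = foreach ($role in $roleDefs) {
    # Schedule instances with AssignmentType 'Assigned' are active (not eligible);
    # a null EndDateTime means the assignment never expires, i.e. it is permanent.
    $permanent = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance `
        -Filter "roleDefinitionId eq '$($role.Id)'" -All |
        Where-Object { $_.AssignmentType -eq 'Assigned' -and -not $_.EndDateTime }

    foreach ($inst in $permanent) {
        # Resolve the principal (user, group or service principal) for a readable report.
        $obj   = Get-MgDirectoryObject -DirectoryObjectId $inst.PrincipalId
        $props = $obj.AdditionalProperties
        $name  = if ($props['userPrincipalName']) { $props['userPrincipalName'] }
                 else { $props['displayName'] }
        [pscustomobject]@{
            Role      = $role.DisplayName
            Principal = $name
            Type      = ($props['@odata.type'] -replace '#microsoft.graph.', '')
            Scope     = $inst.DirectoryScopeId
            Member    = $inst.MemberType          # Direct, Group or Inherited
            Finding   = "Permanent active assignment bypasses PIM; convert to eligible or remove"
        }
    }
}

$findings | Format-Table -AutoSize
"Permanent active assignments found: {0}" -f @($findings).Count
```

Keep any deliberately permanent break-glass accounts on an allow-list and treat every other row as a finding; the expected steady state for the roles above is a count of zero outside that list.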

Conclusion

Microsoft Entra Privileged Identity Management (PIM) is an indispensable tool for any organization looking to protect its privileged access and strengthen its security posture. By adopting Just-In-Time and Just-Enough Access principles, PIM helps significantly reduce the attack surface, provides a detailed audit trail, and imposes strict controls over administrative functions. Careful implementation of PIM, combined with security best practices and user training, empowers IT and security teams to manage privileges effectively, mitigating the risks associated with compromised privileged accounts and ensuring a more secure and compliant environment.


References:

[1] Microsoft Learn. What is Microsoft Entra Privileged Identity Management? Available at: https://learn.microsoft.com/pt-br/entra/id-governance/privileged-identity-management/pim-configure
[2] Microsoft Learn. Zero Trust Guiding Principles. Available at: https://learn.microsoft.com/pt-br/security/zero-trust/guidance-principles
[3] Microsoft Learn. Licensing requirements for Microsoft Entra Privileged Identity Management. Available at: https://learn.microsoft.com/pt-br/entra/id-governance/privileged-identity-management/pim-configure#license-requirements