Microsoft provides just-in-time privilege capabilities via Privileged Identity Management (PIM), a feature of Entra ID. With this capability, you can require that accounts activate a given permission before using it, which minimizes the chance of a malicious party gaining access or of an authorized user accidentally making an impactful change. Permissions with the potential for high impact are good candidates for this type of additional access control. PIM can control three kinds of privilege (workloads):
- Entra ID roles, i.e. whether a given role is active or not
- Entra ID group membership, i.e. whether a given group is included in your Azure AD access tokens or not
- Azure resources, i.e. whether you have access to resources in Azure subscriptions
The following controls are required:
- Limited-duration access, e.g. a privilege can only be activated for a 12-hour period
- Audit history of activation
The following controls are optional:
- Approval workflow, e.g. designated approvers must approve each request to activate
- Multi-factor authentication
- Justification for activation
- Notification of activation, e.g. designated watchers can follow activations for a given resource
- Time-bound eligibility, i.e. you are only eligible for the privilege between specific points in time
Entra ID Access Reviews are designed to work well with this capability, but are technically not part of PIM. With Access Reviews, you can periodically review whether users should continue to have permissions.
What a user experiences when activating a privilege depends entirely on the specific configuration in place for the role or group in question.
A common configuration at the UW requires only justification from the optional controls. This configuration is common because Duo (multi-factor authentication) is generally expected to be enforced outside of PIM, and approval workflows can introduce unacceptable delays. With this configuration, a user who attempts to use the controlled privilege will receive errors suggesting they don't have the privilege. To activate, they must navigate to the Privileged Identity Management > My roles page. On that page, they choose the appropriate workload (Entra ID roles, Groups, Azure resources) for what they want to activate.
Microsoft's documentation provides a walkthrough for each of the three workloads:
- Entra ID roles: https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-activate-role
- Entra ID groups: https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/groups-activate-roles
- Azure resources: https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-resource-roles-activate-your-roles
Note that each of these workloads has both an interactive (portal) method and an API method, so activation is appropriate for interactive and non-interactive scenarios.
Once activated, access tokens for existing sessions should automatically update to reflect the newly activated permissions.
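As an added example (not from this page or from UW-IT), the following Python shows the shape of a non-interactive self-activation request for the Entra ID roles workload through the Microsoft Graph API, enforcing the justification-only configuration described above. The principal and role definition IDs are constructed placeholders, and the 12-hour cap mirrors the example limit given earlier; PIM enforces the real policy server-side regardless.

```python
"""Build (and optionally submit) a PIM self-activation request for an Entra ID role.

The body shape follows the Microsoft Graph v1.0 endpoint
roleManagement/directory/roleAssignmentScheduleRequests. Submitting it
requires a bearer token for the eligible user, which is left to the caller.
Groups and Azure resources use different endpoints and are not covered here.
"""
import json
import urllib.request
from datetime import datetime, timezone

GRAPH_URL = ("https://graph.microsoft.com/v1.0/roleManagement/directory/"
             "roleAssignmentScheduleRequests")
MAX_ACTIVATION_HOURS = 12  # assumed policy limit; PIM enforces the real maximum


def build_activation_request(principal_id, role_definition_id, justification,
                             hours=MAX_ACTIVATION_HOURS, scope="/", start=None):
    """Return the JSON body for a selfActivate request.

    Enforces client-side what a justification-only PIM policy will reject
    anyway: a non-empty justification and an integer duration within the cap.
    """
    if not justification or not justification.strip():
        raise ValueError("PIM policy requires a justification for activation")
    if not isinstance(hours, int) or not 0 < hours <= MAX_ACTIVATION_HOURS:
        raise ValueError(f"activation must be 1..{MAX_ACTIVATION_HOURS} whole hours")
    start = start or datetime.now(timezone.utc)
    return {
        "action": "selfActivate",
        "principalId": principal_id,
        "roleDefinitionId": role_definition_id,
        "directoryScopeId": scope,  # "/" means tenant-wide scope
        "justification": justification.strip(),
        "scheduleInfo": {
            "startDateTime": start.strftime("%Y-%m-%dT%H:%M:%SZ"),
            # ISO 8601 duration; the expiration is what makes this just-in-time
            "expiration": {"type": "AfterDuration", "duration": f"PT{hours}H"},
        },
    }


def submit_activation(body, access_token):
    """POST the request to Graph and return the parsed response.

    The returned object's 'status' moves to 'Provisioned' once PIM has
    granted the activation; the activation is also written to the audit log.
    """
    req = urllib.request.Request(
        GRAPH_URL, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```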
Common patterns and how to leverage PIM
The combination of an Entra ID-sourced group, PIM activation, and Entra ID Access Review provides a strong access control combination to help ensure only the right people have access at the right time. However, it is possible to use a UW group with PIM if an Entra ID Access Review is not required.
PIM, or this combination, takes more effort to set up and requires UW-IT involvement, so we ask that customers limit requests for this capability to scenarios that justify the extra effort. PIM and Access Reviews require the user to have the UW Microsoft Advanced Service Level to satisfy Microsoft licensing requirements. To request PIM or the combination noted above, please open a request to UW-IT (help@uw.edu) with a subject line of "Microsoft Infrastructure: PIM" and the details of your scenario.