Microsoft provides just-in-time privilege capabilities via Privileged Identity Management (PIM), a feature of Azure Active Directory. Via this capability, you can ensure that accounts must activate a given permission prior to usage to minimize the chance of a malicious party getting access or an authorized user accidentally making an impactful change. Permissions with the potential for high impact are great candidates for this type of additional access control.
The following controls are required:
- Limited-duration access, e.g. a privilege can only be activated for a 12-hour period
- Audit history of activation
The following controls are optional:
- Approval workflow, e.g. designated approvers must approve each request to activate
- Multi-factor authentication
- Justification for activation
- Notification of activation, e.g. designated watchers can follow activations for a given resource
- Time-bound eligibility, i.e. you are only eligible for the privilege between specific points in time
Azure AD Access Reviews are designed to work well with this capability, but are technically not part of PIM. With Access Reviews, you can periodically review whether users should continue to have permissions.
What a user experiences when using a PIM-controlled privilege depends entirely on the specific configuration in place for the role or group in question.
A common configuration at the UW requires only justification from the optional controls. This configuration is common because Duo (multi-factor authentication) is generally expected to be enforced outside of PIM, and approval workflows can introduce unacceptable delays. With this configuration, a user who attempts to use the controlled privilege before activating it will receive errors suggesting they don't have the privilege. To activate, they must navigate to the Privileged Identity Management > My roles page. On that page, they choose the appropriate workload (Azure AD roles, Groups, Azure resources) for what they want to activate.
A walkthrough for each of the 3 workloads is in this Microsoft documentation:
- Azure AD roles: https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-activate-role
- Azure AD groups: https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/groups-activate-roles
- Azure resources: https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-resource-roles-activate-your-roles
Note that there are both interactive and API methods for each of these workloads, so activation is suitable for interactive and non-interactive scenarios.
Once activated, access tokens for existing sessions should automatically update to reflect the newly activated permissions.
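As an added example (not from this page or from Microsoft's documentation), the API method mentioned above for the Azure AD roles workload, using the Microsoft Graph PowerShell SDK: it confirms the caller is eligible, then submits a selfActivate request carrying the justification the common UW configuration requires and a bounded duration. The role name, the 4-hour duration and the ticket reference are assumed placeholder values.

```powershell
# Added example: activate an eligible Azure AD role through the PIM API with
# justification and a limited duration. Role name, duration and ticket reference
# are assumed placeholders; the caller must already be eligible for the role.
Import-Module Microsoft.Graph.Identity.Governance
Import-Module Microsoft.Graph.Users

$roleName      = 'Groups Administrator'   # assumed; replace with the role you are eligible for
$duration      = 'PT4H'                   # ISO 8601 duration; must not exceed the PIM policy maximum
$justification = 'Ticket INC-000000 (placeholder): add owners to department group'

# Least-privilege delegated scopes: read eligibilities, create activation requests, read self
Connect-MgGraph -Scopes 'RoleEligibilitySchedule.Read.Directory',
                        'RoleAssignmentSchedule.ReadWrite.Directory',
                        'User.Read' -NoWelcome

$me      = Get-MgUser -UserId (Get-MgContext).Account -Property Id
$roleDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
if (-not $roleDef) { throw "Role '$roleName' not found in this tenant" }

# Check eligibility first: PIM rejects selfActivate for principals that are not eligible
$eligible = Get-MgRoleManagementDirectoryRoleEligibilitySchedule `
    -Filter "principalId eq '$($me.Id)' and roleDefinitionId eq '$($roleDef.Id)'"
if (-not $eligible) { throw "Not eligible for '$roleName'; eligibility must be granted first" }

$request = @{
    action           = 'selfActivate'
    principalId      = $me.Id
    roleDefinitionId = $roleDef.Id
    directoryScopeId = '/'               # tenant-wide; use an administrative unit id for a scoped role
    justification    = $justification    # required by the common UW configuration
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = 'afterDuration'; duration = $duration }
    }
}

$result = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $request
# 'Provisioned' when no approval workflow applies; 'PendingApproval' when approvers are configured
"{0}: {1} (expires after {2})" -f $roleName, $result.Status, $duration
```

The request is what the audit history records, so the justification string should carry the ticket or change reference reviewers will look for.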
Common patterns and how to leverage PIM
The combination of an Azure AD-sourced group, PIM activation, and Azure AD Access Review provides a strong access control combination to help ensure only the right people have access at the right time. However, it is possible to use a UW group with PIM if an Azure AD Access Review is not required.
PIM, or this combination, takes more effort to set up and requires UW-IT involvement, so we ask that customers limit requests for this capability to scenarios which justify the extra effort. PIM and Access Reviews require the user to have the UW Microsoft Advanced Service Level to satisfy Microsoft licensing requirements. To request PIM or the combination noted above, please open a request to UW-IT (email@example.com) with a subject line of "Microsoft Infrastructure: PIM", including the details of your scenario.