Using Azure AD Privileged Identity Management for elevated access

Microsoft Inside Track blog. Published 2018-09-19, last modified 2023-06-15.
https://www.microsoft.com/insidetrack/blog/using-azure-ad-privileged-identity-management-for-elevated-access/

This content has been archived, and while it was correct at time of publication, it may no longer be accurate or reflect the current situation at Microsoft.

Microsoft uses Azure Active Directory (AD) Privileged Identity Management (PIM) to manage elevated access for users who have privileged roles for Azure services. We manage privileged identities for on-premises and Azure services—we process requests for elevated access and help mitigate the risks that elevated access can introduce. With Azure AD PIM, we can implement just-in-time access for privileged roles in Azure and view audit logs. Before Azure AD PIM, privileged roles in Azure were always elevated.

Throughout Microsoft, there are employees who require elevated access to Microsoft Online Services, Microsoft Azure, and on-premises services that they own, manage, or support. At Microsoft Digital, we knew that we needed to manage any potential risks that elevated access can introduce, such as “pass the hash” or credential theft. We wanted to better manage privileged identities and monitor elevated access for cloud resources.

Microsoft doesn’t allow persistent elevated access, so we use the just-in-time (JIT) role activation feature of Azure Active Directory (Azure AD) Privileged Identity Management (PIM) to temporarily elevate role-based access as needed, for a defined time. Before the release of Azure AD PIM, our Azure Active Directory administrative roles had persistent elevated access, monitoring was limited, and we didn’t have a fully managed lifecycle.

Azure Active Directory uses administrative roles to control access to various features within the tenant. Recent changes introduced in Azure AD PIM have enabled a cloud-based JIT tool for both Azure Active Directory administrative roles and Azure administrative roles. Both kinds of role can be assigned and remain inactive until needed. We configured Azure AD PIM, available with the Premium P2 edition of Azure AD, to help us manage and monitor our Azure AD administrative roles through the Azure portal.

Identity management at Microsoft

Identity management at Microsoft encompasses all processes and tools used to manage the lifecycle of all identities for all our corporate employees. Of the roughly 285,000 identities that we currently manage at Microsoft, there are approximately 10,000 on-premises accounts and 400 Azure AD accounts of users who require elevated access to data and services. When we started using PIM, we did an attestation to reduce the number of individual users who might need individual assignments. Since then, we have reduced the number of users who are candidates for global administrator by 83 percent, and removed all persistent users (except for a break-glass account) from the global-administrator role. We regularly add more roles that require elevated access, so we’ve seen the number of managed users grow slowly but consistently.

Privileged Identity Management focuses on the tools and processes we use for a subset of users that have administrative—or elevated—access to on-premises and cloud-hosted data and services at Microsoft.

Reducing the attack surface

There are a couple of obvious ways we can look at reducing the risks, or attack surface, of elevated access—by reducing the number of accounts or the duration that an account has elevated access. We rationalize incoming requests for elevated access, but we can’t necessarily reduce the number of people that require it to do their jobs. We’ve adopted the strategy of reducing risks by giving employees just enough access to the resources that they need, for only as long as they need it. At Microsoft, the only people who are authorized to assign others to roles are Privileged Role Administrators. We monitor unauthorized assignment of roles, and the addition of users who are not authorized to be assigned to roles. If anyone else tries to assign a role, it is automatically flagged as a violation of role-assignment policy.

Typically, the more elevated access a privileged role has, the more rigorously we protect it. At the front end of the process, the review board spends more time evaluating requests for more privileged roles. The employee request process requires multiple levels of approval. After the request is approved, we can require tighter controls, including multifactor authentication or a physical credential, such as a smart card. We also set shorter access durations through JIT access.

Azure AD PIM

By configuring Azure AD PIM to manage our elevated access roles in Azure AD, we now have JIT access for more than 28 configurable privileged roles. We can also monitor access, audit account elevations, and receive additional alerts through a management dashboard in the Azure portal.

Elevated access workflow

Elevated access includes job roles that need greater access, including support, resource administrators, resource owners, service administrators, and global administrators. We manage role-based access at the resource level. Because elevated access accounts could be misused if they’re compromised, we rationalize new requests for elevated access and perform regular re-attestation for elevated roles.

At Microsoft, when an individual joins a team or changes teams, they might need administrative rights for their new business role. For example, someone might join a team in which their user account will require Exchange Online Administrator privileged access rights in the future. That user makes a request, then their manager validates that user’s request, as does a service owner. With those approvals, Microsoft Digital administrators in the Privileged Role Administrator role are notified. A Microsoft Digital administrator uses Azure AD PIM via the Azure portal to make that user eligible for that role. The user can then use Azure AD PIM to activate that role.

Figure 1 shows a diagram of the elevated access workflow.

Figure 1. Azure AD PIM elevated access workflow

The following table describes the processes we use for granting elevated access for both on-premises and cloud-hosted resources. We’re currently building a solution that will combine the on-premises and Azure AD elevated access workflows into a single workflow with a centralized management point. For more information, see the “Looking ahead: Expanding use of Azure AD PIM” section later in this article. Microsoft Digital and the product group are working together to automate the request-access process.

Table 1. Elevated access processes

| Process | On-premises | Azure |
|---|---|---|
| User request | Employee submits access request through online form. | Employee submits access request through online form. |
| Request review | Management reviews request and approves or denies it. Online training and multiple levels of approval might be required, based on the type of request. | Management reviews request and approves or denies it. Online training and multiple levels of approval might be required, based on the type of request. |
| Approval | User is added to the approved elevated access silo for the requested resource in the web portal that manages on-premises privileged access. | User is added to the approved elevated access role for the requested Azure or Microsoft Online Services resource in Azure AD PIM. |
| Notification | Sent via email to employee. | Sent via email to employee. |
| Employee performs elevated action | Employee signs in using multifactor authentication and the on-premises JIT tool elevates their privileges for a specific time-bound duration. | Employee signs in to the Azure portal using multifactor authentication to manage their resource, and Azure AD PIM elevates their privileges for a specific time-bound duration. |
| Monitoring | Monitoring team tracks elevations using web portal. | Monitoring team views elevations in the Azure AD Privileged Identity Management dashboard. |

JIT administrator access

Historically, we could assign an employee to an administrative role through the Azure portal or through Windows PowerShell, and that employee would be a permanent administrator; their elevated access would remain active in the assigned role.

Azure AD PIM introduced the concept of permanent and eligible administrators in Azure AD and Azure. Permanent administrators have persistent elevated role assignments, whereas eligible administrators have privileged access only when they need it. The eligible administrator role is inactive until the employee needs access; they then complete an activation process and become an active administrator for a set amount of time. We’ve stopped using permanent administrators for named individual accounts, although we do have some automated service accounts that still use the role.

Role activation in Azure Active Directory

Azure AD PIM uses administrative roles, such as tenant admin and global admin, to manage temporary access to various roles. With Azure AD PIM, you can manage the administrators by adding or removing permanent or eligible administrators for each role. Azure AD PIM includes a number of built-in Azure AD roles, as well as Azure roles, that we manage.

To activate a role, an eligible admin initializes Azure AD PIM in the Azure portal and requests a time-limited role activation. The activation is requested using the Activate my role option in Azure AD PIM. Users requesting activation must satisfy conditional access policies to ensure that they are coming from authorized devices and locations, and their identities must be verified through multifactor authentication.

To help secure transactions while enabling mobility, we use Azure AD PIM to customize role activation variables in Azure, including the number of sign-in attempts, the length of time the role is activated after sign-in, and the type of credentials required (such as single sign-in or multifactor authentication).

Tracking the use of privileged roles using the dashboard

A dashboard through the Azure portal gives a centralized view of: