Implement PIM on Azure Subscriptions and Resources

Abhi Bothera
7 min readApr 6, 2023

--

Azure Active Directory Privileged Identity Management.

Azure Active Directory Privileged Identity Management

What is Azure AD Privileged Identity Management?

Privileged Identity Management or PIM is a service in Azure Active Directory that enables us to:

  1. Manage, control, and monitor access to important resources.
  2. Provide just-in-time privileged access to resources and directory.
  3. Assign time-bound access to resources using start/end dates.
  4. Require approval to activate privileged roles.
  5. Enforce Multi-factor Authentication to activate any role.
  6. Use justification to understand why users activate.
  7. Get notifications when privileged roles are activated.
  8. Conduct Access Reviews to ensure users still need roles.
  9. Download audit history for internal/external audit.

Requirements

Using PIM requires Azure AD Premium P2 licenses.

Pre-requisites

Activate Azure AD Premium P2

1. Go to Azure Active Directory > License > Start Premium P2 Free Trial.

2. Upon activation of the free trial, you’ll get a notification.

3. Validate the changes in the Azure Active Directory

Pro tip!
Always use Azure AD Groups wherever possible to manage access across Azure. This will ease your life when the users decide to move on or when you expand.

Create an AD Security group for the users who would be accessing the environment using PIM.

1. Go to Azure Active Directory > Groups > Click on New Group.

2. Select Security Group > Add Owners > Add Members > Create.

*** Owners will be able to add or remove people from the Groups, Members will be assigned the IAM Roles.

Assign the Licenses to PIM Users and Approvers

1. Go to Azure Active Directory > Licenses > Click on Azure Active Directory Premium P2.

2. Click on Assign.

3. Look for your AD Security Group > Hit Select.

4. In the Assignment options, make sure that atleast Azure Active Directory Premium P2 is turned on.

5. Review and Assign.

6. Validate the number of licenses assigned to the members of the AD Group.

Discover the Subscriptions/Resources for PIM implementation.

1. Go to Privileged Identity Management > Azure Resource.

2. Click on Discover Resources.

3. In the Discovery, Select all the Subscriptions/resources that need PIM implementation > Click on Manage resource.

4. Upon onboarding of the selected resources, you’ll receive a notification.

5. Validate if the resources have been onboarded. Go to PIM > Azure resources.

PIM Implementation

PIM role assignment

1. Go to Privileged Identity Management > Azure Resources > Click on the Subscription you want to implement PIM for.

2. Go to Roles in the left blade.

3. Look for a Role that you want to customize, for instance, Contributor > Click it open.

4. Click on Add assignments.

5. Select the AD Security Group/ individual AD users > Hit Select.

6. In the Setting blade > Choose Assignment type as Eligible and enter a time range for which the users should be able to request for PIM (maximum 1 year) > Hit assign.

Configure PIM Role settings.

1. Go to Privileged Identity Management > Azure resources > Select the Subscription/resource > Go to Settings in the left blade > Choose the PIM Role, for instance, Contributor.

2. In the Role setting details for the selected PIM Role > Click on Edit.

3. In the Edit Role setting > Choose the Maximum Activation Time (Maximum time duration for which a PIM user can request for role), require justification checkbox, require approval (for a PIM approver to validate the request and approve if that’s legit) > Add the PIM Approvers.

*** There is an option to extend an active assignment in case there is a need to increase the time duration.

4. Choose between permanent eligible assignment and time duration for eligible assignment (assignment will be automatically removed after specified duration) > Check on Require Justification on active assignment > Hit Next.

5. In the Notification blade, you can choose the recipients that are required to be alerted when a PIM request is raised as well as approved. There is an option to add UPN apart from the default groups > Click on Update.

6. Validate the Modifies role in the Settings blade.

Raise a PIM request:

Requirement:

User should be a member of the AD Group that has been assigned the Modified Role and must have a justification for raising a PIM.

Steps to raise a PIM request:

1. From a user with required PIM requestor access, go to Privileged Identity Management > Activate just in time > Activate.

2. Go to Azure resources > Choose from the available resources and roles > Click on Activate.

3. Choose the Time duration for which the access is needed > In the Justification box, provide a valid reason > Click on Activate.

4. Upon raising of request, you’ll receive a notification on Azure Portal as well as an email communication on the UPN.

5. Validate the current status of your PIM request under Azure resources.

Approve/Deny an Eligible PIM Request.

Requirement:

PIM Approver Role (To be added as a PIM approver on the PIM modified Role)

*** A PIM requestor cannot approve or deny his own PIM even if he has a PIM Approver Role.

Steps to Approve a PIM Request:

1. From a user with required PIM Approver rights, go to Privileged Identity Management > Approve requests.

2. Under Approve requests > Go to Azure resources > Check the request you want to approve > Validate the provided reason for raising the PIM request.

3. If the reason is valid, click on Approve and provide a justification.

You’ll receive an Azure notification when the PIM request is approved, and all the mentioned recipients will receive an email notification.

Steps to Deny a PIM Request:

1. From a user with required PIM Approver rights, go to Privileged Identity Management > Approve requests.

2. Under Approve requests > Go to Azure resources > Check the request you want to approve > Validate the provided reason for raising the PIM request.

3. If the provided reason is invalid, click on Deny > Provide a Justification > Click on confirm.

You’ll receive an Azure notification when the PIM request is denied, and all the mentioned recipients will receive an email notification.

Note: Similarly, PIM can be implemented for Azure AD Roles as well as Groups.

References:

  1. Microsoft Learn
  2. Hanu: Azure Cloud Service Provider | MSP Expert
  3. Computer Hardware, Software, Technology Solutions | Insight

In case of any questions or concerns, find me at abhibothera.github.io.

About me:

Senior Cloud Engineer | 7x Microsoft Azure Certified | Solutions Architect | Azure DevOps | AVD | Security | Former Research Scholar at Georgia Tech.

--

--