
Implementing Azure AD Privilege Management for Azure IaaS

Two years ago, we implemented Azure AD PIM in our baseVISION infrastructure to raise the security level. But after some time, we recognized that it had too many drawbacks, because the activation of a requested role sometimes took longer than a few hours. Especially in Exchange, Skype or Intune this was a big problem. Therefore, we had to migrate back and assign the roles permanently. Now in January I discovered that the UserVoice feedback for PIM was updated. So, I started playing around with it again, and it’s now really working.

This led me to a part of PIM which I had never used: PIM for Azure IaaS resources. I will share my feedback about it in this blog.

Setup

First, select Azure resources in the PIM console and then click on Discover resources if the subscription is not already displayed in the list.
On the discover page you can start managing unmanaged subscriptions by clicking on “Manage Resource”.


In my example I did it already, therefore the list is empty.

After that you should see all previously selected subscriptions as Azure resources.
When I manage a new subscription, I recommend checking the role settings, because the defaults are not always optimal.
The settings have to be changed per role. In my environment I most often assign only a few roles to my users. One of them is the Owner role, which I select in this example, but you can choose any other role.
On this page you now see the currently active settings for this role.


In general, there are two ways to assign this role to users, and each has its own settings.

  1. Active
    The user holds the specified role for a defined period, for example a week. This is useful during an implementation, when the user does not need the role forever.
  2. Eligible
    The user can request the role during a specific time period; once requested, it is active only for a much smaller time window.


Normally, both assignment types can only be assigned for a limited time period. For eligible assignments, however, I normally change this so that the user can permanently keep the possibility to request the role.

Allow permanent eligible assignment -> Yes


Then, depending on the use case, I adjust the “Activation maximum duration” and “Require multi-factor authentication on activation” settings.


Then click on update. Now the role is prepared and we can start assigning a user to it in the next section.


Enable Azure PIM for a user

Now it is time to assign the role to a new member. To start, click on Members and then Add member.
First select the role. I use the previously configured Owner role.
Then select the users or groups which may request the role.
In the last step you must choose the assignment type. As explained above, you can choose eligible or active. I choose eligible and set it to permanent. In the next screenshot you see the options you get when you select the assignment type active.


Then click on OK and then Add.

This screenshot is only for your information, in case you choose active instead of eligible. If you have not changed the default settings, the maximum duration is set to one month. During this time the user holds the role permanently.


Now you see the newly configured assignment. From now on, the specified users can request the role when signing in with their user account.


Note: As you have seen, the roles can only be granted for the whole managed resource, i.e. the entire subscription. So, if a user should only have access to a specific set of resources, Azure AD PIM cannot be used for that.
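The same assignment steps, carried out with the Az PowerShell module (Az.Accounts and Az.Resources) instead of the portal, as an added example that is not part of the original post. The subscription id and user principal name are placeholders; the script creates the permanent eligible Owner assignment described above, shows the time-bounded active alternative, and then lists what PIM holds at the subscription scope so open-ended active Owner assignments stand out.

```powershell
# Added example, not from the original post. Run Connect-AzAccount first.
# Values marked PLACEHOLDER are made up and must be replaced.

$subscriptionId = '00000000-0000-0000-0000-000000000000'   # PLACEHOLDER subscription id
$scope          = "/subscriptions/$subscriptionId"          # PIM for Azure resources works on the whole subscription

# Resolve the principal (user or group) and the Owner role definition at that scope.
$principal        = Get-AzADUser -UserPrincipalName 'eligible.admin@contoso.example'  # PLACEHOLDER user
$roleDef          = Get-AzRoleDefinition -Name 'Owner'
$roleDefinitionId = "$scope/providers/Microsoft.Authorization/roleDefinitions/$($roleDef.Id)"

# 1) Eligible + permanent: what the post configures. The user holds nothing until they
#    activate, and each activation is bounded by the role's "Activation maximum duration".
$eligible = New-AzRoleEligibilityScheduleRequest `
    -Name (New-Guid).Guid `
    -Scope $scope `
    -PrincipalId $principal.Id `
    -RoleDefinitionId $roleDefinitionId `
    -RequestType AdminAssign `
    -ScheduleInfoStartDateTime (Get-Date -Format o) `
    -ExpirationType NoExpiration `
    -Justification 'Permanent eligibility for Owner; activation is time-boxed and MFA-protected'

# 2) Active for a bounded period: the alternative the post shows for implementation work.
#    The role is held continuously until the ISO 8601 duration ends (here 7 days).
$active = New-AzRoleAssignmentScheduleRequest `
    -Name (New-Guid).Guid `
    -Scope $scope `
    -PrincipalId $principal.Id `
    -RoleDefinitionId $roleDefinitionId `
    -RequestType AdminAssign `
    -ScheduleInfoStartDateTime (Get-Date -Format o) `
    -ExpirationType AfterDuration `
    -ExpirationDuration 'P7D' `
    -Justification 'Implementation week: active Owner, expires automatically after 7 days'

# Review the result at this scope. Eligible schedules should list the user without an end date;
# any active schedule without an EndDateTime is a permanent Owner and deserves a second look.
Get-AzRoleEligibilitySchedule -Scope $scope -Filter 'atScope()' |
    Select-Object PrincipalId, RoleDefinitionId, Status, EndDateTime

Get-AzRoleAssignmentSchedule -Scope $scope -Filter 'atScope()' |
    Where-Object { -not $_.EndDateTime } |
    Select-Object PrincipalId, RoleDefinitionId, AssignmentType, Status
```

The last query is the check worth scheduling: it surfaces active assignments that never expire, which is exactly the state the eligible-plus-permanent setup above is meant to avoid.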


Feedback

Now the PIM functionalities are working without issues for O365 and Azure IaaS. Therefore, we can really start using this solution in our customer environments. It’s a big security benefit.


2 Comments

Robert Burton · February 12, 2021 at 16:19

Hi Thomas,
with regards to Azure Resource PIM, have you found a way to document the setup at all?

Regards
Rob Burton
Cloud Security Architect – CCSP

    Thomas Kurth · March 1, 2021 at 14:43

    Hi Robert

    Sadly no, but it’s a good input, perhaps I can add this to my documentation framework.
