	Shaun Liu: Hello everyone. We hope you enjoyed 
	our previous video on what is Privileged Identity 
	Management. In this video, we will be going over 
	how you can deploy Privileged Identity Management 
	for your organization. For this particular video, we 
	will be showing PIM for Azure Resources. Keep in 
	mind that PIM also supports Azure AD and Office 
	365 roles through the same user interface. 
	Steve Lieberman: The very first thing all customers 
	should do right after they turn on PIM is to 
	discover Resources. So, I’m going to take you 
	through a demo on discovery. But before we get 
	to the discovery piece, I’m going to show you one 
	thing that all global administrators or Privileged role 
	administrators should do before they get started. 
	As you’ll see, I’m on the Azure Portal. I’m going to 
	navigate to Azure Active Directory and because I’m 
	a Global Administrator, I’m going to scroll down on 
	the left-hand side of the menu and select properties. 
	And within these properties, you’ll notice an option here 
	at the bottom of the page that says access management 
	for Azure Resources. By enabling this feature, you’re 
	essentially giving the logged in user the ability to see 
	and manage all the Azure Resources in your 
	organization. This is a critical first step in controlling 
	identity and access management for Privileged 
	Resources in your organization. Once I’ve done this, 
	I’ll now have the ability to see all of those resources 
	and manage them, so, I’m going to jump over to 
	Privileged Identity Management. I already have that 
	open in a previous tab. And I’m going to scroll down to 
	Azure Resources. And when that loads, you’ll see that 
	I already have a Resource loaded here. I’m already 
	managing this Resource within PIM. But if I needed 
	to see additional resources or bring new resources 
	into management, I’m going to click on this discover 
	resources tab in the very top bar. 
	You’ll notice that in this demo I don’t have any resources 
	that need to be managed at this point. But I’ll change this 
	filter to show all the resources that would be in 
	discovery. And you’ll see that I’ve already chosen this 
	particular subscription. Additionally, we support 
	management groups as well. And when you choose to 
	manage a resource in discovery, it manages all the child 
	resources as well. So, that means that you can 
	make assignments for Privileged roles at the Resource 
	group or Resource level. 
	Now that I’m managing this particular subscription, 
	I’m going to go ahead and make an eligible assignment. 
	I’m going to give Shaun access to this subscription so 
	that he can help me build a website. I’m at the 
	dashboard for this particular subscription and I’m going 
	to select roles. And because Shaun’s helping me, 
	I’m not expecting him to deploy any resources 
	or manage billing, so I’m going to give him the 
	contributor role. This gives him the most freedom 
	to do the things that he needs to do. And I’ll be 
	using the search bar to find the contributor role. 
	Once I’m on the contributor role blade, I’m going 
	to click add member. 
	And under the select a member or group, I’m going 
	to find Shaun. Now I could also choose a group 
	which may make it easier to manage going 
	forward. 
	But I found Shaun here and I’m going to click select. 
	And by default, PIM makes these assignments 
	eligible. I have the ability to change this 
	eligibility tab to active which would mean that 
	Shaun wouldn’t be required to activate this role. 
	But I’m going to go ahead and accept these defaults. 
	And click add. 
	And there you can see that Shaun is now an eligible 
	member of the contributor role for this 
	subscription. 
	Shaun: Thank you, Steve for giving me that 
	contributor role. So, now I am going to show you 
	how an eligible member can actually go in and 
	activate their role and use that role. So, to start with, 
	after landing on the Azure portal, you can go to 
	Privileged Identity Management just like how Steve 
	went in there to configure the admin policies. And 
	once I’m in here, instead of actually going to Azure
	Resources like what Steve did, I’m going to my roles. 
	In this section, I will actually be presented with all the 
	roles that I’m eligible and active for. So, for example, 
	the first tab here is the Azure AD roles, these are the 
	roles which are both the Azure Active Directory roles 
	and the Office 365 roles which I’m assigned with. And 
	you can see on the tabs, we have the eligible roles, 
	which I can actually go and activate into as well as the 
	active roles which I permanently have access to. Now 
	because Steve actually assigned me to a Resource 
	role, I’m going to go into the Azure Resources role 
	section. And you can see here that I have a list 
	of roles that I’m actually eligible for. Now to show 
	what I need to do, I will need to go and activate 
	this contributor role that Steve just assigned me to. 
	So, if I click on activate, I will now be presented with 
	this screen where I will be prompted with things 
	I need to complete depending on the configuration 
	set forward in the role setting. For example, over 
	here, the role setting requires me to perform 
	Multi-Factor Authentication. So, I’m going to click 
	on verify your identity before proceeding and 
	verify my identity. So, this basically kicked off an 
	MFA process and it is going to come into my 
	phone as a code. 
	So, now that I am inside the MFA and have gone and 
	succeeded MFA, I’m going to go ahead and finish 
	everything else I need to give in order to activate 
	my role. So, for this particular role, the configuration 
	is that I need to provide a reason. So, for the reason, 
	I’m going to put: I want to make an edit to the website. 
	And you can see here that I could also toggle between 
	zero and eight hours for the duration of my activation. 
	What this means is that after the activation completes 
	and the activation period is over, I will be removed 
	from the role automatically. So, I’m going to put 
	myself for six hours and go ahead and activate 
	that role. You can see now that we’re going through 
	two stages of activation and once that is complete, 
	I can sign out and log back in. The reason why we 
	require users to actually sign out and log back in 
	is because there is commonly a delay when it comes 
	to using PIM after activating the role. And so, I’m 
	going to log into my account. 
	So, we can assume now that after logging in that 
	I actually have the contributor role access. Now 
	I am going to go and make a change to Resource 
	Group’s tag. So, if I find Resource Groups and 
	go in here. Now you can imagine that before 
	I activated my contributor role, I actually couldn’t 
	see this resource Group because I didn’t have the 
	correct role to perform this action. But now that my 
	role is activated I can go into the Resource Group 
	and I can go into tags and I can edit my tags and 
	make an update. So, for example here, I want 
	to add a tag to value and I can click save. 
	As you can see, with the activated role, I’m able to 
	perform everything necessary in my Resource. 
	I can also show you how PIM has an audit trail 
	for my audit. So, going back to Privileged Identity 
	Management, you can see here there’s my audit 
	history. Now I clicked into my audit history, 
	I will be able to see a detailed log. So, this is the 
	Azure AD logs and I’m going to go into the Azure 
	Resource logs. Once in, you can see a detailed 
	history of everything that happened inside PIM, 
	for example, I was added to a role just now, to 
	the contributor role as well as I was assigned 
	to an eligible role by Steve. So, that is everything 
	an eligible member needs to do when it comes 
	to using Privileged Identity Management. Now 
	I’m going to pass it back to Steve who will continue 
	to show more about admin configurations. 
	Steve: Thanks Shaun. I’m going to go back into 
	the contributor role, as you can see on my 
	screen, and you can see that this is where we 
	left off with Shaun assigned as eligible to the 
	contributor role. Now Shaun just did a bunch of 
	stuff on an Azure Resource, I’m interested in finding 
	out what exactly he did. So, I can go ahead and click 
	on Shaun’s identity here and you’ll see that there’s 
	been some activity. We have a bar chart that 
	shows the Resource activity as well as his 
	historical role activations. You can see that it was 
	just a few minutes ago. Now when I click on one of 
	these bar charts here, I get a full view of all the 
	identity related information specifically within PIM 
	as well as the Azure Resource activities that Shaun’s 
	done since he’s activated. So, we’re going to go 
	ahead and actually do what’s called an admin 
	removal. So, when I click on contributor and I click 
	on active roles, I can see that Shaun’s role 
	appears here. Rather than removing Shaun 
	completely from the role, I can actually deactivate 
	Shaun from his active assignment and his eligible 
	assignment will remain. So, here I just click on 
	remove and yes. And now Shaun is no longer active 
	in the contributor role. He still has the eligible 
	assignment and he can still activate his role in the 
	future if he so needs to. 
	And lastly, I’m going to show the settings of this 
	particular role so that Shaun had to perform MFA, 
	I’m going to go ahead and show you the various 
	settings that we enable for all roles within Azure 
	resources. 
	Here you can just see a view of the roles setting 
	details but I’m going to go ahead and actually click 
	the edit button. You need to be an owner or a 
	user access administrator in order to make changes 
	or modifications to the settings. We divide settings 
	into two distinct categories. The first category 
	is assignment and these settings apply specifically 
	to the assignment itself. The second category is 
	activation and those apply only to the individual 
	that is activating their role. On the assignment, 
	the first checked box is to allow permanent 
	assignments—permanently eligible assignments. 
	This means that the individual that you’re assigning 
	to the role can be permanently assigned as 
	eligible. They will forever be able to activate 
	that role. If this is unchecked, the drop down below
	it will enable you to select a default duration, 
	maximum duration that the user can be assigned 
	as eligible to the role. The same settings apply for 
	active assignments and you can see those two options 
	below. And lastly, you have require Multi-Factor 
	Authentication on active assignment as well as 
	require Justification on active assignment. Requiring 
	Multi-Factor Authentication on active assignments 
	is especially useful for those that you would assign 
	for over a month. You would want to make sure 
	the individual that is doing the assignment is who 
	they say they are. 
	Scrolling down and moving onto activation, we 
	have the activation maximum duration in hours. 
	This can be configured for anywhere between one 
	hour and 24 hours. This means that when Shaun 
	activates his role, he will be able to activate 
	for any duration within the maximum that’s 
	specified here. Additionally, we have the Multi-Factor 
	authentication options as well as Justification. 
	And lastly, we have approval to activate. The 
	approval workflow will apply to all members or 
	users that are assigned once configured. I’m going 
	to enable the approval workflow here and then I’m 
	going to go ahead and select a group and all of 
	the members of this particular group will receive 
	that approval request when it comes through. 
	And I just updated these settings. So, the settings
	once they’re updated, we keep a log of all of the 
	role settings that get changed and modified within 
	the system itself. And here you can see that I 
	was the last one to update the contributor role. 
	Shaun: Now that you have learned about how to 
	deploy Privileged Identity Management for your 
	organization, join us in our next video where we 
	will share some answers to commonly asked 
	questions when it comes to operationalizing 
	PIM.
