In this video we go over Azure Privileged Identity Management. Hello everyone, I'm Travis and this is Ciraltos. In this video we're going to configure Privileged Identity Management in Azure. Before we get started, please take a second to subscribe and like if you enjoy these videos; also click the bell icon to get notifications of new content. I also want to give a shout out to Azure Flash News for my new favorite coffee mug. If you're not familiar with Azure Flash News, they're one of Feedspot's top ten podcasts; check them out at azureflashnews.com or search for Azure Flash News wherever you get your podcasts. Let's get started by answering
the question: what is Privileged Identity Management, or PIM? Let me start out with a scenario. An Exchange admin needs to add another domain to Azure AD, so they get added to the Global Administrator role. The role never gets removed, and now the Exchange admin has global admin rights. Or let's say changes are made to a generic account, like the first global admin account or the break-glass account, and there's no way to trace it back to the user who made the change. This is privileged identity sprawl, and it's a huge security risk. This is one of the problems that Azure PIM is intended to fix. PIM gives an admin privileged access only when it's needed and only for a limited amount of time, so depending on how it's configured, an admin account won't have admin privileges until they're enabled. Enabling elevated privileges can require MFA, approval from a PIM manager, or a justification for enabling the privilege. PIM provides some common security best practices, including just-in-time access, time-bound access, approval for elevated permissions, enforced MFA, justifications, notifications when privileged roles are activated, and an audit history of privileged role access. PIM also provides a review process for tracking who has access to privileged accounts, and a way to track when a user elevates their access. With PIM there are
a couple of things to know before getting started. PIM is an Azure AD P2 feature. The Azure AD directory needs enough P2 licenses for privileged role users, approvers, and reviewers; a P2 license is not required for everyone in the directory. I wish it came with P1, but the added benefit of PIM is worth the price of the P2 licenses for those admins who use it. There are a couple of terms to understand. There are two role assignment types: a role assignment can be either eligible or active. Eligible means the role is available to the user, and the user has to perform one or more actions for the role to be activated. An active role assignment means the user has the role assignment and does not have to perform any action to activate it; it's always active. This is similar to how it works without PIM, but it can still be managed through PIM, so auditing and reviewing still apply. This is a good migration step as you move privileged users from having active roles to making them eligible. There are two versions of PIM:
the original and the updated experience. At the time of this recording some of the online documentation seems to be a bit mixed. If you have the original version there is a sign-up process to onboard the tenant. This requires a global admin account to enable it, and that account will get the Privileged Role Administrator role, which allows the account to manage PIM. I don't have the previous version of PIM and will demonstrate the updated experience. There was no activation or sign-up for that to work; I did give the Privileged Role Administrator role to a user manually to start using it. I walk through this in the demo. Speaking of demos, here's what I'm going to cover: onboard a PIM administrator in the updated PIM experience, assign an active role to a user, view PIM alerts, assign an eligible role that is time-bound, activate the eligible role, assign a limited-time eligible role, require activation approval on a role, activate an eligible role with approval, and create access reviews. This will make more sense as we go through it.
Here I am at the Azure portal, logged in with an account I set up that has global admin rights. This account will be used as the PIM administrator. So the first thing I'm going to do is go to All services and type "privilege", and here is Azure AD Privileged Identity Management. I'll put a star on that so now it's in my favorites. Okay, so the next thing I'm going to do is come over here, because this is the "Start using PIM" doc, dated 3/5/2020, which is just about ten days ago, and I want to point this out because as we go through there are some instructions here. You notice that's green, whereas over here it's actually purple, and it goes to this page. One of the first things you have to do after going into PIM is consent to PIM, but I had a problem with that because I don't have that; I don't have anything that looks like that. I also notice up here it says that I'm using the updated Privileged Identity Management experience, and over here it doesn't. So I've been trying to find what the proper way of starting PIM with the new user experience is, and honestly I haven't found much documentation on it. What this is supposed to do is, once you consent, give the account that's logged in the Privileged Role Administrator role, because right now I don't have that. If I look at my roles, there's nothing; if I go into Azure AD roles there's really nothing. The roles are listed, but none of them are active or eligible at this point. It's almost as if consent was run but that second part, assigning somebody the rights to admin PIM, was missing. So I think Microsoft's documentation may be a little outdated, or maybe I did already consent to this a long time ago and I just don't remember; that could be it also. But anyway, let's work through that, because on the same page, if we come down to "Configure PIM" and "Grant access to another to manage PIM", let's follow those instructions and see if we can make that work.
So I'm going to go to, let's see, Azure AD roles, Roles, and I'm going to add a member to Privileged Role Administrator. So we'll go to Azure AD roles, Roles, find Privileged Role Administrator, and add a member. Select a member; okay, it's blurred out, but trust me, that's the PIM administrator I set up to manage PIM. I'm going to select that and I'm going to change this to active. Active means that it will always be in place, whereas eligible means that it can be turned on. So I'll type "first PIM admin" as the reason, save, and add. Okay, so that did it.
Next, let's go back to Privileged Identity Management. Let's start with Tasks, My roles. This lists all the roles for this account. As you can see there is nothing under eligible roles; under active roles there's Global Administrator and Privileged Role Administrator. And again, the difference between active and eligible: active is just assigned, just like you would do when assigning a user to a role; they have that role and they don't need to request to get it enabled. Eligible roles are roles you've assigned to a user that they can request, but by default they're turned off. And then expired roles, well, those would be roles that have expired, and this account doesn't have any. So we go back to Privileged Identity Management: My requests and Approve requests. These are empty right now, and we'll get back to those later once we add some requests. Review access: if this user was assigned to an access review, those would show up here, and again we'll get back to this shortly. We're going to work with Azure AD roles; Azure resources are similar, only scoped to subscriptions and other Azure resources. So next I'm going to go to Azure AD roles. Everything under Tasks is the same as what we just looked at. Let's go to Members.
Here we can find a member. Let's just find this account and select it, and again there are no eligible roles, but there are a couple of active roles and no expired roles. So if you wanted to see what access a specific user had, that could be found under Members. Alerts: you can see I have a couple of them, and if you don't have any alerts you might have to run a scan. But here you can see there are too many global administrators, and there's a potential stale account, and yep, that is a stale account; it hasn't been used for a while. That's one that I used for a test a while ago, so it's just giving us some information on potential issues. And if we go into Settings you can see the risk levels and whether each alert is active; here you can change the settings for an alert or disable it. There are no settings on this one. So that's what alerts are.
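The two alerts seen in this part of the walkthrough, as an added Python example (illustrative code written for this page, not code from the video or from Microsoft): it runs PIM-style checks over a constructed snapshot of role assignments and last sign-in times. The account names are made up, and the thresholds (five global administrators who make up at least 10% of all role assignments; 30 days without a sign-in) are assumptions standing in for the values you configure under Alerts > Settings.

```python
"""Two PIM security alerts re-implemented over a constructed tenant snapshot.
Added example for this page; thresholds are assumptions, not Microsoft's."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class RoleAssignment:
    principal: str   # user principal name
    role: str        # Azure AD role display name
    state: str       # "active" or "eligible"


# Constructed sample tenant (not real data).
NOW = datetime(2020, 3, 15, tzinfo=timezone.utc)

ASSIGNMENTS: List[RoleAssignment] = [
    RoleAssignment("pim-admin@contoso.example", "Global Administrator", "active"),
    RoleAssignment("pim-admin@contoso.example", "Privileged Role Administrator", "active"),
    RoleAssignment("first-admin@contoso.example", "Global Administrator", "active"),
    RoleAssignment("breakglass@contoso.example", "Global Administrator", "active"),
    RoleAssignment("old-test@contoso.example", "Global Administrator", "active"),
    RoleAssignment("test1user1@contoso.example", "Global Administrator", "eligible"),
    RoleAssignment("exchange-admin@contoso.example", "Exchange Service Administrator", "eligible"),
]

# Last interactive sign-in per principal; None means the account never signed in.
LAST_SIGNIN: Dict[str, Optional[datetime]] = {
    "pim-admin@contoso.example": NOW - timedelta(days=1),
    "first-admin@contoso.example": NOW - timedelta(days=10),
    "breakglass@contoso.example": None,
    "old-test@contoso.example": NOW - timedelta(days=120),
    "test1user1@contoso.example": NOW - timedelta(days=2),
    "exchange-admin@contoso.example": NOW - timedelta(days=3),
}


def global_admins(assignments: List[RoleAssignment]) -> List[str]:
    """Principals holding Global Administrator, whether active or eligible."""
    return sorted({a.principal for a in assignments if a.role == "Global Administrator"})


def too_many_global_admins(assignments: List[RoleAssignment], min_count: int = 5,
                           min_fraction: float = 0.10) -> Tuple[bool, List[str]]:
    """PIM's 'too many global administrators' alert fires only when BOTH an
    absolute count and a share of all role assignments are reached.  The
    defaults here are assumed values, not Microsoft's.  Returns (fired, admins)."""
    admins = global_admins(assignments)
    total = len({(a.principal, a.role) for a in assignments})
    share = len(admins) / total if total else 0.0
    return (len(admins) >= min_count and share >= min_fraction), admins


def stale_privileged_accounts(assignments: List[RoleAssignment],
                              last_signin: Dict[str, Optional[datetime]],
                              now: datetime, max_idle_days: int = 30) -> List[str]:
    """PIM's 'potential stale accounts in a privileged role' alert: any
    principal with a role assignment that has not signed in within
    max_idle_days (assumed default) or has never signed in at all."""
    cutoff = now - timedelta(days=max_idle_days)
    stale = []
    for principal in sorted({a.principal for a in assignments}):
        seen = last_signin.get(principal)
        if seen is None or seen < cutoff:
            stale.append(principal)
    return stale


def run_alerts(assignments=ASSIGNMENTS, last_signin=LAST_SIGNIN, now=NOW) -> Dict[str, List[str]]:
    """Return alert name -> affected principals, like the Alerts blade does."""
    findings: Dict[str, List[str]] = {}
    fired, admins = too_many_global_admins(assignments)
    if fired:
        findings["too_many_global_admins"] = admins
    stale = stale_privileged_accounts(assignments, last_signin, now)
    if stale:
        findings["stale_privileged_accounts"] = stale
    return findings


if __name__ == "__main__":
    for name, who in run_alerts().items():
        print(f"{name}: {', '.join(who)}")
```

Note that a break-glass account is flagged as stale precisely because it is never used; that is expected, and the Alerts > Settings page is where you would tune or disable the check rather than start signing in with the account.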
Going back to Azure AD roles, we're going to make a user eligible next, so start out at Roles. I'm going to use Global Administrator for this, so I'll select Global Administrator and I'll add a member. We've got a test account I'm going to use, and here are the two options. The assignment type is either eligible or active. Eligible means the account can request the role assignment, but by default it's off until they enable it and turn it on. Active means that it's just active; this behaves similar to how assigning somebody a role in Azure AD would work without PIM, only you can select permanent or set it by a time. But for this we're going to go eligible, and again, even with eligible you can set an end time and a start time, but I'm going to leave that permanently eligible, and save, and then add. The time-bound option is good if somebody is part of a project, maybe temporarily, or maybe you have a consultant coming in and helping with something. You can set an end date so you don't have to worry about that user having a privileged identity for a long period of time. Okay, so let's see how
this works. I'm going to open up an incognito window, go to portal.azure.com, and sign in as that test user. This user has MFA enabled already, so I'll approve that on the Authenticator app. By default this user is not an admin, so if I try to go into Azure Active Directory and do something like add a user, you can see I don't have permission to do that. So I'm going to hop back to All services and type in PIM, and here under My roles, and remember I'm logged in as that test account, it tells me that I have an eligible role, and that is Global Administrator. If I click Activate I can see some details. It gives me a start time and a duration; I can change the duration if I don't need it for the full eight hours, so I could go down to one and a half. And then it's going to ask for a reason, and Activate. This will take a couple of seconds to activate. I should add that the entire time I'm doing this, when I make a user eligible or when I'm activating this role assignment, I'm getting emails the entire time that this is going on, which I think is a pretty good thing, so I as an administrator can know what changes are being made in the tenant. So I'm going to sign out and sign back in. Now if I go to Azure Active Directory and go to Users, you can see I can now create a new user. I'm not going to do that. This shows how a normal user can temporarily elevate their rights to a role that we've granted them through PIM, just long enough to make changes, and then after a given amount of time that role assignment is disabled until it's requested again. Okay, so that worked pretty well. Let's go back. I want to
create a new role assignment, this time for the Exchange admin. So I'm going to go to Exchange Service Administrator and I'm going to add a member. I'll add that same account, the test-1 account. I'm going to leave the assignment type as eligible, and I'm going to disable permanent eligibility. We'll change this to, let's see, this year, and we'll put it out one day, so this user will only be eligible for Exchange Service Administrator for one day. And then Add. I'm going to make one other change: I'm going to go to Role settings, and here you can see a list of all the settings. I'm going to Edit so I can change the duration. By default it's eight hours, but I can change that to anything more or less than that, within a certain range. I'll leave it at 8. I'm going to require justification on activation; it won't require ticket information; and require approval to activate. So this is different: I'm going to require another user to approve any request. Remember, the last time the user requested the elevated permission it was granted; this time there's going to be an additional step in the workflow where the user will request and then somebody has to approve it before it's granted. I have two members in here; I'm just going to remove both and add that PIM admin. There we go, that's the PIM admin. We can go into Assignment, and here we can change some of the settings. And again, this is changing the role settings for Exchange Service Administrator, not just for that user: any user who's assigned to this role will have to follow these steps. So again, this isn't specific to the user, it's specific to the role. Next we'll go into Notifications, and here you can change notification settings. There's quite a variety of stuff to add or modify; you can add additional recipients and then quiet it down if you want to, but I'm going to leave it as is, and then Update. If we clear this out and look at all the roles, I also want to point out that we can click on Active and we can see we have six global admins and one Privileged Role Administrator, and under Eligible you can sort that way as well. So if you want to see how many people are attached to each role type, you can get a quick look at that here by sorting. Okay, so now
our user is eligible for the Exchange admin role, but an approval needs to be done. So let's go back and log in as that user again. I'm using incognito mode, and I'll approve the sign-in request. I'm going to go back and look for PIM. I can look at My roles; here I can see Exchange Service Administrator. There's an end time assigned; I can activate, and I have the option to extend, and I can add a reason there; that's a request to extend. Okay, I'm going to activate now, and I'll add a reason, and Activate. So it went to pending for approval. Now if I go back to Privileged Identity Management I should be able to see my request; there it is, it's waiting for approval. Let's go back to the portal signed in as the PIM administrator. Here we are back at the portal as the PIM administrator, and if we go into My requests there's nothing, but if we go into Approve requests there's a section for requests to renew or extend role assignments and another one for requests for role activation, and here you can see the activation request that the other user submitted. If I click on that I can type in a justification and approve. I also have the option to deny, but I'll approve. So the update was sent. Now if I go back to the test-1 user account, from Privileged Identity Management, if I go to My requests the request is gone. If I go to My roles and click on Activate, it tells me the role assignment already exists, so that indicates that I already have this role assignment and I'm good to go. And in the background there are also emails going back and forth, so the user would have been notified that the activation was approved. So that's the
basics of role assignments: how to assign roles, how to approve roles, how to modify a role so it requires approval. Let's go back to Privileged Identity Management and then go into Azure AD roles.
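The activation flow just walked through, together with the one-day eligible assignment set up earlier, as an added Python example (written for this page, not code from the video or from Microsoft's PIM): a small policy engine that checks an activation request against the user's eligibility window and the role's settings (maximum duration, MFA, justification, approval), then routes a pending request through an approver. The data classes, account names and the simplification that the activation clock starts at request time rather than at approval are all assumptions.

```python
"""PIM-style activation policy engine.  Added example for this page; the
model is a simplification and is not Microsoft's API or data shape."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple


@dataclass
class RoleSettings:
    """Settings are bound to the role, so they apply to every assignee of it."""
    role: str
    max_activation_hours: float = 8.0      # PIM default shown in the video
    require_mfa: bool = True
    require_justification: bool = False
    require_approval: bool = False
    approvers: Tuple[str, ...] = ()


@dataclass
class EligibleAssignment:
    principal: str
    role: str
    start: datetime
    end: Optional[datetime]                # None = permanently eligible


@dataclass
class ActivationRequest:
    principal: str
    role: str
    requested_at: datetime
    hours: float
    justification: str = ""
    mfa_passed: bool = False


@dataclass
class Outcome:
    status: str                            # "denied" | "pending_approval" | "active"
    reason: str
    active_until: Optional[datetime] = None


def evaluate_activation(req: ActivationRequest, eligibility: List[EligibleAssignment],
                        settings: RoleSettings) -> Outcome:
    """Check the request against the user's eligibility window and then the
    role settings; the first failing check becomes the denial reason."""
    match = [e for e in eligibility if e.principal == req.principal and e.role == req.role]
    if not match:
        return Outcome("denied", "no eligible assignment for this role")
    elig = match[0]
    if req.requested_at < elig.start or (elig.end is not None and req.requested_at > elig.end):
        return Outcome("denied", "eligible assignment is outside its start/end window")
    if not 0 < req.hours <= settings.max_activation_hours:
        return Outcome("denied", f"duration must be at most {settings.max_activation_hours} hours")
    if settings.require_mfa and not req.mfa_passed:
        return Outcome("denied", "MFA required on activation")
    if settings.require_justification and not req.justification.strip():
        return Outcome("denied", "justification required on activation")
    until = req.requested_at + timedelta(hours=req.hours)   # simplification: clock starts now
    if settings.require_approval:
        return Outcome("pending_approval", "awaiting " + ", ".join(settings.approvers), until)
    return Outcome("active", "activated", until)


def decide(pending: Outcome, approver: str, settings: RoleSettings,
           approve: bool, justification: str) -> Outcome:
    """An approver acts on a pending request.  Only configured approvers may
    decide, and (as in the video) the approver supplies a justification."""
    if pending.status != "pending_approval":
        raise ValueError("request is not pending approval")
    if not justification.strip():
        raise ValueError("approver justification required")
    if approver not in settings.approvers:
        return Outcome("denied", f"{approver} is not an approver for {settings.role}")
    if approve:
        return Outcome("active", f"approved by {approver}: {justification}", pending.active_until)
    return Outcome("denied", f"denied by {approver}: {justification}")


# Constructed scenario mirroring the walkthrough (accounts are made up).
USER = "test1user1@contoso.example"
PIM_ADMIN = "pim-admin@contoso.example"
T0 = datetime(2020, 3, 15, 9, 0, tzinfo=timezone.utc)
T_LATE = T0 + timedelta(days=2)            # after the one-day Exchange eligibility
ELIGIBILITY = [
    EligibleAssignment(USER, "Global Administrator", T0 - timedelta(days=1), None),
    EligibleAssignment(USER, "Exchange Service Administrator", T0, T0 + timedelta(days=1)),
]
GA_SETTINGS = RoleSettings("Global Administrator")
EXO_SETTINGS = RoleSettings("Exchange Service Administrator", require_justification=True,
                            require_approval=True, approvers=(PIM_ADMIN,))


if __name__ == "__main__":
    ga = evaluate_activation(ActivationRequest(USER, "Global Administrator", T0, 1.5, "add a user", True),
                             ELIGIBILITY, GA_SETTINGS)
    print("GA:", ga.status, ga.active_until)
    exo = evaluate_activation(ActivationRequest(USER, "Exchange Service Administrator", T0, 8,
                                                "add a domain", True), ELIGIBILITY, EXO_SETTINGS)
    print("EXO:", exo.status)
    print("EXO after approval:", decide(exo, PIM_ADMIN, EXO_SETTINGS, True, "ticket checked").status)
```

The order of checks matters: eligibility is tested before anything the user controls (duration, MFA, justification), so a request from someone whose time-bound eligibility has lapsed is refused before it can ever reach an approver's queue.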
Now go to Access reviews. We're going to create a couple of access reviews. The first one we'll call "global admin". I'll give it a description. There's a start date; you can also set the frequency if you wanted to do it weekly, monthly, or quarterly. I'm going to do one time, but weekly or monthly would probably be a better option in production, so this review process could happen on a regular basis. If you do select weekly you can select the duration in days; that's how long the review will stay open, and there's also an end-by date. Let's change that back to one time. This one-time review will end on the 22nd. It's going to scope to everyone; that's the only option. And here I'm going to pick the role; you can pick one or multiple. I'm just going to pick the Global Administrator role. Under the reviewers you can select a user or leave it as "members (self)"; that's a self review, where the users could indicate if they still need the role assignment or not. I'm going to select users, though, and I'll select that PIM admin account again. I'm going to leave the rest as default and click Start. Let's click out and click back on;
there's no refresh button. So here's the access review we just created. Really, we're not getting a lot of information yet, so let's go back to Privileged Identity Management, and here under Tasks (again, this is relevant to the user logged in) we're going to Review access. If it doesn't show up right away you may have to click off and click back on. So I'm going to go in; this is the global admin access review. What I did is I selected the test 1 user 1 account, trust me that's it, and I can deny it right now or I can put in a reason and I could approve it. I'm actually going to deny this account. So now that account's gone out of the list. I'm going to select the rest and just put in "still in use". Notice I have to supply a reason to approve but not to deny; that is configurable. So I'm going to approve those. So now this review is finished. I'll go back to Privileged Identity Management, go into Azure AD roles, Access reviews, and here we can see some details. Now we've got one denied and five approved; we can see the reviewers and the settings. Let's create
another one. This time I'm going to do something a little different, because if we go back to Roles and we go to Global Administrator, we can see that test 1 user 1 is still part of the eligible roles. So although I denied that, it's still there. I can remove them, and I'm going to do that now; that user doesn't need to be part of Global Administrator anymore. So now that user's gone. Let's go back to Access reviews. I'm going to create another one and we'll call this "exchange admin". Again we'll leave it one time, leave everything there, select Exchange Service Administrator, and I'll set the reviewers as the PIM account, just like before. So far it's the same, except under "upon completion" I'm going to apply results. Also notice that if the reviewers don't respond we have the options of no changes, remove access, approve access, or take recommendations. There are also advanced settings where we can show recommendations; I'm going to enable that, and then require reason on approval, mail notifications, and reminders. So once that's all set I'll click Start. Now that it's done I'll go back to Review access, and again this could take a little bit; there's no refresh button, so if you click off and click back on, there it is. It just takes a couple of minutes to run. Now let's go in. I only have the test 1 user 1 account listed in Exchange admin, so I know that's what this account is. If you look under Recommendations, it now says approve; it says that this user has logged in once in the last 30 days. I'm going to select that and I'm going to deny. So now this user's denied access. If we go back into Azure AD roles, to Access reviews, exchange admin, here we are at the access review; you can see that the one user is denied. I'm going to stop it and click Yes. We can also see results, reviewers, and the settings that were used for this review. Let's go back to Privileged Identity Management, go to Azure AD roles and look at Roles; be sure to refresh, and this could take a couple of seconds to work its way through. Now if we go to Exchange Service Administrator you can see that there's nobody in the eligible roles, active roles, or expired roles. So when we denied that user through the access review and then closed out that review, that kicked off the process to actually remove that role from the user. That does it for this demo.
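The difference between the two reviews above (the first denial changed nothing because results were not applied; the second removed the assignment), plus the "if reviewers don't respond" options and the sign-in based recommendation, as an added Python example written for this page (not code from the video or from Microsoft). Account names, sign-in data and the 30-day recommendation window are constructed assumptions.

```python
"""Applying access-review outcomes to role assignments.  Added example for
this page; a simplified model, not Microsoft's implementation."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Assignment:
    principal: str
    role: str
    state: str                             # "eligible" or "active"


@dataclass
class ReviewSettings:
    role: str
    apply_results: bool = False            # off in the first review in the video
    require_reason_on_approve: bool = True
    require_reason_on_deny: bool = False
    no_response_action: str = "no_change"  # "no_change" | "remove" | "approve" | "take_recommendations"
    recommendation_window_days: int = 30


# Constructed sample data (not real accounts).
NOW = datetime(2020, 3, 22, tzinfo=timezone.utc)
GA = "Global Administrator"
ASSIGNMENTS: List[Assignment] = [
    Assignment("pim-admin@contoso.example", GA, "active"),
    Assignment("first-admin@contoso.example", GA, "active"),
    Assignment("old-test@contoso.example", GA, "active"),
    Assignment("test1user1@contoso.example", GA, "eligible"),
    Assignment("test1user1@contoso.example", "Exchange Service Administrator", "eligible"),
]
LAST_SIGNIN: Dict[str, Optional[datetime]] = {
    "pim-admin@contoso.example": NOW - timedelta(days=1),
    "first-admin@contoso.example": NOW - timedelta(days=10),
    "old-test@contoso.example": NOW - timedelta(days=120),
    "test1user1@contoso.example": NOW - timedelta(days=2),
}


def recommend(principal: str, window_days: int = 30) -> str:
    """Recommendation shown to reviewers: approve if the account signed in
    within the window, otherwise deny."""
    seen = LAST_SIGNIN.get(principal)
    return "approve" if seen is not None and seen >= NOW - timedelta(days=window_days) else "deny"


def apply_review(assignments: List[Assignment], settings: ReviewSettings,
                 decisions: Dict[str, Tuple[Optional[str], str]]):
    """decisions maps principal -> (decision, reason); decision is 'approve',
    'deny', or None when the reviewer never responded.  Returns the
    assignments that remain and a per-principal log of what happened."""
    remaining, log = [], {}
    for a in assignments:
        if a.role != settings.role:        # other roles are out of scope
            remaining.append(a)
            continue
        decision, reason = decisions.get(a.principal, (None, ""))
        if decision is None:               # reviewer did not respond
            action = settings.no_response_action
            if action == "take_recommendations":
                decision = recommend(a.principal, settings.recommendation_window_days)
                reason = f"no response, system recommendation: {decision}"
            elif action in ("remove", "approve"):
                decision = "deny" if action == "remove" else "approve"
                reason = f"no response, default action: {action}"
            else:
                log[a.principal] = ("unchanged", "no response, no change")
                remaining.append(a)
                continue
        elif decision == "approve" and settings.require_reason_on_approve and not reason.strip():
            raise ValueError(f"a reason is required to approve {a.principal}")
        elif decision == "deny" and settings.require_reason_on_deny and not reason.strip():
            raise ValueError(f"a reason is required to deny {a.principal}")
        if decision == "deny" and settings.apply_results:
            log[a.principal] = ("removed", reason)   # assignment is dropped
            continue
        log[a.principal] = ("denied, not applied" if decision == "deny" else "kept", reason)
        remaining.append(a)
    return remaining, log


def first_review():
    """The video's first review: results not applied, so the denied user stays."""
    settings = ReviewSettings(GA, apply_results=False)
    decisions = {
        "test1user1@contoso.example": ("deny", ""),
        "pim-admin@contoso.example": ("approve", "still in use"),
        "first-admin@contoso.example": ("approve", "still in use"),
        "old-test@contoso.example": ("approve", "still in use"),
    }
    return apply_review(ASSIGNMENTS, settings, decisions)


def second_review():
    """Results applied; reviewers who never respond fall back to recommendations."""
    settings = ReviewSettings(GA, apply_results=True, no_response_action="take_recommendations")
    decisions = {"test1user1@contoso.example": ("deny", "")}
    return apply_review(ASSIGNMENTS, settings, decisions)


if __name__ == "__main__":
    for name, (remaining, log) in (("first", first_review()), ("second", second_review())):
        print(name, "review:", log)
        print("  still assigned:", [(a.principal, a.role) for a in remaining])
```

The second review shows why "take recommendations" is the safer no-response default for privileged roles: an unreviewed account that has not signed in for months loses the role, while one in active use is kept, instead of every unanswered line silently staying as it was.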
That's the basics of using Privileged Identity Management in Azure. That does it for the video; I hope you found this information helpful. Don't forget to subscribe, like, and click the bell icon for new content. Thanks for watching.