As a best practice, most security professionals recommend administrative users have two accounts - one for administrative tasks and a second account for all other tasks. This ensures that things like email that can be a vector for malware are kept separate from the account with administrative rights. Unfortunately, this creates a hurdle for many environments, in that the additional time and effort taken to manage and use two accounts for all administrative users becomes problematic.

To help to address this issue, Microsoft has created the Privileged Identity Manager (PIM) for use in the Azure environment. It allows a single account to be used for all of the tasks that an administrative user needs to accomplish while not allowing the administrative user excessive rights at all times. The user must request the use of the rights when they are needed and they automatically are removed after a predetermined time passes. Add to this, the PIM system audits use of these additional rights to ensure that they are used properly.

With Azure Privileged Identity Manager, the use of elevated rights to manage the Azure environment can be managed and monitored while maintaining only a single account for administrative users. The users must request to use the elevated rights they are assigned as they need them and the rights are time-limited to prevent the administrators from using them indefinitely and effectively enforcing a separation of duties by ensuring that the rights are limited except when they are specifically required to manage Azure.

The use of the PIM system is audited and reports may be used to show who is using elevated rights and for what purposes. There is a wealth of data collected and available to you from within PIM, and there are a wealth of options available to you for gaining access to this information.

To ensure that the PIM administrator(s) are aware of what PIM is being used for and how frequently, PIM tracks this usage and you can then review the activity of the system by individual users:

1. Open Azure AD Privileged Identity Management console at https://portal.azure.com/#blade/Microsoft_Azure_PIMCommon/CommonMenuBlade
2. Select Azure resources.
3. Select the resource you want to view activity and activations for.
4. Select Roles or Members.
5. Select a user.
6. Select a specific role activation to see details and corresponding Azure resource activity that occurred while that user was active.

In the event that an administrator wants to import the PIM role assignments into another environment or have them available to review manually, the role assignments can be exported with their child resources as follows:

1. Open Azure AD Privileged Identity Management at https://portal.azure.com/#blade/Microsoft_Azure_PIMCommon/CommonMenuBlade
2. Select Azure resources.
3. Select the resource you want to export role assignments for, such as a subscription.
4. Select Members.
5. Select Export to open the Export membership pane.
6. Select Export all members to export all role assignments in a CSV file.

In scenarios where excessive or inappropriate access of a resource may have been granted, it may be helpful to review the history of role access to that resource. This is the steps needed to review that access history:

1. Open Azure AD Privileged Identity Management at https://portal.azure.com/#blade/Microsoft_Azure_PIMCommon/CommonMenuBlade
2. Select Azure resources.
3. Select the resource you want to view audit history for.
4. Select Resource audit.
5. Filter the history using a predefined date or custom range.
6. For Audit type, select Activate (Assigned + Activated).
7. Under Action, click (activity) for a user to see that user's activity detail in Azure resources.

If a user of PIM wants to review their own account's activity for any reason, the following allows for this review:

1. Open Azure AD Privileged Identity Management at https://portal.azure.com/#blade/Microsoft_Azure_PIMCommon/CommonMenuBlade
2. Select Azure resources.
3. Select the resource you want to view audit history for.
4. Select My audit.
5. Filter the history using a predefined date or custom range.

Finally, there may be good reason to review increased rights, who approved the increased rights, and finally the ticket numbers associated with increased rights. To review this information, you can do the following:

1. Sign in to the Azure portal with Privileged Role administrator role permissions, and open Azure AD.
2. Select Audit logs.
3. Use the Service filter to display only audit events for the Privileged identity Management service. On the Audit logs page, you can:
   • See the reason for an audit event in the Status reason column.
   • See the approver in the Initiated by (actor) column for the "add member to role request approved" event.
4. Select an audit log event to see the ticket number on the Activity tab of the Details pane.
5. You can view the requester (person activating the role) on the Targets tab of the Details pane for an audit event. There are three target types for Azure resource roles:
   • The role (Type = Role)
   • The requester (Type = Other)
   • The approver (Type = User)

PIM provides a means for controlling administrative access throughout an environment, but without insights into what’s been granted and is being used it’s an imperfect solution. By leveraging the data that can be reviewed via the auditing views described in this post. Our hope is that this will provide insights into PIM usage, potential optimizations to rights assignments and/or process configurations, and give you further insights into how your organization leverages PIM and more generally privileged access.