As a best practice, most security professionals recommend that administrative users have two accounts: one for administrative tasks and a second account for everything else. This keeps things like email, which can be a vector for malware, separate from the account that holds administrative rights. Unfortunately, this creates a hurdle for many environments, because the additional time and effort needed to manage and use two accounts for every administrative user quickly becomes a problem.
To help address this issue, Microsoft has created the Privileged Identity Manager (PIM) for use in the Azure environment. It allows a single account to be used for all of the tasks an administrative user needs to accomplish, without granting that account excessive rights at all times. The user must request the rights when they are needed, and the rights are automatically removed after a predetermined time passes. In addition, PIM audits the use of these elevated rights so that their use can be verified.
With Azure Privileged Identity Manager, the use of elevated rights to manage the Azure environment can be controlled and monitored while administrative users keep only a single account. Users must request the elevated rights they are assigned as they need them, and the rights are time-limited so that administrators cannot hold them indefinitely. This effectively enforces a separation of duties: the rights are withheld except when they are specifically required to manage Azure.
Use of PIM is audited, and reports can show who is using elevated rights and for what purposes. There is a wealth of data collected and available to you within PIM, and there are many options for gaining access to this information.
To ensure that the PIM administrator(s) are aware of what PIM is being used for and how frequently, PIM tracks this usage and you can then review the activity of the system by individual users:
In the event that an administrator wants to import the PIM role assignments into another environment or have them available to review manually, the role assignments can be exported with their child resources as follows:
In scenarios where excessive or inappropriate access to a resource may have been granted, it may be helpful to review the history of role access to that resource. These are the steps needed to review that access history:
If a user of PIM wants to review their own account's activity for any reason, the following allows for this review:
Finally, there may be good reason to review grants of increased rights, who approved them, and the ticket numbers associated with them. To review this information, you can do the following:
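The five reviews above (usage by individual user, export of role assignments with their child resources, access history for a resource, a user's own activity, and approvals with their ticket numbers) can also be run offline over an exported audit log, which is useful when the same questions need answering repeatedly or across several tenants. The Python below is an added example and is not code from the original post or from Microsoft. The record layout it reads is a constructed, simplified stand-in for an audit export; every field name in it (time, request_id, activity, actor, target, role, scope, justification, ticket_number, principal, state) is an assumption for illustration, not the product's schema, and the sample events and assignments are made up.

```python
"""Review helpers for exported PIM audit events and role assignments.

Added example, not from the original post or from Microsoft. Field names below
are assumed for illustration and are not the product's real export schema.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample events: one approved activation (req-001), one
# self-activation without a ticket (req-002) and one pending request (req-003).
SAMPLE_EVENTS_JSON = """[
 {"time": "2024-03-04T08:02:10Z", "request_id": "req-001", "activity": "ActivationRequested",
  "actor": "alice@contoso.example", "target": "alice@contoso.example", "role": "Contributor",
  "scope": "/subscriptions/sub-1/resourceGroups/rg-app", "justification": "Deploy hotfix", "ticket_number": "CHG-1042"},
 {"time": "2024-03-04T08:05:30Z", "request_id": "req-001", "activity": "ActivationApproved",
  "actor": "bob@contoso.example", "target": "alice@contoso.example", "role": "Contributor",
  "scope": "/subscriptions/sub-1/resourceGroups/rg-app"},
 {"time": "2024-03-04T08:05:35Z", "request_id": "req-001", "activity": "RoleActivated",
  "actor": "alice@contoso.example", "target": "alice@contoso.example", "role": "Contributor",
  "scope": "/subscriptions/sub-1/resourceGroups/rg-app"},
 {"time": "2024-03-04T12:05:35Z", "request_id": "req-001", "activity": "RoleDeactivated",
  "actor": "alice@contoso.example", "target": "alice@contoso.example", "role": "Contributor",
  "scope": "/subscriptions/sub-1/resourceGroups/rg-app"},
 {"time": "2024-03-05T09:00:00Z", "request_id": "req-002", "activity": "ActivationRequested",
  "actor": "carol@contoso.example", "target": "carol@contoso.example", "role": "Owner",
  "scope": "/subscriptions/sub-1", "justification": "Quarterly review", "ticket_number": null},
 {"time": "2024-03-05T09:00:05Z", "request_id": "req-002", "activity": "RoleActivated",
  "actor": "carol@contoso.example", "target": "carol@contoso.example", "role": "Owner",
  "scope": "/subscriptions/sub-1"},
 {"time": "2024-03-05T10:00:00Z", "request_id": "req-003", "activity": "ActivationRequested",
  "actor": "alice@contoso.example", "target": "alice@contoso.example", "role": "Contributor",
  "scope": "/subscriptions/sub-1/resourceGroups/rg-app/providers/Microsoft.Web/sites/web1",
  "justification": "Restart app", "ticket_number": "CHG-1050"}
]"""

# Constructed sample of eligible/active assignments (not real data).
SAMPLE_ASSIGNMENTS = [
    {"principal": "alice@contoso.example", "role": "Contributor", "state": "Eligible",
     "scope": "/subscriptions/sub-1/resourceGroups/rg-app"},
    {"principal": "alice@contoso.example", "role": "Reader", "state": "Eligible",
     "scope": "/subscriptions/sub-1/resourceGroups/rg-app/providers/Microsoft.Web/sites/web1"},
    {"principal": "carol@contoso.example", "role": "Owner", "state": "Eligible",
     "scope": "/subscriptions/sub-1"},
    {"principal": "dave@contoso.example", "role": "Contributor", "state": "Active",
     "scope": "/subscriptions/sub-1/resourceGroups/rg-app2"},
]

def load_events(text):
    """Parse the export and convert timestamps so events sort chronologically."""
    events = json.loads(text)
    for e in events:
        e["time"] = datetime.fromisoformat(e["time"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["time"])

def in_scope(candidate, parent):
    """True when candidate is the parent scope itself or a child resource of it.
    The '/' boundary check stops rg-app from also matching rg-app2."""
    return candidate == parent or candidate.startswith(parent + "/")

def activity_by_user(events):
    """Who is using PIM and how often: per-actor counts of each activity."""
    summary = defaultdict(Counter)
    for e in events:
        summary[e["actor"]][e["activity"]] += 1
    return dict(summary)

def export_assignments(assignments, parent_scope):
    """Role assignments at a scope plus all of its child resources."""
    return [a for a in assignments if in_scope(a["scope"], parent_scope)]

def role_history_for_scope(events, parent_scope):
    """Chronological role activity touching a resource or anything beneath it."""
    return [(e["time"].isoformat(), e["actor"], e["role"], e["activity"])
            for e in events if in_scope(e["scope"], parent_scope)]

def own_activity(events, upn):
    """Everything a user did, or had done to them (an approval of their request)."""
    return [e for e in events if upn in (e["actor"], e["target"])]

def approval_report(events):
    """Per request: who asked for what, who approved it and which change ticket."""
    report = {}
    for e in events:
        r = report.setdefault(e["request_id"], {"requester": None, "role": e["role"],
                              "scope": e["scope"], "approver": None,
                              "ticket": None, "justification": None})
        if e["activity"] == "ActivationRequested":
            r.update(requester=e["actor"], ticket=e.get("ticket_number"),
                     justification=e.get("justification"))
        elif e["activity"] == "ActivationApproved":
            r["approver"] = e["actor"]
    return report

def requests_without_ticket(events):
    """Activations that bypassed change control: no ticket number recorded."""
    return sorted(rid for rid, r in approval_report(events).items() if not r["ticket"])
```

Running `approval_report(load_events(SAMPLE_EVENTS_JSON))` joins each activation request with its approval and ticket, and `requests_without_ticket` surfaces the one self-activation (req-002) that carried no change ticket, which is the kind of finding the approval review in the last step above is meant to produce. The `in_scope` boundary check matters when exporting or reviewing by resource: a plain prefix match would let `rg-app` silently pull in `rg-app2`.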
PIM provides a means for controlling administrative access throughout an environment, but without insight into what has been granted and what is actually being used, it is an imperfect solution. By leveraging the data available through the auditing views described in this post, our hope is that you gain insight into PIM usage, identify potential optimizations to rights assignments and/or process configurations, and better understand how your organization uses PIM and, more generally, privileged access.
KiZAN is a Microsoft National Solutions Provider with numerous gold and silver Microsoft competencies, including gold security and gold enterprise mobility management. Our primary offices are located in Louisville, KY, and Cincinnati, OH, with additional sales offices located in Tennessee, Indiana, Michigan, Pennsylvania, Florida, North Carolina, South Carolina, and Georgia.