Mastering Temporary Access with Microsoft Entra Privileged Identity Management

Ever wished there was a way to grant your team just the right amount of access, just when they need it? Privileged Identity Management (PIM) in Microsoft Entra is here to save the day! PIM helps organizations manage, control, and monitor access to critical resources. By providing just-in-time privileged access, PIM ensures users get the permissions they need, only when they need them. Say goodbye to unnecessary risks and hello to enhanced security!

Importance of PIM in Managing and Securing Privileged Access

Think of managing privileged access like guarding the keys to your kingdom. Too many keys floating around can spell trouble—security breaches, data leaks, and compliance headaches galore. That's where PIM steps in, swooping down to enforce time-bound access, approval workflows, and thorough auditing. It’s like having a security superhero on your team, ensuring that elevated permissions are only granted when absolutely necessary and for a limited time. But PIM is not just about security; it’s also about empowerment. It enables users to self-service and obtain the access they need, when they need it, making them more efficient and effective in their roles.

Definitions and Key Features of PIM

Privileged Identity Management (PIM) is a service within Microsoft Entra that enables you to manage, control, and monitor access to important resources. Key features include:

• Just-in-Time Access: Grants users permissions only when needed.
• Time-Bound Access: Ensures elevated privileges are temporary, reducing risks.
• Approval Workflow: Allows setup of approval processes for granting privileged access.
• Access Reviews: Regular reviews and audits to ensure compliance.
• Comprehensive Auditing: Tracks activities related to privileged access, ensuring transparency and accountability.

Common Scenarios

Let's review some common scenarios where PIM may be helpful, and when there are better options. PIM is best utilized where access is very short, as in a few hours. Most administrative tasks that we want to utilize with PIM are likely not going to stretch over days or weeks.

• Temporary Administrative Tasks: Assigning temporary roles like configuring user mailboxes or system maintenance.
• Emergency Access: Provide just-in-time access to backups of your primary employees.
• Contractor Access: Providing contractors with rights needed to complete tasks while enabling a strong level of auditing.
• Compliance Audits: Temporarily giving auditors or compliance officers who need to review sensitive systems and data.
• Seasonal Work: Granting access to seasonal employees or interns may seem like a good use case for PIM, and this is a scenario where PIM could be coupled with an Access Package to provide the needed access.
• Project-Based Access: Granting elevated access to a group of users might seem like a perfect use case for PIM, but in fact setting up Access Packages is a much better approach for this use case. Access Packages can be used for internal users as well.
• Cross-Department Collaboration: PIM isn't just about privileged access. It can also be used to provide access to groups and Azure resources. Longer term collabs might be a better use case for access packages, but short term (day long) access might be a good option for PIM.

Licensing

At the time of writing, utilizing PIM requires that the configuring user, and the user assigned a PIM role both have a Microsoft Entra ID P2, Microsoft Entra ID Governance, M365 E5, or Enterprise Mobility + Security E5 license. 

Setting up a Microsoft Entra Role for PIM

Before we can assign a role to a user or group, we need to configure how that role is assigned. Let's walk through setting up the Exchange Admin role as an example.

Step 1: Manage Roles

1. Navigate to the Microsoft Entra Admin Center.
2. Navigate to Identity Governance -> Privileged Identity Management.
3. In PIM, select "Microsoft Entra roles", then select "Roles" under Manage.
4.  Find the Exchange Administrator role from the list and select it.
5. Select "Settings" or "Role Settings" to configure how PIM will manage the role.

Step 2: Configure Role Settings

1. Under the Activation menu:
   • Set the Activation maximum duration (hours) - Users will be able to select access time up to this amount.
   • On Activation, require - MFA, always require MFA, unless you have a conditional access context you want to use.
   • Choose to require justification, include ticket information, and whether approval is needed.
     • Any user can approve, even non-admin users. This is great for allowing supervisors or project leads to approve access.
2. Move on to "Assignment". This determines how this role can be assigned, now that PIM is managing the role, this will affect any future assignments of this role.
   
   • Choose to allow permanent eligible assignments - This means that a user can be permanently assigned the ability to elevate their permissions.
   • Choose to allow permanent active assignments - This is whether or not user can be assigned the role without the need to elevate. There may be some roles in your organization that you never want permanently active, such as Global Administrator.
   • Check the box for "Require Azure Multi-Factor Authentication on active assignment".
   • Choose whether active assignment also requires justification - This might be useful when auditing roles later on.
3. Move on to "Notification". This section determines who gets notified and for what. This table can seem very redundant and confusing at first. Let's go through this section one part at a time.
   • Default recipients: Users that Microsoft believes should be notified.
     • Admin - Typically Global Admins.
     • Assignee - The user who is assigned the role.
     • Approver - If the roles requires approval, then email the assigned approver or group of approvers.
   • Additional recipients:
     • Users or groups in this list, separated by semicolon, will receive emails.
     • It is possible to uncheck the Default recipient and use these recipients instead.
   • Critical emails only:
     • PIM will also send emails when action is required, for example, approvals, role extensions, etc.
   • We recommend receiving alerts for "Role activation alert" as this can help ensure users are properly activating roles with correct justification and for auditing purposes.
4. Select Update to return to the assignments screen.

Step 3: Assigning Roles

1. Select "Add assignments" from the top of the screen.
2. Add the members or groups that you want to assign to role

In order to assign a group, the group has to be created with the "Microsoft Entra roles can be assigned to the group" property enabled. This option is permanent and can't be changed once the group is created.

3. In the settings section select the following:
   • Assignment type
     • Eligible: The user can escalate privilege into this role, but doesn't have the access all the time. 
     • Active: The user always has the permissions assigned by this role.
   • Assignment length
     • Permanently eligible/active: The user always has this role.
     • Temporary access: Define a start and end date and time that the access will be assigned. This is great for projects or interns may need to be able to temporarily elevate their rights.
4. Depending on your notification settings, the user will get an email letting them know they have been assigned the role. The email will have a "View or activate role" button that the user can click to easily get to their role.
5. You can remove or updated a role assignment from the assignments screen.

Monitoring and Managing Privileged Access

We can review assignments and eligibility for all roles in Microsoft Entra Privileged Identity Management -> Microsoft Entra Roles -> Manage -> Assignments. From this screen we can also revoke any active role escalations. Remember to occasionally remove any users who no longer need assignments.

To audit any role activations, approvals, etc. we can go to Activity -> Resource Audit.

We can then correlate the timestamps with our M365 audit log in Microsoft Purview to determine which actions were taken by the user while they had the role.

Conclusion

In this guide, we've explored how Microsoft Entra Privileged Identity Management (PIM) enhances security and empowers users by granting just-in-time, time-bound access to critical resources. By effectively managing roles and groups, configuring approval workflows, and conducting regular access reviews, PIM helps organizations minimize risks while enabling users to self-service their access needs.

PIM is not just about securing access but also about enabling productivity and efficiency. By adopting PIM, you can transform your organization's approach to privileged access management, ensuring a balance between security and empowerment.

PIM takes some forethought and planning to implement properly. There are many business use cases and best practices when it comes to assigning roles, groups, and azure resources. If you need assistance setting up PIM for your organization, drop us a line.