Getting started with Privileged Identity Management (PIM) in Microsoft Entra ID (formerly Azure Active Directory) requires little setup, but it is a licensed feature: the tenant needs Microsoft Entra ID P2 or Microsoft Entra ID Governance, and the users who will be managed by PIM need to be covered by that license.
You do not create a PIM service principal or enterprise application yourself; the service's own enterprise application is provisioned automatically the first time PIM is used in the tenant. To begin, sign in to the Microsoft Entra admin center and go to Identity governance > Privileged Identity Management.
From there you choose which roles PIM governs (Microsoft Entra roles, Azure resource roles and groups), decide who is eligible for each role, and set each role's activation policy: maximum activation duration, MFA, justification, approval and notifications.
Eligibility and activation policy are configured per role, so the same user can be eligible for several roles with different requirements on each.
Understanding PIM
Understanding PIM concepts is the first step in protecting your organization's sensitive data and in working out its privileged identity requirements.
PIM manages privileged identities: accounts whose roles grant elevated access to sensitive data and systems. An attacker who compromises such an account inherits every permission it holds, so the roles with the broadest permissions deserve protection first.
To decide which roles to manage with PIM, start with the Microsoft Entra roles that carry the most permissions, and consider which data and permissions are most sensitive for your organization.
Global Administrator and Security Administrator are examples of roles whose holders can do the most damage when compromised; these roles should be managed with PIM from the outset.
In the Microsoft Entra admin center, the Privileged label on the Roles and administrators page marks high-privilege roles that are candidates for PIM.
Here are the kinds of roles and groups you can manage with PIM:
- Microsoft Entra roles, also known as directory roles. Both built-in and custom roles can be managed.
- Azure roles: the Azure RBAC roles that grant access to management groups, subscriptions, resource groups and individual resources.
- PIM for Groups: just-in-time membership or ownership of a Microsoft Entra security group or Microsoft 365 group. Because the group can itself hold Microsoft Entra roles, Azure roles or application access, activating group membership activates everything assigned to the group.
- Users: individual users can be made eligible for Microsoft Entra roles, Azure roles and PIM-managed groups, and activate them just-in-time.
- Groups: PIM for Groups no longer requires the group to be role-assignable (the older "privileged access groups"); any security group or Microsoft 365 group can be brought under PIM, which is useful for just-in-time access to applications and resources that are granted through group membership.
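The Privileged label tells you which roles to protect; the next step is to find out who holds them permanently. The following is an added example (not code from the original article) that turns the label into an audit: it lists standing assignments, meaning permanent active assignments rather than PIM activations, for every directory role Microsoft Graph marks as privileged. These are the assignments PIM should convert to eligible. It assumes the Microsoft Graph PowerShell SDK is installed and that you sign in with an account allowed to read role management data. Emergency-access (break-glass) accounts are expected to show up here as permanent Global Administrators and should be excluded from remediation deliberately.

```powershell
# Added example: report standing (permanent, non-PIM) assignments to privileged Microsoft Entra roles.
# Assumes: Install-Module Microsoft.Graph; an account that can read role management data.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All" -NoWelcome

# The Privileged label in the admin center corresponds to isPrivileged on the role definition.
$privilegedRoles = Get-MgRoleManagementDirectoryRoleDefinition -Filter "isPrivileged eq true" -All

$findings = foreach ($role in $privilegedRoles) {
    # roleAssignmentSchedules lists currently active assignments.
    # AssignmentType "Assigned" is a standing assignment; "Activated" is a PIM activation in progress.
    $schedules = Get-MgRoleManagementDirectoryRoleAssignmentSchedule `
        -Filter "roleDefinitionId eq '$($role.Id)'" -All

    foreach ($s in $schedules) {
        $isStanding = ($s.AssignmentType -eq 'Assigned') -and
                      ($s.ScheduleInfo.Expiration.Type -eq 'noExpiration')
        if (-not $isStanding) { continue }

        # Resolve the principal (user, group or service principal) for a readable report.
        $principal = Get-MgDirectoryObject -DirectoryObjectId $s.PrincipalId
        [pscustomobject]@{
            Role          = $role.DisplayName
            Principal     = $principal.AdditionalProperties['displayName']
            PrincipalType = ($principal.AdditionalProperties['@odata.type'] -replace '#microsoft.graph.', '')
            MemberType    = $s.MemberType        # Direct, or Group when inherited through a role-assignable group
            Scope         = $s.DirectoryScopeId  # "/" is tenant-wide; anything else is an administrative unit or app
        }
    }
}

# Every row is a candidate for conversion to an eligible assignment, except documented break-glass accounts.
$findings | Sort-Object Role, Principal | Format-Table -AutoSize
```

Run this before and after the rollout: the "after" report should contain only the break-glass accounts and any service identities that genuinely cannot activate interactively.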
Implementing PIM
Implementing PIM starts with planning which Microsoft Entra roles and Azure resource roles to manage. Minimize the Owner and User Access Administrator assignments on each subscription or resource and remove any that are unnecessary, since these two roles can grant further access to anyone.
A Global Administrator can elevate access, which grants User Access Administrator at the root scope and makes every Azure subscription in the tenant visible. Use that view to identify the management groups, subscriptions, resource groups and resources that are most vital to the organization, then remove the elevated access once the inventory is complete. Consider using management groups to organize subscriptions, so that role assignments and PIM settings can be applied once at a higher scope rather than subscription by subscription.
Once PIM is enabled, the role settings you will typically adjust during rollout include:
- Adding a Microsoft Entra group, rather than individual users, as the approver for activations, so approvals keep working through staff changes
- Deciding whether eligible assignments must expire; removing the expiration requirement permits permanent eligibility, which is convenient but weakens the control, so pair it with recurring access reviews if you do it
- Changing the maximum activation duration per role, for example one hour for Global Administrator
You should also work with Subscription owners to document resources managed by each subscription and classify the risk level of each resource if compromised. This helps prioritize managing resources with PIM based on risk level.
Implement for Microsoft Entra
Implementing PIM for Microsoft Entra involves several key steps. You can start by planning and implementing PIM for Microsoft Entra roles.
Only a user in the Privileged Role Administrator or Global Administrator role can create or change Microsoft Entra role assignments in PIM. Those two roles, together with Global Reader and Security Reader, can view the existing assignments.
Assign Microsoft Entra roles as eligible rather than active, then let eligible users activate the role just-in-time when they need it, for a bounded duration and with a justification.
Users can request to extend an active assignment that is nearing expiration, or renew an eligible assignment that has expired, from PIM. Both user-initiated requests require approval from a Global Administrator or Privileged Role Administrator.
To set up email notifications and weekly digest emails, configure the notification settings in PIM. These emails will include links to relevant tasks, such as activating or renewing a role.
You can also perform these PIM tasks using the Microsoft Graph APIs for Microsoft Entra roles.
To create a security group in Microsoft Entra ID for use with PIM for Groups: in the Microsoft Entra admin center go to Identity > Groups > All groups > New group, choose Security as the group type and name the group. If the group will itself be assigned Microsoft Entra roles, turn on "Microsoft Entra roles can be assigned to the group" at creation time; that property cannot be changed after the group exists.
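The eligible-then-activate flow above, done through the Microsoft Graph APIs for Microsoft Entra roles. This is an added example, not code from the original article or from Microsoft's documentation, using the Microsoft Graph PowerShell SDK against the PIM v3 endpoints (roleEligibilityScheduleRequests and roleAssignmentScheduleRequests). The user principal name, role name and justification text are placeholders. Step 1 is run by a Privileged Role Administrator; step 2 is run later by the eligible user in their own session, and succeeds only within the limits of that role's PIM policy.

```powershell
# Added example: make a user eligible for a Microsoft Entra role, then activate it just-in-time.
# Assumes: Microsoft Graph PowerShell SDK; placeholders for the UPN and role name below.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "User.Read.All" -NoWelcome

$roleName = 'Security Administrator'                       # placeholder role
$user     = Get-MgUser -UserId 'alice@contoso.example'     # placeholder UPN
$roleDef  = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"

# 1. Run as Privileged Role Administrator: eligible (not active) for 180 days, tenant-wide scope "/".
$eligibility = New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter @{
    action           = 'adminAssign'
    justification    = 'Tier-1 security operations; reviewed quarterly'
    roleDefinitionId = $roleDef.Id
    directoryScopeId = '/'
    principalId      = $user.Id
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = 'afterDuration'; duration = 'P180D' }
    }
}
"Eligibility request $($eligibility.Id): $($eligibility.Status)"

# 2. Run as the eligible user: activate for one hour with a justification.
#    The requested duration cannot exceed the role's maximum activation duration; MFA and approval
#    requirements come from the role's policy, not from this request.
$activation = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter @{
    action           = 'selfActivate'
    justification    = 'Investigate risky sign-ins (ticket reference goes here)'
    roleDefinitionId = $roleDef.Id
    directoryScopeId = '/'
    principalId      = $user.Id
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = 'afterDuration'; duration = 'PT1H' }
    }
}
# Status is Provisioned when the role is active immediately, PendingApproval when an approver must act.
"Activation request $($activation.Id): $($activation.Status)"

# 3. Show what is active for this user right now; PIM activations have AssignmentType "Activated".
Get-MgRoleManagementDirectoryRoleAssignmentSchedule -Filter "principalId eq '$($user.Id)'" |
    Select-Object RoleDefinitionId, AssignmentType,
                  @{ n = 'Ends'; e = { $_.ScheduleInfo.Expiration.EndDateTime } }
```

The same two request types, with action set to adminRemove or selfDeactivate, are how eligibility is revoked and an activation ended early.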
Implement for Resource
Implementing PIM for Resource Management is a crucial step in securing your Azure resources. You should start by identifying the management groups, subscriptions, resource groups, and resources that are most vital for your organization.
To minimize Owner and User Access Administrator assignments, work with a Global Administrator who has elevated access to find and remove unnecessary assignments within each subscription, including assignments inherited from management groups. Access reviews for Azure resources help audit the remaining role assignments on a recurring basis and remove those no longer justified.
To prioritize resource management, work with Subscription owners to document resources managed by each subscription and classify the risk level of each resource if compromised. This will help you manage resources with PIM based on risk level.
The key settings for PIM on Azure resources are the same per-role settings used for Microsoft Entra roles (maximum activation duration, MFA, justification, approval and notifications), configured for each role at the scope where you assign it.
Configure them on the critical subscriptions first, then consider scoping PIM further down into resources within the subscription, such as resource groups, storage accounts and key vaults: an eligible Owner of one key vault has a far smaller blast radius than an eligible Owner of the whole subscription.
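The resource-side procedure described in this section, as an added example (not code from the original article) using Az PowerShell (Az.Accounts and Az.Resources): inventory the standing Owner and User Access Administrator assignments on a subscription, replace one with an eligible assignment, and activate it. The subscription ID and user principal name are placeholders; the eligibility request is run by someone with Owner or User Access Administrator rights on the scope, and the activation by the eligible user.

```powershell
# Added example: inventory high-privilege Azure RBAC assignments, then move one to PIM eligibility.
# Assumes: Az.Accounts and Az.Resources modules; placeholder subscription ID and UPN.
Connect-AzAccount | Out-Null
$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
$scope          = "/subscriptions/$subscriptionId"

# 1. Active Owner / User Access Administrator assignments visible at this scope.
#    This includes inherited assignments and any PIM activations currently in effect.
Get-AzRoleAssignment -Scope $scope |
    Where-Object { $_.RoleDefinitionName -in 'Owner', 'User Access Administrator' } |
    Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope |
    Format-Table -AutoSize

# 2. Make a user eligible for Owner on the subscription instead of granting it permanently.
$user      = Get-AzADUser -UserPrincipalName 'bob@contoso.example'          # placeholder UPN
$ownerDef  = Get-AzRoleDefinition -Name 'Owner'
# PIM for Azure resources wants the fully qualified role definition resource ID at this scope.
$roleDefId = "$scope/providers/Microsoft.Authorization/roleDefinitions/$($ownerDef.Id)"

New-AzRoleEligibilityScheduleRequest -Name (New-Guid).Guid -Scope $scope `
    -PrincipalId $user.Id -RoleDefinitionId $roleDefId `
    -RequestType AdminAssign `
    -ScheduleInfoStartDateTime (Get-Date).ToUniversalTime() `
    -ExpirationType AfterDuration -ExpirationDuration 'P180D' `
    -Justification 'Subscription owner, eligible only; covered by quarterly access review'

# After step 2 succeeds, remove the user's permanent Owner assignment (if one existed):
# Remove-AzRoleAssignment -ObjectId $user.Id -RoleDefinitionName 'Owner' -Scope $scope

# 3. Run as the eligible user: activate Owner for one hour.
New-AzRoleAssignmentScheduleRequest -Name (New-Guid).Guid -Scope $scope `
    -PrincipalId $user.Id -RoleDefinitionId $roleDefId `
    -RequestType SelfActivate `
    -ScheduleInfoStartDateTime (Get-Date).ToUniversalTime() `
    -ExpirationType AfterDuration -ExpirationDuration 'PT1H' `
    -Justification 'Change window: rotate storage account keys'

# 4. Eligible roles the signed-in user holds at this scope (asTarget() = "my" eligibilities).
Get-AzRoleEligibilitySchedule -Scope $scope -Filter 'asTarget()' |
    Select-Object Scope, RoleDefinitionId, PrincipalId, Status, EndDateTime
```

Scoping follows directly from $scope: point it at a resource group or a single key vault resource ID to make the eligibility, and therefore the activation, narrower.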
Configure Settings
Configuring settings for Privileged Identity Management (PIM) in Azure is a crucial step in managing access to sensitive resources. The first step is to draft and configure your PIM settings for every privileged role that your organization uses.
To configure PIM settings for Microsoft Entra roles, decide for each role whether activation requires MFA, whether it requires a Conditional Access authentication context, and who is notified. For example, the Global Administrator role should require both MFA and a Conditional Access authentication context, while a lower-tier role such as Helpdesk Administrator may be given lighter settings; requiring MFA on every privileged activation costs little, so treat exemptions as the exception.
Here's a table showing example settings for Microsoft Entra roles:
For Azure resource roles, configure settings such as Require MFA, Notification and Require approval per role and per scope. For example, Owner on critical subscriptions should require MFA and approval, while Reader on a development resource group may need neither.
Here's a table showing example settings for Azure Resource roles:
Across both kinds of roles, the settings that matter most are Maximum activation duration, Notifications, Multi-factor authentication and Selected approver. For example, the Global Administrator role might have a maximum activation duration of 1 hour with approval required, while the Helpdesk Administrator role might allow a longer activation window without approval. Keep durations as short as the work allows, because an active role is usable by anyone who hijacks the session for as long as it remains active.
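The role-setting changes listed under Implementing PIM (group as approver, eligibility expiration, maximum duration) and the per-role settings discussed in this section all live in one place in Microsoft Graph: the role management policy assigned to each role, whose rules are updated individually. The following is an added example (not code from the original article) that reads the policy for Global Administrator and then applies a one-hour maximum activation, MFA plus justification, approval by a group, and a one-year cap on eligibility, using the Microsoft Graph PowerShell SDK. The approver group name is a placeholder; the rule IDs are the fixed IDs PIM uses for each setting and the first Get call shows them for your tenant before anything is changed.

```powershell
# Added example: inspect and tighten the PIM role settings (roleManagementPolicy rules) for one Entra role.
# Assumes: Microsoft Graph PowerShell SDK; a placeholder approver group name.
Connect-MgGraph -Scopes "RoleManagementPolicy.ReadWrite.Directory", "RoleManagement.Read.Directory", "Group.Read.All" -NoWelcome

$roleDef  = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Administrator'"
$approver = Get-MgGroup -Filter "displayName eq 'PIM Approvers - Tier 0'"   # placeholder group

# Each Entra role has one policy assignment at directory scope "/"; its PolicyId owns the rules.
$assignment = Get-MgPolicyRoleManagementPolicyAssignment `
    -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$($roleDef.Id)'"
$policyId = $assignment.PolicyId

# Inspect before changing: rule IDs follow the pattern <Setting>_<Caller>_<Level>.
Get-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId |
    Select-Object Id, @{ n = 'Type'; e = { $_.AdditionalProperties['@odata.type'] } }

# Rules for end-user activation target caller EndUser at level Assignment.
$endUserTarget = @{ caller = 'EndUser'; operations = @('All'); level = 'Assignment'; inheritableSettings = @(); enforcedSettings = @() }

# Maximum activation duration: one hour.
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId 'Expiration_EndUser_Assignment' -BodyParameter @{
        '@odata.type'        = '#microsoft.graph.unifiedRoleManagementPolicyExpirationRule'
        id                   = 'Expiration_EndUser_Assignment'
        isExpirationRequired = $true
        maximumDuration      = 'PT1H'
        target               = $endUserTarget
    }

# Require MFA and a justification on activation.
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId 'Enablement_EndUser_Assignment' -BodyParameter @{
        '@odata.type' = '#microsoft.graph.unifiedRoleManagementPolicyEnablementRule'
        id            = 'Enablement_EndUser_Assignment'
        enabledRules  = @('MultiFactorAuthentication', 'Justification')
        target        = $endUserTarget
    }

# Require approval by the approver group (single stage, one-day timeout, no escalation).
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId 'Approval_EndUser_Assignment' -BodyParameter @{
        '@odata.type' = '#microsoft.graph.unifiedRoleManagementPolicyApprovalRule'
        id            = 'Approval_EndUser_Assignment'
        setting       = @{
            isApprovalRequired               = $true
            isApprovalRequiredForExtension   = $false
            isRequestorJustificationRequired = $true
            approvalMode                     = 'SingleStage'
            approvalStages                   = @(@{
                approvalStageTimeOutInDays      = 1
                isApproverJustificationRequired = $true
                escalationTimeInMinutes         = 0
                isEscalationEnabled             = $false
                primaryApprovers                = @(@{ '@odata.type' = '#microsoft.graph.groupMembers'; groupId = $approver.Id })
                escalationApprovers             = @()
            })
        }
        target        = $endUserTarget
    }

# Eligible assignments expire after at most one year. Setting isExpirationRequired to $false is what
# "remove the expiration requirement" means; it allows permanent eligibility and weakens the control.
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId 'Expiration_Admin_Eligibility' -BodyParameter @{
        '@odata.type'        = '#microsoft.graph.unifiedRoleManagementPolicyExpirationRule'
        id                   = 'Expiration_Admin_Eligibility'
        isExpirationRequired = $true
        maximumDuration      = 'P365D'
        target               = @{ caller = 'Admin'; operations = @('All'); level = 'Eligibility'; inheritableSettings = @(); enforcedSettings = @() }
    }
```

Apply the same pattern to each privileged role; for Azure resource roles the equivalent policies are exposed per scope under roleManagement/directory's Azure counterpart in the Azure Resource Manager API rather than in Microsoft Graph.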
Frequently Asked Questions
How to make a PIM request in Azure?
Any user who holds an eligible assignment can activate it; no administrator role is needed to make the request. Sign in to the Microsoft Entra admin center, go to Identity governance > Privileged Identity Management > My roles, pick the eligible role, choose Activate, enter the duration and a justification, and complete MFA or wait for approval if the role's policy requires them.
What is the difference between Azure PIM and Rbac?
Azure RBAC is the permission model: a role assignment on a management group, subscription, resource group or resource decides what a principal can do there. PIM does not replace it; PIM controls when such an assignment is in effect. A standing RBAC assignment is permanently active, whereas a PIM-managed assignment is eligible until the user activates it, and then active only for a bounded time, subject to MFA, justification and approval. Understanding that PIM sits on top of RBAC (and on top of Microsoft Entra roles) is what lets you remove standing privilege without removing anyone's ability to do their job.
Sources
- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-deployment-plan
- https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-guide-azure-ad-pim-for-groups/ba-p/3886345
- https://pathlock.com/learn/understanding-azure-ad-privileged-access-management-pim/
- https://fredrkl.com/blog/privileged-identity-management-for-azure-resources/
- https://learn.microsoft.com/en-us/defender-office-365/pim-in-mdo-configure