How To Use PIM in Microsoft Azure to Improve Security

Privileged Identity Management (PIM) is a security solution in Microsoft Azure that helps organizations manage and control access to privileged accounts and resources. PIM can help organizations reduce the risk of unauthorized access to sensitive data and systems and comply with security regulations. PIM is covered in Accelebrate's live, instructor-led official Microsoft course Microsoft Identity and Access Administrator (SC-300).

This tutorial by Garrett Jennings, an experienced Microsoft Azure trainer with deep knowledge of Microsoft security, guides you through how to use PIM to manage Azure roles. You will learn how to:

  • Discover Azure resources
  • Manage Azure resources
  • Assign Azure roles
  • View and manage eligible and active assignments

Audience

This tutorial is intended for Azure administrators who are responsible for managing privileged access to Azure resources.

Prerequisites

To complete this tutorial, you will need:

  • An Azure account with the Global administrator role
  • Access to the Azure portal

Let's get started!

  1. Sign in to https://portal.azure.com using a Global administrator account. A Global Administrator's role in managing PIM is to ensure that the process of granting and revoking privileged access is secure, well-structured, and compliant with organizational policies and requirements.

    Microsoft Azure sign-in

  2. Search for PIM in the portal search bar and then select "Microsoft Entra Privileged Identity Management." PIM provides a unified approach to managing both Entra ID roles and Azure roles by implementing just-in-time access, approval workflows, and time-bound access. This approach reduces the risk of prolonged access to sensitive resources and helps organizations meet security and compliance requirements.

    Microsoft Entra Privileged Identity Management


  3. On the left menu, select "Azure resources" and then select "Discover resources" from the middle pane. Privileged Identity Management (PIM) in Microsoft Azure provides the capability to manage Azure roles, allowing organizations to control and monitor access to Azure resources more securely.

    Azure resources


  4. Select your Azure subscription and then select "Manage resource" and "OK." This brings the subscription under PIM management, so that role assignments at that scope (and below it) can be governed through PIM's eligible and time-bound assignments rather than only through standard RBAC.

    manage resources

  5. Navigate back to the PIM initial menu, select "Azure resources," select your subscription and then select "Roles" under the "Manage" menu. Privileged Identity Management (PIM) in Microsoft Azure provides a comprehensive way to control access to Azure roles, enhancing security and governance over Azure resources.

    assign roles


  6. On the top menu select "Add assignments," select a role such as "Virtual Machine Contributor" and then select "No member selected." Privileged Identity Management (PIM) in Microsoft Azure provides control over both built-in and custom Azure roles, allowing organizations to manage access to Azure resources more securely.

    add assignments
  7. Select a user to assign the role to and select "Next." On the "Setting" tab, under "Assignment type," select "Eligible," leave the default duration dates and select "Assign." Eligible assignments in PIM require the member to activate the role before gaining temporary access, while active assignments provide continuous access to role privileges without any additional action. These two assignment types let organizations balance controlled, time-bound access against uninterrupted, permanent access to privileged roles.



  8. Navigate back to the PIM initial menu, select "Azure resources," select your subscription, and then select "Assignments" under the "Manage" menu. With Privileged Identity Management (PIM) in Microsoft Azure, when a user is designated as eligible for a specific role, they can activate that role when they need it.

    manage roles


  9. Under "Eligible assignments" you should see the user to whom you assigned the "Virtual Machine Contributor" role. Select the "Update" option for that user. Observe the options, then close that window and "Remove" the assignment. In Privileged Identity Management (PIM) for Azure roles, eligibility is set with a maximum duration of one year. This means that when users are designated as eligible for specific Azure roles, their eligibility has a predefined maximum duration of one year before it must be renewed or reevaluated.

    membership settings
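The same assign, review and remove cycle from steps 5 through 9 can be driven from Az PowerShell, which is useful when you want the change scripted and reviewable rather than clicked through. This is an added example and is not code from the tutorial or from Microsoft; it assumes the Az.Accounts and Az.Resources modules are installed, that `Connect-AzAccount` has already been run as an account allowed to manage PIM at the subscription, and that the subscription has already been brought under PIM management (step 4). The subscription ID and principal object ID are placeholders. The cmdlet and parameter names (`New-AzRoleEligibilityScheduleRequest`, `Get-AzRoleEligibilitySchedule`, `Get-AzRoleAssignmentSchedule`) are taken from the Az.Resources module as I know it; check them against `Get-Help` in your installed version.

```powershell
# Added example (not part of the tutorial): PIM eligible assignment lifecycle for an
# Azure role, mirroring portal steps 5-9. Requires Az.Accounts + Az.Resources and a
# prior Connect-AzAccount.

# --- Placeholders (assumptions): replace with your own values -----------------
$SubscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder subscription ID
$PrincipalId    = '11111111-1111-1111-1111-111111111111'   # placeholder: user's object ID
$Scope          = "/subscriptions/$SubscriptionId"

# --- Step 5/6: resolve the built-in role the tutorial uses ----------------------
$roleDef = Get-AzRoleDefinition -Name 'Virtual Machine Contributor'
$RoleDefinitionId = "$Scope/providers/Microsoft.Authorization/roleDefinitions/$($roleDef.Id)"

# --- Step 7: create an ELIGIBLE assignment valid for one year ------------------
# P365D is the one-year maximum the tutorial mentions for Azure-role eligibility.
# Every schedule request needs a fresh GUID as its name.
$assign = New-AzRoleEligibilityScheduleRequest `
    -Name ([guid]::NewGuid().Guid) `
    -Scope $Scope `
    -PrincipalId $PrincipalId `
    -RoleDefinitionId $RoleDefinitionId `
    -RequestType 'AdminAssign' `
    -ScheduleInfoStartDateTime (Get-Date).ToUniversalTime() `
    -ExpirationType 'AfterDuration' `
    -ExpirationDuration 'P365D' `
    -Justification 'Added example: eligible VM Contributor via PIM'
Write-Host "Eligibility request status: $($assign.Status)"

# --- Step 8: view eligible and active assignments at this scope ----------------
$eligible = Get-AzRoleEligibilitySchedule -Scope $Scope
$active   = Get-AzRoleAssignmentSchedule  -Scope $Scope

Write-Host "Eligible assignments for the principal:"
$eligible | Where-Object { $_.PrincipalId -eq $PrincipalId } |
    Select-Object PrincipalId, RoleDefinitionId, StartDateTime, EndDateTime, Status |
    Format-Table -AutoSize

# Defender's check: ACTIVE assignments with no end date are standing privilege.
# Keeping this list short is the whole point of using PIM; review anything here.
$standing = $active | Where-Object { -not $_.EndDateTime }
Write-Host "Active assignments with no expiry (standing privilege): $($standing.Count)"
$standing | Select-Object PrincipalId, RoleDefinitionId, Scope | Format-Table -AutoSize

# --- Step 9: remove the eligible assignment ------------------------------------
# Removal is itself a schedule request, with RequestType 'AdminRemove'.
$remove = New-AzRoleEligibilityScheduleRequest `
    -Name ([guid]::NewGuid().Guid) `
    -Scope $Scope `
    -PrincipalId $PrincipalId `
    -RoleDefinitionId $RoleDefinitionId `
    -RequestType 'AdminRemove' `
    -Justification 'Added example: cleanup of eligible VM Contributor'
Write-Host "Removal request status: $($remove.Status)"
```

The `-Justification` text is recorded with the request, so it shows up in the PIM audit history alongside the portal-made changes; the "standing privilege" listing is the check most reviewers want after onboarding a subscription, since an eligible assignment only reduces risk if the permanent active ones it replaces are actually removed.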


This same process can be used to control access to Entra ID roles.

There are several benefits to using PIM to manage Azure roles, including:

  • Improved security: PIM helps to reduce the risk of unauthorized access to Azure resources by implementing just-in-time access, approval workflows, and time-bound access.
  • Enhanced compliance: PIM helps organizations to meet security and compliance requirements by providing a centralized view of all Azure roles and assignments.
  • Reduced risk: PIM helps to reduce the risk of human error by automating the process of granting and revoking access to Azure resources.

Contact Accelebrate for private, online Microsoft Security Training for your team of 3 or more attendees. We also offer many other Microsoft Official Courses.


Garrett Jennings is a highly experienced Technical Instructor and Consultant with over 25 years of expertise in Azure and AWS technologies. He has also excelled in providing training and consultancy services for various security technologies. Garrett holds a Bachelor of Science in General Engineering with a minor in Bioengineering from the University of Illinois. Throughout his career, he has been involved in consulting, training, project management, and implementation of Microsoft and Amazon products and services. He possesses an extensive range of certifications, including Microsoft Azure, Microsoft 365, AWS, MCSE, MCT, Check Point, Juniper, CompTIA Security+, and ISC2 CCSP, among others.
