Just-In-Time elevated access – Managing User Authorization

As discussed, with PIM (Privileged Identity Management), rather than assigning roles to users that are always active, you instead make users eligible to use a role. Users then activate the roles as required.
Important note
This is not the same as just-in-time virtual machine access, which allows access to virtual machines on a per request basis by opening firewalls as required.
The following walk-through demonstrates just-in-time elevated access. For it, I have created a user called ITManager, which I will use to demonstrate the process. You also need a P1 or P2 license and PIM activated.
Assigning an eligible role

  1. Navigate to the Azure portal by opening https://portal.azure.com.
  2. Select or search for Azure Active Directory.
  3. In the left-hand menu, click Roles and administrators.
  4. Select the role you wish to assign, for example, User administrator.
  5. On the left-hand menu, click Role Settings.
  6. Click Edit at the top.
  7. Set the activation settings, such as changing the duration to 1 hour and ticking Require approval to activate, then add your admin user as an approver. See Figure 4.9 for an example:

Figure 4.9 – Example activation settings

  8. Click Update.
  9. You will be taken back to the Role list; select the User administrator role again.
  10. From the horizontal menu, click Add assignment.
  11. Under Select members, click the No member selected link.
  12. In the Select a member box that appears, find and select the user you want to assign the role to and click Select.
  13. Click Next.
  14. Under Assignment type, ensure Eligible is selected.
  15. Optionally, untick Permanently eligible and set a date range, such as 1 year, to limit the period for which the user holds the assignment.
  16. Click Assign.
  17. You will be taken back to the User administrator | Assignments window. Click Eligible assignments on the horizontal menu and confirm the user is now listed. See Figure 4.10 for an example:

Figure 4.10 – PIM eligible users
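The same eligible assignment can be scripted, which is useful when you want the assignment to be repeatable and auditable rather than clicked through. The following is an added example using the Microsoft Graph PowerShell SDK; it is not code from the book. It assumes the Microsoft.Graph.Users and Microsoft.Graph.Identity.Governance modules are installed, that the signed-in account is the admin, and that the user principal name is a placeholder you replace with your own ITManager account. The role settings configured in steps 5 to 7 (1-hour maximum duration, approval required) are left as set in the portal and still govern activation.

```powershell
# Added example (not from the book): create an eligible User administrator assignment
# through Microsoft Graph PowerShell, then verify it the way the Eligible assignments tab does.
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Identity.Governance

# Scopes needed to create and read PIM eligibility for directory roles.
Connect-MgGraph -Scopes "RoleEligibilitySchedule.ReadWrite.Directory", "RoleManagement.ReadWrite.Directory", "User.Read.All"

$userUpn = "ITManager@contoso.onmicrosoft.com"   # placeholder: the walk-through user in your tenant
$user    = Get-MgUser -UserId $userUpn

# Look the role up by its display name instead of hard-coding a template ID.
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'User Administrator'"

# adminAssign + the eligibility endpoint = "Eligible", not "Active". Scope "/" is the whole directory.
# The one-year end date mirrors unticking "Permanently eligible" and choosing a 1-year range.
$request = @{
    action           = "adminAssign"
    justification    = "Eligible User administrator for ITManager (walk-through)"
    principalId      = $user.Id
    roleDefinitionId = $role.Id
    directoryScopeId = "/"
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{
            type        = "afterDateTime"
            endDateTime = (Get-Date).ToUniversalTime().AddYears(1)
        }
    }
}
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $request

# Verification (step 17 in the portal): list the user's eligibility schedules and confirm
# User Administrator appears with MemberType Direct and an end date one year out.
Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter "principalId eq '$($user.Id)'" -ExpandProperty roleDefinition |
    Select-Object @{ n = 'Role';   e = { $_.RoleDefinition.DisplayName } },
                  MemberType, Status,
                  @{ n = 'EndsAt'; e = { $_.ScheduleInfo.Expiration.EndDateTime } }
```

Because the request goes through the eligibility schedule endpoint with action adminAssign, nothing is granted at this point; the user still has to activate the role, subject to the approval requirement. Running the final query periodically against all privileged roles is also a cheap way to spot eligible assignments that were created outside your change process.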
Activating eligible roles
When a user wants to use an eligible role, they must first activate it. The options you set in the previous walk-through will determine whether or not the role is automatically activated on request or whether it needs to be approved. In our example, we set the requirement for an approver:

  1. In another browser, or in a private window, log in to the Azure portal by opening https://portal.azure.com as the assigned user.
  2. Search for, then select, Privileged Identity Management or PIM.
  3. From the left-hand menu, click Users.
  4. Select a user.
  5. Note that the options are grayed out. (Reset Password isn’t, but if you click it, you will receive an error.)
  6. In the resource search bar, search for PIM and select Privileged Identity Management.
  7. Click My Roles.
  8. Click Eligible assignments.
  9. Click Activate next to the User administrator role:

Figure 4.11 – Eligible assignments

  10. In the dialog that appears, enter a duration for the role activation and a justification, as in the following figure:

Figure 4.12 – Role activation request

  11. The request will now be sent to the approver.

Once a role has been requested, the approver will receive an email containing a link to approve or reject it. Alternatively, this can be performed in the portal, as we shall see next.
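The activation side can be scripted too, signed in as the eligible user rather than the admin. The following is an added example, not code from the book; it assumes the Microsoft.Graph.Identity.Governance module is installed, that Connect-MgGraph is run as the ITManager user, and that the justification text is a constructed sample. It requests the one-hour duration allowed by the role settings and then shows the request sitting in PendingApproval, which is exactly what the approver sees in the email and the portal.

```powershell
# Added example (not from the book): an eligible user self-activates User administrator
# for one hour with a justification, then checks the request status.
Import-Module Microsoft.Graph.Identity.Governance

# Sign in as the eligible user (ITManager), not as the admin who created the assignment.
Connect-MgGraph -Scopes "RoleAssignmentSchedule.ReadWrite.Directory", "RoleManagement.Read.Directory"

# /me returns the signed-in user's own object ID without needing directory-wide read rights.
$me   = Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/v1.0/me?$select=id'
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'User Administrator'"

# selfActivate on the assignment schedule endpoint is the equivalent of clicking Activate.
# PT1H is an ISO 8601 duration; it must not exceed the maximum set in the role settings,
# otherwise the request is rejected before it ever reaches the approver.
$activation = @{
    action           = "selfActivate"
    justification    = "Need to reset a password for a user in Finance"   # constructed sample text
    principalId      = $me.id
    roleDefinitionId = $role.Id
    directoryScopeId = "/"
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = "afterDuration"; duration = "PT1H" }
    }
}
$req = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $activation

# With "Require approval to activate" ticked, the role is not granted yet: Status reads
# PendingApproval until the approver acts. Without that setting it would already be Provisioned.
Get-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -UnifiedRoleAssignmentScheduleRequestId $req.Id |
    Select-Object Id, Action, Status, CreatedDateTime
```

The justification and the requested duration are recorded on the request object, so they are available later in the PIM audit history; a justification that is empty or generic is the first thing to look for when reviewing activations.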
