Azure servicesMicrosoft Technologies

Step-by-Step guide to Azure AD privileged identity management – part 2

In my previous post on this series I have explain about azure AD privileged identity management including its features and how to get it enabled. If you not read it yet you can find it using this link.

in this post I am going to show you more of its features and capabilities.

How to manage privileged roles?

The main point of the identity management is that administrators will have the required privileges when they needed. In part 1 of the post billing administrators and service administrator roles were eligible for the Azure AD privileged Identity management. So it will remove its permanent permissions which is assigned to role.

So if you still need to make one of the account permanent administrator let’s see how we can do it.

Log in to the azure portal as global administrator (it should be associated with relevant AD instance)

Open the Azure AD privileged identity management from portal

idm2-1

Then click on managed privileged roles

idm2-2

In next page it will list down the summary of the roles. Let’s assume we need to make one of the billing administrators “permanent”. To do that click on billing administrators

idm2-3

It will list down the users which is eligible for the role and click on the account you need to make permanent.

idm2-4

Then click on more in next page and click on option make perm

idm2-5

Once completed its shows as permanent

idm2-6

Same way we can add an administrator to the roles. To do it go to roles, if you need to add new role it can do too. Click on roles on the manage privileges roles page

Azure AD privileged identity management portal

Then click on add

idm2-11roles

Then from roles click on the role you going to add

idm2-12roles

Then under the select users, select the user using search and click on done

idm2-13roles

How to activate roles by using Azure AD privileged identity management?

Now we have the roles but how we can use them with time bound activation (Just in time administration)

Go to the role page again like in previous page. In my demo I am going to use service administrator role

Then click on settings

idm2-7

In next window we can see that option to define the time. Also we can enable notifications so email notification will send to admin in event of role activation. Also option to request ticket or incident number. This is important to justify the privileged access. Also can use the multifactor authentication in activation to make sure the request is legitimate.

idm2-8

idm2-9

Once you satisfied with settings, click on save to apply.

Then for the testing I logged in as the security administrator to the azure portal.

idm2-14

Then go to the privileged identity management page.

Click on the service administrator 

idm2-15

Then click on the activate button, to activate the role

idm2-16

According to the settings its asking for ticket number for activation. Once put the information click on ok

idm2-17

Perfect, now its saying when it expires and it also shows the that roles been activated

idm2-18

Now I change the login and logged back as global administrator.

Then if go to privileged management page and click on audit history you can see all the events.

idm2-19

idm2-20

Hope now you have better understanding about Azure AD privileged identity management, If you have any questions feel free to contact me on rebeladm@live.com

PS : This is now replaced with Entra ID Privileged Access Management. But the concept is still remaining the same. We can see certain number of changes on modern privileged identity management solution. especially from the GUI side its more improved and more practical. Also new features are implemented. More info about it can be find in https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure

Related posts
Cyber SecurityMicrosoft Entra IDMicrosoft Technologies

Step-by-Step Guide : Process Entra ID Entitlement Management Access Package on-behalf of another user (preview)

Entra ID Entitlement Management access packages enable administrators to offer a self-service…
Read more
Azure servicesMicrosoft Entra IDMicrosoft Technologies

Step-by-Step Guide: Configure Entra ID lifecycle workflow to trigger mover task on user profile changes

The Entra ID lifecycle workflow is a feature of Microsoft Entra ID identity governance and Microsoft…
Read more
Cyber SecurityMicrosoft Entra IDMicrosoft Technologies

Step-by-Step Guide: How to setup Entra ID Restricted management Administrative Units ?

In my previous blog post, I discussed what Entra ID Administrative Units are and how they can be…
Read more
Newsletter
Become a Trendsetter

Sign up and get the best of RebelAdmin, tailored for you.

Leave a Reply

Your email address will not be published. Required fields are marked *