Secure Azure Infra – 7.1: Enable and Configure PIM

With Azure Active Directory (AD) Privileged Identity Management (PIM), you can manage, control, and monitor access within your organization. Organisations want to minimise the number of people who have access to secure information or resources, as that reduces the chance of a malicious user gaining access, or an authorised user inadvertently impacting a sensitive resource.

7.1: Enable and Configure PIM

In this exercise we will enable PIM for the tenant and then change a user (Isaiah Langer) from a 24/7 Global Administrator to an eligible user where they must respond to an MFA challenge to become a Global Administrator for 4 hours. We’ll also view the audit log for PIM.

1) Log into Azure Portal as the ‘admin’ user.

2) In the left navigation, click All Services >, type priv, then select Azure AD Privileged Identity Management, as shown in Figure 18.


Figure 18: Selecting Privileged Identity Management

3) Under MANAGE, click Azure AD Directory Roles.

4) Click Verify my identity.

5) Follow the prompts to set up and verify Multi-Factor Authentication (MFA) using phone verification.

6) On the Azure AD Directory Roles – Sign up PIM for Azure AD Directory Roles blade, click Sign Up, then click Yes, as shown in Figure 19.


Figure 19: Privileged Identity Management – Signing Up

7) Click Admin view.

8) View “Notification and Directory Roles”.

9) Under Directory Roles, click the Global Administrator role.

10) In the Global Administrator blade, click on “Isaiah Langer”.

11) On the right, click Make Eligible, as shown in Figure 20.


Figure 20: PIM User Eligibility

12) In the main Azure AD directory roles page, under MANAGE, click Settings.

13) Click Roles, then click Global Administrator.

14) Move the Maximum Activation duration slider to the left, to 4 hours.

15) Set email Notifications to Enable, as shown in Figure 21.


Figure 21: PIM – Role Settings

16) Click Save.

17) To verify this change, click Azure Active Directory > Users > All users > Isaiah Langer > Directory role. Isaiah is now a User and no longer a Global Administrator; the role can only be obtained by activating it through PIM after an MFA challenge, and the activation expires after 4 hours.
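As an added check (not part of the original exercise), the following Python script audits an export of directory role assignment instances for the two conditions this exercise targets: anyone still holding Global Administrator permanently rather than as an eligible user, and activations longer than the 4-hour maximum set in step 14. The record fields are modelled on the ones Microsoft Graph returns for roleManagement/directory/roleAssignmentScheduleInstances (principalId, roleDefinitionId, assignmentType, startDateTime, endDateTime); the records, principal ids and display names below are constructed sample data, not a real tenant export.

```python
from datetime import datetime, timedelta

# Well-known role template id for Global Administrator (a Microsoft constant).
GLOBAL_ADMIN_ROLE_ID = "62e90394-69f5-4237-9190-012177145e10"
MAX_ACTIVATION = timedelta(hours=4)  # the limit configured in step 14

# Constructed sample export; principal ids and names are made up.
# assignmentType "Assigned" = permanent/active assignment, "Activated" =
# an eligible user who activated the role through PIM.
SAMPLE_INSTANCES = [
    {"principalId": "u-admin", "displayName": "admin",
     "roleDefinitionId": GLOBAL_ADMIN_ROLE_ID, "assignmentType": "Assigned",
     "startDateTime": "2023-01-01T00:00:00Z", "endDateTime": None},
    {"principalId": "u-isaiah", "displayName": "Isaiah Langer",
     "roleDefinitionId": GLOBAL_ADMIN_ROLE_ID, "assignmentType": "Activated",
     "startDateTime": "2023-06-01T09:00:00Z", "endDateTime": "2023-06-01T13:00:00Z"},
    {"principalId": "u-contractor", "displayName": "contractor",
     "roleDefinitionId": GLOBAL_ADMIN_ROLE_ID, "assignmentType": "Activated",
     "startDateTime": "2023-06-02T08:00:00Z", "endDateTime": "2023-06-02T20:00:00Z"},
    {"principalId": "u-reader", "displayName": "reader",
     "roleDefinitionId": "other-role-id-placeholder", "assignmentType": "Assigned",
     "startDateTime": "2023-01-01T00:00:00Z", "endDateTime": None},
]


def _parse(ts):
    """Parse a Graph-style UTC timestamp; None stays None (no expiry)."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")) if ts else None


def audit_global_admins(instances, max_activation=MAX_ACTIVATION):
    """Return (permanent, over_limit): display names of principals holding
    Global Administrator permanently, and activations exceeding the limit."""
    permanent, over_limit = [], []
    for inst in instances:
        if inst["roleDefinitionId"] != GLOBAL_ADMIN_ROLE_ID:
            continue  # only the Global Administrator role is in scope
        start, end = _parse(inst["startDateTime"]), _parse(inst["endDateTime"])
        if inst["assignmentType"] == "Assigned" and end is None:
            permanent.append(inst["displayName"])  # a 24/7 Global Administrator
        elif inst["assignmentType"] == "Activated" and (
                end is None or end - start > max_activation):
            over_limit.append(inst["displayName"])  # longer than the 4-hour cap
    return permanent, over_limit


if __name__ == "__main__":
    perm, over = audit_global_admins(SAMPLE_INSTANCES)
    print("Permanent Global Administrators:", perm)       # ['admin']
    print("Activations over the 4-hour limit:", over)     # ['contractor']
```

Isaiah's 4-hour activation passes, while the permanent assignment and the 12-hour activation are the cases that should be converted to eligibility or investigated.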

About engsoon

Eng Soon is a 4-time Microsoft MVP and has nearly 5 years of experience building enterprise systems in the cloud. He is also Microsoft Azure certified. Eng Soon has strong technical and analytical skills. As a developer, besides development tasks, he has also been involved in project management, consulting, and marketing. He has a passion for technology and for sharing what he learns with others to help them learn faster and be more productive. He has also taken part as a speaker in many nationwide technical events, such as conferences, meetups and workshops. He is currently looking for opportunities in cyber security, including cloud security and application security.
