With Azure Active Directory (AD) Privileged Identity Management (PIM), you can manage, control, and monitor access within your organization. Organisations want to minimise the number of people who have access to secure information or resources, as that reduces the chance of a malicious user gaining access, or an authorised user inadvertently impacting a sensitive resource.
In this exercise we will enable PIM for the tenant and then change a user (Isaiah Langer) from a 24/7 Global Administrator to an eligible user where they must respond to an MFA challenge to become a Global Administrator for 4 hours. We’ll also view the audit log for PIM.
1) Log into Azure Portal as the ‘admin’ user.
2) In the left navigation, click All Services >, type priv, then select Azure AD Privileged Identity Management, as shown in Figure 18.
Figure 18: Selecting Privileged Identity Management
3) Under MANAGE, click Azure AD Directory Roles.
4) Click Verify my identity.
5) Follow the prompts to set up and verify using Multi-Factor Authentication (MFA) using phone verification.
6) On the Azure AD Directory Roles – Sign up PIM for Azure AD Directory Roles blade, click Sign Up, then click Yes, as shown in Figure 19.
Figure 19: Privileged Identity Management – Signing Up
7) Click Admin view.
8) View “Notification and Directory Roles”.
9) Under Directory Roles, click the Global Administrator role.
10) In the Global Administrator blade, click on “Isaiah Langer”.
11) On the right, click Make Eligible, as shown in Figure 20.
Figure 20: PIM User Eligibility
12) In the main Azure AD directory roles page, Under MANAGE, click Settings.
13) Click Roles, then click Global Administrator.
14) Move the Maximum Activation duration slider to the left, to 4 hours.
15) Set email Notifications to Enable, as shown in Figure 21.
Figure 21: PIM – Role Settings
16) Click Save.
17) Verify this change, click Azure Active Directory >Users > All users > Isaiah Langer > Directory role, Isaiah is now a user and no longer a Global Administrator.