Azure Privileged Identity Management

Hello everyone,

Today we will talk about Azure Privileged Identity Management, or Azure PIM for short.

PIM lets us assign administrative roles for a limited time. It is mostly useful for help desk (HD) staff who need to make a change that involves administering Exchange, Intune, etc.

It works in a Just-In-Time (JIT) model for Office 365 and Azure AD applications, and also for SaaS applications.

The interface lets a user create a request and have a technical task approved within a specific time limit, for example: access to the Microsoft Endpoint Management (Intune) portal in order to assign a workstation to a user.

PIM provides the following:

  • Provide just-in-time privileged access to Azure AD and Azure resources
  • Assign time-bound access to resources using start and end dates
  • Require approval to activate privileged roles
  • Enforce multi-factor authentication to activate any role
  • Use justification to understand why users activate
  • Get notifications when privileged roles are activated
  • Conduct access reviews to ensure users still need roles
  • Download audit history for internal or external audit

Specific roles can be assigned to users from the Office 365 / Azure AD portal, and that role can then be activated for a set period of time.

Access is divided into several types (term, role assignment category, description, followed by a short summary):

  • eligible (Type): A role assignment that requires a user to perform one or more actions to use the role. If a user has been made eligible for a role, that means they can activate the role when they need to perform privileged tasks. There’s no difference in the access given to someone with a permanent versus an eligible role assignment. The only difference is that some people don’t need that access all the time. – The user must take certain actions in order to use the role, and can activate it the moment they need to perform a task.
  • active (Type): A role assignment that doesn’t require a user to perform any action to use the role. Users assigned as active have the privileges assigned to the role. – A user who has the role assigned in advance.
  • activate: The process of performing one or more actions to use a role that a user is eligible for. Actions might include performing a multi-factor authentication (MFA) check, providing a business justification, or requesting approval from designated approvers. – Activating the role requires actions by that user, which include, among others, an MFA sign-in.
  • assigned (State): A user that has an active role assignment. – Role assignment.
  • activated (State): A user that has an eligible role assignment, performed the actions to activate the role, and is now active. Once activated, the user can use the role for a preconfigured period of time before they need to activate again. – Once the role is activated, admin operations can be performed in the systems.
  • permanent eligible (Duration): A role assignment where a user is always eligible to activate the role. – A role that the user can activate at any time.
  • permanent active (Duration): A role assignment where a user can always use the role without performing any actions. – A permanent role for the user.
  • expire eligible (Duration): A role assignment where a user is eligible to activate the role within a specified start and end date. – A role with a time limit defined by a start date and an end date.
  • expire active (Duration): A role assignment where a user can use the role without performing any actions within a specified start and end date. – A role assigned to the user that can be used without further action, between the start and end dates.
  • just-in-time (JIT) access: A model in which users receive temporary permissions to perform privileged tasks, which prevents malicious or unauthorized users from gaining access after the permissions have expired. Access is granted only when users need it. – This is mainly what we will use: a role assigned temporarily for administrative tasks.
  • principle of least privilege access: A recommended security practice in which every user is provided with only the minimum privileges needed to accomplish the tasks they are authorized to perform. This practice minimizes the number of Global Administrators and instead uses specific administrator roles for certain scenarios.
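To make the eligible/active/activated distinctions and the time bounds from the list above concrete, here is a small added Python model of the PIM access decision (constructed for this post; it is not Microsoft's code and calls no Azure API; the policy defaults, role names and principals are assumptions):

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Toy model of the PIM terms above: assignment type, start/end window, activation.
@dataclass
class RoleAssignment:
    principal: str
    role: str
    kind: str                                   # "eligible" or "active"
    start: Optional[datetime] = None            # both None = "permanent" assignment
    end: Optional[datetime] = None              # a date here = "expire" assignment
    activated_until: Optional[datetime] = None  # set by activate() for eligible roles

@dataclass
class ActivationPolicy:                         # assumed values, not a tenant's real settings
    max_duration: timedelta = timedelta(hours=8)
    require_mfa: bool = True
    require_justification: bool = True
    require_approval: bool = False

def in_window(a: RoleAssignment, now: datetime) -> bool:
    """True while the assignment itself is valid (permanent, or inside start/end)."""
    return (a.start is None or a.start <= now) and (a.end is None or now < a.end)

def activate(a, policy, now, mfa_passed=False, justification="", approved=False,
             requested=timedelta(hours=8)):
    """Turn an eligible assignment into an activated one; returns (ok, reason)."""
    if a.kind != "eligible":
        return False, "only eligible assignments are activated"
    if not in_window(a, now):
        return False, "eligibility has expired or not started"
    if policy.require_mfa and not mfa_passed:
        return False, "MFA required"
    if policy.require_justification and not justification.strip():
        return False, "justification required"
    if policy.require_approval and not approved:
        return False, "pending approver decision"
    a.activated_until = now + min(requested, policy.max_duration)  # cap the duration
    return True, f"activated until {a.activated_until.isoformat()}"

def can_use_role(a: RoleAssignment, now: datetime) -> bool:
    """The JIT decision: active assignments work as-is, eligible ones only
    while an activation is in effect and the assignment window is open."""
    if not in_window(a, now):
        return False
    if a.kind == "active":
        return True
    return a.activated_until is not None and now < a.activated_until
```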

License requirements:

  • Azure AD Premium P2
  • Enterprise Mobility + Security (EMS) E5
  • Microsoft 365 M5

For more information, see here.

First person to use PIM

If you’re the first person to use Privileged Identity Management in your directory, you are automatically assigned the Security Administrator and Privileged Role Administrator roles in the directory. Only privileged role administrators can manage Azure AD role assignments of users. In addition, you may choose to run the security wizard that walks you through the initial discovery and assignment experience.

Enable PIM

To start using Privileged Identity Management in your directory, you must first enable Privileged Identity Management.

  1. Sign in to the Azure portal as a Global Administrator of your directory.

    You must be a Global Administrator with an organizational account (for example, @yourdomain.com), not a Microsoft account (for example, @outlook.com), to enable Privileged Identity Management for a directory.

  2. Click All services and find the Azure AD Privileged Identity Management service.

    [Screenshot: Azure AD Privileged Identity Management in All services]

  3. Click to open the Privileged Identity Management Quickstart.
  4. In the list, click Consent to PIM.

    [Screenshot: Consent to Privileged Identity Management to enable Privileged Identity Management]

  5. Click Verify my identity to verify your identity with Azure MFA. You’ll be asked to pick an account.

    [Screenshot: Pick an account window to verify your identity]

  6. If more information is required for verification, you’ll be guided through the process. For more information, see Get help with two-step verification.

    [Screenshot: More information required window if your organization needs more information]

    For example, you might be asked to provide phone verification.

    [Screenshot: Additional security verification page asking how to contact you]

  7. Once you have completed the verification process, click the Consent button.
  8. In the message that appears, click Yes to consent to the Privileged Identity Management service.

    [Screenshot: Consent to Privileged Identity Management message to complete consent process]

Sign up PIM for Azure AD roles

Once you have enabled Privileged Identity Management for your directory, you’ll need to sign up Privileged Identity Management to manage Azure AD roles.

  1. Open Azure AD Privileged Identity Management.
  2. Click Azure AD roles.

    [Screenshot: Sign up Privileged Identity Management for Azure AD roles]

  3. Click Sign up.
  4. In the message that appears, click Yes to sign up Privileged Identity Management to manage Azure AD roles.

    [Screenshot: Sign up Privileged Identity Management for Azure AD roles message]

    When sign up completes, the Azure AD options will be enabled. You might need to refresh the portal.

    For information about how to discover and select the Azure resources to protect with Privileged Identity Management, see Discover Azure resources to manage in Privileged Identity Management.

For more information, click here.

Best practice document for working with Azure PIM: https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-admin-roles-secure
