Securing Azure with Principle of Least Privilege and Azure PIM

Secure your Azure environment with the power of the Principle of Least Privilege and Azure Privileged Identity Management (PIM). This blog post delves into the importance of the principle of least privilege (POLP) and how combining it with Azure PIM enhances the security of your resources.

Discover the Importance of Principle of Least Privilege

The principle of least privilege is essential for safeguarding sensitive information and minimizing security breaches by granting only the minimum required privileges to users. By implementing this principle, organizations can lower the chance of accidental or malicious misuse of sensitive information and minimize potential damage in case of a security breach. Moreover, implementing POLP enhances overall security posture, streamlines administration, and clarifies user responsibilities and capabilities.

Experience the Benefits of Azure Privileged Identity Management

By utilizing Azure PIM with the principle of least privilege, organizations can ensure secure access to sensitive resources in Microsoft Azure. Azure PIM implements POLP by controlling user privilege elevation and limiting it to the minimum necessary to perform job functions, reducing the risk of security breaches and unauthorized access to sensitive resources. Additionally, Azure PIM offers centralized management, clear accountability for sensitive resource access, and auditing and reporting capabilities to detect and prevent privileged access abuse.

Ready to strengthen your security posture and protect your Azure environment? Read on to learn how to set up Azure PIM and the principle of least privilege for optimal results.

Scenario

In this scenario, we have John, a senior helpdesk administrator. Typically, John is able to perform his job duties with the helpdesk administrator role. However, in some instances, he requires Global Administrator rights. As he does not need these rights regularly, he does not have standard global administrator privileges. We are now setting up Azure PIM so John can request the necessary permissions himself, as they are eligible for him.

Azure AD Premium P2 license is required to use Azure PIM

1. Open https://portal.azure.com
2. Open Azure AD Privileged Identity Management
   
   You are now in the Azure PIM dashboard, the centralized management system for securing access to your Azure resources. On the left-side menu, you can manage and configure various aspects of your Azure PIM implementation, including roles, requests, configurations, and granting/revoking access.
3. Go on the left-side under Manage to Azure AD roles
4. Select the Global Administrator role, click Add assignments and select the relevant user. In my case, John Doe
   
5. The following screen displays various options for role assignment and eligibility. You can assign a role on a permanent or temporary basis. In this instance, John is permanently eligible for the role. Click Assign.
   
6. As you can see, John Doe is now eligible for the Global Administrator role. Please click on the Role Settings on the left-side of the screen.
   
7. Under Role Settings, you’ll find various options for managing assigned permissions. You can set the duration for which the rights are granted and they will automatically be revoked after that. You can also gather additional information for logging, such as a ticket number, and determine if approval is needed or if it’s an automatic process. You can also set up notifications for specific users when the role is requested. In this case, I am only changing the Require Ticket Information on Activation setting to Yes.
   

How does it work?

Let’s now test it out. Open a new incognito window, log in as John Doe on https://portal.azure.com and open Azure AD Privileged Identity Management

1. Choose on the left-side for My Roles and click on the right-side for Activate
   
2. As you can see, additional verification is required. John needs to identify himself with Multi Factor Authentication (MFA)
   
3. After approving MFA. John is able to fill in the form to activate the permissions.
   
4. The Global Administrator role is now activated
   
   

Update: Microsoft has recently made the exciting announcement that Privileged Identity Management can now be extended to groups as well. My colleague Mark Swinkels has shared his insights on this development in a recent blog post. Click here to read it.

Monitoring

Now let’s take a look at monitoring and logging.

1. Navigate to the left-side of the screen in Azure AD Privileged Identity Management for Audit History
   
2. Here, you can find John’s request along with the reason why he needs the permissions and when they will expire.
   

Thank you for taking the time to read my blog. Kindly share it with others if you find it helpful!