Throughout Microsoft, there are employees who require elevated access to Microsoft Online Services, Microsoft Azure, and on-premises services that they own, manage, or support. At Microsoft Digital, we knew that we needed to manage the risks that elevated access introduces, such as credential theft and "pass the hash" attacks, and we wanted to better manage privileged identities and monitor elevated access to cloud resources. Microsoft doesn't allow persistent elevated access, so we use the just-in-time (JIT) role activation feature of Azure Active Directory (Azure AD) Privileged Identity Management (PIM) to temporarily elevate role-based access as needed, for a defined time. A short activation window also bounds the value of a stolen credential or hash, because the elevation itself expires.

Azure Active Directory uses administrative roles to control access to features within the tenant. Before the release of Azure AD PIM, our Azure AD administrative roles had persistent elevated access, monitoring was limited, and we didn't have a fully managed lifecycle. Recent changes in Azure AD PIM provide a cloud-based JIT tool for both Azure AD administrative roles and Azure resource roles: a user can be assigned a role (made eligible for it) and the assignment remains inactive until the user activates it. We configured Azure AD PIM, which is available with the Azure AD Premium P2 edition, to manage and monitor our Azure AD administrative roles through the Azure portal.

## Identity management at Microsoft

Identity management at Microsoft encompasses all the processes and tools used to manage the lifecycle of identities for our corporate employees. Of the roughly 285,000 identities that we currently manage at Microsoft, approximately 10,000 on-premises accounts and 400 Azure AD accounts belong to users who require elevated access to data and services. When we started using PIM, we ran an attestation to reduce the number of individual users who needed individual role assignments. Since then, we have reduced the number of users who are candidates for Global Administrator by 83 percent and removed all persistent members from the Global Administrator role, except for a break-glass account. We regularly add more roles that require elevated access, so the number of managed users has grown slowly but consistently.

Privileged Identity Management focuses on the tools and processes we use for the subset of users that have administrative, or elevated, access to on-premises and cloud-hosted data and services at Microsoft. There are two obvious ways to reduce the risk, or attack surface, of elevated access: reduce the number of accounts that have it, or reduce the duration for which an account has it. We rationalize incoming requests for elevated access, but we can't necessarily reduce the number of people who need it to do their jobs, so we've adopted the strategy of giving employees just enough access to the resources they need, for only as long as they need it.

At Microsoft, the only people who are authorized to assign others to roles are Privileged Role Administrators. If anyone else assigns a role, the assignment is automatically flagged as a violation of role-assignment policy. We monitor for unauthorized role assignments and for the addition of users who are not authorized to hold a role. Typically, the more elevated access a privileged role has, the more rigorously we protect it: the request process requires multiple levels of approval, and at the front end of the process the review board spends more time evaluating requests for the more privileged roles. After a request is approved, we can require tighter controls at activation time, including multifactor authentication or a physical credential such as a smart card, and we set shorter access durations for JIT activations.

## Azure AD PIM

By configuring Azure AD PIM to manage our elevated-access roles in Azure AD, we now have JIT access for more than 28 configurable privileged roles. We can also monitor access, audit account elevations, and receive additional alerts through the PIM management dashboard in the Azure portal.

## Elevated access workflow

Elevated access includes job roles that need greater access, including support, resource administrators, resource owners, service administrators, and global administrators.
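The PIM controls described above (a bounded activation window, MFA and a justification at activation, approval before the elevation takes effect) are set through role-management policy rules, and a JIT activation is a self-activate schedule request against Microsoft Graph. The following Python is an added example, not Microsoft's code or part of the original article. It builds the Graph payloads for both and enforces the duration limit client-side before anything is sent. The activation limits (60 minutes for Global Administrator, 240 otherwise) and the approver group ID are assumptions; the two role template IDs are the well-known Azure AD values.

```python
"""Azure AD PIM (Microsoft Graph) payloads for a bounded JIT activation.

Added example, not Microsoft's code. It builds the request bodies the Graph PIM
endpoints accept and enforces, client-side, the controls the article describes:
short activation windows, MFA plus justification at activation, and approval.
Nothing here calls Graph; send the payloads with your own authenticated client.
"""
from datetime import datetime, timezone

# Well-known Azure AD role template IDs (the same in every tenant).
GLOBAL_ADMINISTRATOR = "62e90394-69f5-4237-9190-012177145e10"
PRIVILEGED_ROLE_ADMINISTRATOR = "e8611ab8-c189-46e8-94e1-60213ab1f814"

# Assumed activation limits; the article says windows are short but gives no numbers.
MAX_ACTIVATION_MINUTES = {GLOBAL_ADMINISTRATOR: 60}
DEFAULT_MAX_ACTIVATION_MINUTES = 240
APPROVER_GROUP_ID = "00000000-0000-0000-0000-000000000000"  # placeholder, assumed

# Rule target for the "end user activates an eligible assignment" path.
END_USER_TARGET = {
    "caller": "EndUser", "operations": ["All"], "level": "Assignment",
    "inheritableSettings": [], "enforcedSettings": [],
}


def iso_duration(minutes: int) -> str:
    """Render minutes as the ISO 8601 duration Graph expects, e.g. PT1H30M."""
    hours, minutes = divmod(minutes, 60)
    parts = (f"{hours}H" if hours else "") + (f"{minutes}M" if minutes else "")
    return "PT" + (parts or "0M")


def max_activation(role_definition_id: str) -> int:
    return MAX_ACTIVATION_MINUTES.get(role_definition_id, DEFAULT_MAX_ACTIVATION_MINUTES)


def policy_rules(role_definition_id: str) -> list:
    """Rules to PATCH onto /policies/roleManagementPolicies/{policyId}/rules/{ruleId}
    for the role's end-user assignment policy."""
    return [
        {   # Activations expire; nobody stays elevated past the window.
            "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule",
            "id": "Expiration_EndUser_Assignment",
            "isExpirationRequired": True,
            "maximumDuration": iso_duration(max_activation(role_definition_id)),
            "target": END_USER_TARGET,
        },
        {   # Tighter controls at activation: MFA plus a written justification.
            "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule",
            "id": "Enablement_EndUser_Assignment",
            "enabledRules": ["MultiFactorAuthentication", "Justification"],
            "target": END_USER_TARGET,
        },
        {   # Human approval (a group of approvers) before the activation takes effect.
            "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule",
            "id": "Approval_EndUser_Assignment",
            "setting": {
                "isApprovalRequired": True,
                "approvalStages": [{
                    "approvalStageTimeOutInDays": 1,
                    "isApproverJustificationRequired": True,
                    "primaryApprovers": [{"@odata.type": "#microsoft.graph.groupMembers",
                                          "groupId": APPROVER_GROUP_ID}],
                }],
            },
            "target": END_USER_TARGET,
        },
    ]


def activation_request(principal_id: str, role_definition_id: str,
                       justification: str, minutes: int, start: str = None) -> dict:
    """Body for POST /roleManagement/directory/roleAssignmentScheduleRequests.
    Rejects requests that exceed the role's activation limit or lack a justification,
    so a malformed request never reaches the approvers."""
    limit = max_activation(role_definition_id)
    if minutes < 1 or minutes > limit:
        raise ValueError(f"activation must be between 1 minute and {iso_duration(limit)}")
    if not justification.strip():
        raise ValueError("justification is required")
    start = start or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "action": "selfActivate",
        "principalId": principal_id,
        "roleDefinitionId": role_definition_id,
        "directoryScopeId": "/",   # tenant-wide; narrow this for AU-scoped roles
        "justification": justification,
        "scheduleInfo": {
            "startDateTime": start,
            "expiration": {"type": "afterDuration", "duration": iso_duration(minutes)},
        },
    }


if __name__ == "__main__":
    body = activation_request("user-object-id", GLOBAL_ADMINISTRATOR,
                              "INC0000: rotate tenant-wide signing certificate", 45)
    print(body["scheduleInfo"]["expiration"]["duration"])   # PT45M
```

The request is only a request: with the approval rule in place PIM holds it in a pending state until an approver acts, and the MFA challenge is enforced by the service at activation, not by this code. The `maximumDuration` in the expiration rule is the hard ceiling; the client-side check simply fails fast rather than round-tripping a request the policy would reject.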
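The article's rule that only Privileged Role Administrators may assign roles, with any other assignment flagged as a policy violation, is an organizational control rather than a product one: by Azure AD design a Global Administrator can also assign directory roles, so the rule has to be enforced by monitoring the audit log. The following Python is an added example, not Microsoft's code or part of the original article. It runs that check over a constructed set of records trimmed to the fields of an Azure AD directory audit entry that the check needs (`activityDisplayName`, `initiatedBy`, `targetResources`); real entries come from `GET /auditLogs/directoryAudits?$filter=category eq 'RoleManagement'`. The PRA roster and the per-role lists of approved eligible and persistent members are assumptions standing in for what you would read from the directory and your access-request system.

```python
"""Flag Azure AD role assignments that violate a "PRA assigns, everyone else activates" policy.

Added example, not Microsoft's code. The audit records are constructed for this
example; the rosters are assumptions.
"""
import json

ASSIGNMENT_ACTIVITIES = {"Add member to role", "Add eligible member to role"}
PIM_SERVICE_APP = "MS-PIM"   # JIT activations are written by the PIM service, not a person

# Assumed rosters. Global Administrator is eligible-only, except the break-glass account.
PRIVILEGED_ROLE_ADMINS = {"pra-alice@contoso.example"}
AUTHORIZED = {
    "Global Administrator": {"eligible": {"erin@contoso.example"},
                             "persistent": {"breakglass@contoso.example"}},
    "Helpdesk Administrator": {"eligible": {"bob@contoso.example", "carol@contoso.example"},
                               "persistent": set()},
}


def _record(activity, by, target, role):
    """Helper to build a constructed audit entry in the directoryAudits shape."""
    return {"activityDisplayName": activity, "result": "success", "initiatedBy": by,
            "targetResources": [{"type": "User", "userPrincipalName": target,
                                 "modifiedProperties": [{"displayName": "Role.DisplayName",
                                                         "newValue": json.dumps(role)}]}]}


# Constructed sample log: two violations hidden among legitimate PRA and PIM activity.
CONSTRUCTED_AUDIT_LOG = json.dumps([
    _record("Add eligible member to role", {"user": {"userPrincipalName": "pra-alice@contoso.example"}},
            "bob@contoso.example", "Helpdesk Administrator"),
    _record("Add member to role", {"user": {"userPrincipalName": "dave@contoso.example"}},
            "dave@contoso.example", "Global Administrator"),          # self-grant by a non-PRA
    _record("Add member to role", {"app": {"displayName": PIM_SERVICE_APP}},
            "carol@contoso.example", "Helpdesk Administrator"),       # JIT activation
    _record("Add eligible member to role", {"user": {"userPrincipalName": "pra-alice@contoso.example"}},
            "erin@contoso.example", "Global Administrator"),
    _record("Add member to role", {"user": {"userPrincipalName": "pra-alice@contoso.example"}},
            "breakglass@contoso.example", "Global Administrator"),    # the one allowed persistent GA
    {"activityDisplayName": "Update user", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "pra-alice@contoso.example"}}, "targetResources": []},
])


def role_name(record):
    """Role.DisplayName arrives JSON-encoded inside newValue; decode it."""
    for target in record.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") == "Role.DisplayName":
                try:
                    return json.loads(prop.get("newValue", ""))
                except ValueError:
                    return prop.get("newValue")
    return None


def initiator(record):
    by = record.get("initiatedBy") or {}
    if by.get("user"):
        return "user", by["user"].get("userPrincipalName")
    if by.get("app"):
        return "app", by["app"].get("displayName")
    return "unknown", None


def find_violations(audit_json: str) -> list:
    findings = []
    for rec in json.loads(audit_json):
        if rec.get("activityDisplayName") not in ASSIGNMENT_ACTIVITIES or rec.get("result") != "success":
            continue
        kind, who = initiator(rec)
        role = role_name(rec)
        members = [t.get("userPrincipalName") for t in rec.get("targetResources", []) if t.get("type") == "User"]
        is_activation = kind == "app" and who == PIM_SERVICE_APP
        # Who may assign: a PRA, or the PIM service completing an approved activation.
        if not is_activation and (kind != "user" or who not in PRIVILEGED_ROLE_ADMINS):
            findings.append({"rule": "UNAUTHORIZED_ASSIGNER", "by": who, "role": role, "members": members})
        # Which list applies: eligibility and activations against "eligible", direct grants against "persistent".
        bucket = "persistent" if (rec["activityDisplayName"] == "Add member to role" and not is_activation) else "eligible"
        allowed = AUTHORIZED.get(role, {}).get(bucket, set())
        for member in members:
            if member not in allowed:
                findings.append({"rule": "UNAUTHORIZED_MEMBER", "by": who, "role": role, "members": [member]})
    return findings


if __name__ == "__main__":
    for finding in find_violations(CONSTRUCTED_AUDIT_LOG):
        print(finding)
```

On the constructed log the only record that trips both rules is Dave's direct grant of Global Administrator to himself; the PIM-written activation for Carol and the PRA-made eligibility grants pass. Distinguishing "Add eligible member to role" from "Add member to role", and PIM-initiated activations from human-initiated grants, is what lets the same check express "Global Administrator is eligible-only except for break-glass" without flagging every legitimate activation.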