Exploring Microsoft Entra ID Privileged Identity Management (PIM) Part-2/3 (Azure resources)


PIM for Azure Resources

Introduction

Welcome back to our series on Microsoft Entra ID Privileged Identity Management (PIM). In Part 1, we discussed how PIM enhances security for Entra roles. In this second installment, we'll focus on managing Azure resource roles using PIM to bolster your organization's security posture.

Overview of Azure Resource Roles in PIM

Azure resource roles are integral to Azure's Role-Based Access Control (RBAC) system, allowing granular access management for subscriptions, resource groups, and individual resources. In PIM, management of these roles is restricted to subscription administrators, resource owners, or users with the User Access Administrator role. Roles like Privileged Role Administrator or Security Administrator don't have default access to Azure resource roles in PIM.

Planning and Implementing PIM for Azure Resource Roles

Discovering and Mitigating Privileged Roles

  • Audit Existing Roles: Start by identifying all users with high-privilege roles across your Azure subscriptions. Tools like Entra ID (Azure AD) can help list all current assignments.
  • Minimize Over-Privileged Accounts: Reduce the number of users assigned as Owners or User Access Administrators. For instance, if multiple developers have Owner roles on a subscription, consider downgrading them to Contributor roles unless ownership privileges are essential.
  • Elevate Access for Global Administrators: As a Global Administrator, you can elevate your access to manage all Azure subscriptions. This elevation is crucial for performing organization-wide audits and implementing PIM.

Elevate Access for Global Administrators

When you elevate your access, you will be assigned the User Access Administrator role in Azure at root scope (/). This allows you to view all resources and assign access in any subscription or management group in the directory. User Access Administrator role assignments can be removed using Azure PowerShell, Azure CLI, or the REST API.
To read more about Azure elevated access, refer to Microsoft's documentation on elevating access for a Global Administrator.

  • Use Access Reviews: Implement regular access reviews to ensure that role assignments remain appropriate over time. Access reviews can automatically notify reviewers and remove access when necessary.

Determining Roles to Manage with PIM

  • Identify Critical Resources: Focus on subscriptions and resources that host critical applications or sensitive data. For example, a subscription running production databases should be prioritized over a development environment.
  • Use Management Groups: Organize your subscriptions into management groups to apply policies and manage access efficiently. For example, create a management group for all production subscriptions and another for development.
  • Prioritize High-Risk Roles: Roles like Subscription Owner and User Access Administrator have broad permissions. Ensure these roles are managed through PIM to require just-in-time activation and approval workflows.
  • Collaborate with Subscription Owners: Work with resource owners to document the resources under their control and assess the impact if compromised. This collaboration helps in classifying resources based on risk.
  • Implement PIM Workflows: For sensitive resources, set up PIM workflows that require approval for role activation. For instance, activating the Owner role on a production subscription could require multi-factor authentication and manager approval.

Assigning and Activating Azure Resource Roles

To manage Azure resource roles in PIM:

  1. Assign Eligible Roles:
    • Only Owners or User Access Administrators can assign eligible roles.
    • Use the Azure portal to navigate to PIM and assign roles with eligibility criteria, such as time-bound assignments.
  2. Enable Just-In-Time Activation:
    • Configure roles so that users must activate them when needed.
    • Set up activation requirements like justification, multi-factor authentication, or approval workflows.
  3. Manage Role Expirations:
    • Monitor role assignments nearing expiration using PIM's notifications.
    • Extend or renew roles through PIM, ensuring that approvals are documented.

Real-World Example:

Contoso Ltd., a global manufacturing company, had multiple engineers with permanent Owner roles on their production subscriptions. After implementing PIM, they reduced permanent Owners to just two administrators and made others eligible for the Owner role. Now, when an engineer needs elevated access, they activate the role through PIM, providing justification and triggering an approval workflow. This change significantly reduced the risk of unauthorized changes to critical resources.

Monitoring and Alerting in PIM

PIM offers robust monitoring features to keep you informed about activities and potential risks associated with Azure resource roles.

Understanding PIM Alerts

PIM generates alerts for various activities:

  • Too Many Owners Assigned to a Resource:
    • Severity: Medium
    • Trigger: An excessive number of users have the Owner role.
    • Recommendation: Review and reassign some users to less privileged roles.
  • Too Many Permanent Owners Assigned:
    • Severity: Medium
    • Trigger: Users are permanently assigned to high-privilege roles.
    • Recommendation: Convert permanent assignments to eligible assignments requiring activation.
  • Duplicate Roles Created:
    • Severity: Medium
    • Trigger: Multiple roles have identical criteria.
    • Recommendation: Consolidate roles to simplify management.
  • Roles Assigned Outside of PIM:
    • Severity: High
    • Trigger: Roles are assigned directly through Azure IAM or the Azure Resource Manager API, bypassing PIM.
    • Recommendation: Review and remove these assignments, enforcing role management through PIM.
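The script below is an added example, not code from the original post. It turns the "Audit Existing Roles" step and the two owner-related alert rules above into a check you can run against exported data: the assignment records are constructed to mirror the fields of `az role assignment list --all` output plus PIM's eligible assignments, and the owner threshold follows the post's best practice of at most three subscription owners.

```python
"""Audit Owner / User Access Administrator assignments per subscription.

Added example. The records are constructed samples; in a real tenant feed
the script the JSON from `az role assignment list --all` (active assignments)
and from the PIM eligible-assignment listing for each subscription instead.
"""
from collections import defaultdict

HIGH_RISK_ROLES = {"Owner", "User Access Administrator"}
MAX_OWNERS = 3  # best practice from the post: at most three subscription owners

# Constructed sample: permanent (active) assignments, only the fields used here.
ACTIVE_ASSIGNMENTS = [
    {"principalName": "alice@contoso.com", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": "/subscriptions/sub-prod-0001"},
    {"principalName": "bob@contoso.com", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": "/subscriptions/sub-prod-0001"},
    {"principalName": "carol@contoso.com", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": "/subscriptions/sub-prod-0001"},
    {"principalName": "dave@contoso.com", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": "/subscriptions/sub-prod-0001"},
    {"principalName": "ci-deploy-sp", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/sub-prod-0001/resourceGroups/rg-web"},
    {"principalName": "erin@contoso.com", "principalType": "User",
     "roleDefinitionName": "User Access Administrator",
     "scope": "/subscriptions/sub-dev-0002"},
]

# Constructed sample: PIM eligible (just-in-time) assignments, same fields.
ELIGIBLE_ASSIGNMENTS = [
    {"principalName": "frank@contoso.com", "roleDefinitionName": "Owner",
     "scope": "/subscriptions/sub-prod-0001"},
]


def subscription_of(scope):
    """Return the /subscriptions/<id> prefix of a scope, or None for
    management-group and root scopes, which this audit does not cover."""
    parts = scope.strip("/").split("/")
    if len(parts) >= 2 and parts[0] == "subscriptions":
        return "/subscriptions/" + parts[1]
    return None


def audit_privileged_assignments(active, eligible, max_owners=MAX_OWNERS):
    """Group high-risk assignments by subscription and emit findings that
    mirror PIM's 'too many owners' and 'too many permanent owners' alerts.

    Returns a list of (subscription, finding_type, sorted principal names)."""
    permanent = defaultdict(lambda: defaultdict(set))
    just_in_time = defaultdict(lambda: defaultdict(set))
    for rec in active:
        sub = subscription_of(rec["scope"])
        if sub and rec["roleDefinitionName"] in HIGH_RISK_ROLES:
            permanent[sub][rec["roleDefinitionName"]].add(rec["principalName"])
    for rec in eligible:
        sub = subscription_of(rec["scope"])
        if sub and rec["roleDefinitionName"] in HIGH_RISK_ROLES:
            just_in_time[sub][rec["roleDefinitionName"]].add(rec["principalName"])

    findings = []
    for sub in sorted(set(permanent) | set(just_in_time)):
        # Eligible owners count towards the total: they can all become active.
        owners = permanent[sub]["Owner"] | just_in_time[sub]["Owner"]
        if len(owners) > max_owners:
            findings.append((sub, "too_many_owners", sorted(owners)))
        # Any permanent high-risk assignment should become an eligible one.
        for role in sorted(HIGH_RISK_ROLES):
            if permanent[sub][role]:
                key = "permanent_" + role.replace(" ", "_").lower()
                findings.append((sub, key, sorted(permanent[sub][role])))
    return findings


if __name__ == "__main__":
    for sub, kind, who in audit_privileged_assignments(ACTIVE_ASSIGNMENTS, ELIGIBLE_ASSIGNMENTS):
        print(f"{sub}: {kind}: {', '.join(who)}")
```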

Real-World Example:

At Fabrikam Inc., security teams received a high-severity alert indicating that roles were being assigned outside of PIM. Investigation revealed that a developer had assigned the Contributor role directly to a service account via the Azure portal. The security team removed the direct assignment and configured PIM to manage that role, enforcing activation policies and logging for compliance.

Severity Levels Explained

  • High Severity: Requires immediate action due to policy violations (e.g., roles assigned outside of PIM).
  • Medium Severity: Signals potential policy issues but doesn't require immediate action.
  • Low Severity: Suggests preferred policy changes without immediate urgency.

Note: For the alert regarding roles assigned outside of PIM, you might encounter duplicate notifications due to system incidents.

Real-World Examples of PIM Implementation

Example 1: Securing Access to Financial Data

Apex Bank needed to secure access to their financial databases hosted in Azure. They identified that several database administrators had permanent Owner roles on the subscription. By implementing PIM:

  • They reduced permanent Owners to the minimum required.
  • Configured PIM to require multi-factor authentication and approval from a security officer for role activation.
  • Set up access reviews every three months.

As a result, unauthorized access attempts were mitigated, and audit logs provided clear records of who accessed sensitive data and when.

Example 2: Managing Developer Access in DevOps

GlobalTech Solutions has a large DevOps team that frequently needs elevated access to deploy applications. Initially, all developers had Contributor roles on the production resource group.

With PIM:

  • Developers were assigned eligible Contributor roles.
  • Activation required justification but didn't need approval to streamline the deployment process.
  • Activity logs allowed the security team to monitor activations and actions taken during elevated sessions.

This approach balanced the need for agility in deployment with enhanced security controls.

Example 3: Responding to a Security Incident

Innovate Corp. experienced a security incident where an external actor gained access to a compromised account with high privileges. Post-incident, they implemented PIM to:

  • Enforce just-in-time access for all high-privilege roles.
  • Require approval from managers for activating critical roles.
  • Integrate PIM alerts with their Security Information and Event Management (SIEM) system for real-time monitoring.

These changes improved their security posture and helped prevent similar incidents in the future.

Implementing PIM for Azure Resources

PIM now supports automatic management of Azure resources within a tenant, eliminating the need for manual onboarding. The enhanced user interface leverages the latest PIM ARM API, providing improved performance and finer control when selecting the appropriate scope for management.

You can search for and select management group or subscription resources to manage in Privileged Identity Management. When you manage a management group or a subscription in Privileged Identity Management, you can also manage its child resources.

PIM Azure Resources

The screenshot below illustrates the selection at the Management Group level.

PIM Azure Management Group Level Assignment

Note: You can view and manage management groups or subscriptions where you have Microsoft.Authorization/roleAssignments/write permissions, such as roles like User Access Administrator or Owner. If you're a Global Administrator but not a subscription owner and don't see any Azure subscriptions or management groups to manage, you can elevate your access to manage these resources, as previously discussed.

In our testing, no subscription is assigned at the Management Group level, as our subscription is kept at the Tenant Root level. Therefore, we will configure PIM at the subscription level to grant a user Contributor access to the subscription.

The screenshot below shows the current selection:

PIM Azure Resources Subscription Level Config

After selecting "Manage resource," you will be directed to the PIM Overview tab for the chosen Azure resource (in our case, an Azure subscription).

In the Overview tab under the Admin view, you can see:

  • Role activations in the last 7 days
  • Role assignment distribution
  • PIM activities over the last 30 days
  • Roles by assignment (in descending order)

In the My view section, the dashboard is limited to your current login, showing:

  • My role activations in the last 7 days
  • Activities
  • Eligible role assignments
  • Active role assignments

PIM Azure resources Admin View

PIM Azure resources My View

In the My Roles section, you can view your current Azure resource access assignments categorized as Eligible, Active, or Expired.

PIM Azure Resources My Roles

Navigate to the Roles section, where you can assign users or groups to Azure resource role assignments.

PIM Azure Role Assignments

Once a role is selected, add the required user or group to the assignment.

PIM Azure Role Assignment

PIM Azure Role Assignment to User

Choose Next to configure the role assignment settings.

PIM Azure Role Assignment to User

Choose the assignment type, as well as the start and end date. In our case, we selected the "Eligible" assignment type and set the assignment to end after 7 days, then assigned the role.

PIM Azure Role Assignment Settings

Note: Attribute-based access control (ABAC) is an authorization system that determines access based on attributes tied to security principals, resources, and the environment of an access request. With ABAC, you can grant a security principal access to a resource using specific attributes. Azure ABAC refers to the application of ABAC within Azure. You can leverage Azure attribute-based access control (Azure ABAC) to apply conditions on eligible role assignments using Microsoft Entra PIM for Azure resources. Microsoft Entra PIM requires end users to activate eligible role assignments to gain the permissions needed to perform certain actions. By using conditions in Microsoft Entra PIM, you can restrict a user's role permissions for a resource with fine-grained conditions, while also securing the role assignment with time-bound settings, approval workflows, audit trails, and more.

Currently, the following built-in roles support conditions:

  • Storage Blob Data Contributor
  • Storage Blob Data Owner
  • Storage Blob Data Reader

PIM: Azure attribute-based access control (Azure ABAC)

The role assignment can be seen in the Eligible Assignments tab.

PIM Azure Role Eligible Assignments

Select the Settings tab at the top to manage the PIM Azure role settings. In our case, we are managing the settings for the Contributor role.

PIM Azure Contributor Role Settings

You will see the Activation, Assignment, and Notification settings. Select Edit to modify the role settings.

PIM Azure Role Settings

We previously discussed the Activation Options in Part 1 of this blog, and there are no changes to those settings.

In this case, we will set the Activation maximum duration to 4 hours and require users to meet Microsoft Entra Conditional Access authentication context upon activation. This will prompt users to use passwordless MFA through Authentication Strength and accept the Terms of Use.

For more details on configuring Authentication Strength and Terms of Use, you can refer to my previous blog post on Entra Conditional Access policies.

Additionally, Justification and Approval are required to grant access.

PIM Azure resources Activation Settings

The Authentication Context Configuration is highlighted in the screenshot below.

Entra ID CA Authentication Context

The Authentication Strength Configuration is highlighted in the screenshot below.

Entra ID CA Authentication Strength

Entra ID Terms of use configuration is highlighted in the screenshot below.

Entra ID Terms of use

To configure an Entra Conditional Access (CA) policy to support Microsoft Entra Conditional Access authentication context upon activation for a PIM role:

  1. Provide a Name for the policy.
  2. Select the desired User/Group to assign the CA policy.

Entra Conditional Access (CA) policy

In the Target Resource/Cloud Apps section, select AuthenticationContext, and then choose the Authentication Context that was created specifically for PIM.

Target Resource/Cloud Apps

In the CA Policy Grant Access section, select Passwordless MFA and the Terms of Use that you previously created. Then, choose the option Require all of the selected controls, turn on the policy, and finally, click Create.

Entra ID CA Policy Grant Access

We will configure the assignments as shown in the screenshot below. Select Next and configure the Notification settings.

The duration for Eligible and Active assignments can be set to 15 days, 1 month, 3 months, 6 months, or 1 year.

PIM Azure Role Assignment settings

We will keep the Notification settings at the default configuration. However, if desired, you can add additional recipients to the email notification settings. Once done, click Update.

PIM Azure role Notification settings

Azure Role Activation User Experience

Sign in to the Azure portal.

Navigate to Microsoft Entra Privileged Identity Management (PIM) and select My roles.

Microsoft Entra Privileged Identity Management (PIM) My Roles

In the My Roles section, select Azure resources to view and manage the roles assigned to the various Azure resources you have access to.

Entra PIM Azure resources

Under Azure Resources, you will see the Eligible Assignments, including the recently assigned Azure role. The assignment will display both an Activate and Extend button. Click the Activate button to activate the role. Since this role assignment is set to expire in 7 days, the Extend button is also available for extending the assignment if needed.

Note:
  1. Only administrators of the resource can extend or renew role assignments. The affected user or group can request to extend roles that are about to expire and request to renew roles that are already expired.
  2. Privileged Identity Management sends email notifications to administrators and affected users or groups for roles set to expire within 14 days and again one day before expiration. A final email is sent when the role assignment officially expires.
  3. If a user assigned to a role doesn't request an extension, an administrator can extend the role assignment on the user's behalf. Administrative extensions do not require approval, but notifications are sent to all other administrators once the role has been extended.

PIM Azure Eligible Role Activate

Note-1: You may now activate your assignments and view your access directly from blades outside of PIM in the Azure portal.

Azure Role Activation outside of PIM

Azure Role activation outside of PIM: Eligible Role

Note-2: PIM is now accessible through the Microsoft Entra ID and Azure resource roles mobile apps on both iOS and Android.

To activate an eligible Microsoft Entra role assignment, begin by downloading the Azure mobile app (iOS | Android). Alternatively, you can download the app by selecting "Open in mobile" from Privileged Identity Management > My roles > Microsoft Entra roles.

The screenshot below shows the setup.

Azure mobile app (iOS | Android)


After selecting the activate button, a new window will open, prompting you to complete an additional verification step. This occurs because we have integrated Microsoft Entra Conditional Access with Passwordless MFA and Terms of Use as part of the Azure Role activation process.

PIM Activation Additional Verification

When you select the Additional Verification Banner, you will be prompted to sign in using Passwordless MFA.

M365 Passwordless Authentication

After successful authentication, the Terms of Use prompt will be displayed to the user, as we have included two grant controls for the role activation through Entra ID CA Policy.

Entra ID Terms of Use Prompt

Review the Terms of Use document in the PDF format, then click the Accept button.

Entra ID CA Terms of Use document Accept

After completing the additional verification, the user will be redirected back to the PIM Role activation window, where they need to select the role activation duration, provide a reason for the activation, and then click the activate button.

Entra ID PIM Azure Role Activate

Since this role activation requires approval, the user's request will be submitted to the approver for approval.

Entra ID PIM Request for Approval

The approver will receive an email notification regarding this request.

Entra ID PIM Azure Role Activation Approver Notification

The approver can click the Approve button in the email, which will direct them to the Entra ID PIM page, or they can go directly to the Entra ID PIM page, navigate to "Approve Requests," and select Azure Resources.

PIM Azure resource Approve Pending Request

Select the request and click Approve.

Approve PIM Azure role Activation Request

Note: Microsoft Entra Privileged Identity Management (PIM) allows you to configure roles to require approval for activation, and to designate users or groups from your Microsoft Entra organization as delegated approvers. It is recommended to assign two or more approvers per role to help distribute the workload of the Privileged Role Administrator. Delegated approvers have 24 hours to approve requests. If a request is not approved within that time, the eligible user must submit a new request. The 24-hour approval window cannot be adjusted.

Once the approver clicks the Approve button, they will be prompted to review the request and provide a justification for their approval before selecting Submit.

PIM Azure role Activation Approval with Justification

At the same time, if the user checks "My Requests" on the Azure resources page in PIM, they will see that their request is pending approval.

PIM Approval request pending

Once the role activation request is approved by the approver, the user will be able to see the role listed as active under "Active Assignments."

PIM Azure Resource Active Assignments

The user will receive an email notification once their request is approved.

Note: A resource administrator who believes an approved user should not be active can revoke the active role assignment in Privileged Identity Management. While resource administrators do not receive notifications about pending requests unless they are an approver, they can still view and cancel pending requests for all users by accessing the pending requests section in Privileged Identity Management.

PIM Role Activation Approved email notification


We can verify the role activation by checking the Azure Subscription Access Control (IAM), as the role has been assigned at the subscription level.

When a role is assigned, the assignment:

  • Cannot have a duration of less than five minutes.
  • Cannot be removed within five minutes of being assigned.

Azure Subscription Access Control IAM

If you navigate to the PIM Audit History section under Azure Resources for that particular user, you will be able to view the audit details related to their PIM role activations.

PIM Azure resources audit history

As the Owner or User Access Administrator of the subscription, if you go to the PIM Assignments section, you will be able to see the current role assignments for that particular subscription.

PIM Subscription Azure Role Assignments


Alerts

Privileged Identity Management (PIM) generates alerts when suspicious or unsafe activities are detected within your organization in Microsoft Entra ID. These alerts are displayed on the Alerts page when triggered.

To manage the PIM alerts for Azure resources, navigate to the PIM Azure Resource Management page, select the subscription, and then select "Alerts."

PIM Azure resources Alert

To configure alert settings, select "Settings" from the Alerts page.

Below are some of the currently available alert rules.

  • Too many owners assigned to a resource
    • Severity: Medium
    • Trigger: Excessive number of users with the owner role
    • Recommendation: Review the users and reassign some to roles with lower privileges
  • Too many permanent owners assigned
    • Severity: Medium
    • Trigger: Too many users permanently assigned to a role
    • Recommendation: Review the users and configure some to require activation for role use
  • Duplicate role created
    • Severity: Medium
    • Trigger: Multiple roles with the same criteria exist
    • Recommendation: Consolidate and use only one of these roles
  • Roles assigned outside Privileged Identity Management
    • Severity: High
    • Trigger: A role is being managed directly via Azure IAM or API
    • Recommendation: Review the users and remove those assigned to privileged roles outside of Privileged Identity Management

Severity levels:

  • High: Requires immediate action due to a policy violation.
  • Medium: Doesn't demand immediate attention but indicates a potential policy violation.
  • Low: No urgent action needed, but suggests a recommended policy change.

PIM Azure Resource Alert Rules
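The high-severity "roles assigned outside Privileged Identity Management" rule can also be reproduced from the Azure Activity log, which is useful when the alert is delayed or duplicated as noted earlier. The script below is an added example, not code from the original post; its records are constructed to mirror the fields of `az monitor activity-log list` output, and it assumes that assignments PIM writes on activation appear with the caller MS-PIM (verify this against your own tenant's log before relying on it).

```python
"""Detect Azure role assignments written outside PIM from Activity log records.

Added example. The events below are constructed samples with the same field
names as `az monitor activity-log list` output (operationName.value, caller,
status.value, resourceId, eventTimestamp). Assumption: writes performed by PIM
itself carry the caller 'MS-PIM'.
"""
import json

ROLE_WRITE = "Microsoft.Authorization/roleAssignments/write"
PIM_CALLERS = {"MS-PIM"}  # assumption: PIM's own identity as seen in the log
ASSIGNMENT_MARKER = "/providers/Microsoft.Authorization/roleAssignments/"

# Constructed sample export: one PIM-driven write, one direct write by a
# developer, one failed direct attempt, and one unrelated operation.
SAMPLE_ACTIVITY_LOG = json.dumps([
    {"operationName": {"value": ROLE_WRITE}, "caller": "MS-PIM",
     "status": {"value": "Succeeded"},
     "resourceId": "/subscriptions/sub-prod-0001" + ASSIGNMENT_MARKER
                   + "aaaaaaaa-0000-0000-0000-000000000001",
     "eventTimestamp": "2024-05-01T09:00:00Z"},
    {"operationName": {"value": ROLE_WRITE}, "caller": "dev@fabrikam.com",
     "status": {"value": "Succeeded"},
     "resourceId": "/subscriptions/sub-prod-0001/resourceGroups/rg-app"
                   + ASSIGNMENT_MARKER + "aaaaaaaa-0000-0000-0000-000000000002",
     "eventTimestamp": "2024-05-01T10:15:00Z"},
    {"operationName": {"value": ROLE_WRITE}, "caller": "dev@fabrikam.com",
     "status": {"value": "Failed"},
     "resourceId": "/subscriptions/sub-prod-0001" + ASSIGNMENT_MARKER
                   + "aaaaaaaa-0000-0000-0000-000000000003",
     "eventTimestamp": "2024-05-01T10:20:00Z"},
    {"operationName": {"value": "Microsoft.Compute/virtualMachines/start/action"},
     "caller": "ops@fabrikam.com", "status": {"value": "Succeeded"},
     "resourceId": "/subscriptions/sub-prod-0001/resourceGroups/rg-app"
                   "/providers/Microsoft.Compute/virtualMachines/vm1",
     "eventTimestamp": "2024-05-01T11:00:00Z"},
])


def assignment_scope(resource_id):
    """A role assignment's scope is everything before its roleAssignments
    segment; an assignment directly at root has nothing before it."""
    return resource_id.split(ASSIGNMENT_MARKER, 1)[0] or "/"


def find_direct_role_writes(activity_log_json, pim_callers=PIM_CALLERS):
    """Return successful roleAssignments/write events not performed by PIM.

    Only 'Succeeded' events are kept: each operation also logs a 'Started'
    event, and counting both would report every finding twice."""
    findings = []
    for event in json.loads(activity_log_json):
        if event["operationName"]["value"] != ROLE_WRITE:
            continue
        if event["status"]["value"] != "Succeeded":
            continue
        if event["caller"] in pim_callers:
            continue
        findings.append({
            "caller": event["caller"],
            "scope": assignment_scope(event["resourceId"]),
            "time": event["eventTimestamp"],
        })
    return findings


if __name__ == "__main__":
    for hit in find_direct_role_writes(SAMPLE_ACTIVITY_LOG):
        print(f"{hit['time']} {hit['caller']} wrote a role assignment at "
              f"{hit['scope']} outside PIM")
```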

Adjust the alert settings to align with your environment and security objectives.

Alert Settings Threshold

You can activate the desired alert rule by selecting the specific alert rule.

PIM Azure Resources Alert Rule enable

PIM Azure Resource Audit

Privileged Identity Management (PIM) in Microsoft Entra ID allows you to monitor activity, activations, and audit history for Azure resource roles within your organization, including subscriptions, resource groups, and virtual machines. Any resource using Azure role-based access control in the Microsoft Entra admin center can benefit from PIM’s security and lifecycle management features. If you need to retain audit data beyond the default retention period, you can use Azure Monitor to route the data to an Azure storage account.

Resource audit provides an overview of all role-related activities for a specific resource.

  1. Sign in to the Microsoft Entra admin center with at least Privileged Role Administrator permissions.
  2. Navigate to Identity governance > Privileged Identity Management > Azure resources.
  3. Choose the resource for which you want to view the audit history.
  4. Select Resource audit.
  5. Filter the audit history by using a predefined date range or setting a custom range.

PIM Azure Resource Audit


Best Practices for Azure Role-based Access Control

  • Grant Least Privilege Access
    • Assign users only the permissions they need to perform their jobs.
    • Avoid giving broad roles at wide scopes; instead, limit roles to specific resources.
    • When creating custom roles, include only necessary permissions to reduce risk if an account is compromised.
  • Limit the Number of Subscription Owners
    • Maintain a maximum of three subscription owners to minimize potential security breaches from compromised accounts.
    • Monitor this recommendation using Microsoft Defender for Cloud.
  • Limit Privileged Administrator Role Assignments
    • Remove unnecessary privileged role assignments to reduce security risks.
    • Use job function roles over privileged administrator roles when possible.
    • Assign roles at the narrowest scope, such as a resource group or resource, rather than at the subscription or management group level.
    • Add conditions to role assignments that have permission to create other role assignments to constrain their capabilities.
  • Use Microsoft Entra Privileged Identity Management (PIM)
    • Implement PIM to provide just-in-time privileged access, lowering the exposure time of elevated permissions.
    • Benefit from increased visibility through reports and alerts.
    • Utilize time-bound access, where privileges are automatically revoked after a set period.
  • Assign Roles to Groups, Not Users
    • Assign roles to groups to simplify management and avoid direct user assignments.
    • This approach minimizes the number of role assignments, helping to stay within subscription limits.
  • Use Unique Role IDs Instead of Role Names in Automation
    • When scripting or automating role assignments, use the unique role ID to prevent issues if the role name changes.
    • This practice ensures that your automation remains functional even after roles are renamed.
  • Avoid Using Wildcards in Custom Roles
    • Explicitly specify Actions and DataActions when creating custom roles.
    • Refrain from using the wildcard (*) character to prevent unintentionally granting additional permissions in the future.
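To show what the last two best practices look like in a role definition, here is an added example (not code from the original post) that lints a custom role for wildcards and for NotActions carved out of a wildcard, with a constructed weak definition beside its explicit replacement. The JSON shape is the one `az role definition create --role-definition` accepts; the role names, description and subscription id are placeholders.

```python
"""Lint an Azure custom role definition for wildcard permissions.

Added example. Both definitions are constructed; only the field names
(Name, Actions, NotActions, DataActions, AssignableScopes) are real.
"""
import json

# Weak definition: a namespace wildcard with delete removed via NotActions.
# Any operation Microsoft later adds under Microsoft.Compute is granted
# automatically, which is exactly what the wildcard warning is about.
WEAK_ROLE = json.dumps({
    "Name": "VM Operator (weak)",
    "Description": "Constructed example: start and stop VMs",
    "Actions": [
        "Microsoft.Compute/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
    ],
    "NotActions": ["Microsoft.Compute/virtualMachines/delete"],
    "DataActions": [],
    "AssignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
})

# Hardened definition: the same job function listed operation by operation.
HARDENED_ROLE = json.dumps({
    "Name": "VM Operator",
    "Description": "Constructed example: start and stop VMs",
    "Actions": [
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Compute/virtualMachines/deallocate/action",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
    ],
    "NotActions": [],
    "DataActions": [],
    "AssignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
})


def lint_custom_role(role_json):
    """Return (field, entry, reason) findings for a custom role definition."""
    role = json.loads(role_json)
    findings = []
    # Wildcards anywhere in Actions or DataActions, including partial ones
    # such as Microsoft.Storage/*/read, grant operations added in future.
    for field in ("Actions", "DataActions"):
        for entry in role.get(field, []):
            if "*" in entry:
                findings.append((field, entry,
                                 "wildcard also grants future operations in this namespace"))
    # Subtracting NotActions from a wildcard is the pattern to avoid: with
    # explicit Actions there is nothing left to carve out.
    has_wildcard_action = any("*" in a for a in role.get("Actions", []))
    if has_wildcard_action:
        for entry in role.get("NotActions", []):
            findings.append(("NotActions", entry,
                             "carved out of a wildcard instead of listing explicit actions"))
    return findings


if __name__ == "__main__":
    for label, role in (("weak", WEAK_ROLE), ("hardened", HARDENED_ROLE)):
        print(label, lint_custom_role(role) or "no findings")
```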



Conclusion

Implementing PIM for Azure resource roles is essential for maintaining a secure and well-governed Azure environment. By following best practices in role assignment, activation, and monitoring, organizations can significantly reduce the risk of unauthorized access and potential security breaches.

Key Takeaways:

  • Regularly audit and minimize privileged role assignments.
  • Use PIM to enforce just-in-time access and approval workflows.
  • Monitor PIM alerts and respond promptly to high-severity notifications.
  • Collaborate with resource owners to classify and protect critical assets.
