Microsoft Security

Cloud security controls series: Azure AD Privileged Identity Management

  • Tim Rains

Securely managing access to privileged accounts has been a challenge for many of the CISOs I talk to. Many of these CISOs worry that their organizations have too many permanent accounts with high levels of privilege in their environments. Some examples of the threats that keep these people up at night include malicious or rogue administrators, administrator credentials leaked via phishing attacks, administrator credentials cached on compromised systems, and user accounts granted temporary elevated privileges that quietly become permanent. More and more organizations are realizing that they have to strictly manage privileged accounts and monitor their activities because of the risk associated with their misuse. But many organizations are struggling to truly embrace the principle of least privilege across their large, complicated environments. I frequently get asked for best practices for managing and monitoring administrator accounts.

Working with privileged accounts in the cloud is no different; using the principle of least privilege with cloud resources makes as much sense as it does for on-premises resources. This is an area where Azure AD Privileged Identity Management can help. Azure AD Privileged Identity Management will help you discover the Azure Active Directory privileged administrator roles and the user accounts they are assigned to. It will also enable you to revoke permanent privileged access and replace it with on-demand, time-limited access for Azure Active Directory privileged roles. This is the "just in time administration" functionality that so many CISOs I have talked to have been looking for. Azure AD Privileged Identity Management also provides reports on administrator access history and changes in administrator user account assignments.

You can get Azure AD Privileged Identity Management in the Azure Preview Portal as seen in Figure 1. Note that you'll need Azure Active Directory Premium to get this feature; it is yet another important security feature that justifies getting the Premium edition.

Figure 1: In the Azure Preview Portal click "New", "Security + Identity", "Azure AD Privileged Identity"; once installed it will appear on the Startboard in the Azure Preview Portal

One feature of Azure AD Privileged Identity Management that I'll highlight here is the "just in time" administrator functionality that I mentioned earlier. Azure Active Directory enables granular administrative control of resources. Users can be given privileged roles that enable them to do different administrative functions for their organization. Examples of these roles include Global Administrator, Billing Administrator, Compliance Administrator, Service Administrator, Password Administrator, User Administrator, and others. Many customers will take advantage of Office 365 workload-specific roles such as Exchange Administrator, SharePoint Service Administrator, and Skype for Business Administrator. When managed by Azure AD Privileged Identity Management, user accounts that have these roles assigned to them are essentially non-privileged users until they are activated into their assigned privileged role. When the user needs to perform an administrative activity that requires the privileges that their privileged role provides, they simply start Azure AD Privileged Identity Management in the Azure portal and activate their membership in the role they have been pre-assigned (completing multi-factor authentication first, if the role's settings require it). Now they will be able to perform the administrator function for a limited period of time before the activation expires and the account drops back to its non-privileged state. Figure 2 is an example of the privileged account activation process in Azure AD Privileged Identity Management.
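The same self-activation flow can be driven from PowerShell instead of the portal. The following is an added example, not code from the original post or from Microsoft; it uses the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.Governance and Microsoft.Graph.Authentication), which is the current way to script PIM. It assumes the signed-in user already holds an eligible assignment for the role; the role name, justification text and one-hour duration are constructed for the example.

```powershell
# Added example (not from the original post): self-activate an eligible Azure AD role
# through Microsoft Graph PowerShell. Assumes the Microsoft.Graph modules are installed
# and the signed-in user is *eligible* for the role (assigned via PIM, not active).
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Identity.Governance

# Delegated scopes: read role definitions and eligibility, create/read own activation requests.
Connect-MgGraph -Scopes "User.Read",
                        "RoleManagement.Read.Directory",
                        "RoleEligibilitySchedule.Read.Directory",
                        "RoleAssignmentSchedule.ReadWrite.Directory"

# Object id of the caller; /me returns a hashtable, so keys are the raw JSON names.
$me = Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/v1.0/me?$select=id,userPrincipalName'

# Resolve the role by display name rather than hard-coding its template id.
$roleName = "Security Administrator"   # constructed for the example
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
if (-not $role) { throw "Role '$roleName' not found in this tenant." }

# Check eligibility first: an activation request only succeeds for a role you are eligible for.
$eligible = Get-MgRoleManagementDirectoryRoleEligibilitySchedule `
    -Filter "principalId eq '$($me.id)' and roleDefinitionId eq '$($role.Id)'"
if (-not $eligible) { throw "$($me.userPrincipalName) has no eligible assignment for $roleName; ask a Privileged Role Administrator to add one." }

# Build the activation request. Duration is ISO 8601; PIM caps it at the role's configured maximum.
$request = @{
    Action           = "selfActivate"
    PrincipalId      = $me.id
    RoleDefinitionId = $role.Id
    DirectoryScopeId = "/"                       # whole tenant; use an administrative unit id to narrow it
    Justification    = "INC-0000: investigate sign-in risk alerts"   # constructed text; keep it meaningful, it lands in the audit log
    ScheduleInfo     = @{
        StartDateTime = (Get-Date).ToUniversalTime()
        Expiration    = @{ Type = "AfterDuration"; Duration = "PT1H" }
    }
}
$result = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $request

# Status tells you whether the role is live now or is waiting on approval or an MFA challenge.
$result | Select-Object Id, Status, CreatedDateTime

# Confirm what is actually active for this principal and role, with the expiry PIM assigned.
Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance `
    -Filter "principalId eq '$($me.id)' and roleDefinitionId eq '$($role.Id)'" |
    Select-Object AssignmentType, StartDateTime, EndDateTime
```

Two things to check in practice: the `Status` on the returned request is not "Provisioned" when the role requires approval, so a script that immediately tries to use the role will fail; and the final query is the one to keep in a runbook, because `AssignmentType` of `Activated` with a populated `EndDateTime` is what distinguishes a just-in-time activation from a standing (`Assigned`) membership.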

This process provides a few important advantages over the standard administrative model. First, it helps minimize the number of accounts that have standing administrator privileges. The fewer administrators surfing the Internet and reading email with privileged credentials, the better. The second advantage of this approach is that it minimizes the amount of time that privileged accounts are active; they are only used when they need to be used and are otherwise dormant. This makes for an audit trail with less noise, one that can actually be used to understand when and how privileged accounts were used. Another big advantage of this approach is that it provides an excellent place to enforce multi-factor authentication, which will help mitigate the risk of leaked administrator credentials. Requiring multi-factor authentication when users activate their privileged roles also provides a level of non-repudiation that helps manage the "insider threat" scenario that so many of the CISOs I talk to worry about. If administrators know they are being monitored and their activities are being logged and are easy to audit, they are less likely to take liberties or be sloppy with the privileged credentials they have been entrusted with.

Figure 2 (left): I activated my role as a Security Administrator in Azure AD Privileged Identity Management which gave me the privileges of that role for 50 minutes; Figure 3 (right): each privileged role has settings that can be configured that define the activation duration, whether to automatically send notifications on activation, and whether to require multi-factor authentication for activation
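The role settings in Figure 3 (activation duration, MFA on activation) and the audit-trail advantage discussed above can both be handled from PowerShell. The block below is an added example, not code from the original post or from Microsoft: it uses the Microsoft Graph PowerShell SDK to cap activations of one role at one hour, require MFA plus a justification on every activation, and then pull the PIM-related audit events for the last seven days so that permanent assignments made outside PIM stand out. It assumes a Privileged Role Administrator is signing in; the role name, the one-hour cap and the seven-day window are constructed for the example, and the activity-name patterns matched at the end should be confirmed against your own tenant's audit log.

```powershell
# Added example (not from the original post): configure a role's PIM activation rules and
# review the audit trail. Assumes the Microsoft.Graph modules are installed and the caller
# is a Privileged Role Administrator.
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Identity.Governance
Import-Module Microsoft.Graph.Reports

Connect-MgGraph -Scopes "RoleManagement.Read.Directory",
                        "RoleManagementPolicy.ReadWrite.Directory",
                        "AuditLog.Read.All"

$roleName = "Security Administrator"   # constructed for the example
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
if (-not $role) { throw "Role '$roleName' not found." }

# Each directory role is bound to its own PIM policy at tenant scope; find that binding.
$binding = Get-MgPolicyRoleManagementPolicyAssignment `
    -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$($role.Id)'"
$policyId = $binding.PolicyId

# Rules that apply to end-user activation (as opposed to admin assignment) share this target.
$endUserActivation = @{
    "@odata.type"       = "microsoft.graph.unifiedRoleManagementPolicyRuleTarget"
    caller              = "EndUser"
    operations          = @("All")
    level               = "Assignment"
    inheritableSettings = @()
    enforcedSettings    = @()
}

# Rule 1: activations expire after at most one hour (the 50-minute activation in Figure 2 came from a cap like this).
$expiration = @{
    "@odata.type"        = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"
    id                   = "Expiration_EndUser_Assignment"
    isExpirationRequired = $true
    maximumDuration      = "PT1H"
    target               = $endUserActivation
}
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId $expiration.id -BodyParameter $expiration

# Rule 2: every activation must pass MFA and carry a written justification (the non-repudiation point above).
$enablement = @{
    "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule"
    id            = "Enablement_EndUser_Assignment"
    enabledRules  = @("MultiFactorAuthentication", "Justification")
    target        = $endUserActivation
}
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId $enablement.id -BodyParameter $enablement

# Read the end-user rules back; settings live in AdditionalProperties because each rule type differs.
Get-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId |
    Where-Object { $_.Id -like "*_EndUser_Assignment" } |
    Format-List Id, AdditionalProperties

# Audit trail: PIM events land in the RoleManagement category of the directory audit log.
$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$events = Get-MgAuditLogDirectoryAudit -All `
    -Filter "category eq 'RoleManagement' and activityDateTime ge $since"

$actor = @{ Name = "Actor"; Expression = { $_.InitiatedBy.User.UserPrincipalName } }

# Just-in-time activations: the expected, low-noise signal described above.
"`n== PIM activations (last 7 days) =="
$events | Where-Object { $_.ActivityDisplayName -like "*PIM activation*" } |
    Select-Object ActivityDateTime, $actor, ActivityDisplayName, Result

# Standing privilege granted without PIM: each of these is a permanent account to chase down.
"`n== Role assignments made outside of PIM =="
$events | Where-Object { $_.ActivityDisplayName -like "*outside of PIM*" } |
    Select-Object ActivityDateTime, $actor, ActivityDisplayName, Result
```

Notification rules (Figure 3's "send notifications on activation") are separate rule objects in the same policy and are updated with the same `Update-MgPolicyRoleManagementPolicyRule` call. The second audit query is the one worth turning into a scheduled alert: a role membership added outside PIM is exactly the permanent-privilege case the post opens with, and it will never show up in the activation report.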

Azure AD Privileged Identity Management has a lot more functionality than I covered here; the Azure team has published some good resources so that you can learn more:

Azure Cloud App Discovery GA and our new Privileged Identity Management service
Azure AD Privileged Identity Management
Azure AD Privileged Identity Management (video)
Privileged Access Management for Active Directory

Tim Rains
Chief Security Advisor
Worldwide Cybersecurity & Data Protection