Introduction
Azure's Privileged Identity Management (PIM) is an essential service that helps manage the security of your organization's resources. It allows you to effectively manage, control, and monitor access within your organization for the following areas:
- Azure Resources
- Azure Roles
- Azure AD Groups memberships
One of the most distinctive features of PIM is its provision of just-in-time privileged access. This means that necessary permissions and accesses are granted precisely at the moment they are needed and expire after a predefined period. This significantly reduces the risk of security breaches by making it harder for attackers to access sensitive resources.
This blog post will examine how PIM works for Azure Resources and how to manage it through PowerShell.
Overview
PIM is part of the Microsoft Entra Identity Protection Plan 2 (P2), and you will need a license. Follow the steps in the PIM section in Azure to purchase and enable it. Once you have the license in place and enter the Azure PIM, you are presented with the following screen:
For a full overview of all PIM Azure features, please see https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure.
The PIM landing page has mainly two areas:
- Tasks
- Manage
PIM Tasks
Here, you activate your available roles, which are called Eligible assignments. You can view your current active role assignments and the expired ones. Additionally, you can request to activate a new PIM role, approve others, and review access.
PIM Manage
PIM Management is, as the name suggests, where we create new eligible assignments, for all PIM areas:
- Resources
- Roles
- Groups
This blog post will focus on the management of Azure resources.
PIM for Azure Resources
This is where we create PIM rules for Azure resource access. In effect this means that, after activating the assignment, the user gets a specific Azure role (e.g. Reader) on a particular resource (e.g. a resource group, a subscription or a storage account). Following the guide, we narrow it down to the scope where we want the rule to apply. In the screenshot below, we apply it to the subscription named Subscription 1.
Clicking Manage resource and then Settings presents us with the following screenshot:
In short, this shows us the PIM settings for the different roles for this particular resource, which is the entire subscription in this case. Of course, it is possible to scope it further down into resources within it, e.g., resource groups, storage accounts, and key vaults.
After clicking the Owner role, we have the following screen:
At the time of this writing, these settings are not particularly well supported through Terraform. Issue #68 ("Privileged Identity Management (PIM)") in the hashicorp/terraform-provider-azuread repository on GitHub gives the full history, going back to 2019.
It is possible to send HTTP requests and manage them through any other scripting language, but for this blog post, we will use PowerShell. Although I am not a very big fan of PowerShell, it gets the job done in this particular case.
Managing Azure Resources PIM settings
I have created a demo GitHub repo over at https://github.com/fredrkl/ad-pim-iac-demo showing how to:
- Add an Azure AD group as an approver
- Remove the expiration date for the eligibility assignment requirement
- Change the maximum duration for PIM assignments
See the repo README and code comments for an in-depth description of the code and how it works.
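The script below is an added example written for this post; it is not the code from the ad-pim-iac-demo repository, and it does not go through Terraform. It drives the same Azure Resource Manager PIM REST API (the `roleManagementPolicies` resource, API version 2020-10-01) that the Azure portal uses behind the settings screen shown above, via `Invoke-AzRestMethod` from Az.Accounts, and applies the three changes listed in the repo to the Owner role at subscription scope: it adds a group as a primary approver, drops the expiration requirement on eligible assignments, and sets the activation maximum duration. The subscription id, the approver group's object id and name are placeholders you must replace; the script also assumes you have already run `Connect-AzAccount` as an identity allowed to manage PIM settings at that scope. Without `-Apply` it only prints the PATCH body, so you can review exactly which rules would change before touching the policy.

```powershell
# Added example (not the fredrkl/ad-pim-iac-demo code): edit the PIM role settings
# for the built-in Owner role at subscription scope through the ARM REST API.
# Requires Az.Accounts and a prior Connect-AzAccount. GUIDs below are placeholders.
param(
    [string]$SubscriptionId        = '00000000-0000-0000-0000-000000000000',  # placeholder
    [string]$ApproverGroupObjectId = '11111111-1111-1111-1111-111111111111',  # placeholder
    [string]$ApproverGroupName     = 'pim-owner-approvers',                   # placeholder
    [string]$MaxActivationDuration = 'PT4H',   # ISO 8601 duration for "Activation maximum duration"
    [switch]$Apply                             # without -Apply the script only prints the PATCH body
)

$apiVersion = '2020-10-01'
$scope      = "/subscriptions/$SubscriptionId"
# 8e3af657-... is the built-in Owner role definition id; it is the same in every tenant.
$ownerRoleDefinitionId = "$scope/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"

# Small wrapper: call ARM, fail loudly on non-2xx, return the parsed JSON body.
function Invoke-ArmJson {
    param([string]$Method, [string]$Path, [object]$Body)
    $params = @{ Method = $Method; Path = $Path }
    if ($Body) { $params.Payload = ($Body | ConvertTo-Json -Depth 20) }
    $response = Invoke-AzRestMethod @params
    if ($response.StatusCode -ge 300) {
        throw "ARM $Method $Path failed with $($response.StatusCode): $($response.Content)"
    }
    return $response.Content | ConvertFrom-Json
}

# 1. Which role management policy governs the Owner role at this scope?
$filter = [uri]::EscapeDataString("roleDefinitionId eq '$ownerRoleDefinitionId'")
$assignments = Invoke-ArmJson -Method GET -Path "$scope/providers/Microsoft.Authorization/roleManagementPolicyAssignments?api-version=$apiVersion&`$filter=$filter"
$policyId = $assignments.value[0].properties.policyId   # /subscriptions/.../roleManagementPolicies/<guid>

# 2. Read the current rules so that only the three we care about are touched.
$policy = Invoke-ArmJson -Method GET -Path "${policyId}?api-version=$apiVersion"
$rulesById = @{}
foreach ($rule in $policy.properties.rules) { $rulesById[$rule.id] = $rule }

# "Expire eligible assignments after": allow permanent eligibility.
$eligibilityRule = $rulesById['Expiration_Admin_Eligibility']
$eligibilityRule.isExpirationRequired = $false

# "Activation maximum duration" for users activating the role.
$activationRule = $rulesById['Expiration_EndUser_Assignment']
$activationRule.maximumDuration = $MaxActivationDuration

# "Require approval to activate", with the group as a primary approver.
$approvalRule = $rulesById['Approval_EndUser_Assignment']
$setting = $approvalRule.setting
$setting.isApprovalRequired = $true
if (-not $setting.approvalStages -or $setting.approvalStages.Count -eq 0) {
    # Default policies ship with one stage; create one only if it is missing.
    $setting.approvalStages = @([pscustomobject]@{
        approvalStageTimeOutInDays      = 1
        isApproverJustificationRequired = $true
        escalationTimeInMinutes         = 0
        primaryApprovers                = @()
        isEscalationEnabled             = $false
        escalationApprovers             = @()
    })
}
$stage = $setting.approvalStages[0]
$currentApprovers = @($stage.primaryApprovers | Where-Object { $_ })
if (-not ($currentApprovers | Where-Object { $_.id -eq $ApproverGroupObjectId })) {
    $currentApprovers += [pscustomobject]@{
        id          = $ApproverGroupObjectId
        description = $ApproverGroupName
        isBackup    = $false
        userType    = 'Group'
    }
}
$stage | Add-Member -NotePropertyName primaryApprovers -NotePropertyValue $currentApprovers -Force

$patchBody = @{ properties = @{ rules = @($eligibilityRule, $activationRule, $approvalRule) } }

if (-not $Apply) {
    Write-Output "Dry run. PATCH body that would be sent to $policyId :"
    $patchBody | ConvertTo-Json -Depth 20
    return
}

# 3. PATCH only the changed rules; PIM merges them into the existing policy.
$updated = Invoke-ArmJson -Method PATCH -Path "${policyId}?api-version=$apiVersion" -Body $patchBody
$updated.properties.rules |
    Where-Object { $_.id -in 'Expiration_Admin_Eligibility', 'Expiration_EndUser_Assignment', 'Approval_EndUser_Assignment' } |
    Select-Object id, isExpirationRequired, maximumDuration,
        @{ n = 'approvers'; e = { $_.setting.approvalStages.primaryApprovers.description -join ',' } }
```

The rule ids (`Expiration_Admin_Eligibility`, `Expiration_EndUser_Assignment`, `Approval_EndUser_Assignment`) are the fixed names of the entries in a role management policy's `rules` array, and each corresponds to one control on the portal's role settings page. Because the script reads the policy first and patches back only those three rules, the remaining settings (notifications, MFA on activation, justification requirements) stay as they were; run the dry run and diff its output against the portal before using `-Apply`.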
Conclusion
In conclusion, Azure's Privileged Identity Management (PIM) is a crucial tool in managing and securing access to your organization's resources. Its just-in-time privileged access provides a robust security measure against potential breaches. Although some of its features are not yet fully supported through tools like Terraform, scripting with PowerShell can manage these settings effectively. As organizations continue to rely heavily on cloud resources, understanding and effectively using services like PIM will be pivotal in maintaining secure and efficient systems.