
Privileged Identity Management for Groups in Azure

Introduction

In my blog post https://fredrkl.com/blog/privileged-identity-management-for-azure-resources/, I looked at Privileged Identity Management (PIM) in Azure, specifically for Azure resources. This gives users time-limited access to certain Azure roles on specific resources, e.g., a storage account. However, there are scenarios where we instead want to control user access through Entra ID group membership, e.g., when using Kubernetes (K8s) native RBAC. PIM for Groups (https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/concept-pim-for-groups) is a relatively new feature that enables exactly that. This blog post examines how to use it and how to configure its policies using PowerShell.

Overview

PIM for Groups allows you to grant users just-in-time group ownership or membership. In K8s, we typically bind Entra ID groups to particular cluster roles through RBAC (https://kubernetes.io/docs/reference/access-authn-authz/rbac/), using the group's object ID as the RoleBinding subject. Without PIM for Groups, every member of such a group holds that access all the time, which is usually more standing privilege than the team needs. Note that the groups claim is evaluated when the token is issued, so an activated membership takes effect in the cluster only once the user obtains a fresh token, and likewise lingers in an already issued token until it is renewed after the activation expires.

As with PIM for Azure Resources, you need a Microsoft Entra ID P2 (formerly Azure AD Premium P2) or Microsoft Entra ID Governance license. The group itself must be a security or Microsoft 365 group managed in Entra ID; dynamic groups and groups synchronized from on-premises AD cannot be managed with PIM for Groups.

One difference from PIM for Azure Resources is that instead of creating a temporary connection between a user, a role, and a resource, we create a connection between a principal (a user or, as in the demo below, another group) and a group's membership or ownership.

We access PIM for Groups in the Azure portal the same way as PIM for Azure Resources, under Privileged Identity Management > Groups:

Demo setup

I have created a demo setup and repo at https://github.com/fredrkl/entra-pim-group-demo. The demo showcases the following setup:

```mermaid
graph TD
  %% Entities
  prod[team-abc-pim]
  team-demo[team-abc]
  aks-prod-owners[team-abc-owners]
  %% Relations
  team-demo --Eligible member--> prod
  aks-prod-owners --Approve member\nrequests--> prod
```

Here, team-abc, team-abc-owners, and team-abc-pim are all Microsoft Entra ID groups, where team-abc-pim is the group managed by PIM for Groups.

Clicking team-abc-pim in the previous screenshot presents:

We can activate team-abc-pim group membership since we are team-abc group members and that group is Eligible for team-abc-pim membership. Looking at the Roles shows us:

Furthermore, after clicking the Member row and then Eligible assignments:

Note that when a member of team-abc activates team-abc-pim membership, the activation applies only to that user; the rest of the team-abc members do not get the membership. It is possible to give individual users eligible access instead of groups. However, in my current project, we avoid giving individual users access and only use groups. Members are placed in those groups using access packages, which is outside the scope of this blog post.

Managing PIM for Groups

Ideally, we would like to use Terraform to control PIM for Groups. However, the azuread provider does not support it at the time of writing. You can track the progress at https://github.com/hashicorp/terraform-provider-azuread/issues/1257.

The demo repo mainly consists of two PowerShell scripts:

  • pim-group-rules.ps1
  • assignEligibleGroup.ps1

PIM Group Rules

If we go into the team-abc-pim Entra ID Group, click settings, and then choose Member, we see:

This screen is not supported by Terraform. Unlike PIM for Azure Resources, whose policies live in the Azure Resource Manager API, PIM for Groups policies are managed through the Microsoft Graph role management policy API (roleManagementPolicyAssignments and roleManagementPolicies under /policies). We first get the policy assignment scoped to this group's membership using:

Once we have it, we update it with new rules using:

Please see the pim-group-rules.ps1 Powershell source code for more information.

The script sets who should approve PIM group membership activation requests and, by removing the expiry requirement on eligible assignments, lets us make groups permanently eligible for group membership. In Graph terms these are the policy's Approval_EndUser_Assignment and Expiration_Admin_Eligibility rules; without the second change, a request with no expiration is rejected.
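As an added example (not the repo's pim-group-rules.ps1), the following PowerShell performs both policy updates with the Microsoft Graph PowerShell SDK. The group and approver IDs are placeholder parameters; the policy filter, rule IDs and request bodies follow the documented Graph role management policy API, and the final read-back lets you confirm what the portal will show under Settings > Member.

```powershell
# Added example, not the demo repo's script. Requires the Microsoft.Graph module
# (Install-Module Microsoft.Graph) and a caller allowed to manage the group's policy.
# $PimGroupId (team-abc-pim) and $ApproverGroupId (team-abc-owners) are placeholders.
param(
    [Parameter(Mandatory)] [string] $PimGroupId,
    [Parameter(Mandatory)] [string] $ApproverGroupId
)

$graph = 'https://graph.microsoft.com/v1.0'
Connect-MgGraph -Scopes 'RoleManagementPolicy.ReadWrite.AzureADGroup' -NoWelcome

# 1. Find the policy assigned to this group's *member* access ('owner' for ownership).
$filter = "scopeId eq '$PimGroupId' and scopeType eq 'Group' and roleDefinitionId eq 'member'"
$assignments = (Invoke-MgGraphRequest -Method GET -OutputType PSObject `
    -Uri "$graph/policies/roleManagementPolicyAssignments?`$filter=$filter").value
if (-not $assignments) { throw "No member policy found for group $PimGroupId" }
$policyId = $assignments[0].policyId

# 2. Require approval from team-abc-owners for every activation (end-user) request.
$approvalRule = @{
    '@odata.type' = '#microsoft.graph.unifiedRoleManagementPolicyApprovalRule'
    id            = 'Approval_EndUser_Assignment'
    target        = @{ caller = 'EndUser'; operations = @('all'); level = 'Assignment' }
    setting       = @{
        isApprovalRequired               = $true
        isApprovalRequiredForExtension   = $false
        isRequestorJustificationRequired = $true
        approvalMode                     = 'SingleStage'
        approvalStages                   = @(@{
            approvalStageTimeOutInDays      = 1
            isApproverJustificationRequired = $true
            escalationTimeInMinutes         = 0
            isEscalationEnabled             = $false
            escalationApprovers             = @()
            primaryApprovers                = @(@{
                '@odata.type' = '#microsoft.graph.groupMembers'
                groupId       = $ApproverGroupId
                description   = 'team-abc-owners'
            })
        })
    }
}
Invoke-MgGraphRequest -Method PATCH -ContentType 'application/json' `
    -Uri "$graph/policies/roleManagementPolicies/$policyId/rules/Approval_EndUser_Assignment" `
    -Body ($approvalRule | ConvertTo-Json -Depth 10)

# 3. Allow eligible assignments without an expiry, so a group can be permanently eligible.
$eligibilityRule = @{
    '@odata.type'        = '#microsoft.graph.unifiedRoleManagementPolicyExpirationRule'
    id                   = 'Expiration_Admin_Eligibility'
    target               = @{ caller = 'Admin'; operations = @('all'); level = 'Eligibility' }
    isExpirationRequired = $false
    maximumDuration      = 'P365D'   # upper bound when an expiry *is* chosen
}
Invoke-MgGraphRequest -Method PATCH -ContentType 'application/json' `
    -Uri "$graph/policies/roleManagementPolicies/$policyId/rules/Expiration_Admin_Eligibility" `
    -Body ($eligibilityRule | ConvertTo-Json -Depth 10)

# 4. Read the effective rules back to verify the change (what the portal settings page shows).
(Invoke-MgGraphRequest -Method GET -OutputType PSObject `
    -Uri "$graph/policies/roleManagementPolicies/$policyId/rules").value |
    Select-Object id, '@odata.type'
```

The same policy object also carries the activation rules (for example Expiration_EndUser_Assignment for the maximum activation duration and Enablement_EndUser_Assignment for MFA or justification), which can be patched the same way.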

PIM Eligible Assignment

Now we can run the assignEligibleGroup.ps1 script, which makes the team-abc Entra ID group eligible, without expiry, for team-abc-pim membership.
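As an added example (not the repo's assignEligibleGroup.ps1), this PowerShell creates the eligibility schedule request through the Microsoft Graph privilegedAccess/group API and then lists the group's eligibility schedules to confirm the assignment exists. The group IDs are placeholder parameters.

```powershell
# Added example, not the demo repo's script. $PimGroupId is team-abc-pim and
# $EligibleGroupId is team-abc; both are placeholders supplied by the caller.
param(
    [Parameter(Mandatory)] [string] $PimGroupId,
    [Parameter(Mandatory)] [string] $EligibleGroupId
)

$graph = 'https://graph.microsoft.com/v1.0/identityGovernance/privilegedAccess/group'
Connect-MgGraph -Scopes 'PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup' -NoWelcome

# An admin-initiated eligible assignment with no expiration. This only succeeds when the
# group's Expiration_Admin_Eligibility rule allows permanent eligibility.
$request = @{
    accessId      = 'member'      # 'owner' would grant just-in-time ownership instead
    principalId   = $EligibleGroupId
    groupId       = $PimGroupId
    action        = 'adminAssign'
    justification = 'team-abc is eligible for team-abc-pim membership'
    scheduleInfo  = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString('o')
        expiration    = @{ type = 'noExpiration' }
    }
}
$result = Invoke-MgGraphRequest -Method POST -OutputType PSObject -ContentType 'application/json' `
    -Uri "$graph/eligibilityScheduleRequests" -Body ($request | ConvertTo-Json -Depth 5)
"Request $($result.id): $($result.status)"

# Verify: the eligibility schedule for team-abc should now appear on team-abc-pim.
$schedules = (Invoke-MgGraphRequest -Method GET -OutputType PSObject `
    -Uri "$graph/eligibilitySchedules?`$filter=groupId eq '$PimGroupId'").value
$schedules | Where-Object { $_.principalId -eq $EligibleGroupId } |
    Select-Object principalId, accessId, memberType,
        @{ n = 'expiration'; e = { $_.scheduleInfo.expiration.type } }
```

Running the script twice is harmless: a second adminAssign for the same principal and accessId updates the existing schedule rather than creating a duplicate. To revoke eligibility, post the same body with action set to adminRemove.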

The team-abc members will then see the following in Azure PIM:

Conclusion

PIM for Groups extends just-in-time access from Azure resource roles to Entra ID group membership and ownership, so group-based authorization such as Kubernetes RBAC can follow the same least-privilege model: users are eligible by default and activate membership only when they need it, with approval from the group's owners.

It requires a Microsoft Entra ID P2 or Microsoft Entra ID Governance license. Where PIM for Azure Resources creates a temporary binding between a user, a role, and a resource, PIM for Groups creates a temporary binding between a principal and a group's membership or ownership.

The azuread Terraform provider does not support it yet, so the demo repo configures everything with two PowerShell scripts against the Microsoft Graph API: pim-group-rules.ps1 sets the approvers for activation requests and allows eligible assignments without an expiry, and assignEligibleGroup.ps1 makes the team-abc group permanently eligible for team-abc-pim membership.

Published in: architecture, azure, security
