Azure Privileged Identity Management (PIM) provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources that you care about with the following license required
- Azure AD Premium P2
- Enterprise Mobility + Security (EMS) E5
- Microsoft 365 Education A5
- Microsoft 365 Enterprise E5
Activate Azure Privileged Identity Management
Privileged Identity Management is activated automatically when a user who is active in a privileged role in an Azure AD organization with a Premium P2 license goes to Roles and administrators in Azure AD and selects a role (or even just visits Privileged Identity Management)
Discovery and insights (preview)
This feature shows you who is assigned to privileged roles in your organization and how to use PIM to quickly change permanent role assignments into just-in-time assignments.
List who has privileged roles in your organization and remove those who no longer need the roles by clicking on Reduce Global Administrators & Eliminate Standing Access
Refer to Discovery and Insights (preview) for Azure AD roles (formerly Security Wizard) for more detail
To reduce the risk associated with stale role assignments, you should regularly review access. You can use Azure AD Privileged Identity Management (PIM) to create access reviews for privileged Azure AD roles
Click New to create a new Access Review
To review who is assigned with Global Administrator role with Access Review created to be executed on every month
Select the Reviewers
Email will be delivered to the Reviewers. Click on Start Review to login to Azure PIM
Review the Recommended Action to decide whether approve or deny the users to holding the role
Refer to Create an access review of Azure AD roles in Privileged Identity Management for more detail
Privileged Identity Management (PIM) generates alerts when there is suspicious or unsafe activity in your Azure Active Directory (Azure AD) organization. When an alert is triggered, it shows up on the Privileged Identity Management dashboard. Select the alert to see a report that lists the users or roles that triggered the alert and resolve it
Fix the alert by following the recommendation action provided
Refer to Configure security alerts for Azure AD roles in Privileged Identity Management for more detail
Assign Azure AD roles
Install AzureAD Preview Module
Note that you cannot install both the preview version and the GA version on the same computer at the same time.
Connect to AzureAD
#Connect to AzureAD Import-Module AzureADPreview $Password = "xxxxxxxxxxxxxxxxxxxxx" | ConvertTo-SecureString -AsPlainText -Force $UserName = "[email protected]" $credential = New-Object System.Management.Automation.PsCredential($UserName,$Password) Connect-AzureAD -Credential $Credential
List All AzureAD Role Defination Name with ID
$TenantID = (Get-AzureADTenantDetail).objectID Get-AzureADMSPrivilegedRoleDefinition -ProviderId aadRoles -ResourceId $TenantID | Select DisplayName | Sort-Object DisplayName User Account Administrator fe930be7-5e62-47db-91af-98c3a49a38b1
Assign User Account Administrator Role to a user called [email protected]
-Type ‘adminAdd’ – Eligible assignments require the member of the role to perform an action to use the role. Actions might include performing a multi-factor authentication (MFA) check, providing a business justification, or requesting approval from designated approvers.
-Type ‘UserAdd’ – Active assignments don’t require the member to perform any action to use the role. Members assigned as active have the privileges assigned to the role at all times.
#Define Schedule $schedule = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedSchedule $schedule.Type = "Once" $schedule.StartDateTime = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ") #Valid for 2 Days #If the value of endDateTime is set to null, it indicates a permanent assignment. $schedule.endDateTime = ($schedule.StartDateTime).AddDays(2) #Define Username $UserName = "[email protected]" $User_ObjectID = (Get-AzureADUser -ObjectId $UserName).objectId #Define Role ID $RoleName = "User Account Administrator" $RoleID = Get-AzureADMSPrivilegedRoleDefinition -ProviderId aadRoles -ResourceId $TenantID | ? DisplayName -eq $RoleName #Assign Role to User Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId 'aadRoles' -ResourceId $TenantID -RoleDefinitionId $RoleID.Id ` -SubjectId $User_ObjectID -Type 'adminAdd' -AssignmentState 'Eligible' -schedule $schedule -reason "Assign Role with PowerShell"
List Role Assignment for particular Role or User
#List Role Assignment for Particular Role Name $RoleName = "User Account Administrator" $RoleID = Get-AzureADMSPrivilegedRoleDefinition -ProviderId aadRoles -ResourceId $TenantID | ? DisplayName -eq $RoleName Get-AzureADMSPrivilegedRoleAssignment -ProviderId "aadRoles" -ResourceId $TenantID | ? RoleDefinitionId -eq $RoleID.ID #List Role Assignment for Particular User $UserName = "[email protected]" $User_ObjectID = (Get-AzureADUser -ObjectId $UserName).objectId $SubjectID = "subjectId eq '$User_ObjectID'" Get-AzureADMSPrivilegedRoleAssignment -ProviderId "aadRoles" -ResourceId $TenantID -Filter $SubjectID
User will need to Activate the role assigned when he receives the following email
Click Activate and provide the credential to login when prompted
User should be able to manage user in M365 Admin Center now