Privileged Access Management in Azure AD and Microsoft 365
Privileged Access Management (PAM) protects resources and user accounts in Microsoft Azure Active Directory (AD) and thus also in Microsoft 365. Used consistently, the technology can largely prevent attacks that rely on taking over privileged user accounts.
The management of user accounts in Azure AD obviously plays a key role, especially with regard to the protection of privileged accounts. These are user accounts that have more rights in the environment than normal user accounts. It is therefore mainly about admin accounts or accounts of users with far-reaching privileges.
Privileged Access Management protects cloud services such as Azure AD
The protection of user accounts with privileged access is a crucial factor for more security in the use of cloud services. It also increases the security of the various resources in Microsoft 365 and other cloud services. In every environment there are users who have access to a particularly large number of resources or to complete systems and applications.
The question is whether the respective user accounts need these rights permanently or only for certain tasks and at special times. In most cases, extensive permissions are rarely needed permanently. Hence, it makes sense to allow the extended rights for these user accounts only when they are needed.
Protecting admin accounts is the task of Privileged Identity Management in Azure AD. This service protects accounts in Microsoft Azure, Microsoft 365, and also in services such as Microsoft Endpoint Manager. If attackers have taken over accounts in infrastructures with these services, they can usually perform far-reaching, malicious actions. Privileged Access Management also protects cloud services such as Exchange Online, SharePoint Online, and all other services and resources that organizations use in Microsoft Azure and Microsoft 365.
Manage Privileged Access Management in Azure AD
Azure AD is managed in the Microsoft Azure Portal. This can be accessed via the URL https://portal.azure.com. Searching for “Azure AD Privileged Identity Management” in the portal opens the management interface for the service, which can be used to control access in Microsoft Azure and Microsoft 365 as well as Microsoft Endpoint Manager.
On the administration page of the service, “Azure AD Roles” shows the different roles and the possibility to protect these roles. By clicking on “Roles” you can see the individual roles that have rights to perform administrative tasks in the environment.
Taking Exchange Online as an example, the relevant role is “Exchange Administrator”. Users with this role can manage almost all settings in Exchange Online. By clicking on the role, the Azure portal displays the various administration options for this role.
To add user accounts to a role in Azure AD and thus also in Microsoft 365 and Endpoint Manager, it is sufficient to click on “Add assignments” in “Roles”. Afterwards, the desired role can be selected under “Select role”. In “Select members” you can then add the user accounts to the role that are to manage Exchange Online or other resources in the future, but are protected by PIM.
Privileged Access Management in Azure AD
Control access times and scenarios
Once the role has been selected and the members have been added, the next step is to determine what the access type for the role should be. In addition to the permission for administrative access, it is also possible at this point to control the times at which user accounts should be given administrative permissions in the first place. In the role settings, new members can be added and members can be removed at any time. When members are added, they automatically receive an e-mail containing information about the role.
After opening the role, the members can be seen, and further adjustments can be made via “Settings”. In the upper area of the details, the customization can be started via “Edit”. At this point, for example, it is also possible to define the user account that approves administrative access for the users of the role.
In the settings for role administration, you are able to specify how long access should be allowed. In addition, it is also possible to specify that multifactor authentication is always required before the rights of the role can be used. This setting should be enabled for all privileged user accounts in Azure AD and Microsoft 365.
The buttons in the lower area can then be used to make further settings, for example, whether a user receives permanent rights or when rights should expire. In the settings, it is also possible to send emails when a user requests and receives the role.
Privileged Access Management in Azure AD: Roles for Administrators
In the Azure AD portal, admins and other privileged users see the roles for which they are eligible. As soon as access to additional roles and rights is requested, the approving user receives an email from which they can approve the request. The approval can also be done directly in the Azure portal when managing the Azure AD roles. Once access is approved, the requesting admin receives an email that their request has been granted. All of these steps are also recorded and can be traced in the monitoring in Microsoft Azure.
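The portal steps described above (add a member as eligible rather than permanent, limit the assignment duration, and later request a time-limited activation that may require approval and MFA), as an added example using the Microsoft Graph PowerShell SDK instead of the portal. This is not code from the original article; the tenant, the user principal name, the durations, the justification texts and the ticket reference are assumed placeholders.

```powershell
# Added example, not from the original article. Requires the Microsoft.Graph modules.
# Placeholders: admin.user@contoso.com, the durations and the justification texts.
Import-Module Microsoft.Graph.Identity.Governance
Import-Module Microsoft.Graph.Users

# 1) Sign in with the permissions needed to manage PIM eligibility and activations.
Connect-MgGraph -Scopes "RoleEligibilitySchedule.ReadWrite.Directory",
                        "RoleAssignmentSchedule.ReadWrite.Directory",
                        "RoleManagement.Read.Directory",
                        "User.Read.All"

# 2) Resolve role and member (the portal's "Select role" / "Select members" step).
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Exchange Administrator'"
$user = Get-MgUser -UserId "admin.user@contoso.com"   # placeholder UPN

# 3) Make the user *eligible* for 90 days instead of permanently active. Eligible means
#    the rights only exist after an explicit, time-limited activation (step 4).
$eligibility = New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest `
    -Action "adminAssign" `
    -PrincipalId $user.Id `
    -RoleDefinitionId $role.Id `
    -DirectoryScopeId "/" `
    -Justification "Exchange Online administration, reviewed quarterly" `
    -ScheduleInfo @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = "afterDuration"; duration = "P90D" }
    }
"Eligibility request status: $($eligibility.Status)"

# 4) What the eligible admin later runs from their *own* session to obtain the rights:
#    a self-activation limited to 4 hours. If the role settings require approval or MFA
#    ("Settings" > "Edit"), the request stays pending until those conditions are met.
$activation = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest `
    -Action "selfActivate" `
    -PrincipalId $user.Id `
    -RoleDefinitionId $role.Id `
    -DirectoryScopeId "/" `
    -Justification "Ticket INC-0000 (placeholder): mailbox migration" `
    -ScheduleInfo @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = "afterDuration"; duration = "PT4H" }
    }
"Activation request status: $($activation.Status)"

# 5) Check a defender wants to run regularly: who holds this role actively right now,
#    and do all active assignments carry an end time? Permanent assignments that bypass
#    PIM show up here with AssignmentType "Assigned" and no EndDateTime.
Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance `
    -Filter "roleDefinitionId eq '$($role.Id)'" |
    Select-Object PrincipalId, AssignmentType, StartDateTime, EndDateTime
```

Step 3 runs in an administrator's session, whereas step 4 must be executed by the eligible user themselves; the two are shown together only to illustrate the full flow.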
Privileged Access Management in Azure Active Directory and Microsoft 365 – Conclusion & Outlook
Privileged Access Management in Azure Active Directory is an important foundation for securely using cloud-based services such as Exchange Online, SharePoint Online and also all other services and resources in Microsoft 365.
Privileged accounts with increased rights exist in every environment. There are multiple types of privileged accounts: they can be “local” to your enterprise and/or used to access cloud services. They differ from standard accounts in that they have elevated privileges, such as the ability to change settings for large user groups.
As more and more companies move to providing their IT services in a hybrid model – a mix of on-premises and cloud-based – coupling PAM in the enterprise with PAM in the cloud is crucial for high IT security.
This is where we support you with our Privileged Access Management Services.
Our Privileged Access Management Services:
Our profound know-how forms the basis of our comprehensive portfolio of Consulting Services.