Just in time, approval and notification for admin roles in Microsoft 365
Up until now, we've worked with permanent admin role assignments: the user account is an admin until it is removed from the admin role. But there's another option: just-in-time privileged access, which Microsoft calls Privileged Identity Management (PIM). With PIM, users only hold admin roles for a limited time, and before they activate a role they can be required to get approval.
Licenses required
First things first. What licenses are required to use privileged identity management? You'll need an Azure AD Premium P2 license. It's also included in the Enterprise Mobility + Security (EMS) E5 license.
Assign a role
Now let's assign a role using PIM. By default, the role can only be active for 8 hours. So let's give a user a permanent role assignment.
1. Go to Azure Active Directory admin center > All services > Azure AD Privileged Identity Management.
2. Click Azure AD roles > Assignments > Add assignments.
3. Under Select role select Global Administrator. Click No member selected. Select the user you want to add. Click Select. Click Next.
4. Click Assign.
How to activate a role assignment
Once you assign a user an eligible role the user will receive the following email:
1. Click View or activate role.
2. Click Activate.
3. If additional verification is required, click Continue and finish the authentication.
4. Set a reason. Click Activate.
Review role assignments
As an admin, you may need to review who's assigned what roles. Let's take a look.
1. Go to Azure Active Directory admin center > All services > Azure AD Privileged Identity Management.
2. Click Azure AD roles > Assignments.
Under Eligible assignments, you'll see the user you added. These users have a role assigned through PIM that needs to be activated before it takes effect.
Click Active assignments. These users currently hold roles. If you look under State you'll see two different states: "Assigned" and "Active". Assigned users have the role assigned to them permanently; they'll always have admin rights. Activated roles show users that are eligible for the role and have activated it.
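The same review can be scripted. As an added example that is not part of the original post, the following uses the Microsoft Graph PowerShell SDK (assumed installed; the role name and the permission scope are assumptions) to list eligible assignments and to separate standing ("Assigned") from just-in-time ("Activated") active assignments for one role, so that standing admins can be found and moved to eligible-only:

```powershell
# Added example (not from the original post). Assumes the Microsoft.Graph module
# is installed and the signed-in account may read PIM schedules.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory"

$roleName = "Global Administrator"   # assumed; use "Application Administrator" etc.
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"

# Eligible assignments: the user must activate the role before it takes effect.
$eligible = Get-MgRoleManagementDirectoryRoleEligibilitySchedule `
    -Filter "roleDefinitionId eq '$($role.Id)'" -ExpandProperty principal

# Active assignments: AssignmentType "Assigned" = standing, "Activated" = JIT via PIM.
$active = Get-MgRoleManagementDirectoryRoleAssignmentSchedule `
    -Filter "roleDefinitionId eq '$($role.Id)'" -ExpandProperty principal

function Format-Expiry($schedule) {
    # Permanent schedules have no expiration; activations carry an end time.
    $exp = $schedule.ScheduleInfo.Expiration
    if ($exp.Type -eq "noExpiration") { "permanent" } else { "until $($exp.EndDateTime)" }
}

"== Eligible for $roleName =="
foreach ($s in $eligible) {
    "{0,-40} {1}" -f $s.Principal.AdditionalProperties['displayName'], (Format-Expiry $s)
}

"== Active for $roleName =="
$standing = 0
foreach ($s in $active) {
    $kind = if ($s.AssignmentType -eq "Assigned") { $standing++; "STANDING" } else { "JIT" }
    "{0,-40} {1,-9} {2}" -f $s.Principal.AdditionalProperties['displayName'], $kind, (Format-Expiry $s)
}
# Standing admins are the accounts to convert to eligible assignments once the
# role setting "Allow permanent active assignment" is turned off.
"Standing (non-PIM) holders of ${roleName}: $standing"
```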
Update Settings
So now we've configured a user and we know how they can activate the admin role. But we've got a problem. The activation should only be 1 hour and another admin needs to approve the activation before the role is activated. Next, we'll disable the permanent assignment of the role. Finally, we'll make sure an admin is notified when the PIM role is activated.
1. Go to Azure Active Directory admin center > All services > Azure AD Privileged Identity Management.
2. Click Azure AD roles > Assignments > Settings.
3. Click Application Administrator > Edit.
4. Set the Activation maximum duration (hours) to 1. Click Require approval to activate. Click No approver selected. Select the admin to approve. Click Select. Click Next: Assignment.
5. Uncheck Allow permanent active assignment. Click Next: Notification.
6. Set an email address in the Role activation alert additional recipients. Click Update.
Who can approve the admin role assignment?
Only global administrators and privileged role administrators can approve admin role assignments. Let's try it now. Walk through the "Assign a role" steps above, but this time grant someone the Application Administrator role. Then log in as the user you made eligible for the role and activate it following the "How to activate a role assignment" steps above.
How to approve activation of a role
1. Once a user requests a role, the approver will receive an email with the subject "PIM: Review User's request to activate the Application Administrator role". In that email, click Approve or deny request.
2. Review the request then click the checkbox next to the role. Click Approve.
3. Give a justification and click Confirm.