SC-300 Microsoft Identity and Access Administrator – Privileged Access

  1. Introduction to Privileged Identity Management

So in this section of the course, we're going to be talking about privileged access. Now, privileged access inside of Azure is handled by a feature called Privileged Identity Management, abbreviated as PIM. Privileged Identity Management gives you what is called just-in-time privileged access to resources. So if somebody needs to do something in an administrative capacity within Azure AD, you can allow them to do it only for a limited period of time. The concept is that nobody holds administrative access 24 hours a day, seven days a week; they elevate into the privileged role only for the limited time they need it. If you're familiar with the Linux operating system at all, there is the concept of sudo, or basically not using the root user as your everyday account.

You work as a limited user, and you only jump into root privileges for the short period when you need them. Now, it's more than just time-bound access. It's the concept of requesting access and justifying access; there are notifications and auditing involved. And again, we talked about access reviews in the last video, so you can use access reviews to ensure that people who have privileged access continue to require it. Now, to get to Privileged Identity Management we're in the Azure Active Directory tenant, on a Premium P2 trial right now (PIM requires Azure AD Premium P2). Off the overview screen you can scroll down and you'll see Privileged Identity Management as one of the links. If we click on that, we're taken into its own service portal, where we're able to manage the lifecycle of role assignments.

Now, we did talk about Entitlement Management a couple of sections ago, where people can request access to things, get approved, and then have that access for a limited time. What we're talking about here is a very similar concept, but for administrative and heightened privileges for users and groups. So when deciding to implement Privileged Identity Management within your organization, it's probably a smart idea that, for one, you plan this in advance. You don't just turn it on without telling anyone and without any preplanning. Two, you may want to run a pilot project where you enroll a couple of users in Privileged Identity Management and get their feedback. And three, communication is really going to be the key to a successful rollout.

You can't do things without properly educating people and communicating what's going on. Now, once you activate Privileged Identity Management, some things within your tenant change a little. For example, if we go into Manage access, we're looking at the roles and the users assigned to each role, but now we have this concept of active and eligible. There are users who currently have active access to a particular role, and there are users who are eligible for that role but have to request activation, and that activation is generally only valid for a limited time. So let's look at an example of this.

Let's say we have our Helpdesk Administrator role; go into there. Now, under Active assignments, currently I have both a test user and a teacher assigned to Helpdesk Administrator. We did this in a previous video, and we can see that they are active, they are assigned, and it's a permanent assignment. So there's no temporary element to this; this isn't a just-in-time assignment. These are two people who have permanent access to the Helpdesk Administrator role. So what if we wanted to add a third individual to this role, but using the new Privileged Identity Management model to limit their access? I went into Add assignments and I'm going to select a new member. I created this Helpdesk member as an example.

So we're going to add the Helpdesk user to the Helpdesk Administrator role. Now on the Settings tab we have those two assignment types. One is eligible: as I said, these people have to request activation, but they've been marked as eligible to do so. The other is active, and you'll see a Permanently assigned checkbox, which is pre-checked. I could uncheck it and say, okay, this person has the Helpdesk Administrator role for one month. So we give them one month of access to this role, and Azure AD takes care of removing it when that time comes. Again, it's all very limited access.

So the justification might be helping out with support tickets temporarily, whatever it is, and we can make this person either active now or eligible. Actually, I'm going to change this to eligible. So I've now assigned this Helpdesk member as eligible to request this role; they're not currently active, there's a window during which they can activate it, and after that window closes they can't request it anymore. I can also extend that window if we need their help beyond a certain date. So it's a pretty cool feature overall in terms of just-in-time access and requesting access, rather than walking around all the time with the maximum permissions you could possibly need.
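The same eligible assignment, plus the activation the eligible user later performs, done from Microsoft Graph PowerShell instead of the portal. This is an added example, not code from the course; it assumes the Microsoft Graph PowerShell SDK, an Azure AD Premium P2 tenant, and a hypothetical user helpdesk.member@contoso.example. The ticket number in the activation justification is made up.

```powershell
# Added example (not from the course): PIM-eligible Azure AD role assignment via
# Microsoft Graph PowerShell, then just-in-time activation by the eligible user.
# Assumes: Microsoft.Graph SDK installed, P2 tenant, hypothetical UPN below.

# --- Part 1: run as an administrator: make the helpdesk user *eligible* for 30 days ---
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "User.Read.All"

$roleName = "Helpdesk Administrator"
$upn      = "helpdesk.member@contoso.example"   # hypothetical, the "Helpdesk member" from the lecture

$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
$user = Get-MgUser -Filter "userPrincipalName eq '$upn'"

$eligibilityRequest = @{
    Action           = "adminAssign"
    Justification    = "Temporary helpdesk cover for support tickets"
    RoleDefinitionId = $role.Id
    DirectoryScopeId = "/"                 # whole tenant; "/administrativeUnits/<id>" narrows the scope
    PrincipalId      = $user.Id
    ScheduleInfo     = @{
        StartDateTime = (Get-Date).ToUniversalTime()
        Expiration    = @{
            Type     = "afterDuration"
            Duration = "P30D"              # ISO 8601: eligibility ends after 30 days; PIM removes it itself
        }
    }
}
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $eligibilityRequest

# Check: who is *eligible* (not active) for this role, and until when
Get-MgRoleManagementDirectoryRoleEligibilitySchedule `
    -Filter "roleDefinitionId eq '$($role.Id)'" -ExpandProperty principal |
    Select-Object PrincipalId, MemberType,
        @{ n = 'EndDateTime'; e = { $_.ScheduleInfo.Expiration.EndDateTime } }

# --- Part 2: run as the eligible helpdesk user: activate the role for 4 hours ---
# The request fails if the caller is not eligible, and the role's PIM settings may
# additionally require MFA or an approver, in which case Status is "PendingApproval".
Connect-MgGraph -Scopes "RoleAssignmentSchedule.ReadWrite.Directory"
$me = Get-MgUser -UserId (Get-MgContext).Account

$activationRequest = @{
    Action           = "selfActivate"
    Justification    = "Ticket INC-0000: password reset for a locked-out user"   # constructed ticket id
    RoleDefinitionId = $role.Id
    DirectoryScopeId = "/"
    PrincipalId      = $me.Id
    ScheduleInfo     = @{
        StartDateTime = (Get-Date).ToUniversalTime()
        Expiration    = @{ Type = "afterDuration"; Duration = "PT4H" }   # must not exceed the role's max
    }
}
$result = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $activationRequest
$result.Status     # "Provisioned" means the role is live on the next token; it expires on its own
```

The two parts deliberately run as different principals: the administrator only ever grants eligibility, and the elevated permissions do not exist on any token until the helpdesk user activates with a justification, which is exactly the audit trail PIM is for.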

  2. Assigning Roles with PIM

Now, besides the Azure Active Directory administrative roles, we also have the same ability to give privileged access for limited periods of time to actual Azure resources. We've seen previously in this course that I can go to a resource group and assign a user a role on that resource group or on an individual resource. We have this ability within PIM as well. Now, unfortunately, I'm using an account here that does not have a subscription, so if I click Discover resources, I don't find any. So I'm going to switch to a directory I have that has resources: a quick Switch directory, then back into Azure Active Directory, into Privileged Identity Management, into Azure resources. And as you can see here, even for this directory that has resources, I have to use Discover resources first.

And here it has found two subscriptions that I have access to. So I can choose one of those subscriptions and click Manage resource. Basically, what it's going to do is onboard this subscription into PIM, switching role management for it from the old model to the new PIM model. This is very interesting: the actual user interface changes, as we saw, to include a start date, an end date and the assignment type, whether it's an active assignment or an eligible one. So I'm authorizing PIM to manage assignments for this subscription. Let's say okay; live on the edge, right? Now it's basically moved the entire subscription under the PIM model. You can see the resources now showing up on the screen, I can see the subscriptions and the roles, and I can go into one and see the actual resource assignments in a very similar setup to the Azure AD role assignments.

And so now what I can do is grant users either eligibility or active access, for a short time or permanently, to those individual resources. So I'm going to click on the Roles screen here, and what we see are the non-Azure AD roles, for instance the ability to operate virtual machines. So if I click Virtual Machine Operator, I've got the same eligible, active and expired views, and I can say I want to add the Help Desk user. I don't have the Help Desk user in this directory, so let's say I add John Doe to this role for this subscription. And you can see here that in this particular case there is no option for permanent access; the maximum allowed duration is one year. Those limits come from the role's PIM settings, so they can differ per role and per tenant.

So I can grant Virtual Machine Operator to John Doe, making him eligible for the assignment for up to one year. If I want to make him active, then he can have up to six months of active assignment. So this is the Privileged Identity Management model for managing short-term assignments. Now, I can still go back to the traditional way of just permanently assigning roles outside of PIM. For instance, I'll cancel out of this and go into one of the resource groups, then Access control (IAM), Add role assignment. Remember we had the Virtual Machine Operator role? I scroll down to it, add John Doe to that role, click Review + assign, and John Doe is permanently assigned.

So the traditional way of assigning still exists. But if you go through the Privileged Identity Management model, the role is a short-term thing, in line with the principle of least privilege: ensuring users only have access to what they need, and requiring justification for continued access, in the same vein as Access Reviews and Entitlement Management. So we are just continuing that theme through Privileged Identity Management.
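The contrast the last few paragraphs draw, a permanent role assignment on a resource group next to a PIM-eligible one on the same scope, as an added example in Az PowerShell (not code from the course). It assumes Az.Resources 6.x or later, a caller who is Owner or User Access Administrator on the subscription, and placeholder subscription, resource group and user values. The lecture uses a "Virtual Machine Operator" role, which is not a built-in name; the example uses the built-in "Virtual Machine Contributor" because that one is known to exist.

```powershell
# Added example (not from the course): traditional permanent RBAC assignment vs.
# a PIM-eligible assignment on the same resource group, then self-activation.
# Assumes: Az.Resources >= 6.x; caller is Owner/UAA on the subscription;
# subscription id, resource group and UPN below are placeholders.
Connect-AzAccount
$subscriptionId = "00000000-0000-0000-0000-000000000000"        # placeholder
Set-AzContext -SubscriptionId $subscriptionId

$rgName   = "rg-demo"                                          # placeholder resource group
$userUpn  = "john.doe@contoso.example"                         # placeholder ("John Doe" in the lecture)
$roleName = "Virtual Machine Contributor"                      # built-in; lecture used a custom "Virtual Machine Operator"

$user    = Get-AzADUser -UserPrincipalName $userUpn
$role    = Get-AzRoleDefinition -Name $roleName
$rgScope = "/subscriptions/$subscriptionId/resourceGroups/$rgName"
$roleDefinitionId = "/subscriptions/$subscriptionId/providers/Microsoft.Authorization/roleDefinitions/$($role.Id)"

# 1) Traditional RBAC: permanent, no expiry, no justification. PIM lists this under
#    Azure resources > Assignments as an Active, "Permanent" assignment.
New-AzRoleAssignment -ObjectId $user.Id -RoleDefinitionName $roleName -ResourceGroupName $rgName

# 2) PIM: eligible for up to one year on the same scope. The permissions do not exist
#    until the user activates, and PIM removes the eligibility when it expires.
#    The request is rejected if P365D exceeds the role's configured maximum.
New-AzRoleEligibilityScheduleRequest `
    -Name ([guid]::NewGuid().Guid) `
    -Scope $rgScope `
    -PrincipalId $user.Id `
    -RoleDefinitionId $roleDefinitionId `
    -RequestType AdminAssign `
    -Justification "Temporary VM support cover" `
    -ScheduleInfoStartDateTime (Get-Date).ToUniversalTime() `
    -ExpirationType AfterDuration `
    -ExpirationDuration "P365D"

# Check both views side by side: the permanent assignment has no EndDateTime,
# the eligibility does.
Get-AzRoleAssignment -Scope $rgScope -ObjectId $user.Id |
    Select-Object DisplayName, RoleDefinitionName, Scope
Get-AzRoleEligibilitySchedule -Scope $rgScope |
    Where-Object PrincipalId -eq $user.Id |
    Select-Object PrincipalDisplayName, RoleDefinitionDisplayName, Status, EndDateTime

# 3) Run as John Doe: activate the eligible role for two hours with a justification.
#    If the role's PIM settings require approval, the request sits in PendingApproval.
Connect-AzAccount   # sign in as the eligible user
New-AzRoleAssignmentScheduleRequest `
    -Name ([guid]::NewGuid().Guid) `
    -Scope $rgScope `
    -PrincipalId $user.Id `
    -RoleDefinitionId $roleDefinitionId `
    -RequestType SelfActivate `
    -Justification "Ticket INC-0000: restart a hung VM" `   # constructed ticket id
    -ScheduleInfoStartDateTime (Get-Date).ToUniversalTime() `
    -ExpirationType AfterDuration `
    -ExpirationDuration "PT2H"
```

Step 1 is the "traditional" path the lecture warns still exists: it bypasses PIM entirely and leaves a standing privilege that only an access review will ever question. Step 2 and 3 are the PIM path, where the standing object is only the eligibility and every activation is logged with its justification.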

  3. Emergency Break Glass Accounts

So we've been talking a lot in this course about protecting the identity system, and of course that is super important. Your identity system is one of your largest attack surfaces. If an attacker gets hold of an administrative or otherwise powerful account, they can wreak havoc: read information they're not entitled to, delete resources, do some pretty nasty stuff. So we are really trying to focus on protecting identities and access to resources. But there's a danger in all of these protections, and so today we're going to talk about the concept of an emergency access account. What is that? Well, an emergency account is usually a single Azure AD administrator account that is only used in a real emergency.

So you may have accounts assigned to individuals: Bob, Jane, Julie and Scott get administrative accounts for their roles. But what would you do if every administrator in your company got locked out of logging in? The password stopped working, the MFA system wasn't working, something was blocked, and not one single person could log in. You'd be in a bit of trouble. Yes, you could open a ticket with Microsoft, but that would be quite an ordeal to get access to your tenant back, and you may need access sooner than that. All these things we've been talking about, Entitlement Management, Privileged Identity Management, Conditional Access, various access policies, can be misconfigured.

It's entirely possible to create a Conditional Access policy that blocks sign-in at low risk, and suddenly every user in your organization is no longer allowed to log in, including your administrators. So there are ways of locking everybody out by mistake. There's also the concept of requesting privileges: you don't actually hold them, you have to activate them. What if nobody is available who is eligible to approve those requests? That's another way it can go wrong. So this emergency account is very similar to a fire alarm or a fire extinguisher, where you only break the glass in a real emergency.

So for this emergency account, I'll give you some general guidelines for creating it. First, you don't want this account to depend on the same identity protections as everyone else. So don't enroll that account in the MFA everyone else uses, and make sure no policy forces it to enroll. (Microsoft's more recent guidance allows a phishing-resistant method such as a FIDO2 security key kept in a safe; the point is that the account must not rely on the MFA service or policy that might be the very thing that's broken.) You also want to make sure it's exempt from your Conditional Access policies, so you go through each policy and put this emergency account on the Exclude tab. Now, think about keeping this account safe. If you're going to have a single account with elevated privileges and reduced protections, you're going to want to lock it away.

So you're going to have a non-obvious user name and a long, complex password. It has to be kept in a secure spot known only to a few individuals. Microsoft's documentation even suggests that you split the password into two halves or three thirds, so one person knows half the password and another person knows the other half. You physically put it on a piece of paper, print it out, and lock it in a secure location in your office. This reminds me of the two-man rule in the military, where you need two keys to get access to a nuclear missile or to secure storage. Your bank safe deposit box may require two keys, one from you and one from the bank.

So this is a concept that Microsoft endorses for this account. The other thing about this account is, again, you do not want to be using it day to day. So you should make sure that when it is used, notifications go out. You can set up an alert that sends emails or text messages to your administrative group saying the emergency account was used. Setting up that monitoring and auditing is a good idea. And finally, like any backup or emergency process, you need to test it. Don't just create an account that you have never logged into even once and expect it to work when you need it.

So you set it up, ensure it's excluded from Conditional Access and MFA, create the password, log in to that account, and if there's an email address tied to it, ensure that email is working. And you want a regular process (Microsoft suggests at least every 90 days) for making sure your emergency account still works, because when the emergency comes is not the time to find out that the password expired, and that to reset it you need access to an email address that doesn't exist. Then you have to go to your email administrator and beg them to create that mailbox as quickly as possible. So yeah, get that stuff tested, as is normal for any kind of emergency backup.
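The guidelines above as one scripted procedure: create the account with a permanent (not PIM-eligible) Global Administrator assignment, exclude it from every Conditional Access policy, and alert on any sign-in by it. This is an added example, not code from the course or from Microsoft. It assumes the Microsoft.Graph and Az.Monitor PowerShell modules, that Azure AD sign-in logs are already exported to a Log Analytics workspace (SigninLogs table), and that the UPN, workspace and action group paths are placeholders you replace with your own.

```powershell
# Added example (not from the course): provision a break-glass account, exclude it
# from all Conditional Access policies, and alert on every sign-in by it.
# Assumes: Microsoft.Graph + Az.Monitor modules; SigninLogs exported to Log Analytics;
# all names, ids and resource paths below are placeholders.
Connect-MgGraph -Scopes "User.ReadWrite.All", "RoleManagement.ReadWrite.Directory",
                        "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# 1) Non-obvious UPN on the tenant's own .onmicrosoft.com domain, so sign-in does not
#    depend on a custom domain or federation that might be the thing that failed.
$nick = "bg-2f9c1a"                                   # placeholder, deliberately not "breakglass"
$upn  = "$nick@contoso.onmicrosoft.com"               # placeholder tenant

# 2) Long random password, generated once and split between two custodians. Print the
#    halves for the two sealed envelopes; never keep the whole thing electronically.
$bytes = New-Object byte[] 48
[System.Security.Cryptography.RandomNumberGenerator]::Fill($bytes)
$password = [Convert]::ToBase64String($bytes)         # 64 characters
$half1, $half2 = $password.Substring(0, 32), $password.Substring(32)

$bg = New-MgUser -DisplayName "Emergency Access 1" -UserPrincipalName $upn -MailNickname $nick `
        -AccountEnabled -PasswordPolicies "DisablePasswordExpiration" `
        -PasswordProfile @{ Password = $password; ForceChangePasswordNextSignIn = $false }

# 3) Permanent *active* Global Administrator. A break-glass account must not depend on
#    PIM activation or on an approver being reachable, so it is not made eligible.
$ga = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Administrator'"
New-MgRoleManagementDirectoryRoleAssignment -RoleDefinitionId $ga.Id -PrincipalId $bg.Id -DirectoryScopeId "/"

# 4) Exclude the account from every Conditional Access policy. The whole Conditions
#    object is sent back (assumption: a partial PATCH would replace the users block),
#    so existing include/exclude lists are preserved.
foreach ($policy in Get-MgIdentityConditionalAccessPolicy) {
    if ($policy.Conditions.Users.ExcludeUsers -contains $bg.Id) { continue }
    $policy.Conditions.Users.ExcludeUsers += $bg.Id
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -Conditions $policy.Conditions
}

# 5) Alert on any sign-in by the account: a scheduled query rule on the workspace that
#    notifies the admin action group. Severity 0 = critical.
Connect-AzAccount
$workspaceId   = "/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.OperationalInsights/workspaces/<ws>"  # placeholder
$actionGroupId = "/subscriptions/<sub>/resourceGroups/<rg>/providers/microsoft.insights/actionGroups/<ag>"           # placeholder
$query = @"
SigninLogs
| where UserId == "$($bg.Id)" or UserPrincipalName =~ "$upn"
| project TimeGenerated, UserPrincipalName, IPAddress, ResultType, AppDisplayName, ConditionalAccessStatus
"@
$condition = New-AzScheduledQueryRuleConditionObject -Query $query -TimeAggregation Count -Operator GreaterThan -Threshold 0 `
                -FailingPeriodNumberOfEvaluationPeriod 1 -FailingPeriodMinFailingPeriodsToAlert 1
New-AzScheduledQueryRule -Name "BreakGlassSignIn" -ResourceGroupName "rg-monitoring" -Location "eastus" `
    -DisplayName "Break-glass account used" -Severity 0 -Scope $workspaceId `
    -WindowSize ([TimeSpan]::FromMinutes(5)) -EvaluationFrequency ([TimeSpan]::FromMinutes(5)) `
    -CriterionAllOf $condition -ActionGroupResourceId $actionGroupId

# 6) Hand over the halves, then do the first test sign-in (which should itself fire the
#    alert; that is how you know the alert works too). Repeat the test on a schedule.
"Custodian A: $half1"
"Custodian B: $half2"
```

Step 3 is the part people get wrong when they have just finished setting up PIM: the emergency account is the one place where a standing, permanently active assignment is correct, because the failure you are planning for may be PIM or its approvers. Step 6 doubles as the alert test; if the scheduled test sign-in does not page anyone, the alert is broken before the account is.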
