Azure AD Privileged Identity Management (PIM) - AZ-500, SC-300 Deep Dive Topic

Reddit Comments

Great content as always John - Thanks!!

u/eastlakebikerider, Mar 16 2021 (1 upvote)

You are one of the best teachers that I have ever seen.

u/Apprehensive_Bus2548, Mar 17 2021 (1 upvote)
Captions
Hey everyone, in this video I wanted to dive into Azure AD Privileged Identity Management, PIM, and this is all about the idea that, hey, I don't want roles just assigned permanently to users or maybe groups, and instead I want to use it only when I need it, just in time. As always, if this is useful a like, subscribe, comment and share is appreciated.

So if we think about our organization: it has an Azure AD tenant. Now in that Azure AD tenant we have things like users. These could be cloud users actually created directly in Azure AD, these could be synchronized users from Active Directory using things like Azure AD Connect or Azure AD Connect cloud sync, or they may even be guest users, so these might be coming in through kind of B2B. That could be a Microsoft account, a different Azure AD tenant, a Gmail, a one-time passcode, a SAML/WS-Fed, even a Facebook account. So I have all these different accounts in my Azure AD. Now I can also have groups, and once again these groups may actually be kind of created directly in Azure AD, they could be synchronized as well, and then we can have these users placed inside these groups. And then we have the idea that, well, great, there's that Azure AD and then there are many types of service that trust that Azure AD and use it for the authentication. We can think about, well, there's things like the Microsoft 365 cloud, there's things obviously like Azure, there might be third-party cloud services out there, it might be applications that I create, so I actually create my own kind of app registrations and they trust my Azure AD tenant.

So when I think of PIM I can really focus on the idea that, well, there are roles in Azure AD. So I can think we have these various roles in Azure AD, which are really just sets of various permissions. Now we can look at these. If I jump over and we go and look at my Azure Active Directory, I can go to my Roles and administrators and I can see all these different kind of roles, and you'll notice they are more than just Azure AD: I can see ones like Dynamics 365, I can see ones around Exchange admin, there are things around Intune administrators. So there are other roles related to various services, and each of these roles has different sets of permissions. If I click on, for example, Helpdesk Administrator, well, under the description I can actually see the role permissions it has. And then what I can do traditionally is, well, hey, I'll assign this to someone, and if I do my Add assignment just kind of super quickly and select, you'll notice what it's showing me is pretty much all users. Now you might notice there's a couple of groups, but the reality is most of my groups are actually missing. This is because for my Azure AD roles I can assign those roles primarily to users.

Now there is a special type of cloud group, so not a synchronized group, a special type of cloud group that has assigned membership, i.e. I'm manually adding people to it, it's not based on a dynamic membership rule where I look at some attributes, and it's actually been configured as kind of role-assignable. So it's a special flag I actually set on it when I create it, it's called isAssignableToRole, and that lets me also grant Azure AD roles to the group. If we actually go back again just super quickly, you'll notice there's a couple of groups here that are shown. When I create a group I have this option of, well, hey look, can Azure AD roles be assigned to the group? Now if I set that to Yes, you'll notice the membership type is grayed out: it has to be Assigned, and it cannot be a synchronized group. So in this case, hey, I can actually grant those roles in Azure AD to that special type of group as well. It has to be a cloud group, remember, it's created in Azure AD, it's not synced (this would be a synced kind of group), it has to be manually putting people in it, Assigned, and it has to have that isAssignableToRole.

Now Azure AD primarily is a flat structure, there are no organizational units. Now there is a concept in Azure AD called administrative units, so I can kind of create these administrative units and then put users and put groups into it, and then I can delegate people a role. There's only a certain set of roles, so it's giving it a limited scope, so just keep that in mind. If I think about Azure AD, there's the whole Azure AD tenant, and then, hey, I can actually put users and groups into an administrative unit and then grant a role at that smaller scope. So we have that as well.

And then we're going to focus on Azure as well. So once again, Azure has a very rich set of role-based access control. Now when I think of Azure, I've kind of drawn it to the side over here, but realistically there's a whole set of hierarchies in how I can do permissions with Azure. Azure fundamentally: there's that Azure AD tenant at the top, then you kind of have this root management group, then I can have a whole hierarchy of management groups, and then finally I create a subscription, and then I create one or more resource groups into which I create resources. And again I can create a whole set of roles, which are really a list of actions based on the resources that are defined in resource providers, so it's really a whole set of actions that are put into a role and then I assign that to a user or group. Now for the Azure roles, hey, I can do it to any of those groups: I can do it to cloud groups, I can assign it to synchronized groups, it's far more flexible. So when I think about those roles it's that kind of full gamut of all of those different kind of combinations, and I can set it at any of these kind of levels: different management groups, subscriptions, resource group, even the resource itself. So those different places I can actually assign it, again, to a user or group.

And once again we can look at one of those. So if this time I actually go and look, for example, at a resource group (that's kind of a very broad thing, and I'll just pick any one, it really doesn't matter), look at the Access control, I can look at all the different roles, which will show me pretty much all of them because the resource group can really contain anything. And if I just look at one of them, this might be a little bit more interesting: Backup Reader, sure. So if I look at Permissions, looking up here at the top, hey, I can see all the different resource providers that it has different permissions from, and I can see exactly what they are. So these are all the different resource types within that resource provider and then what are the actual actions: there's the basic read, write, delete, and then there are others, so if I select that then I can see the other permissions that it's been given. So I have that role and then I can assign that role to a certain user or group at a certain scope. Obviously it's inherited down, so the higher up I grant that role, well, it would get inherited to child management groups, to child subscriptions, child resource groups, child resources. So we have these two types of roles: Azure AD and Azure roles.

Now ordinarily we would just grant those. In Azure AD traditionally it's been to a user, but now we could do this special type of cloud isAssignableToRole group, or in Azure the preferred approach is just give it to a group, then I add users into the group. But we tend to just give it to them, and the pain point is, well, that's then kind of this permanent assignment. So what happens is now I'm always walking around with this high-level permission, but that obviously makes me kind of prone to maybe attack: if someone attacks my credential they just, hey, have that heightened permission. For me as a user, I might do something accidentally, and if I'm signed in with high permissions my accidental action could be far worse than if I had this very basic set of permissions. It's the same as User Access Control in Windows: when we sign in, no matter what permissions we have, it actually gets cracked into two different tokens. One is very basic and then this one with our higher permissions, and we have to kind of click that User Access Control "yes, I'm giving permission" to elevate up to that higher set of credentials, so I can do the things when it actually needs the permission rather than me just running with it all the time. Also my experience wouldn't be great: if I have these higher permissions I should be MFA-ing all of the time, so I'm just reading my email, I have to MFA, so I get that muscle memory of just yes, yes, yes, MFA. That's a bad thing. I want to get an MFA prompt only when I'm doing something of a higher permission, or maybe some heightened risk is detected.

So we want to move away from the idea that, hey, we just always have these permissions. Instead I want to think about: I get the role only when I need it. I want a more controlled method of giving the roles, because another pain point is if I've been at a company a long time: hey, I do a certain job, I need these roles; then I change role into another job, I need these roles; hey, I'm working on this project, I need these roles. People often forget to remove them. So I want that idea that I get the role only when I need it, and you'll hear this called just in time, JIT: I can elevate up to get a role for a period of time, maybe an hour, and then it goes away. And when I do this JIT, when I do that higher thing, that's when maybe, hey, as I'm elevating I do an MFA, maybe I have to write down a justification so I can track it in the audit of, hey, why did I do this, maybe it requires an approval. So I can set different things for actually what I'm going to do as part of that, and it gives me that much better control of the role. Maybe I'm just giving it to someone but it's for a time window, so it also gives me kind of this time-bombed capability, it's a limited assignment for me.

Now Azure AD Privileged Identity Management is an Azure AD Premium P2 feature, so I do have to have kind of the right licensing to be able to use this feature. And also around all of this stuff is things like audit: I can go and see my own elevations, the administrators can go and see those elevations. I can also have things like notifications, I can have emails fired off for various people to say, hey, this elevation, this grant has been done. And this all ties into the idea of kind of access reviews. So access reviews is another kind of P2 feature, but it lets me say, hey, periodically or one-off, let's go and check that these people still need this role, or this group membership, or this app access. Or maybe I'll delegate that check or make it a self-check: yes, do you still need this? Well, yes I do. And then act on it.

So let's actually look at this in a bit of detail and understand exactly what this is. Now to manage PIM initially I have to be a Global Administrator or a Privileged Role Administrator. And when I think about using this PIM, I'm basically doing an assignment. I'm saying, hey, with PIM I'm assigning either this Azure AD role or this Azure role (or, we'll talk about groups in a second as well). And what I can do is, when I'm doing that PIM, I can actually assign it in one of two ways. I can assign it making it eligible, and when I make it eligible that's, hey, I have the right to use that role, but it's not just standing, it's not active all the time, I have to actually go and elevate up for that time window. Or I can make it active, so I assign it to someone, they don't have to do anything, it's just always active. Now that would be more common if maybe I have someone who day in, day out needs the role, maybe it's a helpdesk admin; it makes no sense to make them eligible and they have to activate every time they want to do something, every hour, every two hours. But the benefit of using PIM here is it's still tracked, I could still do things like that time bombing. So, hey, I'm going to give it to you but it's for a time-limited window. Think of a contractor: they're coming in, they're working on a project for three months and they're working in a certain resource group. Well, hey, I could make you Contributor, you're active, you don't have to elevate up, but it's only going to last for three months, after that it's going to automatically be taken away. I'm not worried about the idea of these mounting permissions over time, I have great visibility into it, and again I can kind of pair that up with things like access reviews.

So let's start with Azure Active Directory and actually dive into what I can do around PIM. So if we jump over, I'm going to use kind of two accounts: I'm going to use my account, and then Clark Kent is going to be the user we're going to keep assigning it to. So Clark Kent has a P2 license as well, because they're going to use the PIM functionality to actually elevate up to roles. So we'll actually start off. So I'm the administrator, I'm John, so I'm going to go to my... so I'm just looking at Azure AD, my users, groups and things like that. Now what we'll see, if I go to my Home, I can search for PIM and there's Privileged Identity Management. Now I could also do aad.portal.azure.com, which is an Azure AD-focused portal, and then you'll see I've got my favorites. I could do All services, and I can tag the service by clicking the little star to make it show up on my favorites list. So this is all focused around Azure AD.

So as administrator I'm going to go to Azure AD Privileged Identity Management. Now straight away it's giving me some things to get started: I can kind of see what's new, and I could see the roles I have. So I actually have things that, for me as a user of PIM, hey, I can elevate up and become a Teams Administrator. I can see what assignments I just have active for Azure AD, I can see ones I had in the past that have now expired, but if it was within kind of the last 30 days I could actually request to renew it. I can also see what roles I have around Azure resources, so I can see all the different active assignments I have for Azure resources (I've quite a lot), and even this groups thing that's in preview, but we'll come back to that. So that's me using PIM, and I'm going to show more of that as Clark Kent. I can see requests that I have outstanding, I can see requests that require my approval (maybe someone's requested an elevation, I have to approve it; maybe someone's requested an extension or a kind of renewal), I can do an access review from over here. But I'm going to start off looking at management, and I'm going to start off with Azure AD roles.

Now remember I'm in a certain Azure AD tenant, so I'm going to focus on this management part, and again this is all Azure AD. So firstly I can see all the different roles I can manage, and once again we're going to see all these built-in roles, but you can have custom roles in Azure AD as well. So I have this very limited role I created. So in Azure AD I can create a custom role; it's really focused around app management today, that may change in the future, but I can manage that with PIM as well. And now what I can do is, for each of these roles, I have a number of settings. So I could pick, for example, Global Administrator. Now I can see current assignments that are out there and I can add assignments, but firstly I'm going to go to Role settings. So these are the settings for this specific role, and I can get there the same way if I just went to Settings, and it's just going to show me all the roles here as well, I can order it by role, once again I can just go to Global Administrator. So I'm going to do Edit, and we'll see we have these different options.

So the first set of options is around activation. So activation is when we are eligible for the role: we're going to make someone eligible, they're allowed to elevate up to it. So I can say, well, what's the maximum duration? So it can be up to 24 hours for the request, and they can change it to a smaller value at time of elevation. When they perform the activation, what do I require? Now for something like Global Admin I really probably do want Azure MFA, I want to make sure it's a strong authentication. If it was something lesser, maybe some kind of just Reader role, maybe I don't require Azure MFA. Now if they already have a strong authentication when they did the login, it's not going to make them MFA again; if my token has, hey, they've done a strong authentication, I'm good. But it's based on the idea that, hey, I did a simple authentication, so I was just doing some basic checking my email, whatever, and now I'm elevating up because I want to use that bigger permission; at that point it will make me do the MFA. And notice I can also say, well, I want them to enter a justification, so a reason that's going to go in the audit. I can require ticket information, like a ticket number. I could require an approval, and then who has to approve it.

And then I'm saying, well, what actually is the assignment? Now remember I can make it eligible, I can make it active. So what I'm saying here is allow permanent eligible assignment; now I've got that set to Yes. If that was turned off then I can set a maximum eligible assignment to a certain duration. So what this is saying is, remember I'm granting this role in Azure AD to a principal, a user for example, and if I'm making it eligible, what this option is saying is, hey, when you grant them this via PIM, are they going to be eligible forever (I allow permanent), or do you want them only to be able to be eligible for maybe a year or six months? So even though it's not active all the time, they elevate up, I don't want it to just be there; I still want a time bomb for what duration of time they are allowed to elevate up to that actual role. So that's what that's doing there. Likewise, do I allow a permanent active? So that's when it is just active, they don't have to elevate up; I'm going to grant them the role and it's just there, they automatically have that. So again I might say no, I don't want to do permanent active, you can have it for six months. I can say, hey, if it's an active assignment, do I want to start making them do MFA, do I want them to do a justification on the active assignment, so when I'm doing that, why am I doing this? And then I can configure notifications: hey, if it's assigned, if it's assigned to the person, if it's active, if it's eligible, when they activate the role, I have all these different configurations around sending notifications. So this is the settings of the role itself, and I have this for every single one of the various roles. So some of them you might want more notifications than others, some of them you might want approval, some of them you might want MFA; I can go through that.

Once I've configured it, well, then I can do assignments. So here I can see assignments that I've done already (notice Clark Kent has quite a lot of them), but I can add an assignment. So I do an Add assignment. Notice here the first thing I do is, well, which role am I assigning? Now let's pick Authentication Policy Administrator, and notice when I'm selecting who am I going to give this to, it's only showing me users and those special cloud groups. I have a whole bunch of groups, they're not showing; I'm only seeing groups that are cloud groups that have that isAssignableToRole. So I could assign it to a user, I could assign it to a group. Let's just pick a user. Now notice the scope type is set to Directory; it's not showing me my administrative units. That's because this role is not supported by administrative units. If I change this to something like Global Administrator, that is supported by administrative units, well, then it's going to give me a scope option. Now I can change it to Administrative unit and I can set, hey, I want to grant this at this particular level rather than the entire Azure AD tenant. And then I get to pick, well, how am I assigning this? Am I making them eligible (remember, they have to elevate up), and I can set, well, what is the time window? Even though it is allowed to be permanently eligible, I don't have to deploy it that way. I can actually say no, you're in this role for three months; I want you to be eligible to activate up for three months, then it's going away automatically, so I don't have to remember, oh, the contract ended. So even though it's eligible I still don't want it to be forever. Or I can just make it an active, so it's just going to be active straight away; once again I could set a time window. And because I set that option that I have to enter a justification, I have to, as the administrator assigning it, say, well, why are you giving this? So I would say, okay, well, I'm permanently assigning it for... and I can again make it a smaller window if I wanted to, we'll do that window time to change stuff, and I would click Assign. I'm not going to do that, but that's how I would actually go through and do an assignment.

It also has this Discovery and insights. This is kind of nice because what it's actually going to do is show me some things around kind of best practices, like I have three permanent Global Administrators; they want it to be, I think, between two and five, and normally we have two kind of break-glass Global Administrators, so those don't require PIM because if something goes wrong I still want to be able to manage my Azure AD in a disaster. So the documentation actually walks through creating break glass, I wouldn't normally use them, these special kind of accounts. That talks about highly assigned roles, if I have service principals with privileged role assignments, so just giving me some insight into my environment and things I might actually want to go and think about focusing on.

So I've now kind of set this up. Remember I could have done it at that administrative unit level. If I actually went to an administrative unit, just to kind of show the complete experience, and I selected one, you'll notice in here if I do Roles and administrators these are the roles that are applicable to administrative units. Well, it's only when I pick one of these, for example let's kind of pick one, notice when I have the Role settings it's kind of the same as the PIM: I have that set of options, and that's how I can do the assignment. Administrative units: I need an Azure AD Premium license to actually be able to use that.

So now let's see what the end user experience is. So now I'm good old Clark Kent, and I can go to my Azure AD Privileged Identity Management. Now I can look at My roles and I can see my kind of active assignments. So right now I'm kind of an Intune admin and I'm an Authentication Administrator on the Testing administrative unit, but I can see, hey look, I have these other roles available to me. I can also see, if I had expired assignments, I'd be able to go and kind of request to have that renewed. But I can see, hey look, I've got a Global Administrator, looks nice. So I can say I want to activate this role, so under Actions on the far right I can say Activate. So I'm going to click Activate, and now I can say do I want to start it at some time, maybe in the future, and what is the duration. Now notice straight away I did not sign in with MFA, so it's saying, hey look, before you can go any further I want a strong authentication, because that's what I selected on the configuration. So I'll say okay, additional verification required, and it's saying okay, I'm going to do an MFA. So it sent me a sign-in request. I am now looking at my phone, and it's kind of saying, hey, do you want to approve? So you can see that, it's very politely asking me to approve it, so I'll hit Approve, smiling at it, and it's now approved. So I now have a strong authentication as Clark.

So at this point now it's going to give me these options. So maybe I don't need it now, I need it at a future time, so I could say actually I'm doing these actions at this time, I'm going to do it in advance, or I'll do it now. And I set the maximum to 3, but notice I can do it for a smaller window, and I have to do a reason. Okay, so I'm saying "showing things for demo", and I click Activate. So what it's now going to do, it's going through, it's processing the request, it's activating the role, and then what it will actually do is refresh the browser, so I don't have to log out and log in again, which we actually used to have to do, which is kind of a pain in the neck. It does some nice checks; it's a much better experience than we had even kind of six months ago. So it's going through and it's giving me that role, so I now have these superpowers to be a Global Administrator. Okay, so that's done, and now if I actually go and look at my active assignments, now you can see I'm a Global Admin. So now I would go and do Global Admin things, I have those permissions. When I'm done, notice if I finish early I don't have to just leave those permissions; I can actually come into here, look at my Active and deactivate. I just hit Deactivate at the bottom, and now it's removing, so it's doing the opposite now, and it's saying, hey, deactivate role was successful. And if I hit refresh it's taking it away from me; it's eligible, I could activate it again, but now it's actually been taken away, it's gone.

And back as my user I can actually go and look at My audit history, and then I can see the full track: hey, okay, all the different things that have been performed for me. Hey look, 9:10, oh, 9:09, add member to role activation, oh, and there's "showing things for demo", I can see the reason. So I have this kind of full audit trail for me as the user to see what I'm doing. As an administrator, if I go to my Azure AD PIM and I just go to kind of my Azure AD roles and look at kind of Resource audit, I can see the same information. Okay, so there was a Clark Kent over here; oh, they elevated because they were showing things for demo. So I have that full tracking of exactly what's being done. So great, and that's my Azure AD, and notice we had that both at the overall tenant and I could do it for the administrative units as well, I can have a defined scope.

Then we have the Azure roles. Now remember Azure roles: these are all users, I can assign it to groups, we have all these different levels to how we're actually going to manage it. So one of the things we actually have to do with Azure is find the resources first. So the first step for Azure is discover stuff: do I discover things below subscriptions, do I want to go and discover the management groups? And then we have to pick, well, what scope do I want to assign the role actually at? As a key point, by default we'll just see subscriptions, but I may want to do it at a lower level than that. So if we jump over, now I'm just going to go back over to my PIM area, and if we go all the way back to the beginning, now we have kind of Azure resources. So I'm going to pick Azure resources, and notice it's got this option to Discover resources. So if I hit that, I'm going to say what do I want to discover. Now I've already discovered all of my subscriptions, but notice, this is super important, Resource type: I can change this to say, hey, I want to discover management groups as well. Now I've done that as well, which is why if I do Resource state "Unmanaged" it's not showing anything; if I do All then it will actually go and find my management groups. So you have to go and discover them, and then you select them and say Manage resource. Now I can still do direct assignments at the management group, the subscription, the resource group level; it's simply bringing it to the attention of PIM so PIM can start doing things as well. So don't be scared by the fact that it's saying, hey, bring this under PIM management; I can still manage it using the direct Identity and Access Management as well.

So now I'm ready to actually grant a role. Now by default I would select a subscription, I want to give this role at a subscription level. But maybe I don't, maybe I want to give a role at a resource group level. So all I do is I change the resource type here to the type of resource I want to grant it to: maybe I want to grant it to management groups, maybe I want to grant it to resource groups, maybe I want to show a whole bunch of different things, maybe even resources. So I would select, well, what is the object, the scope, I actually want to do this role assignment to? So maybe, for example, I'll assign it to the resource group Canada. So I select the scope that I want to assign the role at; don't select the subscription if I want to do it to a resource group. So I'm going to select resource group Canada. So I am now managing PIM at that level, I am now focused on this particular resource group, so any settings I do, any assignments I do, are now for that resource group; I brought that scope into my focus within PIM. So now it's going to look really exactly the same. Once again I can see what are all of the different roles, and I'll see a lot of them, all the different Azure roles, and once again if I have custom roles they're going to show as well. So over here, for example, I have my custom VM Read and Run Command role, that's there. And once again for all of these things I have Settings I can kind of edit: hey, what's the activation time, justifications, am I allowing permanent eligible, am I allowing permanent active, what are the time durations? This is exactly the same screen as we saw before. And then all I'm essentially doing at this point is I can add an assignment exactly the same way we saw before: hey, I'm giving this role, in this case it's the Virtual Machine Contributor, at this scope, so it's this resource group, to this target. So again I can select a member or kind of group; at this point it's all the groups it's showing, because for Azure resources these can be synced groups, they can be dynamic, it does not care, it's far more flexible. So I would select a user and kind of click Add assignment, and that's really it.

Now if I actually jump up a level and this time actually go and look at my Dev subscription, for example, and look at Assignments, well, once again we can see good old Clark Kent has a direct assignment over here. So I've actually gone and looked at my roles again, so this is for the subscription scope. If I go and look, for example, at my Contributor, I can see Clark Kent has that right to be eligible for that, and there's that Extend option: if it was within kind of 14 days of expiring I could extend it and make it for a longer period of time. Okay, so let's try that.

So once again I am Clark Kent and I want to use this. Now before I do anything else, if I was just to look at the subscription and I go to Access control, I can view what is my access, View my access, and right now I have Network Contributor and Reader, they are my assignments. So I'm going to jump over to PIM, I'm going to go to Azure resources, and again, remember, I pick the scope. So I know I've been given a role at subscription level, I would pick the subscription; if I knew I'd been given a role at a resource group, I would change the resource type, I would pick the resource group and elevate to that. So I'm going to pick my subscription, I can kind of see my roles, and there's Contributor. So I'm going to say activate it. Once again I could do a future time. Notice it's not prompting me to MFA, anything like that, I already have a strong authentication. This can be up to eight hours; I'm just going to say one and a half, a reason, "deleting Bruce Wayne's storage account", and Activate. Clark Kent would never be that immature, but absolutely could kind of go and do those things. And now once again it's going through, it's validating that the activation actually worked, I have that new token, I have those capabilities, and then it will refresh my browser so I can go and do those new things. So this was actually sort of going through; I'm going to kind of let that finish. So now I've, as the user, gone in and I'm elevating up for whatever that target is, in this case it's the subscription; I'm going to have that Contributor role for that period of time, and then after that it automatically will get removed from me.

So I think that's... let's see. So it's still validating, it's taking its time for some reason, but essentially that would kind of go through and ordinarily be successful. Obviously, because I'm demoing it, it's going to do something strange. I think if I close that it probably will do something bad. Let's refresh that, I don't know if that actually works. So we can always check if it worked, remember: so firstly I can see, is it an active assignment? And it's not. So I actually don't think that worked for some reason. Let's try and do that one more time. "Test". Maybe because I was saying mean things about Bruce Wayne, Bruce Wayne put in some custom code to stop that actually happening. So it says it already exists, so it was kind of working behind the scenes. If I refresh now... so it didn't refresh the browser, though, because I kind of killed that window. So now let's see. Nope, it's still doing something strange. Okay, so now it's actually showing as I've got my Contributor over here. Notice I could deactivate; I could also see any kind of pending request that I had outstanding. But at this point I have that role.

Remember, I could also just go to kind of any of the levels. So if I jump out of this for a second, if I just went to my PIM, went to Azure resources over here, but there's also kind of My roles up here. If I go to My roles I could see all of my Azure resources, both at subscription and resource group levels, and I could just activate directly from there. I don't actually have to go to the sub or the resource group; from that main kind of level I can just say, hey, I'm in PIM, what are my roles, I want to look at my Azure resource roles, and I can activate it from here. But that is now activated, I have kind of that subscription level, and I can confirm that because if I go back to the subscription and I go back to that kind of Identity and Access Management and say what is my access... So I have clearly angered the demo gods by doing that cancel, and it's actually put it in a bad state; I don't think it's actually going through properly. So we'll actually try one more thing. Normally that would show; that's never happened before, but obviously because I'm trying to demo it that's going to break.

If we go back to My roles and look at the Azure resources, notice I do also have this kind of Contributor for management group Central US. If we activate that one, once again it's now validating the request. I could do it for a time; we'll say "test", Activate. So now it's activating at that management group level, that Central US. It said it succeeded, it's now doing that validation, the activation is successful, and then hopefully I'll kind of get that confirmation. Something strange is happening on the back end of Azure right now I'm trying to demo, and it's stopping all of these actually working, but it's going through, it's doing that validation, and then I should get that permission. So that's kind of how it should work, and just like all of the others I can kind of bring that back and revoke it if I need to, if I finish kind of early; I'd be able to go and see. So this one's taking a long time as well. Maybe there's something strange happening on the back end at the exact moment I'm trying to demo this thing. We saw the Azure AD ones work; Azure ones for some reason are doing something strange right now. But I'm going to carry on, because there's one other way I might be able to show this.

So the other thing we actually have, remember, is: remember I said we can assign roles to groups, this special cloud group that is isAssignableToRole; I can assign it both Azure AD roles and Azure roles at a certain scope. So the other thing we can now actually do in PIM is group management as well, as either an owner of the group or a member of the group, the idea being that I can now kind of elevate up to be added to the group as a member, and that would actually give me all of the roles assigned to the group. And the benefit here is, imagine I need three Azure AD roles and four Azure roles: rather than have to elevate up to each individual role, well, now if I just assign all the roles to a group I can just elevate up to be a member of the group, or add someone to the group for a time-bombed window, and I get that whole combination of roles in one go. So this ability to actually do the groups is a very powerful feature. So let's jump over. So let's see if that actually worked for Bruce quickly; so let's see what my active assignments are. Okay, so that seems to imply that that actually worked. So I've
got the contributor at the resource and it's actually showing at the subscriptions let's just look at both of those one more time so if i look at my subscription and look at the access control and view my access oh it now worked okay so it's just a timing issue it's a little bit upset it's sunday morning so there there we can see it at the subscription level now obviously at the resource group level i'm going to have it anyway because it would get inherited from the subscription but what i should still see is i'll see it maybe twice let's have a look because i'll see it inherited so i'll see my role access so here we can kind of see it twice so i can see well hey yeah i've got it because it was inherited from the subscription but i also have it directly on this resource group so i can see that pim actually did go and take effect thank goodness and if i'm finished early my roles azure resources active and i can go and deactivate either of that resource group and or the subscription as well so that's it working for there so let's go back to that group idea so i'm going to now go back to john the administrator now again i've created when i did my new group i created it as a security group i gave it a name and i said yes azure ad roles can be assigned to the group so i have one of these and i called it to keep going down it was my pim cloud group now so i had to manually add people into this and it actually has some roles it has three azure ad roles says application administrator this compliance administrator this billing administrator and straight away you can see from here i have this kind of privileged access so from this kind of privileged access here i have the settings and it's going to look very familiar i can have settings for be a member or an owner if i click member well same thing as before so now what people can do is i can either make them in the group an active assignment for a time bomb window said get all of the roles for the group or they can elevate 
up to become a member for two hours or four hours when they need to do something and get all of the roles for that particular group okay now i can also add azure roles to that group so i kind of showed those three roles that i've assigned just here but i can also do things for azure so that pim cloud group in exactly the same way i think i did one at the subscription level let's have a look so if i look at access control and role assignments there's that pim cloud group i also made it contributor for the subscription so now this single group has all of those things and what i actually did from there if i actually jump back over so firstly i can go to pim as the administrator if i want and i can do privileged access groups there's my group and once again i would do an assignment so when i add an assignment so i can see john is permanently kind of in there eligible is clark and bruce wayne so i just did add assignment i would select is it a member or owner typically it's gonna be member and then who i want to add to that so i'll see my various users a selected one and then let's just do a different user and then once again eligible or active can they elevate up to be a member of the group or are they always in the group for whatever this time window is going to be so now it was clark okay so i'm back in kind of my roles i mean pim my roles and i can see access groups now again remember before i do that if i look at my active assignments for azure ad i kind of have these two azure ad roles and if i was to kind of look at the subscription and if i was to look at my access control um it's not faded out yet but that that shouldn't be there it's just been a bit slow today um but i don't have that role anymore that should have been kind of taken away i think things are just it's again it's early on sunday so now if i go to pim my roles i can see i've got this eligible to be a member of pim cloud group i'm going to activate that now what right now at this moment if i was to 
look at that group so i go to my pim cloud group there are no members actually in the group so we go to members it's empty so now it's clock i yeah i want to elevate up um do lots of things um to bruce account so it's going to activate so now i'm being added as a member of that group and no matter what happens i'm not going to cancel that because obviously it's really done some strange things and behind the scenes i think what might be happening with that contributor is obviously i tried different ways if i go and actually look maybe i've got other assignments which is why i still have that contributor role but i will just let that finish but what it's now going to do is add me into that group so that validation was successful and now it completed successfully and it's going to refresh in three two one boom so i now have that as an active assignment i'm a member of the group so now straight away if i go to my azure ad roles and look at my active assignments i have three new ones because i'm a member of that group now again i have a little bit of an issue showing you the subscription because it was already there but i would also now be given access i would have contributor because i'm granted it via that group membership if i go and look at the group now clark is now a member of it so i have got the azure id roles i've got the azure permissions from that group membership and once again if i look at the audit logs a i could look at the audit logs just for kind of the group i can see all the things happening so clark hey was added to the group because they kind of did the various elevations around that so that's just now i'll add member to group i can see the details of that actual thing i could add a higher level if i just go to pim and again go to let's say the privilege groups select the group here again you have the resource audit so there again i can get the detail of hey do things to bruce's account and as the user if i'm kind of finished early once again i can 
go into my roles my active assignments um okay that's azure id roles great but i can go to my groups i don't need this anymore i'm going to deactivate so now it will remove me from the group so it's going to actually go through and if i jump back over here again or maybe because you know this actually i've got it selected here to the members it's gone and my permissions now would have been reduced again if i go to azure ad roles i'm back down to my initial two look at my azure resources so i shouldn't have any active assignment but wait a minute so look i'll see lot yeah yeah so the reason i'm still showing is because when i tried that second attempt i think it left one behind so that's why i was still showing as contributor so now that should have been deactivated it's taken a second i think but i believe that will go away and then what should happen again i messed it up a bit because i was impatient but oh there you go it's gone so now i'm back down to just kind of having that very basic assignment and just to prove that it does work i guess one final time let's go back to my roles back to my group i'm gonna activate right now because i want you to see i do get the azure roll as well test 493 and activate so i'll keep the azure id rolls back i'll get that azure roll and the subscription back again i really want you to just see that to prove i'm not making this stuff up and so that's a really good way of kind of showing that whole combination of roles so if there are multiple roles i need to do my job be it mobile azure id roles or multiple azure roles rather than me having to elevate up for five different things if i give it to the group and then i can just elevate up to become a member of the group i kind of get that whole package of them so let's assume that worked so my active assignment is i'm a member so now if i go back to my subscription and i'm kind of crossing my fingers and toes it's not i think it's just a delay i i think it is working it's just it's 
not instant i i think there's a few oddities happening honestly my role assignments i mean there's the pym cloud group i definitely am a member of that so i definitely have the permissions i could go and do various things i think it's just lagging a little bit honestly um i think that's all that is i don't quite know why it's lagging quite this much today but you kind of saw i did get that permission and back again um the final thing notice when i do have these rolls if i go back to pim for a second i'm not going to touch it i'm going to give it a minute or something but on my rolls notice i kind of have the active if i had an assignment that had expired within kind of 30 days it would show here i could actually click here to renew it and it will then send a request to the administrators they could approve it and i would get the role again if i have kind of these eligible assignments and it's expiring in 14 days i'll get an option to extend so at that point i'll actually be able to go and extend it and again the administrator could approve it and i'll get it for another period of time so let's refresh that again so that that's currently there it's them running one more time look at my subscription access control and there it is okay so it's just a timing thing but there it is i have that and it's because i'm in that pym cloud group so thank goodness that eventually worked and again as a good practice if i finish doing the various roles don't just leave it there because it's good for eight hours if i'm finished doing the task i would come in and say hey i've done that job i'm going to deactivate it and i'm just kind of done and with all of those things don't forget there's a full audit trail of really everything going on within there so i can see my audit history but i can also for all of these different things let's say those privilege access groups i can select the group i could see the auditing around those various things so i can see elevations up i can see it 
removed i can see how test 493 was performed so i can see everything actually happening there so there's that full audit trail i can leverage now i showed all of this through the portal i can absolutely do powershell for example there's a whole bunch of azure adms privileged role assignments commandlet to manage this thing to manage the various um elevations so i can do all of it through there as well but but this is it i mean that's the whole point of this solution it's about just in time but also making sure i don't just get this massive collection of roles build up excuse me it actually lets me time bomb them let me get them just in time full auditing notifications i would be getting emails popping up when i'm doing those privileged things i could add an approval if i wanted it all those mfa type capabilities don't forget about access reviews to actually be able to go in and check well hey do they still need this and they all kind of work together but that's pim i hope that was useful until next time take care you
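An added example from the editor, not code from the video or from John Savill's channel: the just-in-time flow shown in the portal above (check eligibility, activate for a bounded window with a reason, wait for the activation to actually land, hand the role back early) done with the AzureADMSPrivilegedRoleAssignment cmdlets the video mentions, which live in the AzureADPreview module. The role name, the reason text and the 90-minute window are assumptions; the user is whoever ran Connect-AzureAD. Microsoft has since deprecated the AzureAD/AzureADPreview modules in favour of Microsoft Graph PowerShell, so treat this as the 2021-era interface the video refers to.

```powershell
# Editor-added example, not from the video. Assumes the AzureADPreview module
# (Install-Module AzureADPreview) and a signed-in account that already holds an
# ELIGIBLE assignment for the role. Role name, reason and duration are placeholders.
Import-Module AzureADPreview -ErrorAction Stop
Connect-AzureAD | Out-Null

$tenantId = (Get-AzureADTenantDetail).ObjectId
$me       = Get-AzureADUser -ObjectId (Get-AzureADCurrentSessionInfo).Account.Id

# Resolve the role by display name rather than hard-coding a role template ID.
function Get-PimRoleDefinition {
    param([string]$DisplayName)
    Get-AzureADMSPrivilegedRoleDefinition -ProviderId 'aadRoles' -ResourceId $tenantId |
        Where-Object { $_.DisplayName -eq $DisplayName }
}

# The caller's PIM assignments for one role in one state ('Eligible' or 'Active').
# Filter server-side on subjectId (documented), narrow the rest client-side.
function Get-MyPimAssignment {
    param([string]$RoleDefinitionId, [string]$State)
    Get-AzureADMSPrivilegedRoleAssignment -ProviderId 'aadRoles' -ResourceId $tenantId `
        -Filter "subjectId eq '$($me.ObjectId)'" |
        Where-Object { $_.RoleDefinitionId -eq $RoleDefinitionId -and $_.AssignmentState -eq $State }
}

$roleDef = Get-PimRoleDefinition -DisplayName 'Application Administrator'   # assumed role
if (-not $roleDef) { throw 'Role definition not found in this tenant' }

# Fail fast if there is no eligible assignment: PIM would reject the request anyway,
# and a refused request is just noise in the audit log.
if (-not (Get-MyPimAssignment -RoleDefinitionId $roleDef.Id -State 'Eligible')) {
    throw "No eligible assignment for $($roleDef.DisplayName); ask an administrator to add one"
}

# Time-bound activation: 90 minutes here. Must not exceed the maximum in the role's
# PIM settings (8 hours by default, as in the video); the request is rejected otherwise.
$schedule = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedSchedule
$schedule.Type          = 'Once'
$schedule.StartDateTime = (Get-Date).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss.fffZ')
$schedule.EndDateTime   = (Get-Date).AddMinutes(90).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss.fffZ')

$request = Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId 'aadRoles' -ResourceId $tenantId `
    -RoleDefinitionId $roleDef.Id -SubjectId $me.ObjectId -Type 'UserAdd' -AssignmentState 'Active' `
    -Schedule $schedule -Reason 'Ticket 493: rotate app registration credentials'   # placeholder reason
"Request $($request.Id) submitted, status: $($request.Status)"

# Activation is asynchronous (the demo above stalled at exactly this point), and if the
# role requires approval the request sits pending. Poll for the Active assignment instead
# of assuming the new token is usable immediately.
$deadline = (Get-Date).AddMinutes(3)
do {
    Start-Sleep -Seconds 15
    $active = Get-MyPimAssignment -RoleDefinitionId $roleDef.Id -State 'Active'
} until ($active -or (Get-Date) -gt $deadline)
if (-not $active) { throw 'Not Active after 3 minutes; check PIM for a pending approval or a rejected request' }
"Active as $($roleDef.DisplayName) until $($active.EndDateTime)"

# ... do the privileged work here, then give the role back rather than letting it run to expiry.
Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId 'aadRoles' -ResourceId $tenantId `
    -RoleDefinitionId $roleDef.Id -SubjectId $me.ObjectId -Type 'UserRemove' -AssignmentState 'Active' `
    -Schedule $schedule -Reason 'Task finished early' | Out-Null
```

The same cmdlets cover the Azure resource roles and the privileged access groups the video activates: switch `-ProviderId` to `azureResources` and pass as `-ResourceId` the PIM resource ID returned by `Get-AzureADMSPrivilegedResource -ProviderId azureResources` for the subscription, management group or resource group in question. Whichever path is used, the `Reason` string ends up in the PIM audit trail shown at the end of the video, so make it a ticket reference, not "test".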
Info
Channel: John Savill's Technical Training
Views: 16,247
Rating: 4.9719625 out of 5
Keywords: azure, azure cloud, azure ad, jit, just in time, azure ad privileged identity management, privileged identity management, roles, group management, az500, az-500, sc-300, sc300, sc-900, sc900
Id: gccgIkR8_a0
Length: 56min 41sec (3401 seconds)
Published: Tue Mar 16 2021