Do you sometimes lose sight of how many Global Admin accounts are assigned within your Azure AD tenant?
Is it possible that some administrators do not require Global Admin permissions to perform their daily activities?
Is it possible some administrators or trusted third parties hold high privileged Azure AD accounts that are no longer required?
Are some of your high privileged Azure AD accounts permanently assigned, linked to mailboxes, or shared generic accounts?
Are you lacking an audit trail and approval process for the use of high privileged roles in your tenant?
If the answer to some or all of the above questions is yes, then your tenant could be exposed to a higher risk of a serious breach, or of privileged users inadvertently impacting a sensitive resource.
A malicious actor could gain “Initial Access” to accounts with techniques such as phishing, malware, brute force or password spray attacks, leaked or weak credentials, accounts without MFA or with weaknesses in their MFA setup, and more.
Once a privileged account has been compromised, confidential data may be exfiltrated, a ransomware payload released, spear phishing attacks instigated, and many other actions taken that could lead to data loss or financial and reputational damage.
What is Privileged Identity Management, and what can it do to enhance my Azure AD security posture?
Privileged Identity Management (PIM) is an Azure AD security component designed on the principles of just-in-time access for managing, monitoring, and controlling access to privileged accounts.
Accounts can be assigned to privileged roles as Eligible rather than permanent, giving just-in-time access to Azure AD and resources in the tenant.
Assign time-bound access to accounts for automatic start and expiry of privileges.
Require approval and justification to activate a privileged role.
Enforce MFA to activate a role.
Conduct regular access reviews to ensure all users still require their roles.
Review audit history and who in the organisation has privileged roles assigned.
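As an added example (not part of the original article), the following Microsoft Graph PowerShell script answers the first question above: it lists the active Global Administrator assignments in a tenant and flags those that are permanent, standing assignments rather than PIM-eligible ones. It assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in account can read role management and directory data.

```powershell
# Added example: report Global Administrator assignments and flag permanent ones.
# Assumes Install-Module Microsoft.Graph has been run and the caller holds a
# reader role such as Global Reader or Privileged Role Administrator.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All" -NoWelcome

# Resolve the role by display name rather than hard-coding its template ID.
$role   = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Administrator'"
$filter = "roleDefinitionId eq '$($role.Id)'"

# Active schedules cover both standing assignments (assignmentType 'Assigned')
# and current PIM activations of eligible assignments ('Activated').
$active   = Get-MgRoleManagementDirectoryRoleAssignmentSchedule  -Filter $filter -All
$eligible = Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter $filter -All

function Resolve-Principal([string]$Id) {
    # Works for users, groups and service principals alike.
    $obj = Get-MgDirectoryObject -DirectoryObjectId $Id
    [pscustomobject]@{
        Name = $obj.AdditionalProperties['displayName']
        Type = ($obj.AdditionalProperties['@odata.type'] -replace '#microsoft.graph.', '')
        Upn  = $obj.AdditionalProperties['userPrincipalName']
    }
}

$report = foreach ($a in $active) {
    $p      = Resolve-Principal $a.PrincipalId
    $expiry = $a.ScheduleInfo.Expiration.Type   # noExpiration, afterDateTime or afterDuration
    [pscustomobject]@{
        Principal      = $p.Name
        Upn            = $p.Upn
        PrincipalType  = $p.Type
        AssignmentType = $a.AssignmentType       # Assigned or Activated
        Expiry         = $expiry
        # A standing assignment with no expiry is exactly what PIM lets you replace
        # with an Eligible assignment (break glass accounts aside).
        Permanent      = ($a.AssignmentType -eq 'Assigned' -and $expiry -eq 'noExpiration')
    }
}

$report | Sort-Object Permanent -Descending | Format-Table -AutoSize
"Active Global Admin assignments:   $($active.Count) (permanent: $(($report | Where-Object Permanent).Count))"
"Eligible Global Admin assignments: $($eligible.Count)"
```

Rows marked Permanent are the candidates to convert to Eligible assignments, with the break glass accounts mentioned later in this article as the expected exceptions.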
Performanta recommends you combine the use of PIM with the principle of least privilege.
Ask yourself: do all your administrators need Global Admin to manage the environment?
Microsoft provides a substantial number of roles designed for almost every single administrative activity.
Assigning roles specifically for an administrator’s job requirements and making those roles Eligible helps reduce the attack surface and the chance of an administrator making any unauthorised changes.
The amount of time a role remains active before it has to be reactivated can also be changed, so you can set strict time limits on high privilege roles and more relaxed limits on BAU roles, for example. This helps reduce behaviour such as administrators always elevating to Global Admin for convenience.
Privileged Access Groups allow roles to be grouped: the roles are assigned directly to the group, and administrators who are Eligible for the group activate into it rather than into each role individually. This makes it more convenient to manage multiple users and activate multiple roles at once.
We recommend you use PIM accounts on the principle of separation of duties.
This means a dedicated, separate account for each administrator: it should not have a mailbox attached or be a shared account, and it should have a very strong password stored in a password manager, strict session controls, no MFA exceptions, and Passwordless authentication methods.
Which licence is required for Privileged Identity Management?
Azure AD P2 is required as a minimum, and only for the administrative accounts.
Final thoughts...
Privileged Identity Management is a great feature that enables you to remove nearly all permanent administrative accounts in Azure AD (there may be the odd exception, such as break glass or service accounts).
Using features such as time-bound access, email activation approvals and requiring MFA, in addition to least privilege and separation of duties, vastly reduces the attack surface for privileged roles and the risk to the business of a compromise.
Requiring justifications, and using access reviews and notifications, helps keep track of privileged roles and what they are being used for.
Privileged Identity Management is one part of the jigsaw; used in conjunction with a sound Conditional Access policy setup and the array of other security features across the Microsoft 365 stack, it helps create a defence in depth approach to securing your tenant.