Edward Walton, Cloud Solution Architect
In this month’s community call, we’ll be covering “just-in-time” identity management and administration in Microsoft Azure Active Directory (AD) Privileged Identity Management (PIM) and Privileged Access Management (PAM) for Office 365. We’ll show how Azure PIM can help partners and their customers prevent account and access breaches associated with Global Administrators and other privileged accounts in their Azure environment, and how it can also prevent unauthorized spending in your Azure subscription.
This post is intended to help clarify questions regarding the positioning and complementary value unlocked by these two solutions. We’ll be following it up with a second part offering additional information in the coming weeks.
Azure Active Directory is Microsoft’s cloud identity and access management solution that helps organizations secure and manage their user identities across employees, partners, and customers.
Securing admin access is a critical first step to help protect business assets in a modern organization. Privileged accounts are accounts that administer and manage IT systems. Admin privileges, however, are granted easily and often forgotten. Cyber attackers target these accounts to gain access to an organization’s data and systems. To secure privileged access, you should isolate the accounts and systems from the risk of being exposed to a malicious user. This can include global administrators of Office 365 and Microsoft Online Services, Azure subscription administrators, and users who have administrative access in VMs or on SaaS apps.
Azure AD Privileged Identity Management (PIM), a solution that we announced at Ignite 2016, is intended to help solve this problem. Azure AD PIM is a part of Azure AD Premium P2; since the announcement, we have added capabilities to extend this protection to Azure resources as well.
At Ignite 2018, we also announced the general availability of Privileged Access Management (PAM) in Office 365, a solution within Office 365 E5 that extends the promise of Customer Lockbox to ensure zero standing admin data access to Office 365 customers.
Azure AD PIM and Privileged Access Management in Office, together, provide complementary capabilities to protect privileged access to our customer organizations’ resources. The approach and the scope of admin activity that each secures are different, but together they help comprehensively secure privileged access to corporate data.
Positioning Azure AD PIM and PAM in Office
What does Azure AD PIM enable for my customers?
With Azure Active Directory (AD) Privileged Identity Management, you can discover, manage, and monitor admin access within your organization. This includes access to resources in Azure AD, Azure Resources, and other Microsoft Online Services like Office 365 or Microsoft Intune.
Azure AD Privileged Identity Management helps your organization:
- See which users are assigned privileged roles to manage Azure resources, as well as which users are assigned administrative roles in Azure AD
- Enable on-demand, just-in-time administrative access to Microsoft Online Services, including Intune, Office 365, and Azure resources of subscriptions, resource groups, and individual resources such as Virtual Machines
- See a history of administrator activation, including what changes administrators made to Azure resources
- Get alerts about changes in administrator assignments
- Require approval to activate Azure AD privileged admin roles
- Review membership of administrative roles and require users to provide a justification for continued membership
What does PAM enable for my customers?
PAM enables task-based access control and provides an approval workflow that’s scoped to your high-risk tasks within Office 365. For example, standing admin privileges enable admins to execute tasks that can provide unfettered access to organizational data, such as creating a journal rule, which can copy emails to a shadow mailbox and exfiltrate sensitive data undetected.
With Privileged Access Management in Office 365, access requests must be approved by an authorized set of approvers. Access is then time-bound to a limited duration, referred to as just-in-time (JIT) access. Requests for access can be approved automatically or manually. Equally importantly, the activity is logged and auditable, so both privileged access requests and approvals can be reviewed and readily provided for internal reviews and auditor requests.
How are they different and/or how do the two solutions complement each other?
Azure AD PIM and PAM in Office 365 together provide a robust set of controls for protecting privileged access to your corporate data. With Azure AD PIM, customers can secure admin roles to ensure protection across Office 365 and Azure clouds. PAM in Office 365 can provide another granular layer of protection by controlling access to tasks within Office 365.
If a customer already has PAM in Office, do they need Azure AD PIM?
Yes, especially if the customer is using multiple services beyond Office 365, or if the customer has multiple administrators beyond helpdesk administrators, which is extremely likely in the case of a large or even medium-sized organization.
Managing privileged identity and access was always a security priority, but given today’s threat landscape, the ability to detect and mitigate threats that arise from unmoderated admin access is even more important. As Azure AD helps manage apps across cloud and on-premises environments, Azure AD admin privileges become the keys to the kingdom that, once acquired, could cause widespread mayhem. Azure AD PIM not only helps organizations detect and manage these admin privileges, it also helps enable just-in-time and scheduled activations of these privileges to their global workforce as and when needed. With Azure AD PIM for Azure resources, customers can now extend this capability to their Azure resources thus ensuring secure administration across Office, Azure AD, and Azure cloud.
If a customer is already using Azure AD PIM, do they need PAM in Office?
Yes. Customers do want finer-grained delegation within Microsoft Exchange Online, given the amount of organizational data held in Microsoft Office. With Privileged Access Management in Office 365, administrative users can request a specific task within Exchange Online, without being granted a role that would allow them to manage other features of the service. For example, a customer with an outsourced IT helpdesk may wish to require approval each time a member of the vendor’s helpdesk staff wants to change their Exchange Online configuration. These users can request elevation, but once elevated they can perform only that specific task and nothing else. Once the access expires, that user can no longer make further changes.
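The request, approval, time-bound access and audit flow described in the PAM section above, applied to the outsourced-helpdesk journal-rule scenario, as an added walkthrough in Exchange Online PowerShell that is not part of the original post or Microsoft’s documentation. The tenant name, approver group address, ticket text and the pending-request filter are assumed placeholders.

```powershell
# Added example: PAM for Office 365 JIT approval flow for the high-risk task
# the post mentions (creating a journal rule). Run in Exchange Online PowerShell;
# the ExchangeOnlineManagement module is assumed to be installed.
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.onmicrosoft.com'   # placeholder tenant

# 1. One-time setup: enable privileged access management and name the
#    default approver group ('pam-approvers@contoso.com' is a placeholder
#    mail-enabled security group).
Enable-ElevatedAccessControl -AdminGroup 'pam-approvers@contoso.com'

# 2. Require manual approval before anyone can run New-JournalRule.
#    Without an approved request, the task is blocked even for admins.
New-ElevatedAccessApprovalPolicy -Task 'Exchange\New-JournalRule' `
    -ApprovalType Manual `
    -ApproverGroup 'pam-approvers@contoso.com'

# 3. Requester side (e.g. outsourced helpdesk staff): ask for just this one
#    task, time-bound to four hours. The reason is recorded for auditing.
New-ElevatedAccessRequest -Task 'Exchange\New-JournalRule' `
    -Reason 'Ticket 1234 (placeholder): add compliance journal rule' `
    -DurationHours 4

# 4. Approver side: review pending requests for this task, then approve
#    (or Deny-ElevatedAccessRequest) each one explicitly.
$pending = Get-ElevatedAccessRequest |
    Where-Object { $_.Task -eq 'Exchange\New-JournalRule' -and $_.RequestStatus -eq 'Pending' }
foreach ($r in $pending) {
    Approve-ElevatedAccessRequest -RequestId $r.RequestId -Comment 'Approved per ticket 1234'
}

# 5. Audit view: every request and its outcome stays queryable, which is what
#    internal reviewers and auditors ask for. Access lapses when the window ends.
Get-ElevatedAccessRequest | Format-Table RequestId, RequestorUPN, Task, RequestStatus
```

Within the approved window the requester can run only `New-JournalRule`; any other Exchange Online task still requires its own request and approval.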
For more on Azure AD PIM and PAM for Office 365, join our community call on Tuesday, November 20 at 10 am PT. The call will cover all the latest info and updates about keeping privileged access a top security priority for Microsoft partners and customers. Be sure to keep an eye out for Part 2!