Protect your administrative accounts
In this section, we will use Azure AD Premium P2 PIM to protect an administrative account in a quick intro.
Open https://portal.azure.com as admin@domain.onmicrosoft.com to start the configuration.
Click All Services and choose Azure AD Privileged Identity Management.
Now, we need to consent to PIM so that we can use the service:
You will need to verify your identity and provide your preferred security verification option, as you can see in the following screenshot:
Finish the verification process and click Consent to proceed:
Next, we sign up under Azure AD Roles, so that users can enable Azure AD roles. Click Sign up PIM for Azure AD Roles to activate the functionality:
Now that the feature is enabled, we can assign the roles to our users.
Click Assign eligibility to start the task:
Click the Global Administrator role, view the current members, and add your test account to the role:
View the expected result:
Let's test our configuration by opening an InPrivate browser session; open https://portal.azure.com and log in with your own test account. Click All Services and choose Azure AD Privileged Identity Management. Choose My roles and activate the Global Administrator role for your account:
Next, you need to verify your identity. Follow the process, register, and verify your account. You need to complete the registration process just once:
After the registration and verification processes are finished, you can Activate your role:
Provide a reason for your role activation. You will note that the activation is limited to 1 hour and that you can define a custom activation time. Later in the book, we will configure different roles and features:
Verify that your role is activated. You have successfully requested your Global Administrator role for the first time through Azure AD PIM. This is very useful so that high privileges are not permanently assigned to your account:
We always recommend that you leave one Global Administrator permanently assigned, and that no Azure MFA is required to use that account. Use it as a break-glass account if the Azure AD PIM or MFA service is not available.
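The same eligibility assignment, just-in-time activation and verification that the portal steps above perform, done from the Microsoft Graph PowerShell SDK. This is an added example, not code from the book; it assumes the Microsoft.Graph modules are installed, that the account used for step 1 holds a role allowed to manage PIM, and that the test account UPN and justification text are placeholders you replace.

```powershell
# Added example (not from the book): PIM eligibility, JIT activation and verification via
# the Microsoft Graph PowerShell SDK. Placeholders: $testUserUpn and the justification text.
Import-Module Microsoft.Graph.Identity.Governance
Import-Module Microsoft.Graph.Users

# Step 1 runs as the administrator account that configured PIM in the portal.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "User.Read.All"

$testUserUpn = "testuser@domain.onmicrosoft.com"   # placeholder: your test account
$testUser    = Get-MgUser -UserId $testUserUpn

# Look the role up by display name instead of hard-coding its template ID.
$gaRole = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Administrator'"

# Make the test account ELIGIBLE for Global Administrator (tenant-wide scope) for one year.
# Eligible is not active: the account holds no privilege until it activates the role.
$eligibility = @{
    action           = "adminAssign"
    justification    = "Eligible Global Administrator for JIT use through PIM"
    roleDefinitionId = $gaRole.Id
    directoryScopeId = "/"
    principalId      = $testUser.Id
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = "AfterDateTime"; endDateTime = (Get-Date).ToUniversalTime().AddYears(1) }
    }
}
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $eligibility

# Step 2 runs in a session signed in as the test account (Connect-MgGraph again as that user;
# expect the MFA verification the book describes). The request carries a justification and the
# same 1-hour limit shown in the portal, expressed as an ISO 8601 duration.
$activation = @{
    action           = "selfActivate"
    justification    = "Change ticket PLACEHOLDER-123"          # placeholder reason
    roleDefinitionId = $gaRole.Id
    directoryScopeId = "/"
    principalId      = $testUser.Id
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = "AfterDuration"; duration = "PT1H" }
    }
}
New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $activation

# Step 3: confirm the role is active for the test account and that it carries an end time,
# i.e. it is an "Activated" instance with an expiry rather than a permanent "Assigned" one.
Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -Filter "principalId eq '$($testUser.Id)'" |
    Select-Object RoleDefinitionId, AssignmentType, StartDateTime, EndDateTime
```

The verification output should list the Global Administrator role with AssignmentType Activated and an EndDateTime about one hour ahead; a row with AssignmentType Assigned and no EndDateTime would mean the account still holds the role permanently.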
Next, we will configure user and group-based application access in Azure AD.