Let’s continue our series on Azure Landing Zones. In this post, let’s explore some thoughts on how to implement privileged identity management (PIM). If you want to follow along, here are links to the previous posts:
Azure Active Directory Privileged Identity Management (PIM) provides enhanced security for enterprise-scale Azure landing zone deployments by enforcing the principles of least privileged access and authorization best practices. With PIM, administrators can restrict access to critical resources and limit the amount of time users have elevated permissions.
PIM allows administrators to define, manage, and monitor the use of privileged identities within their organization. The tool offers features such as time-bound access, approval workflows, and just-in-time access, which help to mitigate the risk of a security breach caused by an insider attack or a compromised account.
In contrast to traditional Role-Based Access Control (RBAC) approaches, PIM offers a more granular and dynamic way of managing privileges. RBAC assigns roles to users based on their job function, but does not take into account the specific tasks that users need to perform. PIM, on the other hand, allows administrators to assign privileges only for the specific resources and tasks that users need to access, reducing the risk of accidental or malicious misuse of privileged access.
PIM is highly beneficial when doing an enterprise-scale Azure deployment because it helps to ensure the security and compliance of the deployment. The following are some of the key benefits of using PIM during an enterprise-scale Azure deployment:
Least Privileged Access: PIM enforces the principle of least privilege, which means that users are only granted the minimum permissions they need to perform their job tasks. This reduces the risk of a security breach caused by a user with elevated privileges.
Authorization Best Practices: PIM follows authorization best practices, such as time-bound access and approval workflows, to minimize the risk of a security breach caused by a compromised account.
Improved Visibility: PIM provides administrators with visibility into who has been granted elevated privileges and when they were granted. This makes it easier to track and monitor access to critical resources.
Enhanced Compliance: PIM helps organizations to meet regulatory and industry standards, such as PCI DSS, by ensuring that sensitive resources are only accessible by users who have been granted the necessary permissions.
Better Risk Management: By enforcing least privilege and authorization best practices, PIM helps to mitigate the risk of security breaches, making it easier for organizations to manage risk and maintain the security of their enterprise-scale Azure deployment.
PIM is a pretty complex topic, so I’ll just rapid fire some thoughts here.
Firstly, I prefer to use AAD PIM Groups rather than the Azure Roles feature. It seems like a better/cleaner path and also allows for plugging in other PIM solutions in the future (if you plan on using third-party tools).
Secondly, I like the idea of granting the same Azure role at different levels of the hierarchy to different AAD groups. This way, administrators can not only choose the amount of permission they need, but they can also choose where in the hierarchy it is applied. If they know they only need to access a certain subscription to perform their work, they can limit their access appropriately by only requesting the appropriate AAD Group. While this strategy may lead to many more AAD groups being created, I think the benefits are worth it.
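As an added illustration of the two points above (this is example code, not from the original post): a small Python planner that derives one group per (role, scope) pair, emits the Azure CLI calls that create the group and bind the role at exactly that scope, and builds the Graph request that makes a principal eligible for the group rather than a standing member. The management group and subscription values are constructed placeholders, and the Graph endpoint path and body shape are assumptions to verify against current Microsoft Graph documentation.

```python
# Added example, not the post's code: one PIM group per (Azure role, scope) pair.
import json
from dataclasses import dataclass

MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"
GRAPH_ELIGIBILITY = "https://graph.microsoft.com/v1.0/identityGovernance/privilegedAccess/group/eligibilityScheduleRequests"

@dataclass(frozen=True)
class Assignment:
    role: str   # Azure RBAC role name, e.g. "Contributor"
    scope: str  # full ARM scope the role is bound at
    group: str  # display name of the PIM group carrying this role at this scope

def scope_label(scope: str) -> str:
    """Label for where in the hierarchy a scope sits; rejects anything finer than a resource group."""
    parts = [p for p in scope.split("/") if p]
    if scope.startswith(MG_PREFIX) and len(parts) == 4:
        return "MG-" + parts[3]
    if parts[:1] == ["subscriptions"] and len(parts) == 2:
        return "SUB-" + parts[1]
    if parts[:1] == ["subscriptions"] and len(parts) == 4 and parts[2].lower() == "resourcegroups":
        return "RG-" + parts[3]
    raise ValueError(f"unsupported scope for a PIM group: {scope}")

def plan_groups(roles, scopes):
    """Cross product: the same role at each hierarchy level gets its own group."""
    return [Assignment(r, s, f"PIM-{r.replace(' ', '')}-{scope_label(s)}")
            for s in scopes for r in roles]

def az_commands(a: Assignment):
    """Azure CLI calls that create the group and bind its role at exactly one scope."""
    lookup = f"$(az ad group show --group '{a.group}' --query id -o tsv)"
    return [
        f"az ad group create --display-name '{a.group}' --mail-nickname '{a.group}'",
        f"az role assignment create --role '{a.role}' --scope '{a.scope}' "
        f'--assignee-object-id "{lookup}" --assignee-principal-type Group',
    ]

def eligibility_request(group_id: str, principal_id: str, start: str, duration: str = "P365D"):
    """Graph request (assumed v1.0 shape) making principal *eligible* for the group, not a member."""
    body = {"accessId": "member", "principalId": principal_id, "groupId": group_id,
            "action": "adminAssign",
            "scheduleInfo": {"startDateTime": start,
                             "expiration": {"type": "afterDuration", "duration": duration}}}
    return "POST", GRAPH_ELIGIBILITY, json.dumps(body)

if __name__ == "__main__":  # constructed hierarchy: one management group, one subscription
    scopes = [MG_PREFIX + "contoso-corp", "/subscriptions/00000000-0000-0000-0000-000000000000"]
    for a in plan_groups(["Contributor", "User Access Administrator"], scopes):
        print("\n".join(az_commands(a)))
```

Activation duration, MFA and approval requirements are then set per group in its PIM policy, so a user requesting the subscription-level group never receives the management-group role.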
In short, Azure makes using PIM pretty simple, and it should really be turned on everywhere, for every use case. You can make the transition easy by not requiring “approvals” to assume the correct roles, and you can still take advantage of all the other benefits it provides.
Shamir is a Microsoft Most Valuable Professional (MVP – Azure) and has extensive experience building solutions in the cloud, from strategy to deployment to automation.