Differences
| azure:az-500:alt:privileged_identity_management [2022/07/25 14:16] – mmuze | azure:az-500:alt:privileged_identity_management [2023/02/03 15:39] (current) – [Privileged Identity Management] mmuze | ||
|---|---|---|---|
| Line 9: | Line 9: | ||
| > To use PIM, you need one of the following paid or trial licenses: Azure AD Premium P2, Enterprise Mobility + Security (EMS) E5, or Microsoft 365 M5 | > To use PIM, you need one of the following paid or trial licenses: Azure AD Premium P2, Enterprise Mobility + Security (EMS) E5, or Microsoft 365 M5 | ||
| + | > For Azure AD roles in Privileged Identity Management, only a user who is in the Privileged Role Administrator or Global Administrator role can manage assignments for other administrators. Global Administrators, | ||
| * PIM is about providing just-in-time (JIT) privileged access to resources. | * PIM is about providing just-in-time (JIT) privileged access to resources. | ||
| * PIM requires a P2 license for Azure AD tenant for all users that use PIM features, except for Global Administrator users (they are exempt from licensing requirement). | * PIM requires a P2 license for Azure AD tenant for all users that use PIM features, except for Global Administrator users (they are exempt from licensing requirement). | ||
| + | * To initially setup PIM a Global Admin needs to click the //Consent to PIM// option in the portal. | ||
| + | * To configure PIM for a user requires the Global Admin role. | ||
| + | |||
| * The activation period can be between 0.5 and 24 hours. Specifies the duration the role can active. | * The activation period can be between 0.5 and 24 hours. Specifies the duration the role can active. | ||
| * Access is time-bounded. Specify a start and end date for when the role can be used. The maximum duration is 1 year. | * Access is time-bounded. Specify a start and end date for when the role can be used. The maximum duration is 1 year. | ||
| * One or more approvers can be designated to activate privileges. | * One or more approvers can be designated to activate privileges. | ||
| - | * Require | + | * PIM requires |
| * See justification for why a privilege role was used | * See justification for why a privilege role was used | ||
| + | |||
| + | * If require MFA is configured as a requirement for PIM a user will be prompted for MFA even if they are not setup for it. **Need to confirm** | ||
| + | * Even if a user is in the approver group they cannot approve their own requests. **Need to confirm** | ||
| + | * If a user's assignment type is **Active** then they are not subjected to PIM requirements (e.g. MFA) since they are already assigned the permission. | ||
| + | * If a user is both **eligible** and **active** they cannot activate the a role because it is already active for them. | ||
| + | |||
| + | ====== Alerts ====== | ||
| + | These are alerts PIM can generate. | ||
| + | * Roles don't require multi-factor authentication for activation | ||
| + | * Eligible administrators aren't activating their privileged role | ||
| + | * Potential stale accounts in a privileged role | ||
| + | |||