Activating Admin Superpowers
To help keep unwanted privileges away from bad actors, Privileged Identity Management (PIM) can reduce the attack surface of users and the roles they are assigned. In a typical organization, users are assigned roles indefinitely and hold them both when they are using them and when they are not. If a user is compromised, every role assigned to them may be leveraged against the organization. With PIM, roles are assigned just in time, right when they are needed, so the likelihood of a compromise occurring while a role is activated is greatly reduced.
This guide will accomplish the following:
- View Eligible PIM Roles
- Activate a PIM Role
- Deactivate a PIM Role
Applicable Scope: Users
Required Group Membership: N/A
This work instruction applies to organizations that have an Azure CMMC Deployment or environments utilizing Entra ID P2.
View Eligible PIM Roles
- Navigate to the PIM Activation – Azure Active Directory portal; this link can also be found in the Company Links folder.
- If not already selected, click the Groups item on the left. On the Eligible Assignments tab, the groups into which you may elevate access will be listed.
Activate a PIM Role
- Navigate to the PIM Activation – Azure Active Directory portal; this link can also be found in the Company Links folder.
- If not already selected, click the Groups item on the left. On the Eligible Assignments tab, the groups into which you may elevate access will be listed.
- Select Activate next to the role which you would like to activate.
- An activation pane will appear. By default, the maximum allowed time will be shown. If the role is only needed for a limited time, say 2 hours, drag the Duration slider to reflect this. Along with adjusting the duration, enter a description of why the activation is being requested in the Reason box; activation may be required by a procedure or work instruction that calls for the selected role. Once finished, click Activate.
- The role will be added to your account for the provided duration. Generally, the role assignment takes effect in less than 5 minutes. It is recommended to close any currently open browser tabs and log in again to any consoles that need the permission. Once the task has been completed, you may let the role expire or follow the Deactivate a PIM Role section.
Deactivate a PIM Role
- Navigate to the PIM Activation – Azure Active Directory portal; this link can also be found in the Company Links folder.
- If not already selected, click the Groups item on the left, then click the Active Assignments tab. All active assignments will be shown. Click the Deactivate button next to the role which should be deactivated.
- A separate prompt will appear; click Deactivate. The role will be deactivated, and any permissions will be revoked.
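The same three procedures (view eligible assignments, activate with a bounded duration and a reason, deactivate when done) can be driven through Microsoft Graph instead of the portal. This is an added example, not code from the original guide or from Sittadel; it assumes the Microsoft.Graph PowerShell SDK is installed, that you are eligible for the group, and that the group id, hours and reason are values you supply (the `<group-id>` and `<ticket-ref>` strings are placeholders).

```powershell
# Added example (not from the original guide): the portal procedure driven
# through Microsoft Graph with the Microsoft.Graph PowerShell SDK. Assumes
# that SDK is installed and that you are eligible for the group; group id,
# hours and reason are values you supply.
Connect-MgGraph -Scopes "PrivilegedEligibilitySchedule.Read.AzureADGroup",
                        "PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup"

$graph       = "https://graph.microsoft.com/v1.0"
$principalId = (Invoke-MgGraphRequest -Method GET -Uri "$graph/me").id

# View Eligible PIM Roles: the groups shown on the Eligible Assignments tab.
function Get-PimEligibleGroups {
    $uri = "$graph/identityGovernance/privilegedAccess/group/eligibilityScheduleInstances" +
           "?`$filter=principalId eq '$principalId'"
    (Invoke-MgGraphRequest -Method GET -Uri $uri).value |
        ForEach-Object { [pscustomobject]@{ GroupId = $_.groupId; AccessId = $_.accessId } }
}

# Activate a PIM Role: shortest useful window plus a reason, as the guide asks.
function Request-PimGroupActivation {
    param(
        [Parameter(Mandatory)][string]$GroupId,
        [Parameter(Mandatory)][string]$Reason,    # what the Reason box captures
        [ValidateRange(1, 24)][int]$Hours = 2     # the Duration slider; tenant policy still caps it
    )
    $body = @{
        accessId      = "member"
        principalId   = $principalId
        groupId       = $GroupId
        action        = "selfActivate"
        justification = $Reason
        scheduleInfo  = @{
            startDateTime = (Get-Date).ToUniversalTime().ToString("o")
            expiration    = @{ type = "afterDuration"; duration = "PT${Hours}H" }
        }
    }
    Invoke-MgGraphRequest -Method POST -Body $body `
        -Uri "$graph/identityGovernance/privilegedAccess/group/assignmentScheduleRequests"
}

# Deactivate a PIM Role: revoke the membership as soon as the task is done.
function Request-PimGroupDeactivation {
    param([Parameter(Mandatory)][string]$GroupId)
    $body = @{ accessId = "member"; principalId = $principalId; groupId = $GroupId; action = "selfDeactivate" }
    Invoke-MgGraphRequest -Method POST -Body $body `
        -Uri "$graph/identityGovernance/privilegedAccess/group/assignmentScheduleRequests"
}

# Example run; <group-id> and <ticket-ref> are placeholders you replace.
Get-PimEligibleGroups
Request-PimGroupActivation -GroupId "<group-id>" -Hours 2 -Reason "<ticket-ref>: rotate service credentials"
# ... complete the task, then:
Request-PimGroupDeactivation -GroupId "<group-id>"
```

As in the portal, the activation can take a few minutes to propagate, so existing sessions should be re-established before relying on the new membership.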
Need Assistance?
Reach out to your Customer Success Manager to discuss how a Sittadel cybersecurity analyst can assist in managing these tasks for you. New to our services? Inquire about arranging a consultation to explore optimizing your Azure environment for painless management.