I am often asked by clients how they can provide additional levels of controls to their Security and Compliance privileged roles to mitigate the risks of excessive, unnecessary, or misused access permissions to important resources.
Microsoft recommends the following best practices for managing privileged accounts:
- Use least privileged access
- Turn on multi-factor authentication for all your administrator accounts
- Use Privileged Identity Management to grant just-in-time access with optional approvals
- Configure recurring access reviews to revoke unneeded permissions over time
If you have Azure AD Premium P2 licensing you can use Azure AD Privileged Identity Management (PIM) to provide just-in-time access to privileged admin accounts. However, PIM only provides just-in-time access to Azure AD and Azure privileged roles. The issue with Security and Compliance roles is that they are managed in the Security and Compliance admin centers and not in Azure AD.
So how can we protect Security and Compliance roles with just-in-time access to mitigate the risks of excessive, unnecessary, or misused access permissions to important resources?
Read on to discover how to use Privileged Access Groups in PIM to indirectly provide just-in-time access to your Security & Compliance roles. In addition, this process will work with other non-Azure AD roles such as roles from Exchange or SharePoint.
What is Privileged Identity Management?
Privileged Identity Management (PIM) provides a time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions to important resources.
PIM enables you to allow a specific set of actions at a particular scope. Key features:
- Provide just-in-time privileged access to resources
- Assign eligibility for membership or ownership of privileged access groups
- Assign time-bound access to resources using start and end dates
- Require approval to activate privileged roles
- Enforce multi-factor authentication to activate any role
- Use justification to understand why users activate
- Get notifications when privileged roles are activated
- Conduct access reviews to ensure users still need roles
- Download audit history for internal or external audit
PIM provides just-in-time access to Azure AD and Azure privileged roles. The issue is the Security and Compliance roles are managed in Microsoft 365 Compliance and Security Centers and not Azure AD, so PIM cannot assign just-in-time access to these roles. Luckily PIM has a new feature called Privileged Access Groups that we can use.
What are Privileged Access Groups?
Privileged Access Groups provide just-in-time access to Security Groups and Microsoft 365 Groups. Importantly, a role-assignable group can be linked to Security and Compliance role groups (in Step 2 the group is added as a member of each role group), so when we apply just-in-time access to the group we are also providing just-in-time access to the Security and Compliance roles.
As the diagram below shows, when a user is assigned just-in-time membership of the group they automatically inherit the Security and Compliance roles linked to the group. Once the assignment expires, the user is no longer a member of the group and, importantly, loses access to the privileged roles.
Just follow these four steps to set up Privileged Access Groups and just-in-time access for your security and compliance roles.
Step 1: Create an Azure AD group to manage Compliance role assignments
Create a Security Group or Microsoft 365 Group with settings as follows:
In my scenario, I am creating a new Security Group called ‘Compliance PIM’.
Make sure you set ‘Azure AD roles can be assigned to the group’ to ‘Yes’. This setting allows privileged roles to be added as members of the group; it cannot be changed after the group is created.
Do not add members to the group here as this would give users permanent access to the roles. We will assign users later using Privileged Access Groups.
Step 2: Use PowerShell to add the privileged role(s) to the group
The second step is to add the security and compliance roles to the new Security group called ‘Compliance PIM’. It is not possible to add groups as members in the Security or Compliance admin centers; you can only add users to the roles. Therefore you must use PowerShell to add the group as a member of your role groups.
In my scenario, I want to add three role groups to the ‘Compliance PIM’ Security group.
- ‘Content Explorer list viewer’
- ‘Content Explorer Content viewer’
- ‘Compliance Administrator’
Connect to Security & Compliance Center PowerShell using the latest version of the Exchange Online V2 (EXO V2) module.
$UserCredential = Get-Credential
# Check which version of the EXO V2 module is installed
Import-Module ExchangeOnlineManagement; Get-Module ExchangeOnlineManagement
# Update the EXO V2 module to the latest version
Update-Module -Name ExchangeOnlineManagement
# Import the latest EXO V2 module
Import-Module ExchangeOnlineManagement
# Connect to Security & Compliance Center PowerShell
Connect-IPPSSession -Credential $UserCredential
Use Add-RoleGroupMember to add the ‘Compliance PIM’ group to each of the three role groups.
Add-RoleGroupMember -Identity 'ContentExplorerListViewer' -Member 'Compliance PIM'
Add-RoleGroupMember -Identity 'ContentExplorerContentViewer' -Member 'Compliance PIM'
Add-RoleGroupMember -Identity 'ComplianceAdministrator' -Member 'Compliance PIM'
Use Get-RoleGroupMember to list the membership of each role group and confirm that the group has been added.
Get-RoleGroupMember 'ContentExplorerContentViewer'
Get-RoleGroupMember 'ContentExplorerListViewer'
Get-RoleGroupMember 'ComplianceAdministrator'
In my scenario, the ‘Compliance PIM’ group is now a member of each of the three role groups. You also see the individuals that are members. In my scenario, ‘MOD Administrator’ is a member of the ‘Compliance Administrator’ role group.
You can also check the role group membership from the Compliance or Security Admin Centers.
Important. Do not use Azure AD to check the role assignment. You cannot see which roles have been assigned to the group in Azure AD. This is expected behaviour because the Security and Compliance roles are not managed in Azure AD.
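The following script is an added example, not code from the original post. It makes Step 2 repeatable (it only adds the group where it is not already a member) and then performs the check a reviewer would want after the fact: any member of a role group that is not the PIM group is a direct, standing assignment that bypasses just-in-time activation and should be reviewed. It assumes the ExchangeOnlineManagement module is installed, an account permitted to manage Security & Compliance role groups, the role-assignable group name ‘Compliance PIM’ and the three role group identities used above, and that group members are reported with a RecipientType containing the word ‘Group’ (adjust the filter if your tenant reports a different value).

```powershell
# Added example (not from the original post): repeatable Step 2 plus a standing-access check.
# Assumptions: ExchangeOnlineManagement installed; group name and role group identities as in the post.
$GroupName  = 'Compliance PIM'
$RoleGroups = @('ContentExplorerListViewer', 'ContentExplorerContentViewer', 'ComplianceAdministrator')

Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # modern-auth sign-in prompt; add -UserPrincipalName to pre-fill the account

foreach ($rg in $RoleGroups) {
    $members = Get-RoleGroupMember -Identity $rg

    if ($members.Name -contains $GroupName) {
        Write-Host "[ok] '$GroupName' is already a member of '$rg'"
    } else {
        Add-RoleGroupMember -Identity $rg -Member $GroupName
        Write-Host "[added] '$GroupName' -> '$rg'"
        $members = Get-RoleGroupMember -Identity $rg   # re-read so the check below sees the new state
    }

    # Any member that is neither the PIM group nor another group is a direct user assignment.
    # Those users hold the role permanently, outside PIM, so each one needs a justification or removal.
    # Assumption: groups show a RecipientType containing 'Group'.
    $direct = $members | Where-Object { $_.Name -ne $GroupName -and $_.RecipientType -notlike '*Group*' }
    foreach ($m in $direct) {
        Write-Warning "'$rg' has a direct (standing) member outside PIM: $($m.Name)"
    }
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run it once to perform the assignment and again at any time as an audit; a warning for a member such as ‘MOD Administrator’ in ‘ComplianceAdministrator’ is exactly the kind of standing access the rest of this process is designed to remove.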
Step 3: Add members that are entitled to use the Group
Important. Do not add members via the Members menu option, as this gives permanent access to the group and therefore permanent access to the privileged roles.
Members must be added via the Privileged access (preview) menu, using +Add assignments and choosing an Eligible assignment. This way they are only eligible and are not granted standing permissions. They must request access when they require time-limited membership of the group.
In my scenario, Adele is added as an Eligible assignment to the ‘Compliance PIM’ group, so she can request just-in-time access to the group via Privileged Access Groups when she needs access to the Compliance roles.
Adele is shown as an eligible assignment in the Compliance PIM group.
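If you prefer to script Step 3 rather than use the portal, the following is an added example that is not part of the original post. It creates an Eligible assignment for a user on the ‘Compliance PIM’ group and then lists the group's eligibility schedules so you can confirm the user appears as eligible rather than as a permanent member. It assumes the Microsoft Graph PowerShell SDK (the Microsoft.Graph.Groups, Microsoft.Graph.Users and Microsoft.Graph.Identity.Governance modules and the cmdlet names used below), the PrivilegedAccess.ReadWrite.AzureADGroup permission scope, and a placeholder user principal name that you replace with your own.

```powershell
# Added example (not from the original post): grant PIM eligibility for group membership via Microsoft Graph.
# Assumptions: Microsoft.Graph SDK modules installed; cmdlet names as in the Identity.Governance module;
# 'adele@contoso.example' is a placeholder UPN.
Import-Module Microsoft.Graph.Groups, Microsoft.Graph.Users, Microsoft.Graph.Identity.Governance
Connect-MgGraph -Scopes 'PrivilegedAccess.ReadWrite.AzureADGroup', 'Group.Read.All', 'User.Read.All'

$group = Get-MgGroup -Filter "displayName eq 'Compliance PIM'"
$user  = Get-MgUser  -Filter "userPrincipalName eq 'adele@contoso.example'"   # placeholder, replace

if (-not $group -or -not $user) { throw 'Group or user not found; check the names above.' }

$body = @{
    accessId      = 'member'        # eligibility for membership, not ownership, of the group
    principalId   = $user.Id
    groupId       = $group.Id
    action        = 'adminAssign'   # an admin grants eligibility; activation remains the user's request
    justification = 'Eligible for Compliance role groups through the Compliance PIM group'
    scheduleInfo  = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString('o')
        expiration    = @{ type = 'noExpiration' }   # the eligibility does not expire; each activation does
    }
}
New-MgIdentityGovernancePrivilegedAccessGroupEligibilityScheduleRequest -BodyParameter $body

# Verify: the user should be listed here as eligible. Anyone who instead appears under the group's
# regular Members has standing access and bypasses just-in-time activation.
Get-MgIdentityGovernancePrivilegedAccessGroupEligibilitySchedule -Filter "groupId eq '$($group.Id)'" |
    Select-Object PrincipalId, AccessId, MemberType, Status
```

The ‘noExpiration’ choice mirrors the portal's permanently eligible option; if your policy requires eligibility itself to be re-approved periodically, use an ‘afterDuration’ or ‘afterDateTime’ expiration instead and pair it with the access reviews mentioned at the start of the post.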
Step 4: Configure the member role settings for the Privileged Access Group
The last step is to define the configuration for membership in the Privileged Access Group. This allows you to:
- Provide just-in-time privileged access to resources
- Assign eligibility for membership or ownership of privileged access groups
- Assign time-bound access to resources using start and end dates
- Require approval to activate privileged roles
- Enforce multi-factor authentication to activate any role
- Use justification to understand why users activate
- Get notifications when privileged roles are activated
In my scenario I kept the default permissions shown below.
User experience: Activate privileged access group roles in Privileged Identity Management
My Roles in Privileged Identity Management lists the Azure AD roles, Privileged access groups and Azure resources that the user can activate.
To gain access to a group a user just selects Privileged access groups and selects the relevant group.
In this scenario, Adele needs to Activate the ‘Compliance PIM’ group so she inherits the three Compliance role groups:
- ‘Content Explorer list viewer’
- ‘Content Explorer Content viewer’
- ‘Compliance Administrator’
Adele is prompted to select the duration of membership; in my case, a maximum of eight hours. Adele is also required to provide a reason for the activation. Notifications are also sent if they are enabled.
Note. Details will vary depending on the member roles set for the Privileged Access Group.
An approval step is triggered if approval is required, otherwise, access to the group will be granted.
Adele is now a member of the ‘Compliance PIM’ Security Group for the next 8 hours and inherits the three Compliance role groups.
- ‘Content Explorer list viewer’
- ‘Content Explorer Content viewer’
- ‘Compliance Administrator’
After 8 hours, membership of the group and the roles it carries are automatically removed.
Summary
In conclusion, PIM cannot provide just-in-time access to security and compliance privileged roles directly since they are managed in security and compliance admin centers and not in Azure AD. However, in PowerShell, we can add Security and Compliance roles as members of a Security Group or Microsoft 365 Group. Then we can use Privileged Access Groups to provide just-in-time access to the group and provide just-in-time access to the Security and Compliance privileged roles. In addition, this process will work with other non-Azure AD roles such as roles from Exchange or SharePoint.
Just remember that using Privileged Access Groups requires Azure AD Premium P2 licences for the users in scope.
Please be aware that there may be a time delay between becoming a member of the group and gaining access to the security and compliance roles. Microsoft is aware of this and is working to fix the issue.