Azure Security – Azure AD Privileged Identity Management

Scenario
You have been asked to create a proof of concept that uses Azure Privileged Identity Management (PIM) to enable just-in-time administration and control the number of users who can perform privileged operations. The specific requirements are:
– Create a permanent assignment of the aaduser2 Azure AD user to the Security Administrator role.
– Configure the aaduser2 Azure AD user to be eligible for the Billing Administrator and Global Reader roles.
– Configure the Global Reader role activation to require an approval of the aaduser3 Azure AD user.
– Configure an access review of the Global Reader role and review auditing capabilities.

Exercise 1 – Configure PIM users and roles
Task 1: Make a user eligible for a role

1. Sign in to the Azure portal https://portal.azure.com/.

2. In the Azure portal, in the Search resources, services, and docs text box at the top of the Azure portal page, type Azure AD Privileged Identity Management and press the Enter key.

3. On the Azure AD Privileged Identity Management blade, in the Manage section, click Azure AD roles.

4. On the AdatumLab500-04 | Quick start blade, in the Manage section, click Roles.

5. On the AdatumLab500-04 | Roles blade, click + Add assignments.

6. On the Add assignments blade, in the Select a role drop-down, select Billing Administrator.

7. Click the No member selected link, on the Select a member blade, click aaduser2, and then click Select.

8. Back on the Add assignments blade, click Next.

9. Ensure the Assignment type is set to Eligible and click Assign.

10. Back on the AdatumLab500-04 | Roles blade, in the Manage section, click Assignments.

11. Back on the AdatumLab500-04 | Assignments blade, note the tabs for Eligible assignments, Active assignments, and Expired assignments.

12. Verify on the Eligible assignments tab that aaduser2 is shown as a Billing administrator.

Task 2: Configure a role to require approval to activate and add an eligible member
1. In the Azure Portal, navigate back to the Azure AD Privileged Identity Management blade and click Azure AD roles.

2. On the AdatumLab500-04 | Quick start blade, in the Manage section, click Roles.

3. On the AdatumLab500-04 | Roles blade, click the Global reader role entry.

4. On the Global Reader | Assignments blade, click the Settings icon in the toolbar of the blade and review the configuration settings for the role, including Azure Multi-Factor Authentication requirements.

5. Click Edit.

6. On the Activation tab, enable the Require approval to activate check box.

7. Click Select approver(s), on the Select a member blade, click aaduser3, and then click Select.

8. Click Next:Assignment.

9. Clear the Allow permanent eligible assignment check box, leaving all other settings with their default values.

10. Click Next:Notification.

11. On the Edit role setting – Global Reader blade, review the settings and click Update.
NOTE: Anyone trying to use the Global Reader role will now need approval from aaduser3.

12. On the Global Reader | Assignments blade, click + Add assignments.

13. On the Add assignments blade, click No member selected, on the Select a member blade, click aaduser2, and then click Select.

14. Click Next.

15. Ensure the Assignment type is Eligible and review the eligible duration settings.

16. Click Assign.
NOTE: User aaduser2 is eligible for the Global Reader role.

Task 3: Give a user permanent assignment to a role.
1. In the Azure Portal, navigate back to the Azure AD Privileged Identity Management blade and click Azure AD roles.

2. On the AdatumLab500-04 | Quick start blade, in the Manage section, click Roles.

3. On the AdatumLab500-04 | Roles blade, click + Add assignments.

4. On the Add assignments blade, in the Select role drop-down, select Security Administrator.

5. On the Add assignments blade, click the No member selected link, on the Select a member blade, click aaduser2, and then click Select.

6. Click Next.

7. Review the Assignment type settings and click Assign.
NOTE: User aaduser2 is now permanently assigned the Security Administrator role.
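The three assignments from Exercise 1 can also be created from a script, which is useful when the proof of concept has to be repeated in another tenant. The following is an added example using the Microsoft Graph PowerShell SDK; it is not part of the lab. It assumes the SDK is installed, that you sign in as a user who may manage PIM (for example, a Privileged Role Administrator), and that <your_tenant_name> is replaced with your tenant name. The approval requirement on Global Reader from Task 2 is a role setting and is still configured in the portal.

```powershell
# Added example (not part of the lab): scripted equivalent of Exercise 1 using the
# Microsoft Graph PowerShell SDK. Assumes the SDK is installed and the signed-in
# account may manage PIM for Azure AD roles.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "User.Read.All"

# Assumption: replace <your_tenant_name> with your Azure AD tenant name.
$user = Get-MgUser -UserId "aaduser2@<your_tenant_name>.onmicrosoft.com"

# Resolve role definition IDs by display name instead of hardcoding GUIDs.
function Get-RoleId([string]$Name) {
    (Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$Name'").Id
}

$now = (Get-Date).ToUniversalTime().ToString("o")

# Eligible (just-in-time) assignments: Billing Administrator and Global Reader.
# A one-year eligibility is used because Task 2 disallows permanent eligibility.
foreach ($role in "Billing Administrator", "Global Reader") {
    New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -Action "adminAssign" `
        -PrincipalId $user.Id -RoleDefinitionId (Get-RoleId $role) -DirectoryScopeId "/" `
        -Justification "PoC: just-in-time eligibility for $role" `
        -ScheduleInfo @{ StartDateTime = $now; Expiration = @{ Type = "afterDuration"; Duration = "P365D" } }
}

# Permanent (active, no expiration) assignment: Security Administrator.
New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -Action "adminAssign" `
    -PrincipalId $user.Id -RoleDefinitionId (Get-RoleId "Security Administrator") -DirectoryScopeId "/" `
    -Justification "PoC: permanent Security Administrator assignment" `
    -ScheduleInfo @{ StartDateTime = $now; Expiration = @{ Type = "noExpiration" } }

# Verify the result, equivalent to the Eligible and Active assignments tabs in the portal.
Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter "principalId eq '$($user.Id)'" -ExpandProperty roleDefinition |
    Select-Object @{n = "EligibleRole"; e = { $_.RoleDefinition.DisplayName }}, MemberType,
                  @{n = "EndsAt"; e = { $_.ScheduleInfo.Expiration.EndDateTime }}
Get-MgRoleManagementDirectoryRoleAssignmentSchedule -Filter "principalId eq '$($user.Id)'" -ExpandProperty roleDefinition |
    Select-Object @{n = "ActiveRole"; e = { $_.RoleDefinition.DisplayName }}, AssignmentType,
                  @{n = "Expiration"; e = { $_.ScheduleInfo.Expiration.Type }}
```

The verification output should list Billing Administrator and Global Reader as eligible with an end date, and Security Administrator as an active assignment with expiration type noExpiration.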

Exercise 2 – Activate PIM roles with and without approval
Task 1: Activate a role that does not require approval.

1. Open an InPrivate browser window.

2. In the InPrivate browser window, navigate to the Azure portal and sign in using the aaduser2 user account.
NOTE: To sign in you will need to provide a fully qualified name of the aaduser2 user account, including the Azure AD tenant DNS domain name, which you recorded earlier in this lab. This user name is in the format aaduser2@<your_tenant_name>.onmicrosoft.com, where <your_tenant_name> is the placeholder representing your unique Azure AD tenant name.

3. In the Azure portal, in the Search resources, services, and docs text box at the top of the Azure portal page, type Azure AD Privileged Identity Management and press the Enter key.

4. On the Azure AD Privileged Identity Management blade, in the Tasks section, click My roles.

5. You should see three Eligible roles for aaduser2: Global Reader, Security Administrator, and Billing Administrator.

6. In the row displaying the Billing Administrator role entry, click Activate.

7. If needed, click the warning Additional verification required. Click to continue and follow the instructions to verify your identity.

8. On the Activate – Billing Administrator blade, in the Reason text box, type text providing a justification for the activation, and then click Activate.
NOTE:
– When you activate a role in PIM, it can take up to 10 minutes for the activation to take effect.
– This role does not require approval, so you will be able to sign out and log back in to begin using the activated role.

9. Sign out and sign back into the Azure portal by using the aaduser2 user account.

10. Navigate back to the Azure AD Privileged Identity Management blade and, in the Tasks section, click My roles.

11. On the My roles | Azure AD roles blade, switch to the Active assignments tab. Notice the Billing Administrator role is Activated.
NOTE:
– Once a role has been activated, it automatically deactivates when its time limit under End time (eligible duration) is reached.
– If you complete your administrator tasks early, you can deactivate a role manually.

12. In the list of Active Assignments, in the row representing the Billing Administrator role, click the Deactivate link.

13. On the Deactivate – Billing Administrator blade, click Deactivate again to confirm your intent.

Task 2: Activate a role that requires approval.
1. In the InPrivate browser window, in the Azure portal, while signed in as the aaduser2 user, navigate back to the Privileged Identity Management | Quick start blade.

2. On the Privileged Identity Management | Quick start blade, in the Tasks section, click My roles.

3. On the My roles | Azure AD roles blade, in the list of Eligible assignments, in the row displaying the Global Reader role, click Activate.

4. On the Activate – Global Reader blade, in the Reason text box, type text providing a justification for the activation, and then click Activate.

5. Click the Notifications icon in the toolbar of the Azure portal and view the notification informing that your request is pending approval.
NOTE: As the Privileged role administrator you can review and cancel requests at any time.

6. On the My roles | Azure AD roles blade, locate the Security Administrator role, and click Activate.

7. Click the warning Additional verification required. Click to continue.

8. Follow the instructions to verify your identity.
NOTE: You only have to authenticate once per session.

9. Once you are back in the Azure Portal interface, on the Activate – Security Administrator blade, in the Reason text box, type text providing a justification for the activation, and then click Activate.
NOTE: The auto approval process should complete.

10. Back on the My roles | Azure AD roles blade, click the Active assignments tab and notice that the listing of active assignments includes Security Administrator but not the Global Reader role.
NOTE: You will now approve the Global Reader role.

11. Sign out of the Azure portal as aaduser2.

12. Sign into the Azure portal as aaduser3.
NOTE: If you run into problems with authenticating by using any of the user accounts, you can sign in to the Azure AD tenant by using your user account to reset their passwords or reconfigure their sign-in options.

13. In the Azure portal, navigate to Azure AD Privileged Identity Management.

14. On the Privileged Identity Management | Quick start blade, in the Tasks section, click Approve requests.

15. On the Approve requests | Azure AD roles blade, in the Requests for role activations section, select the checkbox for the entry representing the role activation request to the Global Reader role by aaduser2.

16. Click Approve. On the Approve Request blade, in the Justification text box, type a reason for activation, note the start and end times, and then click Confirm.
NOTE: You also have the option of denying requests.

17. Sign out of the Azure portal as aaduser3.

18. Sign into the Azure portal as aaduser2.

19. In the Azure portal, navigate to Azure AD Privileged Identity Management.

20. On the Privileged Identity Management | Quick start blade, in the Tasks section, click My roles.

21. On the My roles | Azure AD roles blade, click the Active Assignments tab and verify that the Global Reader role is now active.
NOTE: You might have to refresh the page to view the updated list of active assignments.

22. Sign out and close the InPrivate browser window.
RESULT: You have practiced activating PIM roles with and without approval.

Exercise 3: Create an Access Review and review PIM auditing features
Task 1: Configure security alerts for Azure AD directory roles in PIM

1. Sign in to the Azure portal https://portal.azure.com/ using your account.

2. In the Azure portal, in the Search resources, services, and docs text box at the top of the Azure portal page, type Azure AD Privileged Identity Management and press the Enter key.

3. Navigate to the Azure AD Privileged Identity Management blade.

4. On the Privileged Identity Management | Quick start blade, in the Manage section, click Azure AD Roles.

5. On the AdatumLab500-04 | Quick start blade, in the Manage section, click Access reviews.

6. On the AdatumLab500-04 | Access reviews blade, click New.

7. On the Create an access review blade, specify the following settings (leave others with their default values):

Setting                  Value
Review name              Global Reader Review
Start Date               today's date
Frequency                One time
End Date                 end of the current month
Review role membership   Global Reader
Reviewers                Selected users
Select reviewers         your account

8. On the Create an access review blade, click Start.
NOTE: It will take about a minute for the review to deploy and appear on the AdatumLab500-04 | Access reviews blade. You might have to refresh the web page. The review status will be Active.

9. On the AdatumLab500-04 | Access reviews blade, under the Global Admin Review header, click the Global Reader entry.

10. On the Global Reader Review blade, examine the Overview page and note that the Progress chart shows a single user in the Not reviewed category.

11. On the Global Reader Review blade, in the Manage section, click Results. Note that aaduser2 is listed as having access to this role.

12. Click aaduser2 to view a detailed audit log with entries representing PIM activities that involve that user.

13. Navigate back to the AdatumLab500-04 | Access reviews blade.

14. On the AdatumLab500-04 | Access reviews blade, in the Tasks section, click Review access and then click the Global Reader Review entry.

15. On the Global Reader Review blade, click the aaduser2 entry.

16. In the Reason text box, type a rationale for your decision and then click either Approve to maintain the current role membership or Deny to revoke it.

17. Navigate back to the Azure AD Privileged Identity Management blade and, in the Manage section, click Azure AD roles.

18. On the AdatumLab500-04 | Quick start blade, in the Manage section, click Access reviews.

19. Select the entry representing the Global Reader review. Note that the Progress chart has been updated to show your review.

Task 2: Review PIM alerts, summary information, and detailed audit information.
1. Navigate back to the Azure AD Privileged Identity Management blade and, in the Manage section, click Azure AD roles.

2. On the AdatumLab500-04 | Quick start blade, in the Manage section, click Alerts, and then click Setting.

3. On the Alert settings blade, review the preconfigured alerts and risk levels. Click on any of them for more detailed information.

4. Return to the AdatumLab500-04 | Quick start blade and click Overview.

5. On the AdatumLab500-04 | Overview blade, review summary information about role activations, PIM activities, alerts, and role assignments.

6. On the AdatumLab500-04 | Overview blade, in the Activity section, click Resource audit.
NOTE: Audit history is available for all privileged role assignments and activations within the past 30 days.

7. Notice you can retrieve detailed information, including Time, Requestor, Action, Resource name, Scope, and Subject.
RESULT: You have configured an access review and reviewed audit information.
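The Resource audit blade reviewed above only shows 30 days of history, so a practitioner will usually want to pull the same PIM events programmatically and keep them. The following is an added example using the Microsoft Graph PowerShell SDK; it is not part of the lab. It assumes the SDK is installed, that the signed-in account can read audit logs, and that PIM writes its directory audit entries with the service name PIM and tags the affected role and user as target resources of type Role and User.

```powershell
# Added example (not part of the lab): list the PIM activity shown on the Resource
# audit blade (Time, Requestor, Action, Role, Subject) for the last 30 days.
# Assumes the Microsoft Graph PowerShell SDK and an account with AuditLog.Read.All.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

$since = (Get-Date).AddDays(-30).ToUniversalTime().ToString("o")

# Assumption: PIM entries in the directory audit log carry loggedByService 'PIM'.
$events = Get-MgAuditLogDirectoryAudit -All `
    -Filter "loggedByService eq 'PIM' and activityDateTime ge $since"

# Flatten each entry into the columns the portal shows. Assumption: the role and
# the affected account appear as target resources of type 'Role' and 'User'.
$rows = $events | ForEach-Object {
    [pscustomobject]@{
        Time      = $_.ActivityDateTime
        Requestor = $_.InitiatedBy.User.UserPrincipalName
        Action    = $_.ActivityDisplayName
        Result    = $_.Result
        Role      = ($_.TargetResources | Where-Object Type -eq "Role").DisplayName -join ","
        Subject   = ($_.TargetResources | Where-Object Type -eq "User").UserPrincipalName -join ","
    }
}

$rows | Sort-Object Time -Descending | Format-Table -AutoSize

# Summary per role and action, the same breakdown the Overview blade charts.
$rows | Group-Object Role, Action | Sort-Object Count -Descending |
    Select-Object Count, Name

# Keep a copy beyond the 30-day portal retention window.
$rows | Export-Csv -Path ".\pim-audit-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

After completing Exercise 2, the output should include the Billing Administrator and Security Administrator activations by aaduser2, the Global Reader activation request, and the approval recorded under aaduser3.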

Clean up resources
1. In the Azure portal, set the Directory + subscription filter to the Azure AD tenant associated with the Azure subscription into which you deployed the az500-04-vm1 Azure VM.

2. In the Azure portal, open the Cloud Shell by clicking the first icon in the top right of the Azure Portal. If prompted, click PowerShell and Create storage.

3. Ensure PowerShell is selected in the drop-down menu in the upper-left corner of the Cloud Shell pane.

4. In the PowerShell session within the Cloud Shell pane, run the following to remove the resource group you created in this lab:

Remove-AzResourceGroup -Name "AZ500LAB04" -Force -AsJob

5. Close the Cloud Shell pane.

6. Back in the Azure portal, use the Directory + subscription filter to switch to the AdatumLab500-04 Azure Active Directory tenant.

7. Navigate to the Azure Active Directory Premium P2 – Licensed users blade, select the user accounts to which you assigned licenses, click Remove license, and, when prompted to confirm, click OK.

8. In the Azure portal, navigate to the Users – All users blade, click the entry representing the aaduser1 user account, on the aaduser1 – Profile blade click Delete, and, when prompted to confirm, select Yes.

9. Repeat the same sequence of steps to delete the remaining user accounts you created.

10. Navigate to the AdatumLab500-04 – Overview blade of the Azure AD tenant, click Delete tenant, on the Delete directory ‘AdatumLab500-04’ blade, click the Get permission to delete Azure resources link, on the Properties blade of Azure Active Directory, set Access management for Azure resources to Yes and click Save.

11. Sign out from the Azure portal and sign back in.

12. Navigate back to the Delete directory ‘AdatumLab500-04’ blade and click Delete.