Just in time, approval and notification for admin roles in Microsoft 365

Up until now, we've worked with permanent admin role assignments. Essentially, the user account is an admin until the user account is removed from the admin role. But there's another option: just-in-time privileged access. Microsoft calls this Privileged Identity Management (PIM). With PIM, users have admin roles only for a limited time, and before they activate the admin role they can be required to get approval.

Licenses required

First things first. What licenses are required to use privileged identity management? You'll need an Azure AD Premium P2 license. It's also included in the Enterprise Mobility + Security (EMS) E5 license.

Assign a role

Now let's assign a role using PIM. By default, the role can only be active for 8 hours. So let's give a user a permanent role assignment.

1. Go to Azure Active Directory admin center > All services > Azure AD Privileged Identity Management.

How to open Azure AD PIM

2. Click Azure AD roles > Assignments > Add assignments.

Add assignments in PIM

3. Under Select role select Global Administrator. Click No member selected. Select the user you want to add. Click Select. Click Next.

Add user assignments in PIM

4. Click Assign.

How to activate a role assignment

Once you assign a user an eligible role, the user will receive the following email:

Activate a PIM role

1. Click View or activate role.

2. Click Activate.

3. If additional verification is required, click Continue and finish the authentication.

Additional verification: click to continue

4. Set a reason. Click Activate.

Activate a role

Review role assignments

As an admin, you may need to review who's assigned what roles. Let's take a look.

1. Go to Azure Active Directory admin center > All services > Azure AD Privileged Identity Management.

Azure AD PIM

2. Click Azure AD roles > Assignments.

PIM assignments

Under Eligible assignments, you'll see the user you added. These users have a role assigned through PIM that needs to be activated before it takes effect.

Eligible assignments

Click Active assignments. These users currently have roles. If you look under State you'll see two different states: "Assigned" and "Active". Assigned users have the role assigned to them permanently; they'll always have admin rights. Active entries are users who are eligible for the role and have activated it.

Active PIM assignments

Update Settings

So now we've configured a user and we know how they can activate the admin role. But we've got a problem. The activation should last only 1 hour, and another admin needs to approve the activation before the role is activated. Next, we'll disable the permanent assignment of the role. Finally, we'll make sure an admin is notified when the PIM role is activated.

1. Go to Azure Active Directory admin center > All services > Azure AD Privileged Identity Management.

Azure AD PIM roles

2. Click Azure AD roles > Assignments > Settings.

Open PIM settings

3. Click Application Administrator > Edit.

Edit PIM role assignments

4. Set the Activation maximum duration (hours) to 1. Click Require approval to activate. Click No approver selected. Select the admin to approve. Click Select. Click Next: Assignment.

Edit PIM role settings

5. Uncheck Allow permanent active assignment. Click Next: Notification.

Edit PIM role settings assignments

6. Set an email address in the Role activation alert additional recipients. Click Update.

Edit PIM role assignments

Edit role settings notifications
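To verify that a role's settings actually ended up the way these six steps configure them (1-hour activation, approval required with an approver chosen, no permanent active assignment, an extra alert recipient), here is an added Python audit example; it is not code from the original post. It assumes the settings are exported in the shape of the Microsoft Graph role management policy rules (rule ids such as Expiration_EndUser_Assignment are my assumption about that schema) and uses a constructed sample policy so it runs offline.

```python
"""Audit PIM role settings against the posture configured in the steps above."""
import re

# Constructed sample in the assumed Graph rule shape: the portal defaults, before editing.
DEFAULT_POLICY_RULES = [
    {"id": "Expiration_EndUser_Assignment", "maximumDuration": "PT8H"},
    {"id": "Approval_EndUser_Assignment",
     "setting": {"isApprovalRequired": False, "approvalStages": []}},
    {"id": "Expiration_Admin_Assignment", "isExpirationRequired": False},
    {"id": "Notification_Admin_EndUser_Assignment", "notificationRecipients": []},
]

# Constructed sample after the edits: 1 hour, approval by one user, no permanent active assignment.
HARDENED_POLICY_RULES = [
    {"id": "Expiration_EndUser_Assignment", "maximumDuration": "PT1H"},
    {"id": "Approval_EndUser_Assignment",
     "setting": {"isApprovalRequired": True,
                 "approvalStages": [{"primaryApprovers": [{"userId": "<approver-object-id>"}]}]}},
    {"id": "Expiration_Admin_Assignment", "isExpirationRequired": True},
    {"id": "Notification_Admin_EndUser_Assignment",
     "notificationRecipients": ["secops@example.com"]},
]


def parse_iso_hours(duration: str) -> float:
    """Convert an ISO 8601 duration such as 'PT8H', 'PT30M' or 'P1D' into hours."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?)?", duration)
    if not m:
        raise ValueError(f"unsupported duration: {duration}")
    days, hours, minutes = (int(x or 0) for x in m.groups())
    return days * 24 + hours + minutes / 60


def audit_role_settings(rules, max_hours=1.0, alert_recipient=None):
    """Return a list of findings; an empty list means the role matches the target posture."""
    by_id = {r["id"]: r for r in rules}
    findings = []
    expiration = by_id.get("Expiration_EndUser_Assignment", {})
    if parse_iso_hours(expiration.get("maximumDuration", "PT8H")) > max_hours:
        findings.append(f"activation maximum duration exceeds {max_hours}h")
    approval = by_id.get("Approval_EndUser_Assignment", {}).get("setting", {})
    if not approval.get("isApprovalRequired"):
        findings.append("activation does not require approval")
    elif not any(s.get("primaryApprovers") for s in approval.get("approvalStages", [])):
        findings.append("approval required but no approver selected")
    if not by_id.get("Expiration_Admin_Assignment", {}).get("isExpirationRequired"):
        findings.append("permanent active assignment is allowed")
    recipients = by_id.get("Notification_Admin_EndUser_Assignment", {}).get("notificationRecipients", [])
    if alert_recipient and alert_recipient not in recipients:
        findings.append(f"{alert_recipient} is not an activation alert recipient")
    return findings
```

Running `audit_role_settings` over every role's rules gives a quick list of roles that still have the default 8-hour, no-approval, permanent-assignment settings.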

Who can approve the admin role assignment?

Only global administrators and privileged role administrators can approve the admin role assignments. Let's try it now. Walk through the "Assign a role" steps above, but this time grant someone the Application Administrator role. Then log in with the user you made eligible for the role and activate the role following the "How to activate a role assignment" steps above.

How to approve activation of a role

1. Once a user requests a role the approver will receive an email with the subject "PIM: Review User's request to activate the Application Administrator role". In that email click Approve or deny request.

Approve PIM role assignment email

2. Review the request then click the checkbox next to the role. Click Approve.

Approve the PIM role assignment

3. Give a justification and click Confirm.

Approve request justification