Time limited admin roles in Microsoft 365

Instead of granting your admins standing admin roles that they hold all the time, you can give them just-in-time (JIT) administration. With JIT, admins request the access they need when they need it. That access can be time-limited: the admin requests the permissions required to perform a task, and those permissions automatically disappear after a short while. Just-in-time administration is part of Privileged Identity Management (PIM). With PIM you can also monitor access to important resources in your organization.

NOTE: PIM requires Azure AD Premium P2 licenses

When to use PIM?

You'll want to use PIM when you want to minimize the number of standing admins in your environment. With PIM, users are granted admin rights only when they request them, so if one of those accounts is compromised the malicious user won't have admin rights unless another admin grants them.

What does PIM allow you to do?

With PIM you can build a number of security-based access controls into your environment, such as:

  • Provide JIT admin access to your Microsoft 365 tenant
  • Assign time-bound access to admin rights using start and end dates so contractors and other time-limited employees can perform their job and have their access automatically revoked after x days.
  • Require approval to be granted admin roles so another admin can verify the user is who they say they are before they are given admin rights.
  • Enforce MFA to get admin roles
  • Use a justification form so users will need to give a reason why they need admin rights
  • Get notifications when users are given admin rights
  • Perform access reviews so you can be sure only those who require admin access still have it.
  • View and export audit history to see who had admin rights and when

What licenses are required to use PIM?

You'll need to assign an Azure AD Premium P2 license to each employee who falls into any of the following categories:

  • Users who are assigned as eligible for roles through PIM.
  • Users who are eligible members or owners of privileged access groups.
  • Users who approve or reject requests in PIM.
  • Users who perform or are assigned access reviews.

What roles can enable/configure Azure AD Privileged Identity Management?

Users holding the Global Administrator or Privileged Role Administrator role can enable and configure Azure AD Privileged Identity Management.

Global Administrators, Security Administrators, Global Readers, and Security Readers can view assignments to Azure AD roles in PIM.

Assign a role to a user

First, we'll assign a user to the User Administrator role so that the user becomes eligible to activate it. What's eligible? An eligible role assignment requires the user to perform one or more actions before they can use the permissions granted by the role. Depending on the role settings, the request may need another admin's approval or may be approved automatically, but either way the user has to request the permissions first. Once the request is approved, the user is granted the role's permissions for a limited time. So, let's jump in and make a user eligible for the User Administrator role.

1. Go to the PIM Roles page by going to Azure AD > All services > Azure AD Privileged Identity Management > Azure AD roles > Roles.

2. Click Add assignments

3. Click Search role > Select the User Administrator role.

[Screenshot: PIM user administrator role]

4. Click No member selected. Search for the user you want to add then click on them. Click Select > Next.

[Screenshot: select member to add to PIM role]

5. Click Assign.

Before clicking Assign, you can instead make the permissions active all the time: click the Active radio button and provide a justification for requiring standing permissions.

To change a user from active to eligible

Did you assign someone permanent permissions and then realize they shouldn't have them? It's easy to switch them to eligible.

1. Go to the PIM roles page by going to Azure AD > All services > Azure AD Privileged Identity Management > Azure AD roles > Roles.

2. Select the role you want to update a user for.

3. Go to Active assignments > click the user you want to update.

4. Click Update > Set assignment type to Eligible > Save.

[Screenshot: update PIM assignment type to eligible]

An eligible role assignment is one that requires the user to perform one or more actions before they can use the role. If a user has been made eligible for a role, they can activate it when they need to perform privileged tasks. There's no difference in the access given to someone with a permanent (active) versus an eligible role assignment; the only difference is that some people don't need that access all the time.

How to activate a role

So the user now has the ability to activate an admin role, but how do they activate it? Well, it's pretty simple:

1. Go to Azure AD Privileged Identity Management > My Roles.

2. Next to the role you want to activate, click Activate.

[Screenshot: Activate PIM role]

3. Click the Additional verification required link to continue.

[Screenshot: activate PIM - additional steps]

4. Walk through the MFA prompt.

5. Add a reason you need to activate the role then click Activate.

[Screenshot: Activate a PIM role]
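The assignment steps above (Eligible, plus the Active option) and the activation steps, done with the Microsoft Graph PowerShell SDK, as an added example that is not part of the original post. It assumes the Microsoft.Graph modules are installed, that alice@contoso.example and the ticket number are placeholders, and that the admin half and the user half run in two separately signed-in sessions.

```powershell
# Added example, not from the original post: "Assign a role to a user" (Eligible and the
# Active option) and "How to activate a role" via Microsoft Graph PowerShell.
# alice@contoso.example and the ticket number below are placeholders.
Import-Module Microsoft.Graph.Identity.Governance
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "User.Read.All"

$user = Get-MgUser -UserId "alice@contoso.example"
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'User Administrator'"
$now  = (Get-Date).ToUniversalTime()

# Step 5 with the default Eligible type: nothing is granted until the user activates.
$eligible = @{
    action           = "adminAssign"
    principalId      = $user.Id
    roleDefinitionId = $role.Id
    directoryScopeId = "/"                               # whole tenant
    justification    = "Helpdesk lead may reset passwords on request"
    scheduleInfo     = @{ startDateTime = $now; expiration = @{ type = "noExpiration" } }
}
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $eligible

# The Active radio button instead: same body, but sent as an assignment request. Here it
# is time-bound (afterDuration, 30 days) so a contractor's standing access cleans itself up.
$active = $eligible.Clone()
$active.scheduleInfo = @{ startDateTime = $now; expiration = @{ type = "afterDuration"; duration = "P30D" } }
New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $active

# What the Eligible assignments tab would show for this user.
Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter "principalId eq '$($user.Id)'" |
    Select-Object RoleDefinitionId, MemberType, Status

# "How to activate a role": run this part in Alice's OWN session (Connect-MgGraph as Alice,
# signed in with MFA). The role's MFA and justification settings apply to this request too.
$activate = @{
    action           = "selfActivate"
    principalId      = $user.Id
    roleDefinitionId = $role.Id
    directoryScopeId = "/"
    justification    = "Password resets for ticket INC-0000 (placeholder)"
    scheduleInfo     = @{ startDateTime = $now; expiration = @{ type = "afterDuration"; duration = "PT1H" } }
}
New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $activate
```

If the role requires approval, the selfActivate request is returned with a pending status and the admin rights do not appear until an approver acts on it.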

Require another user to approve before gaining admin rights

So now a user doesn't have admin rights all the time. They need to request the admin rights, but they are automatically approved. Uh-oh. That means a malicious user who gains access to the user account can then gain admin rights without the approval of another admin. Let's set another account as an admin, but this time require another admin to approve the rights. By default, Global Administrators and Privileged Role Administrators are able to approve the requests.

1. Go to Azure AD > All services > Azure AD Privileged Identity Management > Azure AD Roles > Roles.

2. Find and click Application administrator in the list.

3. Click Add assignments.

4. Click No member selected then select the new admin. Then click Select > Next.

[Screenshot: Add user to PIM role]

5. Click Assign.

6. Click Settings > Edit.

7. Click Require approval to activate > Update.

[Screenshot: Require approval to activate PIM role]

Now when the user requests permission they'll go through the following flow:

1. Go to Azure AD > All services > Azure AD Privileged Identity Management > My roles.

2. Click Activate next to the role.

3. Enter a reason then click Activate.

At this point Global Administrators and Privileged Role Administrators will receive the following email:

[Screenshot: email to approve PIM role]

1. The admin will need to click Approve or deny request in the email.

2. Click the check box next to the request. Then click Approve.

[Screenshot: approve PIM role]

Configure users to perform administrative tasks for up to three hours at a time

Let's say you have a handful of admins who require the User Administrator role, but you only want to allow them to hold the role for 3 hours at a time. What do you do?

1. Navigate to the PIM Settings page by going to Azure AD > All services > Azure AD Privileged Identity Management > Azure AD roles > Settings.

2. Search for the admin role you want to make the user eligible for. In our example, User Administrator.

3. Click the role you want to make the user eligible for.

4. Click Edit.

5. Set Activation maximum duration (hours) to 3. Click Assignment.

Configure admins to get notifications when an admin role is assigned

So now Joe Gruber can assign the User Administrator role, but no one is notified when he activates the role. So let's configure notifications for when our user activates the role.

1. Go to the PIM roles by navigating to Azure AD > All services > Azure AD Privileged Identity Management > Azure AD Roles > Roles.

[Screenshot: PIM Role Settings]

2. Search for the admin role you want to enable notifications for. In our example, User Administrator.

3. Click the User Administrator role.

4. Click Settings.

[Screenshot: user administrator - PIM role - settings]

5. Click Edit.

6. Click Notification. Add your email in the Additional recipients field next to the Role assignment alert type. Click Update.

[Screenshot: Edit notifications when assigned PIM role]
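The three role-setting changes above (require approval to activate, a 3-hour activation maximum, and extra recipients for the Role assignment alert) done with the Microsoft Graph PowerShell SDK, as an added example that is not part of the original post. It assumes the Microsoft.Graph modules are installed, that pim-approver@contoso.example and secops@contoso.example are placeholders, and that the rule ids and property names are those of the Graph unifiedRoleManagementPolicy rules.

```powershell
# Added example, not from the original post: the three role-setting changes above done
# with Microsoft Graph PowerShell. pim-approver@ and secops@contoso.example are placeholders.
Import-Module Microsoft.Graph.Identity.Governance
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "RoleManagementPolicy.ReadWrite.Directory", "User.Read.All"

$role     = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'User Administrator'"
$approver = Get-MgUser -UserId "pim-approver@contoso.example"
# Each directory role has one PIM policy bound at tenant scope ("/"); look it up by role id.
$policy = Get-MgPolicyRoleManagementPolicyAssignment -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$($role.Id)'"

function New-Target([string]$Caller, [string]$Level) {
    @{ caller = $Caller; operations = @("All"); level = $Level; inheritableSettings = @(); enforcedSettings = @() }
}
function Set-PimRule([hashtable]$Rule) {   # PATCH one rule of the role's policy in place
    Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policy.PolicyId `
        -UnifiedRoleManagementPolicyRuleId $Rule.id -BodyParameter $Rule
}
# "Activation maximum duration" = 3 (hours), expressed as an ISO 8601 duration.
Set-PimRule @{
    "@odata.type"        = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"
    id                   = "Expiration_EndUser_Assignment"
    isExpirationRequired = $true
    maximumDuration      = "PT3H"
    target               = New-Target "EndUser" "Assignment"
}
# "Require approval to activate". A named approver is set here; leave primaryApprovers
# empty in the portal and Global/Privileged Role Administrators approve by default.
Set-PimRule @{
    "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule"
    id            = "Approval_EndUser_Assignment"
    setting       = @{
        isApprovalRequired = $true; isApprovalRequiredForExtension = $false
        isRequestorJustificationRequired = $true; approvalMode = "SingleStage"
        approvalStages = @(@{
            approvalStageTimeOutInDays = 1; isApproverJustificationRequired = $true
            isEscalationEnabled = $false; escalationTimeInMinutes = 0; escalationApprovers = @()
            primaryApprovers = @(@{ "@odata.type" = "#microsoft.graph.singleUser"; userId = $approver.Id })
        })
    }
    target = New-Target "EndUser" "Assignment"
}
# "Role assignment alert" additional recipients: mail secops whenever someone is made eligible.
Set-PimRule @{
    "@odata.type"     = "#microsoft.graph.unifiedRoleManagementPolicyNotificationRule"
    id                = "Notification_Admin_Admin_Eligibility"
    notificationType  = "Email"; recipientType = "Admin"; notificationLevel = "All"
    isDefaultRecipientsEnabled = $true
    notificationRecipients     = @("secops@contoso.example")
    target                     = New-Target "Admin" "Eligibility"
}
```

To confirm what was stored, run `Get-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policy.PolicyId` and compare the three rule ids against the values set above.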

Automatically remove role if the user doesn't sign in

Create access review to automatically remove access

So now users are required to use MFA and give a reason to get the admin rights, but what if a user leaves? They may not be terminated but they go on an extended vacation and you forget to remove the permissions. Now you have an admin account floating around out there that's not in use. Fortunately, Microsoft 365 has you covered. You can have the user's rights removed automatically if the user has not logged in for over X days. Let's set it to 30 for our group.

1. Go to the Access Review page by going to Azure AD > All services > Azure AD Privileged Identity Management > Azure AD roles > Access reviews.

2. Click New.

3. Set the name. Set the frequency to Monthly, the Duration to 27, and End to Never.

4. Click Select Privileged role(s). Search for and find User Administrator. Click the check box next to User Administrator then click Done.

5. Select Members (self) in the Reviewers dropdown.

6. Expand the Upon completion settings.

7. Click Enable next to Auto apply results to resource.

8. In the If reviewers don't respond drop-down select Remove access.

9. Click Start.

How admins will review the role

[Screenshot: Start review access]

So now the user will need to review their access every month. They'll receive an email asking them to "Please review access to the User Administrator role". When they receive it, they simply click Start review, enter a reason, then click Approve.

Revoke permissions after 30 days of no activity