Wednesday, 13 May 2015

Azure AD Privileged Identity Management


Recently I carried out an Active Directory security project for a fairly large manufacturing company. The idea was to ensure that Active Directory tasks are carried out using "least privilege" accounts. I implemented role-based access and started to remove the 30 Domain Administrator accounts one by one. This was so tedious, and as I was doing it I thought: "There has to be an easier way. Wouldn't it be great to be able to grant temporary elevated privileges as required, without the administrative overhead?"

Little did I know that this concept was already in the pipeline for Azure AD. Meet Azure AD Privileged Identity Management (currently in Preview), and it is awesome. It was announced last week on the Active Directory Team blog by @Alex_A_Simons. You can see that blog post here.

You just add a user to the required role, and the user chooses for themselves when they need the elevated privilege. Also, wait for it, the privilege expires after a predefined interval (1 hour by default), so there is nothing to remember to revoke afterwards.

Let's see this in action.

Log on to the new Azure Portal (currently in Preview) as Global Administrator.

Click on Marketplace and search for Azure AD Privileged Identity Management.

Click to Create.

Azure verifies your licensing entitlements (this will more than likely be released as an Azure AD Premium feature).

The Privileged Identity Management tile is added to the Startboard. Launch the feature.

See the two choices:

Manage identities: the Global Administrator uses this option to configure the solution. This is where you add users to the various roles and define settings such as the Activation Duration.

Activate my role: the user uses this option when they need to activate their elevated privileges.

For now we will choose Manage Identities.

See the available roles.

This is the description of each of the roles.

Select one of the roles and choose Settings.

This is where you can configure the Activation duration (1 hour by default). Save your settings and close the Settings section.

Now we will add users. Select a role and click to Add users.

I've chosen Tom. Tom is a regular user and is not an existing Azure Global Administrator.

This is Tom's lucky day. He can now be a Security Administrator. Note that the role has not yet been activated: Tom is eligible for it, but he holds no elevated privilege until he activates it.

Now Tom logs on to the Azure Portal.

The first time, he has to add the Privileged Identity Management tile to his Startboard. Tom launches the feature and chooses "Activate my role". Tom is only allowed to use the Security Administrator role, so that is all he can see. Note that he sees "Request Activation".

When he clicks on "Request Activation" he is allowed to activate his elevated privileges. He clicks "Make active" and enters the reason for the activation, which is recorded with the request.

Tom is now active as a Security Administrator for 1 hour. Note that he can make himself inactive at any time before that.

This is the Global Administrator's view. We can see that Tom is now active, along with the expiration date and time.

Note that we can also remove the elevated privilege at any time, without waiting for it to expire.
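To make the access-control model behind this walkthrough concrete, here is an added Python example. It is not Azure AD PIM's code and is not part of the original post; it models the workflow above (a user is made eligible for a role, activates it with a reason, loses it when the configured duration elapses, and can have it removed early by themselves or by the Global Administrator). The class and method names, the sample timestamps and the `require_mfa` setting are assumptions made for this example; the MFA setting reflects the remark in the comments rather than anything shown in the screenshots.

```python
"""Just-in-time role activation with an expiring privilege.

Added example, not Azure AD PIM's own code. It models the workflow in the post
(eligible user, activation with a reason, expiry after the configured duration,
early removal by the user or the Global Administrator); all names are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class RoleSettings:
    """Per-role policy, the counterpart of the Settings blade in the post."""
    activation_duration: timedelta = timedelta(hours=1)  # PIM default: 1 hour
    require_reason: bool = True
    require_mfa: bool = False  # assumption: reflects the MFA remark in the comments


@dataclass
class Activation:
    user: str
    role: str
    reason: str
    expires_at: datetime


class PrivilegedIdentityManager:
    def __init__(self):
        self.settings = {}  # role -> RoleSettings
        self.eligible = {}  # role -> set of users allowed to activate it
        self.active = {}    # (user, role) -> Activation
        self.audit = []     # (timestamp, message)

    # Global Administrator: "Manage identities"
    def configure_role(self, role, **overrides):
        self.settings[role] = RoleSettings(**overrides)

    def add_eligible_user(self, role, user):
        # Eligibility grants nothing by itself; the user still has to activate.
        self.eligible.setdefault(role, set()).add(user)

    # User: "Activate my role"
    def request_activation(self, user, role, reason, now, mfa_verified=False):
        if user not in self.eligible.get(role, set()):
            raise PermissionError(f"{user} is not eligible for {role}")
        policy = self.settings.get(role, RoleSettings())
        if policy.require_reason and not reason.strip():
            raise ValueError("a reason is required to activate a role")
        if policy.require_mfa and not mfa_verified:
            raise PermissionError("MFA is required to activate this role")
        activation = Activation(user, role, reason, now + policy.activation_duration)
        self.active[(user, role)] = activation
        self.audit.append((now, f"{user} activated {role}: {reason}"))
        return activation

    # "Make inactive" (actor == user) or removal by the Global Administrator
    def deactivate(self, actor, user, role, now):
        removed = self.active.pop((user, role), None) is not None
        if removed:
            self.audit.append((now, f"{actor} deactivated {role} for {user}"))
        return removed

    # Resource side: the only check that should ever grant access
    def has_role(self, user, role, now):
        activation = self.active.get((user, role))
        if activation is None:
            return False
        if now >= activation.expires_at:
            # The privilege lapses on its own; nobody has to remember to revoke it.
            self.active.pop((user, role))
            self.audit.append((now, f"{role} for {user} expired"))
            return False
        return True


def walkthrough():
    """Replays the post's scenario for Tom and returns what each check saw."""
    pim = PrivilegedIdentityManager()
    role, tom = "Security Administrator", "tom"
    t0 = datetime(2015, 5, 13, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    pim.configure_role(role)  # keeps the 1 hour default
    pim.add_eligible_user(role, tom)
    seen = {"before_activation": pim.has_role(tom, role, t0)}
    pim.request_activation(tom, role, "Investigate suspicious sign-ins", t0)
    seen["during"] = pim.has_role(tom, role, t0 + timedelta(minutes=30))
    seen["after_expiry"] = pim.has_role(tom, role, t0 + timedelta(hours=1))
    # A second activation, removed early from the Global Administrator's view.
    t1 = t0 + timedelta(hours=2)
    pim.request_activation(tom, role, "Review audit logs", t1)
    seen["revoked"] = pim.deactivate("global-admin", tom, role, t1 + timedelta(minutes=10))
    seen["after_revoke"] = pim.has_role(tom, role, t1 + timedelta(minutes=11))
    # Someone who was never added to the role cannot activate it at all.
    try:
        pim.request_activation("alice", role, "please", t1)
        seen["ineligible_rejected"] = False
    except PermissionError:
        seen["ineligible_rejected"] = True
    seen["audit_entries"] = len(pim.audit)
    return seen
```

The property worth checking in any model like this is that `has_role` consults only active, unexpired activations and never eligibility: in `walkthrough()` Tom has no privilege before activating, has it at 30 minutes, and has lost it again at exactly one hour, with the expiry recorded in the audit trail without anyone acting. The Global Administrator's early removal takes effect on the very next check, which is the behaviour the screenshot of the admin view describes.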

I have to say that I am very impressed with this new feature and it will be extremely useful in production.

  1. And now elevation could be done with MFA - so cool!!

  2. Thank you Gerry, great post.