Controlling, auditing and reporting on administrator activities is an important part of maintaining a secure IT infrastructure. In many organisations, responsibility for administrative tasks is split between different teams and individuals, from a helpdesk that manages user mailbox rights (fulfilling user-generated service requests for such access) up to a messaging infrastructure engineer performing major mail routing changes.
With Office 365 and Azure, administrators are given tools to restrict access to the various admin centers within the tenant and to grant that access only to authorised individuals, as and when they need it.
Privileged Identity Management (PIM) is the part of the Azure toolset that provides this function. It works alongside Azure AD roles, as shown in this sample screenshot:
Individual users or generic accounts can be assigned to a role based on their responsibilities within the business. For instance, an IT engineer on the messaging team might need Exchange Administrator rights, while a helpdesk engineer might need Authentication Administrator rights to resolve user authentication issues.
Not every individual needs their administrative rights all the time; in particular, Exchange Administrators won't always need the rights to change the organisation's mail flow. This is where PIM comes in.
With PIM enabled for an individual, the user must first request that their permissions be elevated before they can perform a given task.
Below is an example of an account with PIM enabled that is eligible for either the Global Administrator or the Privileged Role Management role within Office 365. Both roles are disabled for this user account, meaning that if they log on they will not currently have those rights:
If this user logs in, they will not be able to see the Office 365 admin portal:
First they must elevate their rights and provide a reason for doing so. Here is an example with a change request reference supplied for auditing purposes and a 4 hour window in which to complete the task:
After a successful activation, the user must log out and back in again for the newly elevated rights to apply (expect a 15 minute replication delay before they take effect):
Logged back in, the administrator portal is visible and accessible:
All the administrator tabs are available to the user now:
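The same activation, with a reason, a change reference and a 4 hour limit, can be driven from the Microsoft Graph PowerShell SDK rather than the portal, and the resulting requests then queried for auditing. This is an added example, not code from the original post; it assumes the Microsoft.Graph module is installed, that the signed-in account is eligible for the Exchange Administrator role, and that CHG-0000000 and ServiceDesk are placeholder ticket values.

```powershell
# Added example: self-activate an eligible PIM role via Microsoft Graph PowerShell,
# then list this user's activation requests and flag any made without a ticket.
# Assumes Microsoft.Graph is installed and the account is eligible for the role below.
$scopes = @("RoleAssignmentSchedule.ReadWrite.Directory",
            "RoleEligibilitySchedule.Read.Directory", "User.Read")
Connect-MgGraph -Scopes $scopes

# Resolve the signed-in user and the role definition to activate.
$me   = Get-MgUser -UserId (Get-MgContext).Account
$role = Get-MgRoleManagementDirectoryRoleDefinition `
            -Filter "displayName eq 'Exchange Administrator'"

# Check eligibility first: activation is refused for roles the user is not eligible for.
$eligible = Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance `
                -Filter "principalId eq '$($me.Id)'" |
            Where-Object { $_.RoleDefinitionId -eq $role.Id }
if (-not $eligible) { throw "Account is not eligible for $($role.DisplayName)" }

# Activation request: justification plus change reference, limited to 4 hours (PT4H).
$request = @{
    action           = "selfActivate"
    principalId      = $me.Id
    roleDefinitionId = $role.Id
    directoryScopeId = "/"
    justification    = "Mail flow change per approved change request"
    ticketInfo       = @{ ticketNumber = "CHG-0000000"; ticketSystem = "ServiceDesk" }  # placeholders
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = "AfterDuration"; duration = "PT4H" }
    }
}
$result = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $request
"Activation request $($result.Id) status: $($result.Status)"

# Audit view: every self-activation this user has requested, with a NoTicket flag
# so reviewers can spot elevations that lack a change reference.
Get-MgRoleManagementDirectoryRoleAssignmentScheduleRequest `
    -Filter "principalId eq '$($me.Id)'" |
  Where-Object { $_.Action -eq "selfActivate" } |
  ForEach-Object {
    [pscustomobject]@{
        Created  = $_.CreatedDateTime
        Role     = $_.RoleDefinitionId
        Status   = $_.Status
        Duration = $_.ScheduleInfo.Expiration.Duration
        Ticket   = $_.TicketInfo.TicketNumber
        Reason   = $_.Justification
        NoTicket = [string]::IsNullOrEmpty($_.TicketInfo.TicketNumber)
    }
  } | Format-Table -AutoSize
```

A new sign-in is still needed after the request is approved, exactly as with the portal, before the elevated rights appear in the admin centers.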