Just-In-Time access is a security mechanism that grants users temporary permissions to perform specific tasks. This approach reduces the risk of excessive permissions and potential misuse, as users can only access sensitive resources when absolutely necessary. JIT access is particularly important for administrative roles, where the potential for misuse can have significant consequences.
To utilize PIM, your organization must have one of the following licenses:
In this demo, we will introduce a security engineer named Grady Archie, who holds a Security Reader role that is permanently assigned to him. Occasionally, Grady needs to configure Microsoft Defender for Cloud Apps. To adhere to the principle of least privilege, we will assign him the Cloud App Security Administrator role, but only as an eligible assignment. This allows him to activate the role only when necessary, so he has the permissions he needs without holding them permanently.
Access the Microsoft Entra ID portal by navigating to entra.microsoft.com.
Once logged in, go to the Identity Governance section.
Click on Privileged Identity Management (PIM).
In the PIM interface, select Roles from the sidebar, then click on Add Assignments.
We will assign the Cloud App Security Administrator role to the user Grady Archie.
Grady will be eligible to activate this role for a duration of four days, starting from 08/04/2024 to 08/08/2024.
Next, we log in as Grady Archie. First, verify the roles assigned to him: he is permanently assigned the Security Reader role and is eligible for the Cloud App Security Administrator role.
Grady will navigate to PIM, then select My Roles and click on Activate for the Cloud App Security Administrator role.
During the activation process, Grady will need to provide a justification for the role elevation.
He must also specify the duration for which he requires the role activation.
Once all information is entered, the activation process will begin. If everything is correct, Grady will be temporarily assigned the Cloud App Security Administrator role.
After the verification process is completed, Grady is actively assigned the Cloud App Security Administrator role for a duration of 8 hours.
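Both halves of the walkthrough (the administrator creating Grady's eligible assignment for 08/04/2024 to 08/08/2024, then Grady activating the role for 8 hours with a justification) can be scripted with the Microsoft Graph PowerShell SDK. This is an added example, not code from the original post; the Graph scopes, the justification strings and the lookups by display name are assumptions, and the two Connect-MgGraph calls stand for two separate sign-ins (the administrator, then Grady).

```powershell
# Added example (not from the original post). Assumes the Microsoft.Graph modules are
# installed and the first sign-in is by a user allowed to manage PIM assignments.
Import-Module Microsoft.Graph.Identity.Governance

# --- Part 1: administrator makes Grady ELIGIBLE for the role (the portal steps above) ---
Connect-MgGraph -Scopes "RoleEligibilitySchedule.ReadWrite.Directory","RoleManagement.Read.Directory","User.Read.All"

$user = Get-MgUser -Filter "displayName eq 'Grady Archie'"
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Cloud App Security Administrator'"

$eligibilityParams = @{
    Action           = "adminAssign"                 # eligible, not active, assignment
    Justification    = "Grady occasionally configures Defender for Cloud Apps"   # assumed text
    PrincipalId      = $user.Id
    RoleDefinitionId = $role.Id
    DirectoryScopeId = "/"                           # tenant-wide scope
    ScheduleInfo     = @{
        StartDateTime = [datetime]"2024-08-04T00:00:00Z"
        Expiration    = @{
            Type        = "AfterDateTime"            # eligibility window ends on a fixed date
            EndDateTime = [datetime]"2024-08-08T00:00:00Z"
        }
    }
}
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $eligibilityParams
Disconnect-MgGraph

# --- Part 2: Grady, signed in as himself, ACTIVATES the eligible role for 8 hours ---
Connect-MgGraph -Scopes "RoleAssignmentSchedule.ReadWrite.Directory","RoleManagement.Read.Directory","User.Read"
$myId = (Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/me").id
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Cloud App Security Administrator'"

$activationParams = @{
    Action           = "selfActivate"
    Justification    = "Configure Defender for Cloud Apps policies (ticket id placeholder)"  # assumed text
    PrincipalId      = $myId
    RoleDefinitionId = $role.Id
    DirectoryScopeId = "/"
    ScheduleInfo     = @{
        StartDateTime = (Get-Date).ToUniversalTime()
        Expiration    = @{ Type = "AfterDuration"; Duration = "PT8H" }   # ISO 8601 duration: 8 hours
    }
}
New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $activationParams

# Verify: list Grady's currently active role instances (the eligible role should now appear,
# with an endDateTime about 8 hours from now).
Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -Filter "principalId eq '$myId'" |
    Select-Object RoleDefinitionId, AssignmentType, StartDateTime, EndDateTime
```

If the role's PIM settings require MFA or approval, the selfActivate request is created in a pending state and only becomes an active assignment once that requirement is satisfied.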
Azure PIM and its Just-In-Time access feature are essential for organizations looking to enhance their security posture. By allowing temporary access to sensitive resources, organizations can minimize the risk of unauthorized access while ensuring that users have the permissions they need to perform their tasks effectively.