Prerequisites for configuring Azure AD PIM
One aspect that you need to understand before you can enable and use Azure AD PIM is its licensing. To use Azure AD PIM, you need either an Azure AD Premium P2 license or an EMS E5 license, but how do you decide how many licenses are needed? Here is the answer.
The total number of Azure AD Premium P2 licenses needed should equal the total number of users performing any of the following activities:
- Users assigned as eligible to Azure AD or Azure roles managed using PIM
- Users who are assigned as eligible members or owners of privileged access groups
- Users who approve or reject role activation requests in PIM
- Users assigned to an access review
- Users who perform access reviews
Another thing to keep in mind is that an Azure AD Premium P2 license is not needed for users who only set up and configure PIM, configure access policies, receive alerts, or set up access reviews for role assignments.
Let us understand this with an example. Assume there are 11 employees in an organization, of which 1 is a Global Administrator. Of the remaining 10 employees, 2 are assigned as approvers for role activation requests and 4 administrators are managed through Privileged Identity Management. In this situation, we need 6 Azure AD Premium P2 licenses.
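The counting rule above can be applied mechanically: a user needs a P2 license if they appear in any of the five licensed categories, a user who appears in several categories still counts once, and users who only configure PIM are excluded. The following is an added example (not code from the original article); the activity labels and the user records are constructed, and the first scenario reproduces the article's 11-employee case. It also goes one step beyond the text by showing that a user who is both eligible and an approver consumes a single license.

```python
"""Count Azure AD Premium P2 licenses needed for PIM.

Added example, not part of the original article. Activity labels are
assumptions chosen to mirror the article's five licensed categories.
"""
from dataclasses import dataclass, field

# Activities that require a P2 license (one per distinct user).
LICENSED_ACTIVITIES = {
    "eligible_role",    # eligible for an Azure AD or Azure role managed by PIM
    "eligible_group",   # eligible member or owner of a privileged access group
    "approver",         # approves or rejects role activation requests
    "review_subject",   # assigned to an access review
    "reviewer",         # performs access reviews
}

# Activities that do NOT require a P2 license on their own.
UNLICENSED_ACTIVITIES = {"configure_pim", "receive_alerts", "setup_reviews"}

KNOWN_ACTIVITIES = LICENSED_ACTIVITIES | UNLICENSED_ACTIVITIES


@dataclass
class User:
    name: str
    activities: set = field(default_factory=set)

    def __post_init__(self):
        # Reject typos in activity labels rather than silently undercounting.
        unknown = self.activities - KNOWN_ACTIVITIES
        if unknown:
            raise ValueError(f"{self.name}: unknown activities {sorted(unknown)}")


def users_needing_p2(users):
    """Return the set of user names that require a P2 license.

    Using a set guarantees a user in several licensed categories is counted once.
    """
    return {u.name for u in users if u.activities & LICENSED_ACTIVITIES}


def p2_license_count(users):
    return len(users_needing_p2(users))


# Constructed sample reproducing the article's scenario: 11 employees, one
# Global Administrator who only configures PIM, 2 approvers, 4 administrators
# managed (eligible) through PIM, and 4 staff with no PIM involvement.
ARTICLE_SCENARIO = (
    [User("ga", {"configure_pim", "setup_reviews"})]
    + [User(f"approver{i}", {"approver"}) for i in range(1, 3)]
    + [User(f"admin{i}", {"eligible_role"}) for i in range(1, 5)]
    + [User(f"staff{i}") for i in range(1, 5)]
)

# Constructed variant: admin1 is both eligible and an approver; the GA only
# configures PIM. Only one license is needed.
OVERLAP_SCENARIO = [
    User("admin1", {"eligible_role", "approver"}),
    User("ga", {"configure_pim"}),
]

if __name__ == "__main__":
    print(p2_license_count(ARTICLE_SCENARIO))   # 6
    print(p2_license_count(OVERLAP_SCENARIO))   # 1
```

In practice the user records would be pulled from the tenant's PIM eligible assignments, approver settings and access review definitions; the counting logic stays the same.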
While we are on the subject of licensing, note also that for Azure AD roles, only a Global Administrator or a user holding the Privileged Role Administrator role can manage role assignments for other users.
For Azure resource roles, only a subscription administrator, resource owner, or resource User Access Administrator can manage access for other administrators.
Privileged Role Administrators can manage role assignments in Azure AD and all aspects of Azure AD PIM.
How to Configure Azure AD PIM
We have discussed the license requirements for the users who use Privileged Identity Management to request, approve, and use elevated roles. Let's understand these types of users before we dive into how to configure PIM. So we have the –
- PIM Admins – This is usually the first person who activates Privileged Identity Management and provides consent. Generally speaking, the Global Administrator performs this task. That person is already the Global Administrator and, on activation, also becomes a member of the Security Administrators group and a Privileged Role Administrator. Users with the Security Administrator role have the authority to manage all security aspects of Azure AD and related Azure AD services. Privileged Role Administrators can manage role assignments in PIM and make users eligible for Azure AD admin roles.
- Approvers – These users have the authority to approve or deny role activation requests submitted by users through PIM.
- Access Reviewers – These users have been assigned the task of performing access reviews of the privileged role assignments granted to users via PIM.
- Eligible Role Users – These users also need a license in order to become eligible for an admin role via PIM.
Below are the steps for enabling Privileged Identity Management on the directory:
Step-1: Sign in to the Azure Portal as a Global Administrator. Click on Azure Active Directory.
Step-2: Click on Licenses in the left-hand menu.
Step-3: In the panel that appears on the right-hand side, click on Activate under Azure AD Premium P2.
Option 1 – After Azure AD PIM has been enabled, go to Home and, under Search resources, search for Privileged Identity Management.
Option 2 – Alternatively, type Privileged Identity Management in the search bar and click on the Privileged Identity Management entry that appears in the search results.