Microsoft PIM
Throughout Microsoft, there are employees who require elevated access to Microsoft Online Services, Microsoft Azure, and on-premises services that they own, manage, or support. We wanted to better manage privileged identities and monitor elevated access for cloud resources. Azure Active Directory uses administrative roles to control access to various features within the tenant.

Both Azure Active Directory administrative roles and Azure administrative roles can be assigned and remain inactive until needed. Identity management at Microsoft encompasses all processes and tools used to manage the lifecycle of all identities for all our corporate employees. Of the roughly , identities that we currently manage at Microsoft, there are approximately 10, on-premises accounts and Azure AD accounts of users who require elevated access to data and services.

When we started using PIM, we did an attestation to reduce the number of individual users who might need individual assignments. Since then, we have reduced the number of users who are candidates for global administrator by 83 percent, and removed all persistent users except for a break-glass account from the global-administrator role.

Privileged Identity Management focuses on the tools and processes we use for a subset of users that have administrative—or elevated—access to on-premises and cloud-hosted data and services at Microsoft. There are a couple of obvious ways we can look at reducing the risks, or attack surface, of elevated access—by reducing the number of accounts or the duration that an account has elevated access.

At Microsoft, the only people who are authorized to assign others to roles are Privileged Role Administrators. We monitor unauthorized assignment of roles, and the addition of users who are not authorized to be assigned to roles. If anyone else tries to assign a role, it is automatically flagged as a violation of role-assignment policy. Typically, the more elevated access a privileged role has, the more rigorously we protect it.
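The policy described above (only Privileged Role Administrators may assign roles, and only attested candidates may receive them) is the kind of rule a detection engineer would run over role-assignment audit events. The following is an added example, not Microsoft's tooling: the event field names are loosely modelled on audit-log records, and the administrator set, candidate lists and sample events are constructed for the illustration.

```python
from __future__ import annotations

from dataclasses import dataclass

# Constructed policy inputs (assumptions for this example, not values from the page).
PRIVILEGED_ROLE_ADMINS = {"pra-alice@contoso.example", "pra-bob@contoso.example"}
# Users who passed attestation as candidates for each role.
ROLE_CANDIDATES = {
    "Global Administrator": {"breakglass@contoso.example", "carol@contoso.example"},
    "Exchange Administrator": {"dave@contoso.example"},
}
# Audit activities that create a role assignment (activity names are assumptions,
# loosely modelled on Azure AD audit-log activity names).
ROLE_ASSIGNMENT_ACTIVITIES = {"Add member to role", "Add eligible member to role"}


@dataclass
class Finding:
    event_id: str
    reason: str


def evaluate_event(event: dict) -> list[Finding]:
    """Return the policy violations for one audit event (empty list if compliant).

    Two rules from the process described in the text:
      1. only a Privileged Role Administrator may assign a role;
      2. the target must be an attested candidate for that role.
    """
    if event.get("activityDisplayName") not in ROLE_ASSIGNMENT_ACTIVITIES:
        return []  # not a role assignment, nothing to check
    findings: list[Finding] = []
    initiator, role, target = event["initiatedBy"], event["role"], event["targetUser"]
    if initiator not in PRIVILEGED_ROLE_ADMINS:
        findings.append(Finding(event["id"], f"initiator {initiator} is not a Privileged Role Administrator"))
    if target not in ROLE_CANDIDATES.get(role, set()):
        findings.append(Finding(event["id"], f"target {target} is not an attested candidate for {role}"))
    return findings


def evaluate_events(events: list[dict]) -> list[Finding]:
    """Run the policy over a batch of events and collect every violation."""
    return [f for event in events for f in evaluate_event(event)]


# Constructed sample events (not real audit data).
SAMPLE_EVENTS = [
    {"id": "evt-1", "activityDisplayName": "Add eligible member to role",
     "initiatedBy": "pra-alice@contoso.example", "role": "Exchange Administrator",
     "targetUser": "dave@contoso.example"},
    {"id": "evt-2", "activityDisplayName": "Add member to role",
     "initiatedBy": "eve@contoso.example", "role": "Global Administrator",
     "targetUser": "carol@contoso.example"},
    {"id": "evt-3", "activityDisplayName": "Add member to role",
     "initiatedBy": "pra-bob@contoso.example", "role": "Global Administrator",
     "targetUser": "mallory@contoso.example"},
    {"id": "evt-4", "activityDisplayName": "Update user",
     "initiatedBy": "eve@contoso.example", "role": None,
     "targetUser": "carol@contoso.example"},
    {"id": "evt-5", "activityDisplayName": "Add eligible member to role",
     "initiatedBy": "eve@contoso.example", "role": "Exchange Administrator",
     "targetUser": "mallory@contoso.example"},
]

if __name__ == "__main__":
    for finding in evaluate_events(SAMPLE_EVENTS):
        print(f"{finding.event_id}: {finding.reason}")
```

Only evt-1 is compliant; evt-4 is ignored because it is not a role assignment, and evt-5 trips both rules at once, which is why the second rule is worth keeping even when the initiator check already fires: a compromised administrator account would pass the first check and still be caught by the attestation list.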

At the front end of the process, the review board spends more time evaluating requests for more privileged roles.

The employee request process requires multiple levels of approval. After the request is approved, we can require tighter controls, including multifactor authentication or physical credentials, like smart cards. We also set shorter access durations through just-in-time (JIT) access.

We can also monitor access, audit account elevations, and receive additional alerts through a management dashboard in the Azure portal. Elevated access includes job roles that need greater access, including support, resource administrators, resource owners, service administrators, and global administrators. We manage role-based access at the resource level.

At Microsoft, when an individual joins a team or changes teams, they might need administrative rights for their new business role.

Privileged Identity Management in Azure AD: Azure AD Privileged Identity Management enables you to limit standing admin access to privileged roles, discover who has access, and review privileged access. Manage least privilege access: enforce the principle of least privilege by periodically reviewing, renewing, and extending access to resources.

Note: When a user who is active in a privileged role in an Azure AD organization with a Premium P2 license goes to Roles and administrators in Azure AD and selects a role, or even just visits Privileged Identity Management, we automatically enable PIM for the organization. Their experience is now that they can assign either a "regular" role assignment or an eligible role assignment. When PIM is enabled, it doesn't have any other effect on your organization that you need to worry about.

Eligible: A role assignment that requires a user to perform one or more actions to use the role.

If a user has been made eligible for a role, that means they can activate the role when they need to perform privileged tasks. There's no difference in the access given to someone with a permanent versus an eligible role assignment. The only difference is that some people don't need that access all the time.

Active: A role assignment that doesn't require a user to perform any action to use the role.
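The eligible/active distinction and the JIT controls described earlier (MFA, approvals, shorter durations, a single persistent break-glass account) can be modelled as a small state machine. This is an added example, not Azure AD PIM's implementation; the per-role approval counts, maximum activation windows, user names and timestamps are constructed assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed policy (assumption): the more privileged the role, the more
# approvals it needs and the shorter its maximum activation window.
ROLE_POLICY = {
    "Global Administrator": {"approvals": 2, "max_hours": 4},
    "Exchange Administrator": {"approvals": 1, "max_hours": 8},
}


@dataclass
class Activation:
    user: str
    role: str
    expires_at: datetime | None  # None = persistent assignment (break-glass only)


class PimTenant:
    """Tracks eligible assignments and time-bound activations for one tenant."""

    def __init__(self) -> None:
        self.eligible: set[tuple[str, str]] = set()
        self.active: list[Activation] = []

    def make_eligible(self, user: str, role: str) -> None:
        """Eligible: the user must activate before the role grants anything."""
        self.eligible.add((user, role))

    def add_persistent(self, user: str, role: str) -> None:
        """Persistent active assignment; reserved for the break-glass account."""
        self.active.append(Activation(user, role, None))

    def activate(self, user: str, role: str, *, mfa_verified: bool,
                 approvals: int, hours: int, now: datetime) -> Activation:
        """JIT activation: checks eligibility, MFA, approvals and the duration cap."""
        policy = ROLE_POLICY[role]
        if (user, role) not in self.eligible:
            raise PermissionError(f"{user} is not eligible for {role}")
        if not mfa_verified:
            raise PermissionError("multifactor authentication is required to activate")
        if approvals < policy["approvals"]:
            raise PermissionError(f"{role} needs {policy['approvals']} approvals, got {approvals}")
        if hours > policy["max_hours"]:
            raise ValueError(f"{role} activations are capped at {policy['max_hours']} hours")
        activation = Activation(user, role, now + timedelta(hours=hours))
        self.active.append(activation)
        return activation

    def has_role(self, user: str, role: str, now: datetime) -> bool:
        """Persistent and unexpired JIT assignments grant identical access."""
        return any(
            a.user == user and a.role == role and (a.expires_at is None or now < a.expires_at)
            for a in self.active
        )

    def expire(self, now: datetime) -> int:
        """Drop expired activations; returns how many were removed."""
        before = len(self.active)
        self.active = [a for a in self.active if a.expires_at is None or now < a.expires_at]
        return before - len(self.active)


def run_scenario() -> dict[str, object]:
    """Walk through the lifecycle with constructed users and return the observed outcomes."""
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    ga = "Global Administrator"
    tenant = PimTenant()
    tenant.add_persistent("breakglass@contoso.example", ga)
    tenant.make_eligible("carol@contoso.example", ga)

    results: dict[str, object] = {}
    results["eligible_only"] = tenant.has_role("carol@contoso.example", ga, t0)
    tenant.activate("carol@contoso.example", ga, mfa_verified=True, approvals=2, hours=2, now=t0)
    results["after_activation"] = tenant.has_role("carol@contoso.example", ga, t0 + timedelta(hours=1))
    results["after_expiry"] = tenant.has_role("carol@contoso.example", ga, t0 + timedelta(hours=3))
    results["expired_count"] = tenant.expire(t0 + timedelta(hours=3))
    results["breakglass"] = tenant.has_role("breakglass@contoso.example", ga, t0 + timedelta(days=30))

    # Activations that the policy must reject, recorded by exception type.
    attempts = [
        ("no_mfa", "carol@contoso.example", dict(mfa_verified=False, approvals=2, hours=1)),
        ("one_approval", "carol@contoso.example", dict(mfa_verified=True, approvals=1, hours=1)),
        ("too_long", "carol@contoso.example", dict(mfa_verified=True, approvals=2, hours=6)),
        ("not_eligible", "dave@contoso.example", dict(mfa_verified=True, approvals=2, hours=1)),
    ]
    rejected: dict[str, str] = {}
    for label, user, kwargs in attempts:
        try:
            tenant.activate(user, ga, now=t0, **kwargs)
        except (PermissionError, ValueError) as exc:
            rejected[label] = type(exc).__name__
    results["rejected"] = rejected
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point the model makes concrete is the sentence above it: once activated, Carol's access is indistinguishable from the break-glass account's, and the only thing that separates them is `expires_at`. Everything that reduces risk here (MFA, approvals, the duration cap, the attestation that produced the eligible list) happens before the activation is appended, which is also where a detection rule would want to see the audit event.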
