Create custom Privileged Identity Management (PIM) group with approver

Description

This guide walks through the process of creating a custom PIM group whose members are eligible to elevate and become Global Administrator. It also shows how to make an approver a required step in the elevation process.

Create groups

  1. Create 2 standard assigned groups in Entra ID and call them: SEC_PIM_GA_Eligible and SEC_PIM_GA_Approver
  2. Create 1 assigned group in Entra ID that is enabled for Entra roles (role-assignable). Call it: SEC_PIM_GA

     During creation of this group, assign it the Global Administrator role. Note that a group can only be made role-assignable at creation time, and that creating it requires a Global Administrator or Privileged Role Administrator.
  3. You now have 3 groups

Enable groups for PIM

  1. Go to the group you created called: SEC_PIM_GA_Eligible
  2. Go to the Privileged Identity Management section within the group
  3. Enable PIM for this group

Setup PIM for the group that holds the role

  1. Go to the group you created called: SEC_PIM_GA
  2. Go to the Privileged Identity Management section within the group
  3. Select Add Assignments
  4. Add the eligible group (SEC_PIM_GA_Eligible) as member. Select Next
  5. Set the membership type to Eligible and note the suggested expiration date (one year by default). Complete the assignment.

Configure approver for the group that holds the role

  1. Still on the group called SEC_PIM_GA, under the PIM section, press Settings
  2. Select Member
  3. Edit the settings: limit the activation duration to 2 hours, require MFA on activation, and require approval, selecting SEC_PIM_GA_Approver as the approver group.
  4. On the next page, leave everything at default (notice that this is where you can allow permanent eligible assignments)
  5. On the notification page, configure as you need.
  6. Hit the Update button to complete the changes

Assign members to the eligible- and approver group

Once the setup is complete, it is time to give members the ability to elevate.

  1. Go to the group in Entra ID called: SEC_PIM_GA_Eligible
  2. Under Members, add needed users as direct members.
  3. Go to the group in Entra ID called: SEC_PIM_GA_Approver
  4. Add the users who approve PIM requests as direct members of this group. Note that the same user can be both eligible for elevation and an approver at the same time, but that user is not allowed to approve their own requests, so at least one other approver is required for the approval flow to work.
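The five sections above, done with the Microsoft Graph PowerShell SDK instead of the portal. This is an added example and not part of the original article. Group names follow the article; the two user object IDs ($requesterId, $approverId), the eligibility duration, and the approval stage time-out are assumed values. The session must be a Global Administrator or Privileged Role Administrator, since it creates a role-assignable group and assigns Global Administrator to it.

```powershell
# Added example (not from the original article): PIM-for-groups setup via Microsoft Graph PowerShell.
# $requesterId and $approverId are assumed placeholders for two different users in your tenant.
$requesterId = '00000000-0000-0000-0000-000000000001'   # assumed: user who may elevate
$approverId  = '00000000-0000-0000-0000-000000000002'   # assumed: user who approves (not the requester)

Connect-MgGraph -Scopes 'Group.ReadWrite.All',
                        'RoleManagement.ReadWrite.Directory',
                        'PrivilegedAccess.ReadWrite.AzureADGroup',
                        'RoleManagementPolicy.ReadWrite.AzureADGroup'

# 1. Two plain groups and one role-assignable group. IsAssignableToRole can only be
#    set at creation time; an existing group cannot be converted later.
$eligible = New-MgGroup -DisplayName 'SEC_PIM_GA_Eligible' -MailNickname 'SEC_PIM_GA_Eligible' -SecurityEnabled -MailEnabled:$false
$approver = New-MgGroup -DisplayName 'SEC_PIM_GA_Approver' -MailNickname 'SEC_PIM_GA_Approver' -SecurityEnabled -MailEnabled:$false
$gaGroup  = New-MgGroup -DisplayName 'SEC_PIM_GA'          -MailNickname 'SEC_PIM_GA'          -SecurityEnabled -MailEnabled:$false -IsAssignableToRole

# 2. Permanent (active) Global Administrator assignment for SEC_PIM_GA.
#    62e90394-69f5-4237-9190-012177145e10 is the fixed role template ID of Global Administrator.
New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $gaGroup.Id `
    -RoleDefinitionId '62e90394-69f5-4237-9190-012177145e10' -DirectoryScopeId '/'

# 3. SEC_PIM_GA_Eligible becomes an *eligible* member of SEC_PIM_GA (the "Add assignments" step).
#    Creating the first schedule request is what onboards the group to PIM.
New-MgIdentityGovernancePrivilegedAccessGroupEligibilityScheduleRequest -BodyParameter @{
    accessId      = 'member'
    principalId   = $eligible.Id
    groupId       = $gaGroup.Id
    action        = 'adminAssign'
    justification = 'Members of SEC_PIM_GA_Eligible may activate Global Administrator through SEC_PIM_GA'
    scheduleInfo  = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString('o')
        expiration    = @{ type = 'afterDuration'; duration = 'P365D' }   # assumed: one year, as the portal suggests
    }
}

# 4. Activation settings of the "member" role of SEC_PIM_GA: 2-hour maximum,
#    MFA + justification on activation, approval by members of SEC_PIM_GA_Approver.
$policyId = (Get-MgPolicyRoleManagementPolicyAssignment -Filter `
    "scopeId eq '$($gaGroup.Id)' and scopeType eq 'Group' and roleDefinitionId eq 'member'").PolicyId
$endUser = @{ caller = 'EndUser'; operations = @('all'); level = 'Assignment'
              inheritableSettings = @(); enforcedSettings = @() }
$rules = @(
    @{ '@odata.type' = '#microsoft.graph.unifiedRoleManagementPolicyExpirationRule'
       id = 'Expiration_EndUser_Assignment'; target = $endUser
       isExpirationRequired = $true; maximumDuration = 'PT2H' },
    @{ '@odata.type' = '#microsoft.graph.unifiedRoleManagementPolicyEnablementRule'
       id = 'Enablement_EndUser_Assignment'; target = $endUser
       enabledRules = @('MultiFactorAuthentication', 'Justification') },
    @{ '@odata.type' = '#microsoft.graph.unifiedRoleManagementPolicyApprovalRule'
       id = 'Approval_EndUser_Assignment'; target = $endUser
       setting = @{
           isApprovalRequired = $true; isApprovalRequiredForExtension = $false
           isRequestorJustificationRequired = $true; approvalMode = 'SingleStage'
           approvalStages = @(@{
               approvalStageTimeOutInDays = 1; isApproverJustificationRequired = $true   # assumed: 1-day time-out
               escalationTimeInMinutes = 0; isEscalationEnabled = $false; escalationApprovers = @()
               primaryApprovers = @(@{ '@odata.type' = '#microsoft.graph.groupMembers'; groupId = $approver.Id })
           })
       } }
)
foreach ($rule in $rules) {
    Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
        -UnifiedRoleManagementPolicyRuleId $rule.id -BodyParameter $rule
}

# 5. Direct members: who may request and who may approve. PIM refuses self-approval,
#    so the approver group needs at least one user who is not the requester.
New-MgGroupMember -GroupId $eligible.Id -DirectoryObjectId $requesterId
New-MgGroupMember -GroupId $approver.Id -DirectoryObjectId $approverId
```

The policy lookup in step 4 is filtered on roleDefinitionId eq 'member'; the group has a second, separate policy for 'owner' that this script leaves untouched. Read the rules back with Get-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId before trusting the portal view.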

Validate the configuration

  1. Go to PIM
  2. Go to My roles, then Groups. Notice that you are an eligible member and can activate the membership now.
  3. Activate and write a justification.
  4. Notice in the top right corner that the approval flow has started
  5. The approver will see the pending request under Groups in the Approve requests section
  6. The approver must also write a justification when granting the request.
  7. The requester is now an active member of the group, and thereby Global Administrator, for 2 hours
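The same validation driven from PowerShell as the eligible user, as an added example that is not part of the original article. It raises the activation request through Graph, waits while the request is pending, and then checks the resulting active membership and its end time. The approval itself is still done by a member of SEC_PIM_GA_Approver in the portal, as described above; the 30-second poll interval is an assumed value.

```powershell
# Added example (not from the original article): self-activate via Graph and confirm the outcome.
# Run as a user who is a direct member of SEC_PIM_GA_Eligible.
Connect-MgGraph -Scopes 'PrivilegedAccess.ReadWrite.AzureADGroup', 'User.Read'
$meId    = (Get-MgUser -UserId (Get-MgContext).Account).Id
$gaGroup = Get-MgGroup -Filter "displayName eq 'SEC_PIM_GA'"

# Activation request. The policy enforces the 2-hour cap, so asking for more than PT2H is rejected,
# and a session without MFA is rejected as well.
$req = New-MgIdentityGovernancePrivilegedAccessGroupAssignmentScheduleRequest -BodyParameter @{
    accessId      = 'member'
    principalId   = $meId
    groupId       = $gaGroup.Id
    action        = 'selfActivate'
    justification = 'Validating the SEC_PIM_GA approval flow'
    scheduleInfo  = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString('o')
        expiration    = @{ type = 'afterDuration'; duration = 'PT2H' }
    }
}
"Request $($req.Id) status: $($req.Status)"   # PendingApproval until an approver acts

# Wait for the approver. Provisioned means the membership is live; anything else means
# the request was denied, timed out, or failed.
do {
    Start-Sleep -Seconds 30   # assumed poll interval
    $req = Get-MgIdentityGovernancePrivilegedAccessGroupAssignmentScheduleRequest `
        -PrivilegedAccessGroupAssignmentScheduleRequestId $req.Id
} while ($req.Status -eq 'PendingApproval')
"Final status: $($req.Status)"

# The active instance should show an EndDateTime roughly 2 hours after approval.
Get-MgIdentityGovernancePrivilegedAccessGroupAssignmentScheduleInstance `
    -Filter "groupId eq '$($gaGroup.Id)' and principalId eq '$meId'" |
    Select-Object AccessId, AssignmentType, MemberType, StartDateTime, EndDateTime
```

A useful negative check is to submit the same request with duration PT3H: the policy rule Expiration_EndUser_Assignment (maximumDuration PT2H) causes Graph to reject it, which confirms the setting is enforced server-side and not only in the portal UI.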

Special note regarding usage of PIM with emergency access accounts

I wrote an article about configuring emergency access accounts. That article describes a third account that can elevate through PIM with an approver required but without MFA. That setup requires that MFA is not required on activation, and that the eligible membership does not expire (an expired eligibility would leave PIM unusable exactly when it is needed in an emergency). See: Manage emergency access accounts in Microsoft Entra ID (Break glass) – Christoffer Klarskov Jakobsen – Microsoft Architect (chkja.dk)
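The two policy changes that break-glass setup needs, plus the non-expiring eligibility, as an added example that is not part of this article or the linked one. It assumes a separate role-assignable group SEC_PIM_GA_BreakGlass (already created with the Global Administrator role, as in the setup above) and the object ID of the emergency account in $breakGlassId; relaxing MFA on SEC_PIM_GA itself would drop the requirement for every eligible member, which is why a separate group is used here. Approval is configured exactly as in the setup example and is not repeated.

```powershell
# Added example (not from the original article): break-glass variant of the member-role policy.
# SEC_PIM_GA_BreakGlass and $breakGlassId are assumed.
$breakGlassId = '00000000-0000-0000-0000-000000000003'   # assumed: emergency access account object ID
Connect-MgGraph -Scopes 'Group.Read.All', 'PrivilegedAccess.ReadWrite.AzureADGroup', 'RoleManagementPolicy.ReadWrite.AzureADGroup'
$bgGroup  = Get-MgGroup -Filter "displayName eq 'SEC_PIM_GA_BreakGlass'"
$policyId = (Get-MgPolicyRoleManagementPolicyAssignment -Filter `
    "scopeId eq '$($bgGroup.Id)' and scopeType eq 'Group' and roleDefinitionId eq 'member'").PolicyId

# Change 1: activation requires justification only; no MFA, so the account still works when the
# MFA method is what is broken. Approval remains as the compensating control.
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId 'Enablement_EndUser_Assignment' -BodyParameter @{
        '@odata.type' = '#microsoft.graph.unifiedRoleManagementPolicyEnablementRule'
        id            = 'Enablement_EndUser_Assignment'
        enabledRules  = @('Justification')
        target        = @{ caller = 'EndUser'; operations = @('all'); level = 'Assignment'
                           inheritableSettings = @(); enforcedSettings = @() }
    }

# Change 2: allow permanent *eligible* assignments (the "permanent assignments" toggle on the
# second settings page). This must be done before the non-expiring eligibility below, or the
# request is rejected.
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId 'Expiration_Admin_Eligibility' -BodyParameter @{
        '@odata.type'        = '#microsoft.graph.unifiedRoleManagementPolicyExpirationRule'
        id                   = 'Expiration_Admin_Eligibility'
        isExpirationRequired = $false
        maximumDuration      = 'P365D'
        target               = @{ caller = 'Admin'; operations = @('all'); level = 'Eligibility'
                                  inheritableSettings = @(); enforcedSettings = @() }
    }

# The emergency account is eligible directly (no intermediate group) and never expires.
New-MgIdentityGovernancePrivilegedAccessGroupEligibilityScheduleRequest -BodyParameter @{
    accessId      = 'member'
    principalId   = $breakGlassId
    groupId       = $bgGroup.Id
    action        = 'adminAssign'
    justification = 'Emergency access account: permanent eligibility, activation with approval and no MFA'
    scheduleInfo  = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString('o')
        expiration    = @{ type = 'noExpiration' }
    }
}
```

Because the approver group is the only gate left on this path, keep it tightly controlled and review its membership together with the emergency accounts themselves; if the approver stage times out, the emergency account cannot elevate at all, so the approvalStageTimeOutInDays value and approver notifications deserve a test before you rely on them.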
