During the past 12-18 months, security has become an even bigger topic, especially as companies look to secure their resources now that their end users and IT teams are, in some cases, working remotely. One feature most IT admin teams should be looking to leverage, if you have an Azure AD P2 licence available, is Azure AD Privileged Identity Management (PIM).

This article is not about the benefits of AAD PIM, or how to deploy it, but about a specific scenario and a gotcha you need to be aware of.

In this scenario, the AAD tenant has already had some security enhancements configured, one of which prevents standard end-user accounts from accessing the Azure AD portal. This is controlled by the following setting:

This effectively stops any non-admin account from accessing the Azure AD portal, which is especially useful when you want to help prevent user detail leakage, reconnaissance attacks, etc.

With Azure AD PIM deployed, an IT admin (or anyone else that needs to use a privileged account) would have a separate “admin” account that has no privileged roles permanently assigned to it, but is eligible for a role under the PIM configuration.

To activate the PIM role, they would need to access the Azure Active Directory admin center.

This is blocked by the configuration setting mentioned above, and the user would receive this screen when trying to access the PIM portal to activate a role.

There are three options, but only two of them offer a least privilege solution:

  1. Give all accounts that need to activate a role the Directory Readers role, permanently assigned by default. This would allow them to access the AAD portal to activate their additional PIM roles.
  2. Use a PowerShell script to activate the role – remember, PowerShell access is not blocked by the setting that blocks standard user access to the AAD GUI.
  3. Remove the setting that blocks standard users from accessing the AAD portal.

My recommendation would be to go for option 1 or 2, but I am hoping that Microsoft addresses this issue and will allow accounts that have eligible PIM roles assigned to them to access the PIM portal even when standard users are blocked from accessing it.

I will keep you updated on any developments from Microsoft.

If you want to use a PowerShell script, this is one that I found on GitHub, and it is pretty cool:

Activate-PimRoles/Activate-PIMRole.ps1 at master · MCSMLab/Activate-PimRoles · GitHub
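For readers who would rather see the mechanics of option 2 than pull a third-party script, here is an added example of activating an eligible PIM role from PowerShell. It is not the MCSMLab script linked above and not Microsoft's code; it assumes the Microsoft Graph PowerShell SDK (the Microsoft.Graph.Authentication, Microsoft.Graph.Users and Microsoft.Graph.Identity.Governance modules) is installed, that the signed-in "admin" account holds an eligible PIM assignment for the role named in `-RoleDisplayName`, and the function name, role name and justification text are placeholders. Because it goes through the Graph API rather than the portal, the "restrict access to the Azure AD administration portal" setting described in the post does not get in the way.

```powershell
# Added example (not the MCSMLab script from the post). Assumes the Microsoft Graph
# PowerShell SDK is installed and the caller is eligible for the named role in PIM.
function Request-PimRoleActivation {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $RoleDisplayName,          # e.g. 'User Administrator' (placeholder)
        [Parameter(Mandatory)] [string] $Justification,            # lands in the PIM audit log
        [ValidatePattern('^PT\d+H$')] [string] $Duration = 'PT1H'  # ISO 8601 duration; keep activations short
    )

    # Delegated scopes: read own eligibility, submit a self-activation request, read own user object.
    Connect-MgGraph -Scopes 'RoleEligibilitySchedule.Read.Directory',
                            'RoleAssignmentSchedule.ReadWrite.Directory',
                            'User.Read'

    # Resolve the signed-in principal; no portal access needed for this.
    $me = Get-MgUser -UserId (Get-MgContext).Account -Property Id,UserPrincipalName

    # Only roles this account is *eligible* for can be self-activated.
    $eligible = Get-MgRoleManagementDirectoryRoleEligibilitySchedule `
        -Filter "principalId eq '$($me.Id)'" -ExpandProperty RoleDefinition

    $target = $eligible |
        Where-Object { $_.RoleDefinition.DisplayName -eq $RoleDisplayName } |
        Select-Object -First 1
    if (-not $target) {
        throw "No eligible PIM assignment for '$RoleDisplayName' found for $($me.UserPrincipalName)."
    }

    # selfActivate = the same request the PIM portal submits; time-bound by ScheduleInfo.
    $body = @{
        Action           = 'selfActivate'
        PrincipalId      = $me.Id
        RoleDefinitionId = $target.RoleDefinitionId
        DirectoryScopeId = $target.DirectoryScopeId     # '/' for tenant-wide eligibility
        Justification    = $Justification
        ScheduleInfo     = @{
            StartDateTime = (Get-Date).ToUniversalTime()
            Expiration    = @{ Type = 'AfterDuration'; Duration = $Duration }
        }
    }

    if ($PSCmdlet.ShouldProcess("$RoleDisplayName for $($me.UserPrincipalName)", 'Activate PIM role')) {
        $request = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $body
        # Status is 'Provisioned' once active, or 'PendingApproval' if the role's PIM policy requires approval.
        [pscustomobject]@{
            Role      = $RoleDisplayName
            Status    = $request.Status
            RequestId = $request.Id
            ExpiresIn = $Duration
        }
    }
}

# Usage (role name and justification are placeholders):
# Request-PimRoleActivation -RoleDisplayName 'User Administrator' `
#     -Justification 'INC-0000: reset MFA for a user' -Duration 'PT2H'
```

Two points worth keeping when adapting this: the function only ever requests roles the account is already eligible for, so it cannot escalate beyond what PIM has granted, and the justification and duration are passed explicitly so the activation shows up in the PIM audit log with the same context an approver would expect from a portal request. If your PIM policy requires MFA on activation, the Graph sign-in will prompt for it just as the portal would.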