
Protect the keys to your kingdom with Privileged Identity Management

Session BRK3248, presented by Steve Lieberman, Microsoft Program Manager, and Justin Hughes, Dow Chemical Company Lead Architect Specialist.





Presentation Transcript


  1. Protect the keys to your kingdom with Privileged Identity Management
  Steve Lieberman, Microsoft Program Manager
  Justin Hughes, Dow Chemical Company Lead Architect Specialist
  BRK3248

  2. What administration is like
  • Without PIM
  • With PIM

  3. Azure AD Privileged Identity Management
  Protect and control privileged access to your organization
  • Privileged Admin Workflow
  • Audit-ready
  • Just Enough Access
  • Just in Time Access

  4. What is Privileged Identity Management?
  Manage, control, and monitor access to important resources
  • Provide just-in-time privileged access to resources and directory
  • Assign time-bound access to resources using start/end dates
  • Require approval to activate privileged roles
  • Enforce Multi-factor Authentication to activate any role
  • Use justification to understand why users activate
  • Get notifications when privileged roles are activated
  • Conduct Access Reviews to ensure users still need roles
  • Download audit history for internal/external audit

  5. Justin Hughes, Dow Chemical Company

  6. Why we use PIM
  • O365 & Azure Cloud
  • Legacy PIM/PAM solution
  • Native integration, PowerShell
  • Just-in-time (JIT) Elevation
  • Native capabilities
  • Alerting, Access Reviews

  7. Getting Started
  • Step 1 – You are already started, you are here
  • Research – know your roles and scope
    • Global Admin, Subscription Owners, RM vs O365, Admin Portals
  • Understand your current configuration
    • Identities, Sync Config, Passwords & Authentication

  8. Planning
  • Role Based Access Controls
  • Know who and how to engage
  • Don’t lock yourself out
  • Least Privileged
  • Alignment to internal functions
  • Compliance
  • Role Owners – Validation – Audit History – Accountability – Role Config
  • Multi-Factor Authentication

  9. Implementation
  • Role Config
  • Default Role Configuration
  • Compliance
  • Ensure that it works
  • Start small and at the top
  • Do not forget break-glass
  • Get feedback and adjust
  • Role config & scope, adjust

  10. Lessons Learned
  • Enable feedback from workload
  • Educate support on tokens, browser/sessions
  • 30 Days Audit – need longer?
  • Keep up-to-date with MSFT

  11. Thank you Justin!

  12. Addressing your feedback


  14. Diagram of the Azure resource hierarchy: a Management Group containing Subscriptions 1 to 5, with Resource Groups A to E and their Resources beneath them.




  18. Diagram: the same hierarchy with role settings shown per scope. The Management Group has MFA required, a 1-hour duration and approval enforced; the Subscription and Resource Group scopes beneath it show no MFA, a 10-hour duration and no approval (the scoped-activation mismatch).

  19. Diagram: the same hierarchy with the assigned policy (MFA required, 1-hour duration, approval enforced) applied at the Management Group, Subscription and Resource Group scopes alike.


  21. Issues/feedback
  • Why does it take 10 min or more before permissions are effective in Azure AD?
    • Application access tab now in Preview
  • When will PIM support Management Groups for Azure resources?
    • In Public Preview, go try it today!
  • Scoped activation doesn’t follow the assigned policy requirements
    • Fix released in UI, API coming next week
  • I have too many roles, it’s difficult to find the one I need
    • New activate tabs in preview, short links coming next week
  • It takes 30 min or more before permissions are effective in the Exchange admin portal
    • Public preview in early November!
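The scoped-activation item above (slides 17 to 19): an added illustration, not Microsoft's or PIM's code, that models why an activation narrowed to a child scope must still be checked against the role settings of the scope where the role was assigned. The scope names, the parent tree and the policy values are constructed samples mirroring the diagram.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class RolePolicy:
    mfa_required: bool
    max_duration_hours: int
    approval_required: bool

# Constructed scope tree (child -> parent): management group > subscription > resource group.
PARENT: Dict[str, Optional[str]] = {
    "mg-contoso": None,
    "subscription-1": "mg-contoso",
    "resource-group-A": "subscription-1",
}

# Constructed role settings per scope, as drawn on slide 18.
POLICY: Dict[str, RolePolicy] = {
    "mg-contoso": RolePolicy(True, 1, True),         # MFA, 1-hour activation, approval
    "subscription-1": RolePolicy(False, 10, False),  # no MFA, 10 hours, no approval
    "resource-group-A": RolePolicy(False, 10, False),
}

def is_within(scope: str, ancestor: str) -> bool:
    """True if scope equals ancestor or lies below it in the tree."""
    current: Optional[str] = scope
    while current is not None:
        if current == ancestor:
            return True
        current = PARENT.get(current)
    return False

def check_activation(assigned_scope: str, activation_scope: str, hours: int,
                     mfa_done: bool, approved: bool,
                     follow_assignment: bool = True) -> List[str]:
    """Return the policy violations for an activation request. The settings of
    the ASSIGNED scope govern; follow_assignment=False reproduces the reported
    behaviour where the laxer settings of the narrower activation scope applied."""
    if not is_within(activation_scope, assigned_scope):
        return ["activation scope is outside the assigned scope"]
    policy = POLICY[assigned_scope if follow_assignment else activation_scope]
    problems: List[str] = []
    if policy.mfa_required and not mfa_done:
        problems.append("MFA required")
    if hours > policy.max_duration_hours:
        problems.append(f"duration {hours}h exceeds {policy.max_duration_hours}h")
    if policy.approval_required and not approved:
        problems.append("approval required")
    return problems
```

With the assigned scope's settings applied, a 10-hour activation at the resource group without MFA or approval is rejected on all three counts; resolving against the child scope instead lets it through.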

  22. Granular access control with PAM in Office 365
  Task-based access control for high-privileged tasks. Example high-risk tasks include journaling rules, transport rules and mailbox exports. Built on the same principle of zero standing access. Approvals can be set to automatic or manual.

  23. Roadmap

  24. PIM roadmap
  • Support for 3rd party MFA providers
  • API improvements including app tokens
  • PowerShell for Azure resources
  • Performance improvements
  But wait, there’s more…

  25. Microsoft Secure Score
  Insights into your security posture
  Guidance to help you secure your organization
  Check out your Identity secure score now at http://aka.ms/MyIdentitySecureScore

  26. PIM for Managed Apps
  Friday (12:45 – 1:30 PM): How to reduce DevOps risks with Azure Resource Manager – W315
  Think Salesforce / Cassandra clusters
  No standing admin access (must JIT)

  27. Resources & Go Do’s

  28. Resources
  • Newly published whitepaper with updates on how Microsoft uses PIM
    • aka.ms/PIMatMS
  • Secure administration best practice whitepaper
    • aka.ms/BreakGlass
  • Sessions to watch on-demand
    • BRK3242 Azure AD Identity Governance
    • BRK2266 Streamlining your business processes using Microsoft Graph
    • BRK3244 Modernize your identity lifecycle management with Azure AD
    • BRK3249 Granting partners access to resources using Azure AD B2B
    • BRK3274 Real-world best practices for managing Office 365 groups
    • THR3124 Azure AD Identity Governance theater session

  29. Go do’s
  • If you don’t already own Azure AD Premium P2 or EM+S E5, get it FREE FOR ONE YEAR (see me after this session)
  • Enable baseline protection for your tenant
  • Enable PIM for your AAD admins
  • Use the wizard to find out who your admins are
  • Run an access review

  30. Questions?

  31. Please evaluate this session
  Your feedback is important to us! Please evaluate this session through MyEvaluations on the mobile app or website.
  Download the app: https://aka.ms/ignite.mobileApp
  Go to the website: https://myignite.techcommunity.microsoft.com/evaluations
