WingNews logo WingNews
top | item 42337508

(no title)

epiecs | 1 year ago

You use PIM: https://learn.microsoft.com/en-us/entra/id-governance/privil...

Basically you are eligible for your admin roles but you have to activate them first. Usually there are additional checks + notifications to other admins. These permissions are also only available for a set amount of time and then you will need to re request them :)

discuss

order

sfn42|1 year ago

I don't understand the point of PIM. If some malicious actor has my token or controls my PC then what's stopping them from PIMing?

Seems to me like it wastes my time more than anything else.

epiecs|1 year ago

Good question actually! There are multiple layers that add to the security:

- Your login session as a user is normally valid for a day (~10 hours). But a pimmed session that gives you global admin permissions can be for example capped to max 1 hour.

- A normal login as a user can just require login + mfa. But if you want to PIM to certain admin roles you for example are required to use your yubikey as well. Yes it's an extra step but if your account is hacked they only have access to you as a user and not you as an admin unless they also capture your security key.

Also it creates some additional awareness for admins that they are now handling the keys of the kingdom and that the role that they just activated can do a lot of harm. In some organizations users get an admin account without fully understanding the consequences.

- It is way easier to audit. In normal circumstances a user's admin permissions are "always on". Once you start using pim you can also audit when and where additional permissions where requested. This is especially handy when you are monitoring everything and you get an alert saying "Hey sfn42 just requested global admin from a location that they normally do not request this. Can you look into this to make sure that it is legit?" With always on permissions this becomes way harder.

- Easier to manage via groups. You can have groups tied to eligible permissions and subsets of permissions. This is really handy once you start having external consultants who can request permissions via IGA (Identity Governance) policies.

Basically consultants can go to a url (https://myaccess.microsoft.com/) and request an "access package" that might contain 1 or more roles.

For example somebody who has to audit certain items in our organization can request a package that contains the needed admin roles and get automatically added to the correct groups. Once they request that package we can have automated processes (with multiple stages if needed) that first contact the teamlead of that person, and later on maybe another group of person(s) to approve that access.

These groups have access reviews done by the security team / app owner (weekly/monthly depending..) to make sure that all accesses are still needed. It is also really easy to let these permissions expire. So our auditor will have a valid account for the entire year but will have to re-request their permissions every 3 months (or whatever we choose).

This is also _really_ easy to audit :)

- When someone in our security team requests a role the rest of the team automatically receives an email so we know what is going on with our collegues :)