Using Microsoft Privileged Access Management for Just-in-Time Administration
Microsoft Privileged Access Management, which strips the privileges from a privileged account, can help achieve IT security objectives.
April 12, 2021
When it comes to IT security, there are three main objectives that organizations need to be focused on. Microsoft Privileged Access Management (PAM) can go a long way toward helping an organization to achieve them.
The three objectives are:
Zero trust security, which means that nothing is allowed to happen unless it has been specifically authorized
Least privilege access, or equipping users with the bare minimum privileges required for them to do their jobs
Minimizing the blast radius, which is another way of saying that organizations should assume that a security breach will eventually happen and take steps ahead of time to minimize the damage such an attack can do
One of the things that makes it so difficult to fully achieve the objectives listed above is the need for privileged accounts. After all, it is impossible to perform routine, day-to-day IT management tasks without the use of privileged accounts. At the same time, if attackers gain access to one of these privileged accounts, they can do massive damage to the organization.
Microsoft Privileged Access Management works by stripping the privileges from a privileged account. When an administrator needs to perform an activity that requires privileged access, the administrator must request permission to do so. Upon receiving the necessary permission (which can be granted manually or automatically), the administrator’s account receives the required permissions, but only for a limited amount of time. So, if attackers do manage to compromise a privileged account, the account is of almost no use to them because it does not have any privileges associated with it.
In a Windows Server environment, Microsoft Privileged Access Management is based on the use of a group within a separate bastion forest in Active Directory. Initially, the admin is removed from any administrative Active Directory groups, so the account is treated as a standard user rather than an administrator. When the user needs to perform a privileged operation, he or she uses either a special website or a PowerShell command to request authorization to perform it. When the request is approved, the user's account is added to a privileged group within the bastion forest, and the bastion forest issues a time-limited Kerberos Ticket Granting Ticket. The user's privileges are revoked once the ticket's time to live (TTL) expires.
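The request, approve and expire flow described above, as an added PowerShell example that is not part of the original article. It uses the MIM PAM cmdlets (MIMPAM module) and the ActiveDirectory module; the forest, group, role and account names (priv.contoso.local, CORP, CorpAdmins, alice) are hypothetical placeholders.

```powershell
# Added example of the JIT elevation flow; not code from the article.
# Requires the MIM PAM client cmdlets (MIMPAM module) and the ActiveDirectory
# module. All names below (priv.contoso.local, CORP, CorpAdmins, alice) are hypothetical.
Import-Module MIMPAM
Import-Module ActiveDirectory

$privForest = 'priv.contoso.local'   # hypothetical bastion (PRIV) forest
$roleName   = 'CorpAdmins'           # hypothetical PAM role

# --- One-time setup in the bastion forest (run by the PAM administrator) ---
# Shadow the production group and the candidate account into PRIV, then define a
# role whose membership expires after one hour (TTL is given in seconds).
$shadowGroup = New-PAMGroup -SourceGroupName 'CorpAdmins' -SourceDomain 'CORP' `
    -Credentials (Get-Credential -Message 'PRIV admin') `
    -CorpCredential (Get-Credential -Message 'CORP admin')
$candidate = New-PAMUser -SourceDomain 'CORP' -SourceAccountName 'alice'
New-PAMRole -DisplayName $roleName -Privileges $shadowGroup -TTL 3600 -Candidates $candidate | Out-Null

# --- Elevation request (run by alice, whose account holds no standing privilege) ---
# Outside an approved window the account is a plain user, so a stolen credential
# carries no administrative group membership with it.
$role = Get-PAMRoleForRequest | Where-Object { $_.DisplayName -eq $roleName }
if (-not $role) { throw "Role '$roleName' is not assignable to this account." }
New-PAMRequest -Role $role -Justification 'PLACEHOLDER change ticket: patch file server'

# --- Approval (run by a designated approver, when the role requires approval) ---
Get-PAMRequestToApprove | Set-PAMRequestToApprove -Approve

# --- Verification (alice, or an auditor) ---
# Expiring links appear as '<TTL=<seconds>,CN=...>' on the shadow group (assumed to be
# named CORP.CorpAdmins). When the counter reaches zero the membership disappears on its
# own, so revocation does not depend on anyone remembering to remove the user.
Get-ADGroup -Identity "CORP.$roleName" -Server $privForest -Properties member -ShowMemberTimeToLive |
    Select-Object -ExpandProperty member

# A fresh logon (or 'klist purge' followed by re-authentication) is needed to obtain a
# TGT that carries the new group SID; klist shows the ticket's end time, which is
# bounded by the remaining TTL.
klist tgt
```

The setup block is run once by the PAM administrator; the remaining sections are what the requester and approver run for each elevation.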
Microsoft Privileged Access Management is tied to Windows Server, but Microsoft has also made PAM available to Microsoft 365 subscribers. As such, an organization can use PAM to protect its Microsoft 365 environment, even if it does not have an on-premises Active Directory implementation.
The process of setting up Microsoft Privileged Access Management for Microsoft 365 is relatively straightforward, although the step-by-step process is beyond the scope of this article.
As you can see in Figure 1, Microsoft exposes PAM through the Azure Active Directory Admin Center.
Figure 1: PAM can be configured through Azure Active Directory.
Microsoft provides a handy quick start for privileged identity management, directly through the Azure Active Directory Admin Center. You can see what this looks like in Figure 2. You can even use the Azure Active Directory Admin Center to review pending requests and to grant or deny those requests.
Figure 2: The quick start for privileged identity management.
Instructions for configuring the M365 environment to use Microsoft Privileged Access Management are available here.