Understanding Azure: privileged identity management and identity protection
Wednesday, May 23, 2018
Businesses are under pressure to protect and manage the identities of their employees, alongside the identities of their customer database. In our series of ‘Understanding Azure’ blogs posts, we’re taking you through each part of Microsoft’s cloud platform in easy-to-digest chunks. Previously, we’ve spoken about how you can use Azure Active Directory to enable Single Sign-On (SSO) and Multi-Factor Authentication (MFA). Now, we’re turning our attention to Privileged Identity Management (PIM) and Identity Protection.
What is Privileged Identity Management?
PIM helps to mitigate the risk of excessive, unnecessary or misused access rights by allowing administrators to discover, restrict and monitor access to Active Directory resources and Microsoft online services such as Office 365. Essentially, it means that any user with access to the corporate data network will only be allowed access to certain files or services, assigned by the global and privileged role administrators. PIM works in tandem with Identity Protection to help keep unauthorised people from accessing sensitive data, either as an internal employee or an external party, including potential hackers. Key takeaways include:
- PIM is included with Azure Active Directory Premium P2 and Enterprise Mobility + Security E5
- Administrators can create and manage a single identity for each user across the organisation; keeping users, groups and devices in sync with Azure Active Directory Connect
- Enables the use of Just-in-Time access, so that administrators can create privileged access for a specific timeframe
- PIM can improve user productivity with self-service password reset, and group and application access requests using the MyApps portal
PIM Admin Dashboard
Through the PIM admin dashboard, administrators can assign privilege roles to specific users within the organisation. Most Microsoft resellers will be familiar with the Global Administrator, Billing Administrator and Password Administrator roles. While these roles are all crucial to the way PIM works, there are also several other roles, such as Service Administrator and User Management Administrator, that can monitor the health of the service as well as manage requests from users.
The image above allows administrators to find:
- Alerts that point out opportunities to improve security
- The number of users who are assigned to each privilege role
- The number of eligible and permanent admins
- A graph of privileged role activations in your directory
- The number of just-in-time, time-bound and permanent assignments for Azure Resource roles
- Users and groups with new role assignments in the last 30 days
For more information on Privileged Identity Management, this article might be helpful.
What is Identity Protection?
Identity Protection works a little differently to PIM, though both work together to achieve the same goal; to help keep your customer’s data protected. By using advanced machine learning algorithms, Azure Active Directory works hard to detect anomalies or malicious-looking code that may compromise the identities of your customers. Identity Protection uses this data as its backbone and presents this to you by generating reports and alerts so that administrators can take action to mitigate the risk. Key takeaways include:
- Identity Protection is included in Azure Active Directory Premium P2 and Enterprise Mobility + Security E5
- Detects potential vulnerabilities and investigates suspicious incidents
- Configure risk-based policies that automatically respond to detected issues after it hits a pre-specified risk level
- Roles include: Global Administrator, Security Administrator and Security Reader
Identity Protection Dashboard
The image above allows administrators to find or use:
- Custom recommendations to improve overall security posture by highlighting vulnerabilities
- Sign-in risk and user risk level calculations
- Relevant and contextual information regarding risk events and to send notifications
- Basic workflows to track investigations
- Easy access to remediation actions such as password reset
- Block risky sign-ins or require MFA challenges
- Block or secure risky user accounts
- Require users to register for MFA
For more information on what Identity Protection can help you achieve when installed for an organisation, you can read Microsoft’s extensive article here.
By using Privileged Identity Management and Identity Protection, your customers are one step closer to keeping their company data secure. In the next few weeks, our ‘Understanding Azure’ series will take a deeper look at other security topics, such as Azure Rights Management and the Key Vault.