Nils Henrik Hals

Dabbling in everything from 3D to cloud. Trying to blog on things I don’t understand to make it understandable!

4 minute read

Azure Privileged Identity Management (PIM) is a feature that helps you follow the principle of least privilege in Azure. It allows you to temporarily elevate your access to a role with more permissions, only when you need to perform specific tasks. This is similar to how User Account Control (UAC) works in Windows or sudo in Unix systems.

Azure has many predefined roles, such as owner, contributor, key vault administrator, etc. These roles can be assigned to users or groups at different scopes, such as subscription, resource group, or resource level. However, the classic role-based access control (RBAC) model grants these roles permanently and always enabled. This means that users have more access than they need most of the time, which increases the risk of misuse or compromise.

Many users in Azure are devops professionals, who need to switch between different roles depending on the situation. For example, they may need to diagnose and debug resources as developers, or manage, deploy and delete resources as operators. Giving them both roles at the same time makes them a bigger target for attackers.

I use many dev tools myself, such as Azure CLI, Visual Studio Code Azure Tools, etc. If any of these tools are exploited by a malicious script, they may be used to perform actions on my behalf that I don’t intend to do. By adding the elevation requirement, I can limit the times I actually have the permissions needed to cause any damage.

I also manage many resources in Azure, and especially when deleting stuff, I really appreciate how PIM adds an extra layer of protection and confirmation. It prevents me from accidentally deleting something that I can’t recover.

This is how Azure PIM works: You can assign eligible roles to users or groups that have to be manually activated for a limited time. For instance, I can activate a contributor role on a subscription level for up to 8 hours.

There are several safeguards that can be configured to avoid this being just another click in the Azure portal:

  • Require a reason text
  • Require two-factor authentication
  • Require approval from a second person
  • Require activation within working hours

You can choose the best combination of these options for different roles and scopes. For example, you may want to have more strict rules for owner or subscription contributor roles than for resource group level roles.

When you elevate your access, an email will be sent to all access administrators, so they can monitor your activity and detect any suspicious behavior.

Azure PIM is a great tool to enhance your security posture in Azure, but it requires a premium Azure AD subscription level, so it may not be affordable for non-enterprise users. In those cases, I would recommend having separate accounts for dev and ops roles to reduce the potential impact of a compromised dev account.

To summarize: Azure PIM is a useful tool in the Swiss cheese of security, and it can help you limit your exposure to risks in Azure.

To learn more about Azure PIM, check out the official Microsoft Docs here: https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/

Thats all for this time.

// Nils Henrik

Tags:

Categories:

Updated:

You May Also Enjoy