In this section, we will give a quick introduction to using Azure AD Premium P2 Privileged Identity Management (PIM) to protect an administrative account.
Open https://portal.azure.com as [email protected] to start the configuration.
Click All Services and choose Azure AD Privileged Identity Management.
Now, we need to consent to PIM in order to use the service:
Privileged Identity Management - enablement
You will need to verify your identity and provide your preferred security verification option, as you can see in the following screenshot:
Azure MFA onboarding
Note
If you already use the Microsoft Authenticator App on your mobile device, you can also register the mobile app.
Finish the verification process and click Consent to proceed:
Consent to finish the initialization
Next, we sign up under Azure AD Roles so that users can enable Azure AD roles. Click Sign up PIM for Azure AD Roles to activate the functionality:
Azure AD roles - PIM sign-up
Now that the feature is enabled, we can assign the roles to our users.
Click Assign eligibility to start the task:
Role assignment procedure
Click the Global Administrator role, view the current members, and add your test account to the role:
User assignment to a role
View the expected result:
New eligible user assigned to the role
Let's test our configuration by opening an InPrivate browser session; open https://portal.azure.com and log in with your own test account. Click All Services and choose Azure AD Privileged Identity Management. Choose My roles and activate the Global Administrator role for your account:
Role activation procedure
Next, you need to verify your identity. Follow the process, register, and verify your account. You need to complete the registration process just once:
Starting the verification process
After the registration and verification processes are finished, you can Activate your role:
Role activation
Provide a reason for your role activation. You will note that the role is limited to 1 hour and that you can define a custom activation time. Later in the book, we will configure different roles and features:
Activation options, such as Custom activation start time and Activation reason
Verify that your role is activated. You have successfully requested your Global Administrator role for the first time through Azure AD PIM. This is very useful because high privileges are not permanently assigned to your account:
Active roles overview
We always recommend that you leave one Global Administrator permanently assigned, and that no Azure MFA is required to use that account. Use this account as a Breaking Glass account if the Azure AD PIM or MFA service is not available.
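The walkthrough above leaves the tenant in a specific state: one permanently assigned Global Administrator (the break-glass account) and everyone else merely eligible through PIM. The following audit is an added example, not code from the book; it reads records shaped like the Microsoft Graph v1.0 roleAssignments and roleEligibilitySchedules responses, but the records themselves are constructed sample data and the principal IDs are hypothetical.

```python
"""Audit Global Administrator posture: exactly one permanent (break-glass) holder,
everyone else eligible via PIM only.  Input mirrors the shape of Microsoft Graph
v1.0 /roleManagement/directory/roleAssignments and /roleEligibilitySchedules
responses, but all records here are constructed sample data, not a real tenant."""

# Well-known template ID of the Global Administrator directory role.
GLOBAL_ADMIN_ROLE_ID = "62e90394-69f5-4237-9190-012177145e10"

# Constructed sample: a tenant that follows the recommendation above.
SAMPLE_ASSIGNMENTS = {
    "value": [
        # permanent active assignment: the intended break-glass account (hypothetical ID)
        {"principalId": "bg-0001", "roleDefinitionId": GLOBAL_ADMIN_ROLE_ID,
         "directoryScopeId": "/"},
        # an unrelated permanent role that this audit does not govern
        {"principalId": "user-0042", "roleDefinitionId": "reader-role-id",
         "directoryScopeId": "/"},
    ]
}
SAMPLE_ELIGIBILITY = {
    "value": [
        # the test account from the walkthrough: eligible, must activate through PIM
        {"principalId": "user-0007", "roleDefinitionId": GLOBAL_ADMIN_ROLE_ID,
         "scheduleInfo": {"expiration": {"type": "noExpiration"}}},
    ]
}

def permanent_holders(assignments, role_id=GLOBAL_ADMIN_ROLE_ID):
    """Principals with a standing (non-PIM) assignment of the given role."""
    return sorted(a["principalId"] for a in assignments["value"]
                  if a["roleDefinitionId"] == role_id)

def eligible_holders(eligibility, role_id=GLOBAL_ADMIN_ROLE_ID):
    """Principals who may activate the given role through PIM."""
    return sorted(e["principalId"] for e in eligibility["value"]
                  if e["roleDefinitionId"] == role_id)

def audit_global_admin(assignments, eligibility, break_glass):
    """Return findings; an empty list means the tenant matches the recommendation."""
    findings = []
    permanent = permanent_holders(assignments)
    if break_glass not in permanent:
        findings.append(f"break-glass account {break_glass} has no permanent Global Administrator assignment")
    for principal in permanent:
        if principal != break_glass:
            findings.append(f"{principal} holds Global Administrator permanently; make it PIM-eligible instead")
    if break_glass in eligible_holders(eligibility):
        findings.append(f"break-glass account {break_glass} is also PIM-eligible; it must not depend on PIM")
    return findings
```

Run the same functions over a live export of the two Graph collections to spot standing Global Administrator assignments that crept in outside PIM.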
Next, we will configure user and group-based application access in Azure AD.