Privileged Identity Management Preview Update Released
Microsoft this month added additional tools and features to Azure Active Directory (AD) Privileged Identity Management.
The Privileged Identity Management preview is an emerging Microsoft service that lets organizations control IT personnel administrative access to Azure AD-managed resources. The preview has been updated with a few new features. For instance, it now has a security wizard that offers recommendations based on an "organization's specific security configuration," according to Microsoft's announcement.
Another addition to the preview is an updated security dashboard, plus security alerts regarding privilege changes. There's a "fix button" to roll back any unwanted privilege changes.
Microsoft added a new "workload-specific admin roles" specification that provides greater control over access privileges. Microsoft's example of this capability was granting SharePoint Online administrative access, but not administrative access to other Office 365 workloads.
A multifactor authentication option has been added to the preview. Multifactor authentication is a secondary identity verification process on top of passwords. Organizations can now require multifactor authentication when setting up privileged roles.
Lastly, Microsoft added a "security review" capability to the preview. It's a process by which IT pros are periodically asked to recertify their access privileges.
Microsoft first unveiled this Privileged Identity Management preview back in May, explaining that it adds control over Azure AD administrator roles for services such as Microsoft Intune, Office 365 services and Azure SaaS apps. It's a feature addition to Azure AD Premium subscriptions, which cost $6 per user per month.
The Privileged Identity Management preview service currently works with the Azure preview portal, which provides a dashboard view. It uses color-coded rankings of security risks, based on things like the number of access privileges assigned (too many is considered to be a bad security practice). Global administrators can set up temporary or "just-in-time" access privileges, if wanted. IT pros, for their part, can request access to resources for approval under the system, but global administrators have control over the access.
Microsoft also has a different service that's free called Azure Role-Based Access Control. The Azure Role-Based Access Control service also works with the Azure preview portal to control user access, but it appears to be a more general tool, whereas the Privileged Identity Management preview is specifically designed to be set up by a global administrator in an IT organization to control administrative access privileges by IT personnel over time.
The idea behind the Privileged Identity Management tool is that IT pros "have become a high-value target for attackers," Microsoft explained back in its May announcement. Microsoft's tool is designed to set up alerts should anything unexpected change regarding access privileges.
The Privileged Identity Management service might be used by larger organizations, perhaps, but the idea that IT pros are targeted isn't paranoia. Even the U.S. National Security Agency is said to target system administrators, according to NSA documents leaked by Edward Snowden.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.