Identity Driven Security

Presentation transcript:

Identity Driven Security: Privileged Identity Management

With Azure AD Privileged Identity Management, you can manage, control, and monitor access within your organization. This includes access to resources in Azure AD and other Microsoft online services like Office 365 or Microsoft Intune.

This demo shows how a Global Administrator can grant a super user elevated access for a limited period.

The Azure AD Privileged Identity Management console in the Azure Portal provides important information such as:

- Alerts that point out opportunities to improve security
- The number of users assigned to each privileged role
- The number of eligible and permanent admins
- Ongoing access reviews

CLICK STEP(S) Click anywhere on the slide to begin.

CLICK STEP(S) Click on the Azure AD Privileged Identity Management tile.

CLICK STEP(S) Click Manage privileged roles.

Point out: Alerts and Role Summary. Contoso has a number of permanent Global Admins. They have full access and control over the directory and the Office 365 tenant all the time. That leaves Contoso exposed to malicious attacks all the time. With Privileged Identity Management, Contoso can decide who should have permanent access and who should just have temporary access when required. CLICK STEP(S) Under Role summary, click the Global Administrator role.

Isaiah does not need permanent admin access so the admin sets him to eligible. CLICK STEP(S) In the Global Administrator blade, click Isaiah Langer.

Eligible admins are users that need privileged access now and then, but not every day. The role is inactive until Isaiah needs access; he then completes an activation process and becomes an active admin for a predetermined amount of time. CLICK STEP(S) On the right, click Make eligible.

CLICK STEP(S) Click the X to close the notification.

CLICK STEP(S) On the Global Administrator top navigation bar, click Settings.

Point out: Maximum Activation duration slider. The admin can also configure the nature of the admin's access: how long it lasts, whether notifications are sent, and whether additional authentication is needed. Note that for certain highly privileged roles, MFA is always enabled. CLICK STEP(S) Under the Notifications section, click Enable.

CLICK STEP(S) Click Save.

Now that Isaiah is eligible to activate administrative rights, let’s see what the experience looks like for him. CLICK STEP(S) In the upper right corner of the browsing session, click the minimize button.

When Isaiah is made eligible, he receives an email notification that he can now activate a privileged role. Here you can see the email invitation that Isaiah received when he was made eligible. When he needs higher privileges for a specific task, he can go into Privileged Identity Management in the Azure portal and request activation for the role. CLICK STEP(S) On the right of the email message, click the scroll bar to scroll down.

CLICK STEP(S) In the email, click on the Azure Portal link.

As MFA is required for the Global Administrator role which Isaiah is eligible for, he would be prompted to set up verification of his identity using Multi-Factor Authentication if he has not already configured it. CLICK STEP(S) Click the Privileged Identity Management tile.

Isaiah can now activate the request. CLICK STEP(S) Click Global Administrator.

CLICK STEP(S) In the top navigation, click Activate.

Isaiah has to provide a business justification, which is logged for auditing. CLICK STEP(S) Click in the Reason for role activation text box.

CLICK STEP(S) Click OK.

Isaiah is auto-approved for the requested access with an expiration time configured for that role. CLICK STEP(S) Click Activate my roles.

Point out: Access valid till on the Global Administrator tile. Now that Isaiah has activated the role, let’s see how this is reflected in the Audit History. CLICK STEP(S) In the upper right corner of the browsing session, click the minimize button.

Back in our Global Administrator's portal, we can track the changes in privileged role assignments and role activation history. CLICK STEP(S) On the Manage privileged roles blade, click Audit history.

Point out: the business justification entered above, which is displayed in the Reasoning column. The admin can see Isaiah requested access as a Global Administrator and the reasoning given. This information can be critical for auditing and forensic investigations.

Closing remarks: With Azure Active Directory Privileged Identity Management, you can manage, control, and monitor access within your organization. This includes access to resources in Azure AD and other Microsoft online services like Office 365 or Microsoft Intune.

Organizations want to minimize the number of people who have access to secure information or resources, because that reduces the chance of a malicious user getting that access. However, users still need to carry out privileged operations in Azure, Office 365, or SaaS apps. Organizations give users privileged access in Azure AD without monitoring what those users are doing with their admin privileges. Azure AD Privileged Identity Management helps to resolve this risk.

Azure AD Privileged Identity Management helps you:

- See which users are Azure AD administrators
- Enable on-demand, "just in time" administrative access to Microsoft Online Services like Office 365 and Intune
- Get reports about administrator access history and changes in administrator assignments
- Get alerts about access to a privileged role

CLICK STEP(S) Click anywhere on the slide to end the presentation.
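The checks an auditor would run against the role assignments and Audit history shown in this demo, as an added example (not part of the original presentation and not Microsoft's code): it lists permanent holders of a role and flags activations that lack a justification, skip MFA, exceed the maximum activation duration, or come from a user with no eligible assignment. The record fields and sample data are constructed for illustration and are not the Privileged Identity Management export schema.

```python
from datetime import datetime, timedelta

# Constructed sample records. Field names are assumptions for this example,
# not the export format of Azure AD Privileged Identity Management.
ASSIGNMENTS = [
    {"user": "Contoso Admin", "role": "Global Administrator", "state": "permanent"},
    {"user": "Isaiah Langer", "role": "Global Administrator", "state": "eligible"},
    {"user": "Help Desk", "role": "Global Administrator", "state": "permanent"},
]
ACTIVATIONS = [
    {"user": "Isaiah Langer", "role": "Global Administrator", "mfa": True,
     "start": "2017-10-02T09:00:00", "end": "2017-10-02T10:00:00",
     "reason": "Update tenant password policy"},
    {"user": "Isaiah Langer", "role": "Global Administrator", "mfa": True,
     "start": "2017-10-03T09:00:00", "end": "2017-10-03T17:00:00",
     "reason": ""},
    {"user": "Unknown User", "role": "Global Administrator", "mfa": False,
     "start": "2017-10-04T02:00:00", "end": "2017-10-04T03:00:00",
     "reason": "test"},
]


def permanent_holders(assignments, role, allowed=()):
    """Users holding `role` permanently who are not on the approved list."""
    return sorted(a["user"] for a in assignments
                  if a["role"] == role and a["state"] == "permanent"
                  and a["user"] not in allowed)


def review_activations(activations, assignments, max_duration):
    """Return (user, start, finding) for every activation that breaks policy."""
    eligible = {(a["user"], a["role"]) for a in assignments
                if a["state"] == "eligible"}
    findings = []
    for act in activations:
        window = (datetime.fromisoformat(act["end"])
                  - datetime.fromisoformat(act["start"]))
        problems = []
        if (act["user"], act["role"]) not in eligible:
            problems.append("no eligible assignment")
        if window > max_duration:
            problems.append("window exceeds maximum activation duration")
        if not act["reason"].strip():
            problems.append("missing business justification")
        if not act["mfa"]:
            problems.append("activated without MFA")
        findings += [(act["user"], act["start"], p) for p in problems]
    return findings
```

Calling `review_activations(ACTIVATIONS, ASSIGNMENTS, timedelta(hours=1))` applies a one-hour maximum activation duration to the sample records.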