Privileged Identity Management (PIM) Governance Requirements

Quick Links: | Overview | Privileged Entra Roles | Entra Roles | Low-risk Entra Roles | Managed Groups |

Privileged Identity Management (PIM) is a service in Microsoft Entra ID that enables you to manage, control, and monitor access to important resources in your organization. These resources include resources in Microsoft Entra ID, Azure, and other Microsoft Online Services such as Microsoft 365 or Microsoft Intune.

PIM Governance Overview

At Chico State, the Division of IT has classified Entra roles into three tiers: Privileged Entra Roles, Entra Roles, and Low-Risk Entra Roles. PIM restrictions are stricter for higher-privileged roles; for Low-Risk roles, active (standing) assignments are permitted.

When access to a role is granted, the user is placed into a Microsoft 365 group. This group has a semi-annual review cycle in which the group owner is required to verify that the PIM groups are appropriately populated. If the review is not completed before the deadline, access is removed.

This article does not cover day-to-day usage of PIM (activating an eligible role); that is documented here.

The following restrictions must be true for all Entra Roles:

  • Entra Roles are granted only to -admin accounts (never to a user's regular account)
  • A PIM Approver must not be the same account as the PIM Requestor (no self-approval)
Image of Privileged Identity Management Overview

Privileged Entra Roles

Privileged roles have the following PIM restrictions:

  • 4 hour maximum activation duration
  • Requires an -admin account
  • Requires MFA on activation
  • Requires staff approval
  • Requires notification on activation

The following roles have been identified as Privileged Entra Roles:

  • Global Administrator / Global Reader
  • Security Administrator
  • Intune Administrator
  • User Administrator
  • SharePoint Administrator
  • Teams Administrator
  • Security Reader / Security Operator

Entra Roles

Entra Roles have the following restrictions:

  • 4 hour maximum activation duration
  • Requires an -admin account
  • Requires MFA on activation
  • Requires staff approval
  • Requires notification on activation

All Entra Roles that are not classified as Privileged or Low-Risk must comply with these PIM policies.

Low-Risk Entra Roles

Low-Risk Entra Roles are considered to grant minimal access and do not require PIM; active assignments are permitted.

The following roles are classified as Low-Risk Entra Roles:

  • Billing Administrator
  • Service Support Administrator

Managed Groups

Each PIM-managed role is backed by three groups, named as follows:

Purpose | Type | Group Naming Convention | Example
Members are eligible -admin accounts | M365 role-assignable security group | o365-pim-role-<Dept>-<RoleName> | o365-pim-role-esys-GlobalAdministrator
Members are accounts that approve activation requests | AD security group | o365-pim-approvers-<Dept>-<RoleName> | o365-pim-approvers-esys-GlobalAdministrator
Members are accounts notified on role activation | AD security group | o365-pim-notify-<Dept>-<RoleName> | o365-pim-notify-esys-GlobalAdministrator
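The restrictions above (4 hour activation, MFA, staff approval, notification, -admin accounts only, no self-approval) are all observable in the tenant, so they can be audited rather than taken on trust. The following PowerShell is an added example written for this page, not a script from the Division of IT: it reads the PIM for Groups activation policy on one role group and cross-checks its eligible members against the matching approvers group. It assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Groups, Microsoft.Graph.Users and Microsoft.Graph.Identity.Governance), a caller permitted to read role management policies and group membership, group names that follow the Managed Groups convention, and that -admin accounts are recognisable by a user principal name ending in "-admin" before the "@" (an assumption about local naming). "esys" and "GlobalAdministrator" are illustrative values; the notification check assumes "Requires Notification" is implemented through the admin notification rule on the policy.

```powershell
# Added example (not part of the original article): audit one PIM-managed role
# group against the governance requirements on this page.
# Assumptions: Microsoft.Graph SDK installed; caller can read role management
# policies, eligibility schedules and group membership; -admin accounts have a
# UPN prefix ending in "-admin"; group names follow the Managed Groups table.

Connect-MgGraph -NoWelcome -Scopes `
    "RoleManagementPolicy.Read.AzureADGroup", "PrivilegedEligibilitySchedule.Read.AzureADGroup", `
    "Group.Read.All", "User.Read.All"

function Get-GroupByName {
    param([Parameter(Mandatory)][string]$Name)
    $g = Get-MgGroup -Filter "displayName eq '$Name'"
    if (-not $g) { throw "Group '$Name' not found" }
    return $g
}

function Test-PimRoleGroup {
    param(
        [Parameter(Mandatory)][string]$Dept,
        [Parameter(Mandatory)][string]$RoleName,
        [string]$ExpectedDuration = 'PT4H'   # ISO 8601 duration: the 4 hour activation limit
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    $roleGroup     = Get-GroupByName "o365-pim-role-$Dept-$RoleName"
    $approverGroup = Get-GroupByName "o365-pim-approvers-$Dept-$RoleName"

    # PIM for Groups: the activation policy is scoped to the group itself, role 'member'
    $assignment = Get-MgPolicyRoleManagementPolicyAssignment `
        -Filter "scopeId eq '$($roleGroup.Id)' and scopeType eq 'Group' and roleDefinitionId eq 'member'"
    $rules = Get-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $assignment.PolicyId

    foreach ($rule in $rules) {
        $p = $rule.AdditionalProperties   # type-specific rule fields surface here in the SDK output
        switch ($rule.Id) {
            'Expiration_EndUser_Assignment' {
                if ($p['maximumDuration'] -ne $ExpectedDuration) {
                    $findings.Add("activation duration is $($p['maximumDuration']), expected $ExpectedDuration")
                }
            }
            'Enablement_EndUser_Assignment' {
                if (@($p['enabledRules']) -notcontains 'MultiFactorAuthentication') {
                    $findings.Add('MFA is not required on activation')
                }
            }
            'Approval_EndUser_Assignment' {
                if (-not $p['setting']['isApprovalRequired']) {
                    $findings.Add('approval is not required on activation')
                }
            }
            'Notification_Admin_EndUser_Assignment' {
                # Assumption: "Requires Notification" means the admin notification rule has recipients
                if (-not $p['isDefaultRecipientsEnabled'] -and @($p['notificationRecipients']).Count -eq 0) {
                    $findings.Add('nobody is notified on activation')
                }
            }
        }
    }

    # Eligible members come from PIM eligibility schedules, not from plain group membership
    $eligible = Get-MgIdentityGovernancePrivilegedAccessGroupEligibilitySchedule `
        -Filter "groupId eq '$($roleGroup.Id)'"
    $approverIds = @((Get-MgGroupMember -GroupId $approverGroup.Id -All).Id)

    foreach ($e in $eligible) {
        $user = Get-MgUser -UserId $e.PrincipalId -Property Id,UserPrincipalName -ErrorAction SilentlyContinue
        if (-not $user) { continue }   # principal is not a user (e.g. a nested group); skip it
        $upn = $user.UserPrincipalName
        if ($upn.Split('@')[0] -notmatch '-admin$') {
            $findings.Add("$upn is eligible but is not an -admin account")
        }
        if ($approverIds -contains $user.Id) {
            $findings.Add("$upn is both an eligible requestor and an approver (self-approval possible)")
        }
    }

    [pscustomobject]@{
        Group     = $roleGroup.DisplayName
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

Test-PimRoleGroup -Dept 'esys' -RoleName 'GlobalAdministrator' | Format-List
```

Run it per role group, or loop over `Get-MgGroup -Filter "startswith(displayName,'o365-pim-role-')"` to cover every managed role at once. A non-empty Findings list is a governance deviation to raise with the group owner before the semi-annual review, not something the script should silently fix.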

Semi-annual Access Review

The need for access to privileged Azure resources and Microsoft Entra roles changes over time. To reduce the risk associated with stale role assignments, the Division of IT regularly reviews the membership of the M365 role-assignable groups.

Image of Semi-annual Access Review Process


Still need help? If you run into problems or still need help, reach out to esys-cloud@csuchico.edu.


Details

Article ID: 113945
Created: Tue 6/11/24 1:24 PM