Course: Microsoft Security Essentials: Concepts, Solutions, and AI-Powered Protection

Microsoft Entra Privileged Identity Management (PIM) - Microsoft Security Copilot tutorial

Microsoft Entra Privileged Identity Management (PIM)

- [Instructor] Microsoft Entra Privileged Identity Management, or PIM, helps organizations reduce the risk of excessive or misused access to critical resources. Privileged roles like admin and owner have high-level access permissions to important resources in your organization. If these accounts are compromised or misused, it can cause significant damage to your business. So how do we manage the risk of too much or unnecessary access? That's where Privileged Identity Management comes into play. Microsoft Entra Privileged Identity Management can manage roles in Microsoft Entra, like global administrator, user administrator, or billing administrator; roles in Azure, like owner, contributor, and user access administrator; and it can also make groups eligible for role assignments.

Microsoft Entra Privileged Identity Management, or PIM, offers some key capabilities, such as just-in-time, or JIT, access. It means users get temporary access permissions only when they need to do some privileged operations, like changing account information. Approval and a justification can be required for activating privileged roles. Time-bound: it means users can only use a privileged role within a defined time window. Visibility: it refers to notifying relevant parties when the privileged role is activated. An audit is available for tracking access history.

The general workflow of Privileged Identity Management starts with admins assigning eligible roles to users for resource access. Users activate eligible roles before performing privileged tasks. Reviewers approve or deny role activation requests. Before the role assignment expires, the user can request to extend it. If it has already expired, the user can request to renew it. And the history of privileged role assignments and activations is audited.

Now, let's look at Privileged Identity Management in the Microsoft Entra admin center. I can assign eligibility for Microsoft Entra roles. Click Add assignments. Select a role, for example, application developer. Select a member. Then I can assign this privileged role to this member. I can activate my privileged role when I need it. This is known as just-in-time access. Click Activate your role. For my role, application administrator, I can click Activate. Enter a duration, for example, eight hours. Provide the activation reason, for example, "for demo", then click Activate. Admins can approve activation requests. And we can audit the history of assignments and activations.
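As an added example that is not part of the course or of Microsoft's tooling, the following Python script checks constructed PIM activation requests against the kind of per-role settings the video describes: a maximum activation duration, a required justification, and a required approval. The role names, policy values, request shape and sample requests are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from datetime import timedelta

@dataclass(frozen=True)
class RolePolicy:
    max_duration: timedelta      # longest activation a user may request
    require_justification: bool  # activation must carry a reason
    require_approval: bool       # activation must be approved by a reviewer

# Hypothetical per-role settings for this example; real values come from
# each role's PIM role settings in the Entra admin center.
POLICIES = {
    "Application Administrator": RolePolicy(timedelta(hours=8), True, True),
    "Application Developer": RolePolicy(timedelta(hours=4), True, False),
}

_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?)?$")

def parse_duration(text: str) -> timedelta:
    """Parse the ISO 8601 subset used for activation length, e.g. 'PT8H'."""
    m = _DURATION.match(text)
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported duration: {text!r}")
    days, hours, minutes = (int(g) if g else 0 for g in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes)

def evaluate(request: dict) -> list[str]:
    """Return policy findings for one activation request; empty means compliant."""
    policy = POLICIES.get(request["role"])
    if policy is None:
        return [f"no PIM policy defined for role {request['role']!r}"]
    findings = []
    if parse_duration(request["duration"]) > policy.max_duration:
        findings.append(f"duration {request['duration']} exceeds maximum {policy.max_duration}")
    if policy.require_justification and not (request.get("justification") or "").strip():
        findings.append("justification is required but missing")
    if policy.require_approval and not request.get("approver"):
        findings.append("approval is required but no approver recorded")
    return findings

# Constructed sample requests, shaped loosely like PIM activation records.
SAMPLE_REQUESTS = [
    {"id": "req-1", "user": "alice@contoso.example", "role": "Application Administrator",
     "duration": "PT8H", "justification": "for demo", "approver": "bob@contoso.example"},
    {"id": "req-2", "user": "carol@contoso.example", "role": "Application Developer",
     "duration": "PT12H", "justification": "", "approver": None},
]

def audit(requests: list[dict]) -> dict[str, list[str]]:
    """Map each request id to its findings, keeping only non-compliant requests."""
    return {r["id"]: f for r in requests if (f := evaluate(r))}

if __name__ == "__main__":
    for rid, findings in audit(SAMPLE_REQUESTS).items():
        print(rid, "->", "; ".join(findings))
```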
