You first need to configure Azure AD PIM; see my earlier post How to setup Azure AD Privileged Identity Management (PIM).
In this post I will show how to use Azure AD PIM to give a user temporary Global Admin access. PIM ships with a number of built-in privileged roles, including:
AdHoc License Administrator
Email Verified User Creator
Partner Tier1 Support
Partner Tier2 Support
Privileged Role Administrator
SharePoint Service Administrator
Skype for Business Administrator
Workplace Device Join
How to assign a user a privileged role
Select Global Administrator
Select Add to find a user in Azure AD
- Search your user
- Select your user
- Select Done
And now my email@example.com is eligible to request temporary Global Admin access.
Now, how does a user request their temporary Global Admin rights?
First log in to https://portal.azure.com
Start Privileged Identity Management
Select Global Administrator – Request activation
The first time, you need to verify your identity to PIM with multi-factor authentication (remember that the user needs an Azure AD Premium license for this; PIM requires the P2 tier).
Setup this account for additional security verification
I selected “Call me”: the Azure phone service calls my phone when I select Contact me.
I answer my phone and press #
Then I can select Done.
Now I can activate my request to become a temporary Global Admin.
Then enter a reason for the role activation.
Because I changed the default activation duration from 1 hour to 8 hours, I now have Global Admin rights for 8 hours.
For the next 8 hours I can log in to https://portal.office.com with Global Admin rights; when the activation expires, the rights are removed automatically.
What does this look like from an admin perspective?
We need to be able to track who gained privileged access, when, and why.
Log in to https://portal.azure.com as your PIM administrator.
Look at your Global Administrators; you can see that a new user has active access, with an expiration time.
Select Audit history at the front page of the PIM service
Then you can see that the user requested temporary Global Admin rights, and the reason given.
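The same three steps (make the user eligible, let the user activate for 8 hours, audit who activated and why) can be scripted. The following is an added example using the Microsoft Graph PowerShell SDK; it is not code from the original post and the portal screenshots above do not depend on it. It assumes the SDK is installed, that the account running step 1 and step 3 holds the Privileged Role Administrator role, that the tenant is licensed for PIM, and that the user principal name, justification text and the audit-detail key name are placeholders/assumptions.

```powershell
# Added example (not from the original post): assign, activate and audit a
# PIM-managed Global Administrator role with the Microsoft Graph PowerShell SDK.
# Assumes Install-Module Microsoft.Graph has been run. $Upn and $Reason are placeholders.

$Upn    = "email@example.com"
$Reason = "Tenant maintenance window"     # free-text justification, visible in the audit log
$Scopes = "RoleEligibilitySchedule.ReadWrite.Directory",
          "RoleAssignmentSchedule.ReadWrite.Directory",
          "AuditLog.Read.All", "User.Read.All"

Connect-MgGraph -Scopes $Scopes          # interactive sign-in; MFA is enforced here if required

$user = Get-MgUser -UserId $Upn
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Administrator'"

# --- Step 1 (PIM administrator): make the user ELIGIBLE, not permanently active ---
$eligibility = @{
    action           = "adminAssign"
    justification    = "Eligible Global Admin for $Upn; must activate per use"
    roleDefinitionId = $role.Id
    directoryScopeId = "/"                               # whole tenant
    principalId      = $user.Id
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = "noExpiration" }       # the eligibility itself stays; each activation is time-bound
    }
}
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $eligibility

# --- Step 2 (the user, in their own session): ACTIVATE for 8 hours with a reason ---
# "selfActivate" is only accepted from the eligible user; PT8H is an ISO 8601 duration.
$activation = @{
    action           = "selfActivate"
    principalId      = $user.Id
    roleDefinitionId = $role.Id
    directoryScopeId = "/"
    justification    = $Reason
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = "afterDuration"; duration = "PT8H" }
    }
}
New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $activation

# --- Step 3 (PIM administrator): who holds Global Admin right now, and until when ---
Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance `
    -Filter "roleDefinitionId eq '$($role.Id)'" -ExpandProperty principal |
    Select-Object @{n='User'; e={ $_.Principal.AdditionalProperties.userPrincipalName }},
                  AssignmentType, StartDateTime, EndDateTime

# Audit trail: PIM role-management events, including the activation and its justification.
# Assumption: PIM stores the reason under the AdditionalDetails key "Justification";
# if the Reason column comes back empty, inspect AdditionalDetails directly.
Get-MgAuditLogDirectoryAudit -Filter "loggedByService eq 'PIM' and category eq 'RoleManagement'" -Top 20 |
    Select-Object ActivityDateTime, ActivityDisplayName,
                  @{n='Actor';  e={ $_.InitiatedBy.User.UserPrincipalName }},
                  @{n='Reason'; e={ ($_.AdditionalDetails | Where-Object Key -eq 'Justification').Value }}
```

Step 2 must be run by the eligible user, not the administrator: Graph rejects a selfActivate request whose principalId is not the caller, which is the point of the control. Step 3's two queries are the scripted equivalent of the Global Administrators list (active assignments with an EndDateTime) and the Audit history page (who requested what, and the reason).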
I will be back with more posts about PIM at a later point.
Remember that this is just-in-time admin access: a much safer way to hold admin rights only when they are needed. If the credentials are compromised outside an activation window, the attacker gets only a normal user account, and would still have to pass the MFA check to activate the role.