You first need to configure Azure AD PIM – see my former post How to setup Azure AD Privileged Identity Management (PIM)
In this post I will show how to use Azure AD PIM to give temporary Global Admin access to a user. There are different built-in privileged roles:
AdHoc License Administrator
Billing Administrator
Compliance Administrator
Directory Readers
Directory Writers
Email Verified User Creator
Exchange Administrator
Global Administrator
Mailbox Administrator
Partner Tier1 Support
Partner Tier2 Support
Password Administrator
Privileged Role Administrator
Security Administrator
Security Reader
Service Administrator
SharePoint Service Administrator
Skype for Business Administrator
User Administrator
Workplace Device Join
How to assign a user a privileged role
Select Global Administrator
Select Add to find a user in Azure AD
Select Users
- Search for your user
- Select your user
- Select Done
And now my globaladmin@osddeployment.dk is eligible to request temporary Global Admin access
Now, how does a user request their temporary Global Admin access:
First log in to https://portal.azure.com
Start Privileged Identity Management
Select Global Administrator – Request activation
The first time, you need to verify your permission to PIM (remember that the user needs an Azure AD Premium license for this)
Set up this account for additional security verification
I selected “Call me” – the Azure phone service calls my phone when I select Contact me
I answer my phone and press #
Then I can select Done
Now I have access to Activate my request to become a temporary Global Admin
Then enter a reason for the role activation
Select Ok
Because I have changed the default expiration time from 1 hour to 8 hours, I now have Global Admin rights for 8 hours
Then for the next 8 hours I can log in to https://portal.office.com with Global Admin rights
What does this look like from an admin perspective:
We need to be able to track who, when and why a user has gained privileged access.
Log in to https://portal.azure.com as your PIM administrator.
Look at your Global Admins; you can then see that a new user has access and has an expiration time.
Select Audit history at the front page of the PIM service
Then you can see that the user has requested temporary Global Admin rights and the reason why.
I will be back with more posts about PIM at a later point.
Remember that this is Just-In-Time admin access – this is a very secure way to only have admin access when it is needed. So if the credentials are compromised, they are only a normal user's credentials.
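The same who/when/why picture can be pulled out of the directory with PowerShell instead of clicking through the portal. This is an added example, not from the original post: it assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.Governance and Microsoft.Graph.Users modules) and an account allowed to read PIM role schedules, such as a Privileged Role Administrator; the function names are my own.

```powershell
# Added example (not part of the original post). Lists PIM activations of a
# directory role (Global Administrator by default): who activated, when,
# for how long, and the justification the user typed in.
Connect-MgGraph -Scopes 'RoleAssignmentSchedule.Read.Directory', 'User.Read.All' -NoWelcome

function Resolve-PrincipalName {
    param([string]$PrincipalId)
    # Activations are usually by users; fall back to the raw id for groups or SPNs.
    $u = Get-MgUser -UserId $PrincipalId -Property UserPrincipalName -ErrorAction SilentlyContinue
    if ($u) { $u.UserPrincipalName } else { $PrincipalId }
}

function Get-PimActivationReport {
    param([string]$RoleName = 'Global Administrator')
    # Resolve the built-in role by name rather than hard-coding its template GUID.
    $role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$RoleName'"
    if (-not $role) { throw "Role '$RoleName' not found" }

    # Each PIM activation is a roleAssignmentScheduleRequest with action 'selfActivate'.
    Get-MgRoleManagementDirectoryRoleAssignmentScheduleRequest `
        -Filter "roleDefinitionId eq '$($role.Id)'" -All |
        Where-Object { $_.Action -eq 'selfActivate' } |
        ForEach-Object {
            [pscustomobject]@{
                User          = Resolve-PrincipalName $_.PrincipalId
                RequestedAt   = $_.CreatedDateTime
                Status        = $_.Status                               # e.g. Provisioned, Revoked
                Duration      = $_.ScheduleInfo.Expiration.Duration     # ISO 8601, e.g. PT8H
                ActiveUntil   = $_.ScheduleInfo.Expiration.EndDateTime
                Justification = $_.Justification                        # the reason entered on activation
            }
        }
}

function Get-PimActiveHolders {
    param([string]$RoleName = 'Global Administrator')
    # Everyone who currently holds the role, with whether it is a PIM activation
    # ('Activated') or a standing assignment ('Assigned') that should perhaps be eligible-only.
    $role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$RoleName'"
    Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance `
        -Filter "roleDefinitionId eq '$($role.Id)'" -All |
        ForEach-Object {
            [pscustomobject]@{
                User = Resolve-PrincipalName $_.PrincipalId
                Type = $_.AssignmentType
                Ends = $_.EndDateTime      # empty for permanent assignments
            }
        }
}

Get-PimActivationReport | Sort-Object RequestedAt -Descending | Format-Table -AutoSize
Get-PimActiveHolders | Format-Table -AutoSize
```

The schedule-request list is the recent record; the long-term record of activations is the directory audit log that the PIM Audit history page shows (entries logged by the PIM service), which you can also read with Get-MgAuditLogDirectoryAudit.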