Consulting with a Conscience™

A cruciallogics blog

Written by Omar Rbati
on June 15, 2023

In today's cloud-based environment, organizations must manage access to critical resources and data across multiple platforms and services. However, granting permanent admin access to users poses significant security risks and challenges. How can organizations ensure that only the right people have the right access at the right time?


One solution is to use just-in-time (JIT) privileged identity and access management (PIM/PAM). PIM is a Microsoft Azure service that enables organizations to control, monitor, and audit access to important resources in Azure. Similarly, PAM enables the same capabilities in Microsoft 365 and other Microsoft Online Services. With JIT, organizations can:


- Provide temporary access to privileged roles based on time-bound and approval-based policies

- Enforce multi-factor authentication and justification for activating any role

- Receive notifications and alerts when privileged roles are activated or requested

- Conduct access reviews and audits to verify that users still need their roles

- Prevent unauthorized or malicious use of privileged access by reducing the attack surface and exposure time


Just in Time access is especially useful for managing access to SaaS cloud resources, such as Microsoft 365 and Azure.


Azure PIM helps you reduce the risk of unauthorized or malicious admin access to your Azure AD roles and subscription resources by minimizing the number of permanent administrators and providing just-in-time access when needed.


Azure Privileged Identity Management (PIM) is a service that allows you to manage the access and permissions of users and groups to Azure resources. One of the features of PIM is that it supports both built-in and custom Azure AD roles. These roles define what actions users can perform on Azure AD resources, such as creating and managing applications, users, groups, domains, etc.


To assign an Azure AD role to a user or group using PIM, you need to hold the Privileged Role Administrator role. You can then use the Azure portal or the Microsoft Graph API to make permanent or eligible role assignments. A permanent role assignment gives the user or group the role permissions at all times. In contrast, an eligible role assignment requires them to activate the role when needed, and the activated permissions expire after a specified period.


You can also restrict the scope of the role permissions to a specific admin unit, service principal, or application. This way, you can limit the impact of a user or group's actions on Azure AD resources. For example, you can assign a user the Application administrator role for a specific application only to manage that application but not other applications in your tenant.
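The eligible, scoped assignment and the later just-in-time activation described above, as an added example using the Microsoft Graph PowerShell SDK (not code from the original post). It assumes the Microsoft.Graph.Identity.Governance module is installed, that the caller holds Privileged Role Administrator, and that the principal id, administrative unit id and ticket number are constructed placeholders.

```powershell
# Added example, not from the original post. Assumes the Microsoft Graph PowerShell SDK
# (Microsoft.Graph.Identity.Governance) and a caller holding Privileged Role Administrator.
# The principal id, admin unit id and ticket number are constructed placeholders.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "User.Read.All"

$principalId = "00000000-0000-0000-0000-000000000001"   # placeholder: user or group object id
$adminUnitId = "00000000-0000-0000-0000-000000000002"   # placeholder: administrative unit id

# Resolve the built-in role by display name rather than hard-coding its template id
$role = Get-MgRoleManagementDirectoryRoleDefinition `
    -Filter "displayName eq 'Application Administrator'"

# Eligible (not permanent) assignment: the principal must activate the role, and the
# eligibility itself lapses after 180 days unless an access review renews it.
# DirectoryScopeId limits the blast radius to one administrative unit; "/" would be tenant-wide.
$eligibility = @{
    Action           = "adminAssign"
    Justification    = "Eligible app administration for the AppOps team, admin-unit scoped"
    RoleDefinitionId = $role.Id
    PrincipalId      = $principalId
    DirectoryScopeId = "/administrativeUnits/$adminUnitId"
    ScheduleInfo     = @{
        StartDateTime = (Get-Date).ToUniversalTime()
        Expiration    = @{ Type = "afterDuration"; Duration = "P180D" }
    }
}
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $eligibility

# Later, in the eligible user's own session, the role is activated for two hours. PIM
# applies the role's activation settings (MFA, justification, approval) before it goes live.
$me = Get-MgUser -UserId (Get-MgContext).Account
$activation = @{
    Action           = "selfActivate"
    Justification    = "INC-0001 (placeholder): rotate the client secret of the HR app"
    RoleDefinitionId = $role.Id
    PrincipalId      = $me.Id
    DirectoryScopeId = "/administrativeUnits/$adminUnitId"
    ScheduleInfo     = @{
        StartDateTime = (Get-Date).ToUniversalTime()
        Expiration    = @{ Type = "afterDuration"; Duration = "PT2H" }
    }
}
New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $activation

# Audit: which assignments are active right now for this principal, and when they end
Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance `
    -Filter "principalId eq '$($me.Id)'" |
    Select-Object RoleDefinitionId, DirectoryScopeId, AssignmentType, StartDateTime, EndDateTime
```

The activation request is accepted only if the requested scope lies within the eligibility scope, so an attempt to activate tenant-wide ("/") against an admin-unit-scoped eligibility is rejected.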


Azure PIM also provides features such as multi-factor authentication (MFA), business justification, and approval workflows to enhance the security and governance of your Azure AD roles. You can monitor and audit the role assignments and activations using PIM reports and alerts.


Microsoft 365 Privileged Access Management (PAM) allows organizations to manage, control and monitor access to sensitive data and configuration settings in Microsoft 365 workloads, such as Exchange Online, SharePoint Online, Teams, and more.


With PAM, you can create policies that require users to request just-in-time access to perform elevated and privileged tasks, such as configuring spam filter policies in Exchange Online. The requests are then approved or denied by a designated approver group, which you can create and manage in the Microsoft 365 admin center or Exchange Management PowerShell. PAM helps you protect your organization from breaches that use existing privileged admin accounts with standing access and provides audit logs of all the activities performed by the users who obtained access through PAM.
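The PAM workflow described above (approver group, approval policy for a spam filter task, time-boxed request, approval, and audit), as an added example in Exchange Online PowerShell; it is not code from the original post. It assumes the ExchangeOnlineManagement module, a mail-enabled security group for approvers, and placeholder addresses and change numbers; the output property names used in the filter are assumed from the cmdlet's documented output.

```powershell
# Added example, not from the original post. Assumes the ExchangeOnlineManagement module
# and an existing mail-enabled security group for approvers; addresses are placeholders.
Connect-ExchangeOnline -UserPrincipalName "admin@contoso.example"   # placeholder

# 1. Turn on privileged access management and register the default approver group.
Enable-ElevatedAccessControl -AdminGroup "pam-approvers@contoso.example"

# 2. Policy: editing the Exchange Online spam filter (hosted content filter) policy
#    now requires manual approval. Tasks are named "<workload>\<cmdlet>".
$task = "Exchange\Set-HostedContentFilterPolicy"
New-ElevatedAccessApprovalPolicy -Task $task -ApprovalType Manual `
    -ApproverGroup "pam-approvers@contoso.example"

# 3. An admin with no standing access requests a two-hour, task-scoped elevation.
New-ElevatedAccessRequest -Task $task -DurationHours 2 `
    -Reason "CHG-0002 (placeholder): raise bulk-mail threshold on the default policy"

# 4. An approver lists pending requests for this task and approves them with a comment.
#    (RequestStatus, Task and RequestId are assumed output property names.)
$pending = Get-ElevatedAccessRequest |
    Where-Object { $_.RequestStatus -eq "Pending" -and $_.Task -eq $task }
foreach ($r in $pending) {
    Approve-ElevatedAccessRequest -RequestId $r.RequestId `
        -Comment "Approved for the scheduled change window"
}

# 5. Within the approved window the requestor performs the task; access lapses afterwards.
Set-HostedContentFilterPolicy -Identity "Default" -BulkThreshold 6

# 6. Audit trail: PAM request and approval events are recorded in the unified audit log.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -Operations "New-ElevatedAccessRequest", "Approve-ElevatedAccessRequest" |
    Select-Object CreationDate, UserIds, Operations
```

Step 5 fails with an access error if it is run before approval or after the two-hour window, which is the point of removing standing access.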


PAM can help you improve the security and compliance of your organization by reducing the risk of unauthorized or malicious actions, enforcing the principle of least privilege, and increasing the visibility and accountability of your privileged users. PAM can also help you simplify the management of your permissions and reduce the administrative overhead of maintaining multiple accounts or credentials.


By using a combination of Just in Time Privileged Microsoft 365 and Azure Lighthouse access, organizations can:


- Simplify cross-tenant management and governance by using a single identity provider and portal

- Reduce operational costs and complexity by eliminating the need for permanent admin accounts and credentials

- Enhance security and compliance by applying consistent policies and standards across tenants

- Improve visibility and accountability by tracking and reporting on all privileged activities


Microsoft 365 PAM and Azure PIM are powerful tools for securing and streamlining access to SaaS cloud resources. By implementing Just in Time Privileged, organizations can reduce the risks and challenges associated with permanent admin access while enabling users to perform their tasks efficiently and effectively.


Connect with any of our expert team if you have any questions or would like assistance using Just In Time Privileged.

