PIM : Configuring Time-bound Access

introduction

in the previous article we saw how to configure a PIM eligible assignment

in this article we will discuss a new aspect of PIM, which is time-bound assignment

time-bound assignment

the time-bound assignment concept is to assign a privileged role to a user for a specific period (for example 3 months), but this time the user is active for the whole period (3 months), and there is NO need to activate the role when it is needed

of course this PIM approach is MORE risky than an eligible privileged role

but sometimes we can use this aspect

Just-In-Time vs Time-Bound

Azure resource assignment types are either eligible for just-in-time or active for time-bound access.

  • Just-in-time access works for both Azure AD directory roles and Azure resources,
  • while time-bound access only works with Azure resources.

  • Just-in-time requires an eligible admin to activate his role,
  • while in time-bound access there is no activation and the role is active for a set duration.

  • When access is needed for a short time now and then, you can use just-in-time.
  • However, when access is needed during a change window or a maintenance window, where you know the start and end time, you can use time-bound access.

  • Work approval can be configured with just-in-time,
  • BUT it can NOT be configured on time-bound access: simply, the role is active for the whole period (3 months for example).

assign time-bound role

to assign a time-bound (active assignment) role to a user:

log in to the Azure portal as the PIM admin (bisan@pioneers101.onmicrosoft.com)

then search for PIM >> manage >> roles >> select your resource (for example Exchange)

 

currently two users are eligible as Exchange admin but NOT active >> add assignment
select member
we added another two users: bros and aziz

here is the crossroad:

instead of selecting eligible >> select active for 2 weeks >> which means that these users will be active for ALL of the two weeks

select active and a time period until 15-Dec-2021
two users are active Exchange admins for two weeks

verify time-bound assignment

we can verify the active assignment by:

  • open PIM >> role >> eligible assignments >> there is NO result
  • but active assignments has two users
  • also we will receive an email for the new active assignment as part of the notification process
bisan receives an email for the bros assignment
bisan receives an email for the aziz assignment
eligible roles have no result but active assignments has two users

remove active assignment

even though a user's assignment doesn't need activation to take action:

BUT

we can still remove users from the admin role

if the user is suspended, quits or even goes on vacation, for example

select remove
confirm
bros removed from Exchange admin

permanent active assignment

Azure resource assignment could be:

  • eligible for just-in-time, which needs activation before using the admin role (more safe)
  • or active for time-bound access, which doesn't need activation before using the admin role (more risky)

each approach has specific situations for use

there is another aspect: the active permanent assignment

using this approach is riskier than the two above, and it looks like we do NOT have PIM at all: because it's NOT limited by time or even by an activation process

permanent active assignment
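The same time-bound assignment and verification done with Microsoft Graph PowerShell, plus a check that flags any permanent active assignment on the role, as an added example that is not part of the original post. It assumes the Microsoft.Graph module (Identity.Governance cmdlets), an account that can consent to the listed scope, and aziz@pioneers101.onmicrosoft.com as the UPN of the 'aziz' user from the walkthrough.

```powershell
# Added example, not from the original post. Assumes the Microsoft.Graph PowerShell
# module and an account allowed to consent to the scope below.
Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory'

$roleName = 'Exchange Administrator'              # role used in the walkthrough
$userUpn  = 'aziz@pioneers101.onmicrosoft.com'    # assumed UPN for the 'aziz' user
$endDate  = Get-Date '2021-12-15'                 # end of the time-bound window

# Look the role and the user up instead of hardcoding object IDs
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
$user = Get-MgUser -UserId $userUpn

# ACTIVE assignment (adminAssign) that expires on a fixed date: no activation step,
# the user holds the role for the whole window, which is why this is the riskier option
New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest `
    -Action 'adminAssign' `
    -PrincipalId $user.Id `
    -RoleDefinitionId $role.Id `
    -DirectoryScopeId '/' `
    -Justification 'Change window: Exchange maintenance' `
    -ScheduleInfo @{
        StartDateTime = (Get-Date).ToUniversalTime()
        Expiration    = @{ Type = 'afterDateTime'; EndDateTime = $endDate.ToUniversalTime() }
    }
# To remove the assignment early (user suspended, quit, on vacation), submit the same
# request with -Action 'adminRemove'.

# Verify, the same way the portal's Eligible / Active tabs do
$roleFilter = "roleDefinitionId eq '$($role.Id)'"
$eligible = @(Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter $roleFilter)
$active   = @(Get-MgRoleManagementDirectoryRoleAssignmentSchedule -Filter $roleFilter -ExpandProperty Principal)
"$roleName : $($eligible.Count) eligible, $($active.Count) active"

# Flag permanent active assignments: these bypass both the time limit and the activation step
foreach ($a in $active) {
    $exp = $a.ScheduleInfo.Expiration
    [pscustomobject]@{
        Principal = $a.Principal.AdditionalProperties['userPrincipalName']
        Type      = $a.AssignmentType             # Assigned (direct) or Activated (from eligible)
        Expiry    = if ($exp.Type -eq 'noExpiration') { 'PERMANENT - review' } else { $exp.EndDateTime }
    }
}
```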

conclusion

Azure resource assignment could be:

  • eligible for just-in-time, which needs activation before using the admin role (more safe)
  • or active for time-bound access, which doesn't need activation before using the admin role (more risky)
  • or permanent active assignment, which is the riskiest because it's NOT limited by time or even by an activation process
