introduction
In the previous article we saw how to configure a PIM eligible assignment.
In this article we will discuss another aspect of PIM: the time-bound assignment.
time-bound assignment
The time-bound assignment concept is to assign a privileged role to a user for a specific period (for example 3 months). The difference from an eligible assignment is that this time the user is active for the whole period (3 months), and there is NO need to activate the role each time it is needed.
Of course this PIM approach is MORE risky than an eligible privileged role, but in some situations we can still use it.
Just-In-Time vs Time-Bound
Azure resource assignment types are either eligible (for just-in-time access) or active (for time-bound access).
- Just-in-time access works for both Azure AD directory roles and Azure resources,
- while time-bound access only works with Azure resources.
- Just-in-time requires an eligible admin to activate their role,
- while in time-bound access there is no activation: the role is active for the whole duration.
- When access is needed for a short time now and then, you can use just-in-time.
- However, when access is needed during a change window or a maintenance window, where you know the start and end time, you can use time-bound access.
- An approval workflow can be configured with just-in-time,
- BUT it can NOT be configured on time-bound access: the role is simply active for the whole period (3 months, for example).
assign time bound role
To assign a time-bound (active assignment) role to a user:
log in to the Azure portal as the PIM admin (bisan@pioneers101.onmicrosoft.com),
then search for PIM >> manage >> role >> select your resource (for example Exchange).
Here is the crossroad:
instead of selecting eligible >> select active for 2 weeks >> which means that these users will be active for the WHOLE two weeks.
verify time bound assignment
We can verify the active assignment by:
- opening PIM >> role >> eligible assignment >> there is NO result,
- but active assignment shows the two users,
- and we also receive an email for the new active assignment as part of the notification process.
remove active assignment
Even though these users' assignment doesn't need activation to take action,
BUT
we can still remove users from the admin role,
for example if the user is suspended, quits, or even goes on vacation.
permanent active assignment
Azure resource assignment could be:
- eligible for just-in-time, which needs activation before using the admin role (more safe),
- or active for time-bound access, which doesn't need activation before using the admin role (more risky).
Each approach has its specific situation for use.
There is another aspect: the permanent active assignment.
Using this approach is riskier than the two above and looks like we do NOT have PIM at all, because it is NOT limited by time or even by an activation process.
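To make the three risk levels described above concrete, here is an added audit example (not code from the original post and not a Microsoft tool) that runs over a constructed list of assignment records shaped roughly like a PIM assignment export, and flags permanent active assignments as highest risk, time-bound active assignments that are expired or longer than a hypothetical policy window, and eligible assignments as lowest risk. The record field names, the sample users and the 14-day policy limit are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample records (not real tenant data): who, which role, whether the
# row is an eligible or an active assignment, and the window (end None = permanent).
SAMPLE_ASSIGNMENTS = [
    {"principal": "user1@example.com", "role": "Exchange Administrator",
     "kind": "eligible", "start": "2024-01-01T00:00:00Z", "end": "2024-04-01T00:00:00Z"},
    {"principal": "user2@example.com", "role": "Exchange Administrator",
     "kind": "active", "start": "2024-03-01T00:00:00Z", "end": "2024-03-15T00:00:00Z"},
    {"principal": "user3@example.com", "role": "Exchange Administrator",
     "kind": "active", "start": "2024-01-01T00:00:00Z", "end": None},
    {"principal": "user4@example.com", "role": "Global Administrator",
     "kind": "active", "start": "2024-01-01T00:00:00Z", "end": "2024-02-01T00:00:00Z"},
]
SAMPLE_NOW = datetime(2024, 3, 10, tzinfo=timezone.utc)  # fixed "now" for the sample run
MAX_ACTIVE_WINDOW = timedelta(days=14)  # hypothetical policy limit for time-bound assignments

@dataclass
class Finding:
    principal: str
    role: str
    risk: str    # "low" = eligible, "medium" = time-bound active, "high" = permanent active
    reason: str

def _parse(ts: Optional[str]) -> Optional[datetime]:
    return None if ts is None else datetime.fromisoformat(ts.replace("Z", "+00:00"))

def classify(record: dict, now: datetime) -> Finding:
    start, end = _parse(record["start"]), _parse(record["end"])
    p, r = record["principal"], record["role"]
    if record["kind"] == "eligible":
        return Finding(p, r, "low", "eligible: requires activation before use")
    if end is None:  # active with no end date: behaves as if PIM were not in place
        return Finding(p, r, "high", "permanent active assignment: no time limit and no activation")
    if end <= now:   # window already over; confirm the assignment was actually removed
        return Finding(p, r, "medium", f"time-bound active assignment expired {end.date()}; confirm it was removed")
    if end - start > MAX_ACTIVE_WINDOW:
        return Finding(p, r, "medium", f"time-bound active window of {(end - start).days} days exceeds policy of {MAX_ACTIVE_WINDOW.days}")
    return Finding(p, r, "medium", f"time-bound active assignment, {(end - now).days} days remaining")

def audit(records, now=None):
    """Classify every record and return findings ordered highest risk first."""
    now = now or datetime.now(timezone.utc)
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted((classify(x, now) for x in records), key=lambda f: order[f.risk])

if __name__ == "__main__":
    for f in audit(SAMPLE_ASSIGNMENTS, SAMPLE_NOW):
        print(f"{f.risk:6} {f.principal:20} {f.role:24} {f.reason}")
```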
conclusion
Azure resource assignment could be:
- eligible for just-in-time, which needs activation before using the admin role (more safe),
- or active for time-bound access, which doesn't need activation before using the admin role (more risky),
- or a permanent active assignment, which is the highest risk because it is NOT limited by time or even by an activation process.