
How does privileged identity management work in Azure Active Directory?

Organizations that assign privileged access to certain users can lose track of who has access to what. Privileged user monitoring ensures users comply with corporate policies.

Not every user is equal. Some user accounts have a large number of rights and privileges -- these are usually administrators. While organizations look to privileged users for administrative and managerial support activities, it's important to realize that privileged users are not infallible. They make mistakes. They can be malicious. They are also subject to hacking or identity theft that can leave a business vulnerable to enormous disruption. This makes it vital to provide oversight for high-level users.


Privileged identity management (PIM) identifies privileged users and watches over their activities to ensure those activities are logged and consistent with established policies. For example, it may be necessary to provide a sizable number of users with permanent privileged access to resources such as Azure subscriptions, Office 365 and other local or SaaS tools. But even though a single trusted administrator might assign those rights in good faith, it's often difficult -- even impossible -- to remember who has access to what later on. And such lapses of monitoring and control can expose security vulnerabilities, possibly exposing the business to compliance violations.

Microsoft Azure Active Directory Privileged Identity Management (Azure AD PIM) allows the business to identify, monitor and manage privileged user identities and their access to sensitive business resources in AD and online/cloud services. Azure AD PIM can discover which users have administrative access to Azure AD, report administrative access history, produce alerts about access or changes in administrative assignments, and even provide temporary -- just-in-time -- access to AD resources for users who need to complete a one-off or temporary task that demands AD access.

Azure AD PIM has default management for built-in AD roles including global, billing, service, user and password administrator roles. Azure AD PIM is managed through the Azure portal where a dashboard provides PIM details such as access history for the administrator, the number of temporary and permanent administrators, and the number of users with each privileged role. Only a global administrator can enable PIM for a directory.
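The reporting and alerting just described can be made concrete with a small audit script. The following is an added example, not Microsoft's code and not part of the original article: it runs over a constructed role-assignment export (the field names are assumptions, not the Azure portal's schema) and produces the same kinds of output the PIM dashboard gives, namely per-role counts of permanent versus eligible administrators, a list of just-in-time activations that are currently open, and alerts for accounts that hold a privileged built-in role permanently.

```python
"""Added illustration (not Microsoft code): audit a PIM-style export of role
assignments to answer "who holds which privileged role, permanently or
just-in-time?". All data below is constructed for the example."""
from collections import Counter
from datetime import datetime, timezone

# Built-in Azure AD roles the article names as managed by PIM by default.
PRIVILEGED_ROLES = {
    "Global Administrator",
    "Billing Administrator",
    "Service Administrator",
    "User Administrator",
    "Password Administrator",
}

# Constructed sample export (field names are assumptions, not a real schema).
# "state" is "permanent" or "eligible". An eligible holder only has the role
# while an activation window is open; "activated_until" is that window's end
# (ISO 8601 UTC) or None when no activation has been requested.
SAMPLE_ASSIGNMENTS = [
    {"user": "alice@example.test", "role": "Global Administrator",
     "state": "permanent", "activated_until": None},
    {"user": "bob@example.test", "role": "Global Administrator",
     "state": "eligible", "activated_until": "2024-01-15T18:00:00Z"},
    {"user": "carol@example.test", "role": "User Administrator",
     "state": "eligible", "activated_until": None},
    {"user": "dave@example.test", "role": "Billing Administrator",
     "state": "permanent", "activated_until": None},
    {"user": "erin@example.test", "role": "Password Administrator",
     "state": "eligible", "activated_until": "2024-01-14T09:00:00Z"},
]


def parse_utc(stamp):
    """Parse an ISO 8601 'Z' timestamp into a timezone-aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def summarize(assignments):
    """Per-role counts of permanent vs eligible holders: the dashboard numbers."""
    counts = {}
    for a in assignments:
        counts.setdefault(a["role"], Counter())[a["state"]] += 1
    return {role: dict(c) for role, c in counts.items()}


def active_now(assignments, now_iso):
    """Eligible holders whose just-in-time activation is still open at now_iso."""
    now = parse_utc(now_iso)
    return [
        (a["user"], a["role"])
        for a in assignments
        if a["state"] == "eligible"
        and a["activated_until"] is not None
        and parse_utc(a["activated_until"]) > now
    ]


def permanent_privileged_alerts(assignments):
    """Alert on every account that holds a privileged built-in role permanently;
    the defensive fix is to convert the assignment to eligible (just-in-time)."""
    return [
        f"PERMANENT: {a['user']} holds {a['role']} permanently; make it eligible"
        for a in assignments
        if a["state"] == "permanent" and a["role"] in PRIVILEGED_ROLES
    ]


if __name__ == "__main__":
    # Constructed "current time" for the sample run.
    now_iso = "2024-01-15T12:00:00Z"
    for role, counts in sorted(summarize(SAMPLE_ASSIGNMENTS).items()):
        print(f"{role}: {counts}")
    print("active just-in-time elevations:", active_now(SAMPLE_ASSIGNMENTS, now_iso))
    for alert in permanent_privileged_alerts(SAMPLE_ASSIGNMENTS):
        print(alert)
```

In a real tenant the input would be the assignment data PIM itself reports, but the audit logic is the same: a permanent holder of a privileged role is the finding, an open activation is the thing to watch, and the per-role counts are what a reviewer compares against the expected number of administrators.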

Active Directory forms the cornerstone of enterprise identity and privileged user management. As Microsoft has moved into the public cloud with Azure, Active Directory technology remains central to Microsoft Azure in the form of Azure AD. Local and cloud AD platforms can exist independently, but new tools such as Azure AD Connect are emerging to stitch both realms together. This can form a seamless and cohesive hybrid AD environment, which is also poised to leverage AD federation and enable single sign-on capabilities across organizational boundaries -- extending the reach of AD even further.
