Not every user is equal. Some user accounts carry a large number of rights and privileges; these are usually administrators. Organizations rely on privileged users for administrative and managerial support activities, but privileged users are not infallible. They make mistakes. They can be malicious. Their accounts are also the most valuable targets for credential theft and account takeover, and a compromised administrator can expose the business to enormous disruption. This makes it vital to provide oversight for high-level users.
Privileged identity management (PIM) identifies privileged users and watches over their activities to ensure those activities are logged and consistent with established policies. The underlying problem is standing privilege. It is common to grant a sizable number of users permanent privileged access to resources such as Azure subscriptions, Office 365 and other on-premises or SaaS tools. Even though a single trusted administrator may assign those rights in good faith, it is often difficult, sometimes impossible, to reconstruct later who has access to what. Standing, unmonitored privilege widens the attack surface and can also put the business in breach of compliance requirements.
Microsoft Azure Active Directory Privileged Identity Management (Azure AD PIM) allows the business to identify, monitor and manage privileged user identities and their access to sensitive resources in Azure AD and Microsoft online services. Azure AD PIM can discover which users hold administrative roles in Azure AD, report the history of administrative access, raise alerts about suspicious access or changes in administrative assignments, and provide just-in-time (JIT) activation of a role for users who need elevated access only to complete a one-off or temporary task. With JIT activation a user is made eligible for a role rather than permanently assigned to it, and must explicitly activate the role, with a recorded justification and for a bounded period, before the privilege takes effect.
Azure AD PIM manages the built-in Azure AD directory roles by default, including the Global Administrator, Billing Administrator, Service Administrator, User Administrator and Password Administrator roles. Azure AD PIM is managed through the Azure portal, where a dashboard shows details such as the administrator's access history, the number of eligible (temporary) and permanent administrators, and the number of users holding each privileged role. Only a global administrator can enable PIM for a directory. Note that the roles which administer PIM itself, above all Privileged Role Administrator, control who can assign and activate every other role, so they warrant the strictest oversight of all.
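The discovery, reporting and just-in-time activation described above can also be driven from the command line. The following PowerShell script is an added example written for this article, not code from Microsoft or from the original text. It uses the Microsoft Graph PowerShell SDK rather than the Azure portal: it inventories which principals hold Azure AD roles permanently, which hold them through an activated JIT window and which are merely eligible, flags standing assignments, and then requests a self-activation of an eligible role. The role name, justification text and two-hour duration are assumptions for the demonstration; the cmdlets and Graph request shape are the documented ones.

```powershell
# Added example (not from the original article): inventory Azure AD role
# assignments managed by PIM and request a just-in-time activation.
# Requires the Microsoft Graph PowerShell SDK modules listed below.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.Governance, Microsoft.Graph.Users, Microsoft.Graph.DirectoryObjects

# Least-privilege delegated scopes: read roles and schedules, self-activate only.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory',
                        'RoleEligibilitySchedule.Read.Directory',
                        'RoleAssignmentSchedule.ReadWrite.Directory',
                        'User.Read'

# Resolve role definition IDs to display names once, so the report is readable.
$roleNames = @{}
Get-MgRoleManagementDirectoryRoleDefinition -All |
    ForEach-Object { $roleNames[$_.Id] = $_.DisplayName }

# Resolve a principal object ID (user, group or service principal) to a name.
function Resolve-PrincipalName {
    param([string]$Id)
    try {
        $obj = Get-MgDirectoryObject -DirectoryObjectId $Id
        $upn = $obj.AdditionalProperties['userPrincipalName']
        if ($upn) { return $upn } else { return $obj.AdditionalProperties['displayName'] }
    } catch { return $Id }   # deleted or unreadable object: fall back to the GUID
}

# 1. Who holds a role right now? Schedule instances cover both permanent
#    ('Assigned') and currently activated JIT ('Activated') assignments.
$active = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -All |
    ForEach-Object {
        [pscustomobject]@{
            Role      = $roleNames[$_.RoleDefinitionId]
            Principal = Resolve-PrincipalName $_.PrincipalId
            Scope     = $_.DirectoryScopeId
            Type      = $_.AssignmentType
            Expires   = if ($_.EndDateTime) { $_.EndDateTime } else { 'never' }
        }
    }

# 2. Who is merely eligible and must activate through PIM before using the role?
$eligible = Get-MgRoleManagementDirectoryRoleEligibilitySchedule -All |
    ForEach-Object {
        [pscustomobject]@{
            Role      = $roleNames[$_.RoleDefinitionId]
            Principal = Resolve-PrincipalName $_.PrincipalId
            Scope     = $_.DirectoryScopeId
            Type      = 'Eligible'
            Expires   = if ($_.ScheduleInfo.Expiration.EndDateTime) { $_.ScheduleInfo.Expiration.EndDateTime } else { 'never' }
        }
    }

# 3. The report: every holder, and separately the standing (permanent, non-JIT)
#    assignments, which are the ones an auditor will ask about first.
$active + $eligible | Sort-Object Role, Type | Format-Table -AutoSize
$standing = $active | Where-Object { $_.Type -eq 'Assigned' -and $_.Expires -eq 'never' }
Write-Host "Standing privileged assignments: $($standing.Count)"
$standing | Format-Table -AutoSize

# 4. Just-in-time activation for the signed-in user. An eligible assignment
#    becomes active for a bounded window, with a recorded justification.
function Request-PimActivation {
    param(
        [Parameter(Mandatory)][string]$RoleDisplayName,
        [string]$Justification = 'Change CHG-0000: rotate service credentials',  # assumed text
        [string]$Duration = 'PT2H'                                                 # assumed ISO 8601 window
    )
    $me   = Get-MgUser -UserId (Get-MgContext).Account -Property Id
    $role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$RoleDisplayName'"
    if (-not $role) { throw "No role definition named '$RoleDisplayName'" }

    $body = @{
        action           = 'selfActivate'
        principalId      = $me.Id
        roleDefinitionId = $role.Id
        directoryScopeId = '/'            # tenant-wide scope
        justification    = $Justification
        scheduleInfo     = @{
            startDateTime = (Get-Date).ToUniversalTime()
            expiration    = @{ type = 'afterDuration'; duration = $Duration }
        }
    }
    # Status is 'Provisioned' if the role's activation policy needs no approval,
    # or 'PendingApproval' if an approver must sign off before the role goes live.
    New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $body
}

# Example call (assumed role name); fails if the caller is not eligible for it.
Request-PimActivation -RoleDisplayName 'User Administrator'
```

Run the inventory regularly and diff the output against the previous run: a new entry with Type 'Assigned' and Expires 'never' is exactly the change in administrative assignments that PIM's alerts are meant to surface, and the script lets you catch it even if the alert is missed. Activation requests are themselves recorded as schedule requests, so the justification field becomes the audit trail for why a privilege was used.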
Active Directory forms the cornerstone of enterprise identity and privileged user management, and Microsoft has carried that role into the public cloud with Azure AD. Azure AD is not a hosted copy of on-premises Active Directory but a separate, cloud-native directory service; the two can exist independently, and Azure AD Connect stitches them together by synchronizing on-premises identities into Azure AD. The result is a cohesive hybrid AD environment that can also use federation to enable single sign-on across organizational boundaries, extending the reach of AD even further. In such a hybrid setup, privileged roles exist on both sides, so PIM over Azure AD roles should be paired with equivalent controls over on-premises domain administrators.