Ok, this is not a regular blog post; instead, allow me a little advertising for the company I'm currently working for.
At ExpertCircle GmbH we have made BYOK (Bring Your Own Key) available as a service for customers who want to use Azure Key Vault and encrypt their data with their own keys.
So if you need to use BYOK in Azure and don't want to purchase your own HSM module and train people to use it correctly, you can find more information here:
Since we are located in Germany and this service requires meeting in person, the offering is in German, but it may also be interesting for neighbouring countries.
Yesterday I wrote a blog post on how to set up a PAM role with approvals in Privileged Access Management of Microsoft Identity Manager 2016.
Here is part 2, where I will be covering the following features:
- PAM role with time span limits (e.g. 08:00 to 17:00)
- PAM role with a specific request time (requests in future)
First make sure that the server running the PAM components and the MIM service/portal have the correct time zone setting. You can check that in the MIM portal under: Administration -> Portal Configuration -> Timezone
Currently the time restrictions only work on time values, not dates, so you cannot exclude weekend days, for example. Only restrictions like 8:00 to 17:00 (or 8:00 am to 5:00 pm) are possible.
The supported way to set a time span rule on a PAM role is through PowerShell:
$pamrole = Get-PAMRole "SQLAdmins"
Set-PAMRole -Role $pamrole -AvailabilityWindowEnabled $true -AvailableFrom "08:00" -AvailableTo "17:00"
Continue reading “Privileged Access Management: PAM roles with time span and future requests (Part 2)”
Well, here is some more information from playing with my Privileged Access Management (PAM) demo lab of MIM 2016.
Looking a little bit under the surface, you will see there are some more options you can set on PAM roles, like the following:
- PAM roles with approvals
- PAM roles with a valid time span (e.g. 8:00 to 17:00)
- PAM roles with Azure MFA authentication
- PAM roles requesting in the future (e.g. Role request for tomorrow)
This part covers PAM roles with approvals; there will be more posts regarding the other options in the near future.
Continue reading “Privileged Access Management: PAM roles with approvals (Part 1)”
I've recently worked in my demo lab with the Microsoft Identity Manager 2016 (MIM) feature called Privileged Access Management (PAM) to prepare for workshops and a first implementation at a customer.
One thing that came to mind was how to enable PAM admins to see a list of all currently active PAM requests on the system.
Option 1 is to use PowerShell from the MIMPAM Module to get an overview:
Get-PAMUser | Get-PAMRequest -Active
Quite simple, right?
But I wanted a graphical version, and since the good "old" MIM portal is also present in that scenario, I tried to figure out how to search only for "Active" roles/requests.
Continue reading “Privileged Access Management: List all active pam requests”
Just a short post today.
I thought it might be a good idea to share more scripts in future, so here is the first one: it assigns Azure/O365 licenses based on AD group membership.
EMS/AADP and RMS licenses can also be assigned directly in Azure using group memberships, but you still have to handle O365 licenses yourself with scripts.
At some customers I have the requirement to also manage O365 licenses after synchronizing objects with AADConnect, so I decided to manage all licenses with a script.
This script still needs some improvement in security (the password is stored in a file), but you can modify that as you want.
Also, I do not cover the license options of O365 licenses; instead, the complete set of O365 features will be assigned.
Continue reading “Assign Azure/O365 licenses based on AD group membership”