Privileged Access Management: PAM roles with time span and future requests (Part 2)

Yesterday I wrote a blog post on how to set up a PAM role with approvals in Privileged Access Management of Microsoft Identity Manager 2016.

Here is part 2 where I will be covering the following features:

  • PAM role with time span limits (e.g. 08:00 to 17:00)
  • PAM role with a specific request time (requests in future)

Note:
First make sure that the server running the PAM components and the MIM service/portal have the correct time zone setting; otherwise the availability window and any future request times are evaluated against the wrong clock. You can check the portal setting under: Administration -> Portal Configuration -> Timezone

Currently the time restrictions only work on time-of-day values, not on dates, so you cannot exclude weekend days, for example. Only restrictions like 08:00 to 17:00 (8:00 am to 5:00 pm) are possible.

The supported way to set a time span rule on a PAM role is through PowerShell:

Import-Module MIMPAM
# Look up the role object by display name
$pamrole = Get-PAMRole "SQLAdmins"
# AvailableFrom/AvailableTo are DateTime parameters; a bare "08:00" is cast to today's date at 08:00,
# only the time-of-day part is evaluated by the availability window
Set-PAMRole -Role $pamrole -AvailabilityWindowEnabled $true -AvailableFrom "08:00" -AvailableTo "17:00"
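As an added example (not code from the original post), here is the window setting above combined with the second feature of this part, a request placed for tomorrow, using the MIMPAM cmdlets Get-PAMRole, Set-PAMRole, New-PAMRequest and Get-PAMRequest. The role name SQLAdmins and the justification text are illustrative, the property names read back from the role object are assumed to match the Set-PAMRole parameter names, and the expectation that a request starting outside the window is refused by the PAM service is something to confirm in your own lab.

```powershell
Import-Module MIMPAM

# 1. Restrict the role to business hours and read the setting back to verify it stuck.
#    Property names on the returned role object are assumed to match the parameter names.
$pamrole = Get-PAMRole "SQLAdmins"
Set-PAMRole -Role $pamrole -AvailabilityWindowEnabled $true -AvailableFrom "08:00" -AvailableTo "17:00"
Get-PAMRole "SQLAdmins" |
    Select-Object DisplayName, AvailabilityWindowEnabled, AvailableFrom, AvailableTo

# 2. Request the role for tomorrow at 09:00 for two hours. Both the start and the end of the
#    activation fall inside the 08:00-17:00 window.
$tomorrow09 = (Get-Date).Date.AddDays(1).AddHours(9)
New-PAMRequest -Role $pamrole `
               -RequestedTime $tomorrow09 `
               -RequestedTTL (New-TimeSpan -Hours 2) `
               -Justification "Planned index maintenance (illustrative justification)"

# 3. Negative check: a request starting at 06:00 lies outside the window. The service is
#    expected to refuse it; the try/catch surfaces the error instead of aborting the script.
#    Verify the exact behaviour in your environment, the post does not document the error text.
$tomorrow06 = (Get-Date).Date.AddDays(1).AddHours(6)
try {
    New-PAMRequest -Role $pamrole `
                   -RequestedTime $tomorrow06 `
                   -RequestedTTL (New-TimeSpan -Hours 1) `
                   -Justification "Outside-window test (illustrative)"
} catch {
    Write-Warning "Request outside the availability window was rejected: $($_.Exception.Message)"
}

# 4. The future request is not active yet, so it must not appear in the active list,
#    while it should appear in the unfiltered list for the role.
Get-PAMRequest -Role $pamrole -Active
Get-PAMRequest -Role $pamrole
```

Two things to watch for when you test this: a TTL that starts inside the window but ends after 17:00 (e.g. a two-hour request at 16:30) is a case the post does not cover, so check whether the service clips or rejects it before relying on the window as a hard boundary; and because only the time of day is evaluated, a request for a Saturday at 10:00 is accepted like any other.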


Privileged Access Management: PAM roles with approvals (Part 1)

Well, here is some more information from playing with my Privileged Access Management (PAM) demo lab of MIM 2016.

Looking a little under the surface, you will see there are more options you can set on PAM roles, such as the following:

  • PAM roles with approvals
  • PAM roles with a valid time span (e.g. 8:00 to 17:00)
  • PAM roles with Azure MFA authentication
  • PAM roles requesting in the future (e.g. Role request for tomorrow)

This part covers PAM roles with approvals; there will be more posts on the other options in the near future.


Privileged Access Management: List all active pam requests

I’ve recently been working in my demo lab with the Microsoft Identity Manager 2016 (MIM) feature called Privileged Access Management (PAM), to prepare for workshops and a first implementation at a customer.

One thing that came to my mind was how to enable PAM admins to see a list of all currently active PAM requests on the system.

Option 1 is to use PowerShell with the MIMPAM module to get an overview:

Get-PAMUser | Get-PAMRequest -Active
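As an added example (not code from the original post), the same pipeline turned into a small report a PAM admin can scan or export: soonest expiry first, users holding more than one elevated role at once, and a CSV snapshot. The property names used on the PAMUser and PAMRequest objects (PrivUserName, Role, ExpirationTime) are assumptions; confirm them with Get-Member before running this against your environment.

```powershell
Import-Module MIMPAM

# Assumed property names: PrivUserName on PAMUser, Role and ExpirationTime on PAMRequest.
# Confirm with:  Get-PAMUser | Get-PAMRequest -Active | Get-Member
function Get-ActivePamReport {
    param(
        # Activations with less than this many minutes left are flagged
        [int]$ExpiringWithinMinutes = 30
    )

    $now = Get-Date
    foreach ($user in Get-PAMUser) {
        # Same pipeline as the one-liner above, but per user so the user is kept in the row
        foreach ($req in ($user | Get-PAMRequest -Active)) {
            $remaining = $req.ExpirationTime - $now
            [pscustomobject]@{
                User         = $user.PrivUserName
                Role         = $req.Role
                ExpiresAt    = $req.ExpirationTime
                MinutesLeft  = [math]::Round($remaining.TotalMinutes)
                ExpiringSoon = ($remaining.TotalMinutes -le $ExpiringWithinMinutes)
            }
        }
    }
}

$report = Get-ActivePamReport

# Everything that is live right now, soonest expiry first
$report | Sort-Object MinutesLeft | Format-Table -AutoSize

# Users holding more than one elevated role at the same time deserve a second look
$report | Group-Object User | Where-Object Count -gt 1 | Select-Object Name, Count

# Snapshot for the audit trail (path is illustrative)
$report | Export-Csv -Path .\active-pam-requests.csv -NoTypeInformation
```

Because Get-PAMRequest -Active reflects the state of the PAM service at the moment you run it, schedule this (or the one-liner) at a fixed interval if you want a history of who was elevated when; a single run only tells you about the present.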

Quite simple, right?

But I wanted a graphical version, and since the good “old” MIM portal is also present in that scenario, I tried to figure out how to search for only “Active” roles/requests.


Just in Time Administration (JIT) in Azure AD Premium, in Preview

It seems that the new MIM 2016 feature called PAM (Privileged Access Management) has also found its way into Azure AD Premium.
In Azure AD Premium this is called PIM (Privileged Identity Management).

See the following announcement on Alex’s TechNet AD blog:
http://blogs.technet.com/b/ad/archive/2015/05/04/azure-cloud-app-discovery-ga-and-our-new-privileged-identity-management-service.aspx

You can also get a quick look at it in this video on Channel 9:
http://channel9.msdn.com/Series/Azure-Active-Directory-Videos-Demos/Azure-AD-Privileged-Identity-Management

