Yesterday I wrote a blog post on how to set up a PAM role with approvals in Privileged Access Management of Microsoft Identity Manager 2016.
Here is part 2 where I will be covering the following features:
- PAM role with time span limits (e.g. 08:00 to 17:00)
- PAM role with a specific request time (requests in future)
First, make sure that the server running the PAM components and the MIM service/portal have the correct time zone setting. You can check that in the MIM portal under: Administration -> Portal Configuration -> Timezone.
Currently the time restrictions only work on time values, not dates, so you cannot exclude weekend days, for example. Only restrictions like 8:00 to 17:00 (or 8:00 am to 5:00 pm) are possible.
The supported way to set a time span rule on a PAM role is through PowerShell:
$pamrole = Get-PAMRole "SQLAdmins"
Set-PAMRole -Role $pamrole -AvailabilityWindowEnabled $true -AvailableFrom "08:00" -AvailableTo "17:00"
Continue reading “Privileged Access Management: PAM roles with time span and future requests (Part 2)”
Well, here is some more information from playing with my Privileged Access Management (PAM) demo lab of MIM 2016.
Looking a little bit under the surface you will see there are some more options you can set on PAM roles, like the following:
- PAM roles with approvals
- PAM roles with a valid time span (e.g. 8:00 to 17:00)
- PAM roles with Azure MFA authentication
- PAM roles requesting in the future (e.g. Role request for tomorrow)
This part covers PAM roles with approvals; there will be more posts regarding the other options in the near future.
Continue reading “Privileged Access Management: PAM roles with approvals (Part 1)”
I’ve recently worked in my demo lab with the Microsoft Identity Manager 2016 (MIM) feature called Privileged Access Management (PAM) to prepare for workshops and a first implementation at a customer.
One thing that came to my mind was how I can enable PAM Admins to see a list of all currently active PAM requests on the system.
Option 1 is to use PowerShell from the MIMPAM Module to get an overview:
Get-PAMUser | Get-PAMRequest -Active
Quite simple, right?
But I want a graphical version, and since the good “old” MIM portal is also present in that scenario, I tried to figure out how to search only “Active” roles/requests.
Continue reading “Privileged Access Management: List all active pam requests”
It seems that the new MIM 2016 feature called PAM (Privileged Access Management) has found its way into Azure AD Premium as well.
In Azure AD Premium this is called PIM (Privileged Identity Management).
See the following announcement on the Alex Technet AD Blog:
You can also have a quick look into this with this video on Channel 9:
Continue reading “Just in Time Administration (JIT) in Azure AD Premium for Preview”