Create PAM (Privileged Access Management) Mobile Apps with PowerApps

Maybe you already read my last blog post about using PowerApps for Microsoft Identity Manager where you find a definitions file for the Lithnet RestAPI for MIM to create a custom API for PowerApps. If not, please do so for some basic information’s.

I also will present the MIM and PAM PowerApps solution with some detailed information on the next MIM Team User Group meeting on June 15.

This time I give to all of you the swagger JSON definition file for the Privileged Access Management (PAM) RestAPI around with a demo PowerApp.

The swagger JSON and YAML files contains all the API calls that PAM provides, so you can do the following:

  • Get a list of all PAM roles you are a candidate for
  • Get the PAM role request history
  • Request a PAM role and also Cancel your request before TTL exceeds
  • Get a list of all PAM role requests you should approve
  • Approve of Reject a PAM role request

Since PowerApps is still a preview feature you might have some issues like I have, but I was able to test all scenarios mentioned above.
Read more of this post

Privileged Access Management: PAM roles with time span and future requests (Part 2)

Yesterday I wrote a blog post on how to setup PAM role with approvals in Privileged Access Management of Microsoft Identity Manager 2016.

Here is part 2 where I will be covering the following features:

  • PAM role with time span limits (e.g. 08:00 to 17:00)
  • PAM role with a specific request time (requests in future)

Note:
First make sure that the server running PAM components and the MIM service/portal have the correct time zone setting. You can check that in MIM portal under: Administration -> Portal Configuration -> Timezone

 

Currently the time restrictions are only working on time values not dates, so you cannot exclude weekend days for example. Only restrictions like 8:00 to 17:00 (or 8:00 am to 5:00 pm) are possible.

The supported way to set a time span rule on a PAM role is through PowerShell:

Import-Module MIMPAM
$pamrole = Get-PAMRole "SQLAdmins"
Set-PAMRole -Role $pamrole -AvailabilityWindowEnabled $true -AvailableFrom "08:00" -AvailableTo "17:00"

Read more of this post

Privileged Access Management: PAM roles with approvals (Part 1)

Well, here is some more information from playing with my Privileged Access Management (PAM) demo lab of MIM 2016

Looking a little bit under the surface you will see there are some more options you can set on PAM roles, like the following:

  • RAM roles with approvals
  • PAM roles with a valid time span (e.g. 8:00 to 17:00)
  • PAM roles with Azure MFA authentication
  • PAM roles requesting in the future (e.g. Role request for tomorrow)

This part is regarding PAM roles with approvals, there will be more posts regarding the other options in the near future.

Read more of this post

Privileged Access Management: List all active pam requests

I’ve recently worked in my demo lab with Microsoft Identity Manager 2016 (MIM) feature called Privileged Access Management (PAM) to prepare for workshops and a first implementation at a customer.

One thing that came to my mind was, how I can enable PAM Admins to see a list of all currently active PAM requests on the system.

Option 1 is to use PowerShell from the MIMPAM Module to get an overview:

Get-PAMUser | Get-PAMRequest –Active

Quite simple, right?

But I want some graphical version and since the good “old” MIM portal is also present in that scenario I tried to figure out on how to search only “Active” roles/requests.

Read more of this post

Just in Time Administration (JIT) in Azure AD Premium for Preview

Seems that the new MIM 2016 feature called PAM (Privileged Access Management) found its way into Azure AD Premium also.
In Azure AD Premium this is called PIM (Privileged Identity Management).

See the following accouncment on the Alex Technet AD Blog:
http://blogs.technet.com/b/ad/archive/2015/05/04/azure-cloud-app-discovery-ga-and-our-new-privileged-identity-management-service.aspx

You can also have a quick look into this with whis video on Channel 9:
http://channel9.msdn.com/Series/Azure-Active-Directory-Videos-Demos/Azure-AD-Privileged-Identity-Management

Read more of this post

%d bloggers like this: