Finally, two or three weeks ago (I think) Microsoft implemented a new Azure AD blade that most admins have been waiting a long time for: the “Roles and Administrators” overview, with additional information on which permissions each role grants.
You no longer need PowerShell to get a list of all your Azure AD admins and the roles they hold. Privileged Identity Management has offered that listing for a long time, but it requires an Azure AD Premium P2 license; the new blade is available to all customers, including Azure AD Free.
Go to the Azure AD blade and you will find the new experience called “Roles and Administrators”.
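For comparison, here is the PowerShell route the new blade replaces: enumerate every activated directory role and its members, which is the same data the portal now shows. This is an added example written for this page, not code from the original post; it assumes the AzureAD module is installed and that the signed-in account can read directory roles.

```powershell
# Added example (not from the original post): list Azure AD roles and their members.
# Assumes: Install-Module AzureAD has been run, and the account used has at least
# directory read permissions.
Import-Module AzureAD
Connect-AzureAD | Out-Null

# Get-AzureADDirectoryRole only returns roles that have been activated in the tenant,
# so roles nobody has ever been assigned to will not appear here.
$report = foreach ($role in Get-AzureADDirectoryRole) {
    foreach ($member in Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId) {
        [pscustomobject]@{
            Role       = $role.DisplayName
            Member     = $member.DisplayName
            Upn        = $member.UserPrincipalName   # empty for groups and service principals
            ObjectType = $member.ObjectType
        }
    }
}

# Full overview, one line per role assignment
$report | Sort-Object Role, Member | Format-Table -AutoSize

# The assignments to review first. Older versions of the AzureAD module report the
# Global Administrator role under its legacy name "Company Administrator".
$report |
    Where-Object { $_.Role -in @('Global Administrator', 'Company Administrator') } |
    Format-Table -AutoSize
```

Run it in a session where you can afford an interactive sign-in; the report object is plain data, so piping it to Export-Csv gives you a point-in-time record of who held which role, which is useful to diff later.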
Continue reading “Azure AD: New roles and administrator blade”
Yesterday I wrote a blog post on how to set up a PAM role with approvals in Privileged Access Management of Microsoft Identity Manager 2016.
Here is part 2, where I cover the following features:
- PAM role with time span limits (e.g. 08:00 to 17:00)
- PAM role with a specific request time (requests in future)
First, make sure that the server running the PAM components and the MIM Service/Portal have the correct time zone setting. You can check that in the MIM Portal under: Administration -> Portal Configuration -> Time Zone.
Currently the time restrictions work only on time-of-day values, not on dates, so you cannot exclude weekends, for example. Only restrictions like 08:00 to 17:00 (or 8:00 am to 5:00 pm) are possible.
The supported way to set a time span rule on a PAM role is through PowerShell, using the MIMPAM module on the PAM server:
Import-Module MIMPAM
$pamrole = Get-PAMRole -DisplayName "SQLAdmins"
# AvailableFrom/AvailableTo are DateTime values; the strings are converted and only the time of day matters
Set-PAMRole -Role $pamrole -AvailabilityWindowEnabled $true -AvailableFrom "08:00" -AvailableTo "17:00"
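The following is an added example for this page, not code from the original post, that carries the procedure above through end to end: it sets the availability window, reads the role back to confirm the stored values, checks whether a given time on the PAM server's clock falls inside the window, and finally submits a request for a future time (the second feature listed above). It assumes the MIMPAM module, a PAM role named "SQLAdmins", and that New-PAMRequest accepts -RequestedTime and -RequestedTTL; the Test-InAvailabilityWindow function is a local helper written here, not a PAM cmdlet.

```powershell
# Added example (not from the original post). Assumes the MIMPAM module is present and
# a PAM role "SQLAdmins" exists. Run on the PAM server in the PRIV forest.
Import-Module MIMPAM

$role = Get-PAMRole -DisplayName "SQLAdmins"

# Set-PAMRole takes DateTime values; only the time-of-day part is used for the window.
Set-PAMRole -Role $role `
    -AvailabilityWindowEnabled $true `
    -AvailableFrom ([datetime]"08:00") `
    -AvailableTo   ([datetime]"17:00")

# Read the role back and confirm what was actually stored before relying on it.
$role = Get-PAMRole -DisplayName "SQLAdmins"
$role | Select-Object DisplayName, AvailabilityWindowEnabled, AvailableFrom, AvailableTo

# Local helper (assumption: our own logic, not a PAM cmdlet). Tells you whether a given
# time is inside the window. It also handles a window that wraps past midnight
# (e.g. 22:00 to 06:00); whether PAM itself accepts such a window is not covered here.
function Test-InAvailabilityWindow {
    param(
        [Parameter(Mandatory)][datetime]$From,
        [Parameter(Mandatory)][datetime]$To,
        [datetime]$At = (Get-Date)
    )
    $t = $At.TimeOfDay
    if ($From.TimeOfDay -le $To.TimeOfDay) {
        # Normal same-day window: From <= t < To
        return ($t -ge $From.TimeOfDay -and $t -lt $To.TimeOfDay)
    }
    # Window wraps past midnight: t >= From OR t < To
    return ($t -ge $From.TimeOfDay -or $t -lt $To.TimeOfDay)
}

# Evaluate against this server's clock. The answer depends on the server's time zone,
# which is why the time zone check earlier in the post comes first.
Test-InAvailabilityWindow -From $role.AvailableFrom -To $role.AvailableTo

# Request the role for a future time: tomorrow at 09:00, which lies inside the window.
# Assumption: New-PAMRequest takes -RequestedTime (DateTime) and -RequestedTTL (TimeSpan).
$requestTime = (Get-Date).Date.AddDays(1).AddHours(9)
New-PAMRequest -Role $role `
    -RequestedTime $requestTime `
    -RequestedTTL (New-TimeSpan -Hours 2) `
    -Justification "Planned SQL maintenance"

# Show the pending request, including the time it is scheduled to become active.
Get-PAMRequest | Where-Object { $_.RoleName -eq $role.DisplayName } |
    Select-Object RoleName, RequestedTime, RequestedTTL, Justification
```

The Set-PAMRole and Get-PAMRole calls run as a PAM administrator; New-PAMRequest is normally run as the candidate user who wants the role, so in practice the last part lives in a separate session. Reading the role back after Set-PAMRole is worth keeping: it is the only cheap way to notice a value that was silently parsed into a different time than you intended.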
Continue reading “Privileged Access Management: PAM roles with time span and future requests (Part 2)”