United Kingdom | Azure Privileged Access Groups

Chris Threlfall - 03.04.2023

Azure Privileged Access Groups


Privileged Access Groups (PAGs) in Azure Active Directory are a great way for administrators to manage access to sensitive resources, timed access, or elevation into certain privileged roles. 

IT administrators can easily set up and enforce authentication requirements for membership of these groups, such as Multi Factor Authentication (MFA), a ticket / reference number, and an authorisation request review. The goal is to provide users with the exact level of access needed to perform their job, for just enough time to undertake the specific task, rather than over-assigning administrative roles or allowing permanent access to persist after the need for it has passed (as often happens with external contractors).

By creating groups of users who are granted specific access rights, organisations can better manage and monitor access to sensitive resources. This helps to reduce the risk of unauthorized access or data breaches. 

It’s important to note that PAGs are not a replacement for regular user access control. They should be used in addition to regular access controls such as Conditional Access Policies and MFA.

At Insentra we often require administrative access to a client's Azure tenant to complete project work, and companies vary wildly in their processes for granting and providing such access. So, we speak with some experience when we say that one of the most secure and straightforward ways to consistently provide this is with PAGs set up with a specific workflow and intent.

What not to do

A contractor needs administrative access to your tenant to perform a review and redesign of your conditional access policies. This would include a discovery session and then an implementation and testing session. 

You assign the contractor the Global Administrator role in Azure AD by assigning it directly to their user account and allow them to get on with their work. You will remember to remove their role assignment and deactivate their account after the project is complete. 

Here is another way to approach the situation

Gather specific information from the 3rd party that will help to shape the access requirement: 

  • How long is this specific engagement scheduled to last? 
  • Does the contractor need to perform any changes during the discovery period? 
  • Are there any other tasks outside of creating the conditional access policies that the contractor needs to complete? 

Now we can build groups around the information gathered:

Creating Privileged Access Groups has two parts: a standard security group that contains the user accounts that should receive the permissions, and a Privileged Access Group that has the desired administrative role assigned. The membership rules of the PAG are then set so that any user in the security group is eligible for membership. This lets you easily manage who is eligible for the role, and membership of the security group can even be controlled dynamically if desired (for example, if a user has “External Contractor” as their job title in Azure AD, they could automatically be included in the security group and would then be eligible to elevate into the privileged role assigned to the PAG that you have determined is required for their specific task).

In this example the 3rd party contractor requires 2 days for discovery and 1 week for implementation of Conditional Access Policies in your tenant. The best practice is to grant the least amount of access required to the contractor for just enough time to complete their work, so instead of assigning the Global Administrator role we can use PAGs to assign the Security Reader role for 2 days using the member settings, and create another PAG to assign the Conditional Access Administrator role for the 1 week required. We can also set how long each elevation lasts based on how long access will be required each day (e.g., 8 hours).

You then have a choice of elevation conditions, such as requiring an additional MFA prompt when elevating into the group, requiring approval from a designated user or group of users before the role is applied, requiring a reason for activating the role for auditing purposes, or even requiring a ticket number to tie the activation in with your internal request processes. The contractor can also request an extension of the eligibility window if the work runs over schedule; this is subject to the same approval process configured on the group.
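The two halves of the setup described above (the security group plus role-assignable PAG, and the timed eligibility with its activation conditions) map onto a handful of Microsoft Graph calls. The following is an added example, not Insentra's or Microsoft's code: it builds the Graph v1.0 request bodies for a dynamic contractor group, a role-assignable PAG, the directory role assignment, a PIM for Groups eligibility schedule request, and the PAG's activation policy rules (maximum 8-hour activation, MFA, justification, ticket number and approval). The group and policy IDs are placeholders you would read back from earlier calls, the eligibility principal is assumed to be the security group as the article describes, and the role template IDs are the well-known built-in values.

```python
"""Microsoft Graph request builders for the contractor PAG workflow (added example).

Assumes Graph v1.0: /groups, /roleManagement/directory/roleAssignments,
/identityGovernance/privilegedAccess/group/eligibilityScheduleRequests and
/policies/roleManagementPolicies. IDs such as "PAG-CA-ID" are placeholders.
"""
import json
from datetime import datetime, timezone

GRAPH = "https://graph.microsoft.com/v1.0"

# Well-known directory role template IDs (identical in every tenant).
SECURITY_READER = "5d6b6bb7-de71-4623-b4af-96380a352509"
CONDITIONAL_ACCESS_ADMIN = "b1be1c3e-b65d-4f19-8427-f6fa0d97feb9"


def group_payload(display_name, job_title=None, role_assignable=False):
    """POST /groups body. With job_title the group is dynamic on user.jobTitle
    (the membership side); with role_assignable it is the static PAG that carries
    the role. Role-assignable groups cannot be dynamic, hence two groups."""
    body = {
        "displayName": display_name,
        "mailNickname": display_name.lower().replace(" ", "-"),
        "mailEnabled": False,
        "securityEnabled": True,
    }
    if job_title:
        body.update({
            "groupTypes": ["DynamicMembership"],
            "membershipRule": f'(user.jobTitle -eq "{job_title}")',
            "membershipRuleProcessingState": "On",
        })
    if role_assignable:
        body["isAssignableToRole"] = True
    return body


def eligibility_request_payload(pag_id, principal_id, days, justification):
    """Make principal_id (the security group) eligible for PAG membership for `days`."""
    start = datetime.now(timezone.utc).replace(microsecond=0)
    return {
        "accessId": "member",
        "principalId": principal_id,
        "groupId": pag_id,
        "action": "adminAssign",
        "justification": justification,
        "scheduleInfo": {
            "startDateTime": start.isoformat(),
            "expiration": {"type": "afterDuration", "duration": f"P{days}D"},
        },
    }


def activation_rules(max_hours, approver_group_id=None, require_ticket=True):
    """End-user activation rules keyed by rule id: max duration, MFA + justification
    (+ ticket number), and optional approval by a designated group."""
    enabled = ["MultiFactorAuthentication", "Justification"]
    if require_ticket:
        enabled.append("Ticketing")
    rules = {
        "Expiration_EndUser_Assignment": {
            "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule",
            "isExpirationRequired": True,
            "maximumDuration": f"PT{max_hours}H",
        },
        "Enablement_EndUser_Assignment": {
            "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule",
            "enabledRules": enabled,
        },
    }
    if approver_group_id:
        rules["Approval_EndUser_Assignment"] = {
            "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule",
            "setting": {
                "isApprovalRequired": True,
                "approvalStages": [{
                    "approvalStageTimeOutInDays": 1,
                    "isApproverJustificationRequired": True,
                    "primaryApprovers": [{"@odata.type": "#microsoft.graph.groupMembers",
                                          "groupId": approver_group_id}],
                }],
            },
        }
    return rules


def pag_requests(pag_id, policy_id, role_template_id, contractor_group_id,
                 days, max_hours, approver_group_id, justification):
    """Ordered (method, path, body) calls that wire one PAG up end to end."""
    calls = [
        ("POST", "/roleManagement/directory/roleAssignments",
         {"principalId": pag_id, "roleDefinitionId": role_template_id, "directoryScopeId": "/"}),
        ("POST", "/identityGovernance/privilegedAccess/group/eligibilityScheduleRequests",
         eligibility_request_payload(pag_id, contractor_group_id, days, justification)),
    ]
    for rule_id, body in activation_rules(max_hours, approver_group_id).items():
        calls.append(("PATCH", f"/policies/roleManagementPolicies/{policy_id}/rules/{rule_id}", body))
    return calls


if __name__ == "__main__":
    # Placeholder IDs. A real run creates the groups first, reads back their ids, and finds
    # each PAG's policy id via
    # GET /policies/roleManagementPolicies?$filter=scopeId eq '<pag id>' and scopeType eq 'Group'
    print(json.dumps(group_payload("Contractors", job_title="External Contractor")))
    for method, path, body in pag_requests("PAG-CA-ID", "POLICY-ID", CONDITIONAL_ACCESS_ADMIN,
                                           "CONTRACTOR-GROUP-ID", 7, 8, "APPROVERS-ID",
                                           "CA policy redesign"):
        print(method, GRAPH + path, json.dumps(body))
```

The Security Reader PAG for the 2-day discovery window is the same call sequence with `SECURITY_READER` and `days=2`. Each request is sent with a bearer token from an app or user holding the relevant Graph permissions; the builders are kept separate from any HTTP client so the bodies can be reviewed (or diffed against the tenant) before anything is changed.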

What about your internal IT Team

This solution does not have to be just for external users; it works in the same way for internal users who require administrative permissions in Azure. You can create this type of workflow for any admin role in the Azure portal. You can also set permanent eligibility if, for example, you are assigning roles to your IT team and need them to be able to elevate their account regularly to perform tasks; this is intended to replace the need for separate administrator accounts.

This way your IT staff activate their roles at the beginning of their day once and can continue to work as usual without having perpetual administrative roles assigned.

The Why

The methodology behind this approach is that it gives just enough access to complete the required tasks, for just enough time to complete the work. This follows the Zero Trust model and allows an organisation to have essentially no administrative roles assigned unless they are actively in use, with every activation subject to the elevation requirements discussed earlier. It also provides an audit trail of every role activation by the user in question.

This process is similar to using Privileged Identity Management (PIM); however, in comparison, Privileged Access Groups are much simpler to set up and enforce. With PIM, an administrator must configure an entire system of rules and settings for each user account, which can be time-consuming. With Privileged Access Groups, the administrator only needs to set up the authentication requirements once, and then assign roles to the group. This makes it much easier and faster for an administrator to manage access to sensitive resources and elevated privileges.

It may seem like quite a bit of work just to allow an external consultant access; however, once this framework is set up it is very straightforward to grant, remove and audit role assignments. Users can be placed into several groups to provide different levels of access for different periods of time, making the assignment of administrative roles as secure and traceable as possible.

Conclusion

Privileged Access Groups in Azure Active Directory help IT administrators to manage and monitor access to sensitive resources by providing users with the exact level of access needed to perform their job for just enough time. Insentra recommends using PAGs to consistently provide administrative access for external contractors or internal staff. To learn more about implementing PAGs in your organisation, please get in touch now!
