Hello, and welcome to this lesson on Azure AD Privileged Identity Management, Part One.
This lesson is part of the AZ-500 Microsoft Azure Security Technologies course.
To keep things simple, I'll refer to Azure AD Privileged Identity Management simply as PIM going forward.
Some quick information on what we'll be covering in this lesson.
We'll start by looking at the risks associated with privileged identities and the best practices for managing those risks.
Then we'll cover an overview of Azure AD PIM.
We'll look at the role assignment workflow with PIM, and finally we'll discuss the features that are available in PIM.
Let's get into this.
Let's start by discussing the risks to privileged identities.
What is a privileged identity?
A privileged identity is one that has administrative permissions in our Azure environment.
In other words, it has more permissions than a typical user,
and these identities are usually limited to a small number of IT administrators or business application owners.
As you can imagine, these identities are a high-value target for attackers simply because of the level of access that is granted to them,
and as someone put it, if identity is the new perimeter, then privileged identities are the perimeter's crown jewels.
If we fail to protect these privileged identities, an attacker can find an open door into critical systems and data, and they could even take advantage of the credentials to move laterally within the environment.
So how do we deal with this risk? Comprehensive privileged identity protection requires access to be granted only to the people that should have it,
only when they need the access (that is, just in time), at the level at which access is needed (that is, just enough),
and for the duration that the access is needed; in other words, time bound.
Now, this may sound like simple common sense,
but managing it is an entirely different ballgame, especially if we're talking about managing these identities at scale for a large organization.
This is where a service like Azure AD PIM can help us. Let's see what PIM is.
PIM is an Azure service that helps us manage privileged administrative role assignments to Azure AD and to Azure resources.
In order for us to be able to use PIM,
there is one main requirement, and that is we need to have, and assign, Azure AD Premium P2 licenses for the users that will be using this service.
To get a clearer understanding of how PIM can help us,
let's check out some information on the role assignment workflow with PIM.
Let's say an admin called David wants to ensure that a user called Brenda can be assigned the Global Administrator role in Azure AD,
and that a user called Bradley can be assigned the Owner role on a subscription, whenever they need it.
David will first need to have PIM administrative privileges,
and he will need to onboard the roles that he wants to protect into PIM.
In this case, the Azure AD Global Administrator role and the Azure subscription Owner role will be onboarded into PIM.
David can configure a time limit for the onboarded roles. As part of the configuration,
David can also make Brenda and Bradley eligible for the roles that they need access to.
The eligible users can then request to activate a role in PIM whenever they need access. PIM verifies their eligibility and goes through an approval workflow, if one is configured.
If approval is granted, PIM configures the required role assignment for the allowed time period,
and the good thing is that once the time limit expires, PIM automatically removes the role assignment.
Let's look at the features that we can configure in PIM.
The first feature is just-in-time access. This means that the user will need to go through an activation process in order to be assigned the role that elevates their privilege.
Then we have time-bound access,
which means that PIM allows us to limit the time period for which the user can be assigned the role.
And when the time is up, the user will automatically be removed from the role assignment by PIM. PIM supports approval workflows, which means that we can configure an approval process for when a user goes to activate a role. For example, we can configure one or more users as approvers whenever a user goes to activate
the Global Administrator role.
We can require multi-factor authentication and a justification to be provided when a user goes to activate a role.
Justification is especially useful for internal and external audit scenarios. We can even require a ticket number to be provided as a reference.
We can configure notifications to know which users are activating which roles in our environment. We can also configure scheduled access reviews to make sure that there is an ongoing process to review whether access is still needed, and to automatically remove access that's no longer needed.
And finally, we can download the audit history for all the activities that are going on in PIM, whether that's an activation request, an approval that's been granted, or when a role is assigned and removed. So what types of roles can we protect with PIM?
First, we can protect all Azure AD roles, and this includes built-in and custom roles,
so roles like Global Administrator and Security Administrator can be protected by Azure AD PIM.
This also includes the Office 365 roles that are represented in Azure AD, so roles like Exchange Administrator and SharePoint Administrator.
PIM also supports all Azure resource roles, and this includes built-in and custom roles,
so roles like Owner and Contributor can be protected using PIM, and this can be done across different scopes, like the management group, subscription and resource group levels.
However, we cannot protect classic Azure subscription roles using PIM, so roles like Account Administrator, Service Administrator and Co-Administrator that are related to classic Azure subscriptions cannot be onboarded into PIM.
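To make the role activation workflow and the policy features above concrete, here is an added example that models them in Python. It is not Azure's code or anything from the course; the policy settings, users and timestamps are constructed for the David, Brenda and Bradley scenario, and the class and method names are assumptions of this model.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
@dataclass
class RolePolicy:            # PIM-style settings for one onboarded role (constructed values)
    max_hours: int           # time-bound: the longest activation allowed for this role
    require_mfa: bool = True
    require_ticket: bool = False   # a justification is always required in this model
    approvers: tuple = ()    # empty = no approval workflow for this role
@dataclass
class Pim:
    policies: dict           # role name -> RolePolicy (the roles onboarded into PIM)
    eligible: set            # (user, role) pairs the admin has made eligible
    active: dict = field(default_factory=dict)   # (user, role) -> expiry time
    audit: list = field(default_factory=list)    # every outcome, like PIM's audit history
    def activate(self, user, role, hours, now, mfa=False, justification="", ticket="", approved_by=None):
        """Just-in-time activation: every policy gate must pass before a time-bound assignment is made."""
        p = self.policies.get(role)
        if p is None:
            return self._log(user, role, "denied: role not onboarded")
        if (user, role) not in self.eligible:
            return self._log(user, role, "denied: not eligible")
        if p.require_mfa and not mfa:
            return self._log(user, role, "denied: MFA required")
        if not justification or (p.require_ticket and not ticket):
            return self._log(user, role, "denied: justification/ticket required")
        if p.approvers and approved_by not in p.approvers:
            return self._log(user, role, "pending: awaiting approval")
        granted = min(hours, p.max_hours)        # never exceed the role's configured time limit
        self.active[(user, role)] = now + timedelta(hours=granted)
        return self._log(user, role, f"activated for {granted}h")
    def sweep(self, now):
        """Remove assignments whose time limit has passed, as PIM does automatically."""
        for key, expiry in list(self.active.items()):
            if now >= expiry:
                del self.active[key]
                self._log(key[0], key[1], "removed: time limit expired")
        return sorted(self.active)
    def _log(self, user, role, outcome):
        self.audit.append((user, role, outcome))
        return outcome
def demo():  # the David / Brenda / Bradley scenario from the lesson, with constructed policy settings
    pim = Pim({"Global Administrator": RolePolicy(8, require_ticket=True, approvers=("David",)),
               "Owner": RolePolicy(4)},
              {("Brenda", "Global Administrator"), ("Bradley", "Owner")})
    t = datetime(2024, 1, 1, 9)
    r1 = pim.activate("Brenda", "Global Administrator", 8, t, mfa=True, justification="patch", ticket="INC-1")
    r2 = pim.activate("Brenda", "Global Administrator", 8, t, mfa=True, justification="patch", ticket="INC-1", approved_by="David")
    r3 = pim.activate("Bradley", "Owner", 24, t, mfa=True, justification="deploy")   # clamped to 4h
    r4 = pim.activate("Bradley", "Global Administrator", 1, t, mfa=True, justification="x")
    left = pim.sweep(t + timedelta(hours=5))   # Owner (4h) has expired, Global Administrator (8h) has not
    return r1, r2, r3, r4, left, len(pim.audit)
```

Running `demo()` shows the approval gate holding Brenda's request until David approves, Bradley's 24-hour request being clamped to the role's 4-hour limit, an ineligible request being refused, and the expired Owner assignment being removed while the audit list keeps a record of every step.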
So here's a summary of what we covered in this lesson. We started with a discussion of the risks to privileged identities and the best practices for managing those risks.
We then covered an overview of Azure AD PIM.
We looked at the role assignment workflow with PIM,
and finally we discussed the features that are available in PIM.
Thanks very much for watching, and I'll see you in the next lesson, where we'll continue our discussion of PIM.