Forum Discussion
Is PIM any good?
I'm planning a PIM implementation and am trying to understand a few things about PIM and certain recommendations.
I have an OnPrem\Entra hybrid environment. I have many servers hosted both on-prem in the on-prem AD and in Azure.
In traditional on-prem environments this segregation has typically been achieved using separate admin accounts. This gives you some segregation and protection in case an account was compromised. I'll accept it's not bulletproof, but a lot of things would have to work in the right order for a bad actor to compromise a separate admin account.
I've read and heard MS guys (probably driving license sales) saying that's not the right way anymore and JIT is the right way. Which, of course, requires a license.
I'm looking for opinions or observations from experience for the following:
- Why is doing one account (possibly the regular user account in a hybrid environment) with PIM better than having regular and admin accounts?
- Why not have a separate admin account with PIM implemented on the admin account in Entra? I can't see how this would be less secure than just one account with PIM.
- One argument I heard was you can require MFA to activate the access. Well, right now I just use CA policies to require MFA for any use of a role I have nominated (portal\cli\PowerShell etc). How is Entra JIT with one account better than still having an admin account that requires MFA to log onto any of the admin portals to use their privileged access?
Another concern I have is controlling who is assigned to the roles. Right now I can add them one by one to the role in PIM, but our MSP (who does the bulk of the management) wants to add a group to each role assignment and then add people to the group to inherit the assignment of the role.
For many reasons I can't go into, there are large numbers of people who are in the group admin role. This basically means any of them could elevate their or someone else's access into an Entra role if I'm using groups to assign roles.
What if they start nesting groups into other groups and suddenly Domain Users has been nested and has Global Admin?
How do I police this?
2 Replies
All valid concerns/points. The JIT/JEA principles (should) apply regardless of whether you are using a single or multiple accounts per admin, so in that respect a solution such as PIM still adds benefits. But as you correctly pointed out in the second bullet, nothing in this scenario makes it inherently more secure than having two separate accounts that conform with JIT/JEA principles. In fact, having separate accounts allows you to target the "admin" one with more secure policies/settings, which usually have a negative impact on productivity scenarios and might be avoided otherwise. Not to mention the increased attack surface for accounts that have services such as Email/Teams enabled.
And yes, there is the marketing story here, apart from the generic security guidance. And some of it is blurred, as one can argue that not all admin roles should be treated the same. Guidance usually focuses on GAs only; for example, the "secure admin accounts" article only mentions separate accounts in the context of a Global admin, even though there are some other roles that have comparable permissions. On the other hand, even a "read only" admin account can cause a lot of trouble if compromised, so we can also make the argument that each and every role should be protected, with a separate account, MFA, PIM, etc... and people start complaining.
At the end of the day, those are all generic recommendations, which might or might not be the best advice for your specific organization. I'd definitely recommend going for PIM if you can afford it, regardless of whether you plan on using single or multiple accounts per admin, as it adds additional controls and flexibility. Then again, you might not need things like additional approvals before activating a role, for example, so take any such advice with a grain of salt.
On the group front, this is done mostly for convenience. Microsoft has made sure that the scenario is secure, i.e. only role-assignable groups can be used, you cannot nest groups, etc. Still, it does open the gate for potential undesired elevation, however unlikely it is to happen. Plus, you should always aim to minimize the number of admins to begin with, so having to manage direct assignments to 2-3 GAs instead of a single group hardly makes a difference... but your mileage will vary. Oh, and of course it's a paid feature, which might answer why you get recommendations like that :D
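The question asks how to police group-based role assignments (non-role-assignable groups, nesting, Domain-Users-style membership creep), and the reply notes that Entra restricts role assignment to role-assignable groups and blocks nesting. The script below is an added example, not code from the thread or from Microsoft: it audits a directory snapshot for exactly those conditions, so drift or a misconfiguration is caught even where the platform is expected to block it. The data shapes (`isAssignableToRole`, `members`, role-to-principal lists) are constructed to loosely resemble what Microsoft Graph returns, but all values are hand-built sample data; in practice you would populate `ROLE_ASSIGNMENTS` and `GROUPS` from your own Graph or PowerShell export, and `max_members` is an assumed threshold you would tune.

```python
"""Audit Entra role assignments that are granted through groups.

Constructed sample data (not from a real tenant) shaped loosely after
Microsoft Graph role assignment and group objects. Replace the two
dictionaries with an export from your own tenant to run it for real.
"""
from collections import deque

# Role -> principals assigned to it. Principals are users or groups.
ROLE_ASSIGNMENTS = {
    "Global Administrator": [
        {"type": "user", "id": "alice"},
        {"type": "group", "id": "grp-ga"},
    ],
    "Exchange Administrator": [
        {"type": "group", "id": "grp-exo"},
    ],
    "Global Reader": [
        {"type": "user", "id": "carol"},
    ],
}

# Group id -> role-assignable flag and direct members (users or groups).
GROUPS = {
    "grp-ga": {
        "isAssignableToRole": True,
        "members": [
            {"type": "user", "id": "bob"},
            # A nested group inside a role-assigned group: the "Domain Users
            # ends up as Global Admin" scenario the question worries about.
            {"type": "group", "id": "grp-helpdesk"},
        ],
    },
    "grp-helpdesk": {
        "isAssignableToRole": False,
        "members": [{"type": "user", "id": f"helpdesk{i}"} for i in range(1, 8)],
    },
    "grp-exo": {
        # Assigned to a role without being role-assignable: any group admin
        # could add members and inherit Exchange Administrator.
        "isAssignableToRole": False,
        "members": [
            {"type": "user", "id": "dave"},
            {"type": "user", "id": "erin"},
        ],
    },
}


def expand_group(group_id, groups):
    """Return (users, nested_group_ids) reachable from group_id, transitively.

    Breadth-first with a visited set, so a nesting cycle cannot loop forever.
    """
    users, nested = set(), set()
    seen = {group_id}
    queue = deque([group_id])
    while queue:
        gid = queue.popleft()
        for m in groups.get(gid, {}).get("members", []):
            if m["type"] == "user":
                users.add(m["id"])
            elif m["type"] == "group":
                nested.add(m["id"])
                if m["id"] not in seen:
                    seen.add(m["id"])
                    queue.append(m["id"])
    return users, nested


def effective_members(role, role_assignments, groups):
    """Every user who ends up holding `role`, directly or via any group."""
    users = set()
    for p in role_assignments.get(role, []):
        if p["type"] == "user":
            users.add(p["id"])
        elif p["type"] == "group":
            users |= expand_group(p["id"], groups)[0]
    return users


def audit(role_assignments, groups, max_members=3):
    """Return (role, check, detail) findings for group-based role grants."""
    findings = []
    for role, principals in role_assignments.items():
        for p in principals:
            if p["type"] != "group":
                continue
            gid = p["id"]
            g = groups.get(gid)
            if g is None:
                findings.append((role, "unknown-group", gid))
                continue
            if not g.get("isAssignableToRole", False):
                findings.append((role, "not-role-assignable", gid))
            _, nested = expand_group(gid, groups)
            for n in sorted(nested):
                findings.append((role, "nested-group", f"{gid} -> {n}"))
        members = effective_members(role, role_assignments, groups)
        if len(members) > max_members:
            findings.append((role, "too-many-members", f"{len(members)} users"))
    return findings


if __name__ == "__main__":
    for role, check, detail in audit(ROLE_ASSIGNMENTS, GROUPS):
        print(f"{role}: {check}: {detail}")
```

Run on the sample data it reports three findings: the Exchange Administrator role granted to a group that is not role-assignable, a group nested under the Global Administrator group, and nine effective Global Administrators once that nesting is expanded. Scheduling this against a nightly export, and alerting on any new finding, is the "policing" control the question asks for; the effective-member view is also the number to compare against the reply's advice of keeping direct assignments to a handful of GAs.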