By: Chris Kunze – Senior Product Manager | Microsoft Intune
Least-Privilege Administrative Models are security best practices where users only have the access, they need to perform a given task. This helps prevent unauthorized or accidental changes, data breaches, and compliance violations. With Microsoft Intune, there are a couple of ways you can achieve least-privilege admin access.
Although these two options provide least-privilege admin access, JIT access with PIM is only applicable to the Azure AD built-in “Intune Administrator” role. With granular permission control using RBAC, you’re able to set up a least-privilege, role-based administrator in Intune but were previously unable to get JIT access control for Intune RBAC, until now. Privileged Identity Management (PIM) for Groups gives admins the ability to provide users with just-in-time membership and ownership of the group. We encourage customers to try it and provide feedback.
The Least-Privilege Administrative Model for Intune gives users just-in-time privileged access to Intune. This article discusses how to give users just-in-time privileged access to Intune RBAC by using PIM for Groups. In this scenario, administrators will be given minimal (Read-Only) permissions in Intune RBAC and will be assigned elevated access (Full) when needed using PIM for Groups.
For this example, there are : Fabrikam Read and Fabrikam Full. The administrator, Fabrikam Administrator, is a member of the Fabrikam Read group. There are no members in the Fabrikam Full group. The groups will be configured using PIM for Groups so any member of the Fabrikam Read group can be added to the Fabrikam Full group. Finally, the roles will be configured in Intune so that the Fabrikam Read group will have “Read-Only” access and the Fabrikam Full group will have elevated privileges (School Administrator, in this example).
The following demo shows how to configure Intune JIT admin access, the device configuration experience with least-privilege rights, the process of requesting elevated privilege, and the device configuration experience with elevated privilege.
To begin, we’ll create the two groups needed for this implementation in the Microsoft Intune admin center (Groups > All groups). For our example, the first group, Fabrikam Read, is a standard group with assigned membership and Fabrikam Administrator has been added as a member to this group. Note that it’s possible to use existing groups if you already have them set up.
The second group will be the PIM for Groups. For our example, this is the Fabrikam Full group. When creating the PIM for Groups managed group, it can be either role-assignable or non-role-assignable. A role-assignable group is one that can be assigned to a role in Azure AD. Use role-assignable groups so that only the Global Administrator, Privileged Role Administrator, or the group Owner can manage the group to help prevent an admin from elevating to a higher privileged role without going through a request and approval procedure.
A user (Fabrikam Administrator) can be added as a member of the first group (Fabrikam Read). There won’t be members in your second (managed) group (Fabrikam Full).
To configure the managed group, go to the Microsoft Entra admin center.
For our example, I set the Activation maximum duration to 4 hours and required approval of someone from the PIM Manager Group (group that includes members who can approve the request) to activate. I chose not to require multi-factor authentication (MFA) or Azure AD Conditional Access authentication context, which would’ve required the membership being activated only from an organization-owned device or other Conditional Access policies.
Specify any settings in the Assignment and Notification tabs, as needed. For our example, I chose to leave the defaults selected.
Now that the member is set up in Azure AD, we need to configure settings in Intune.
Following the same process, I assigned the role School Administrator to the managed Fabrikam Full group.
After the role assignment settings are completed, the members of the least-privilege group (Fabrikam Read group) will be able to request elevated privileges by requesting to be temporarily added to the managed group (Fabrikam Full group). If the administrator does not explicitly cancel the request, the changes will be reverted after the established maximum duration hours (4 hours in this example).
Hopefully this walkthrough and demonstration on how to use JIT policy with Azure AD Privileged Identity Management (PIM) for Groups feature helps you create your own administrator role that has just-in-time privileged access to Intune.
If you have any questions, please let us know in the comments or reach out to us on Twitter @IntuneSuppTeam.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.