Forum Discussion

SKadish
Brass Contributor
Jan 18, 2024

Unified RBAC and Entra PIM

I'm interested in any experiences people have had with activating custom Unified RBAC roles using Entra ID PIM. We are currently doing something similar with a custom role in Defender for Office 365 (using these instructions: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/pim-in-mdo-configure?view=o365-worldwide), and my experience has been that it takes up to 50 minutes, after activating the Entra ID PIM group, for the permissions to be applied to Defender.


Microsoft support can't decide whether this problem should be addressed by the Entra ID division or the Defender XDR division, and therefore it's not getting addressed.  


Has anyone configured an Entra ID PIM group with a custom Defender RBAC role (using these instructions: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/configure-just-in-time-access-to-m365-defender/ba-p/3764564), and if so, how well is it working?


Thanks in advance!

  • Hello,

    Thank you for posting this question.
    My name is Gadi and I am the Unified RBAC Product Manager.
    Referring to your question - yes, this is possible and is considered as one of the key values when using Unified RBAC as your centralized RBAC for all supported Defender products within the XDR Security portal.
    1. Create a security group in Azure Entra ID that you wish to use with PIM. For this example, let's call it "SecOps Analysts PIM group". Do not add any members to that group.
    2. Once you have created the group, on the left menu, under "Activity", click "Privileged Identity Management" and confirm that this group is to be used with PIM.
    3. Do not add any members to the group at this point.
    4. In Unified RBAC, create a custom role with the permissions you intend to grant to the users that will be added to the security group you created. For this example: Security operations \ Alerts (manage).
    5. Create a new assignment for this role and, in the "Assignees" section, select the security group that you have just created (you can search for it by its name).
    6. Select the data sources you wish to include in this assignment (by default, all data sources will be included).
    7. Submit and finish.
    8. Activate Unified RBAC for the products for which you wish access to be enforced by Unified RBAC; from that point, Unified RBAC will be active for these products.
    9. Once you wish to grant users the permissions defined in this role, add members to this particular security group from Entra ID and, when asked, define the time frame for their membership (JIT).
    10. Allow ~10 minutes for this change to take effect in the XDR security portal, and that's it.

    I hope this helps.
    • SKadish
      Brass Contributor
      Hello Gadi,

      Thank you. My experience with defining a PIM group in Entra, and associating it with an MBO role in MDO, is that it takes approximately 50 minutes after activation to assign the permissions, not approximately ten minutes. This is why I am asking. Has this behavior in XDR been improved?
      • Gadi_Palatchi_MSFT
        Microsoft
        Thank you for this input.
        Syncing Azure Entra ID elevations to the XDR portal can sometimes be delayed. We will further investigate this behavior and will work on improving it in the future.
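The procedure Gadi outlines above (steps 1 to 10), as an added example that is not part of the original thread and is not a Microsoft sample: a Microsoft Graph PowerShell script that creates the empty security group, makes one analyst eligible for JIT membership through PIM for Groups, binds an existing Unified RBAC custom role to the group through the Graph beta roleManagement/defender endpoint, performs the self-activation, and then times how long until the membership is visible in Entra. That last measurement lets you separate the Entra-side delay from the XDR portal propagation delay SKadish reports. The analyst UPN, the custom role's display name and the `directoryScopeIds` value in the Defender assignment body are assumptions; the role itself is created in the Defender portal as in step 4, not by this script.

```powershell
# Added example, not code from the original thread or from Microsoft.
# Walks Gadi's steps 1-10 with the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph).
# Assumptions: the analyst UPN, the custom role's display name, and the scope value in the
# Defender role-assignment body. The roleManagement/defender endpoint is Graph beta.

Connect-MgGraph -Scopes 'Group.ReadWrite.All',
                        'User.Read.All',
                        'PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup',
                        'PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup',
                        'RoleManagement.ReadWrite.Defender'

$graph = 'https://graph.microsoft.com'

# Step 1: an empty security group that PIM for Groups will govern. No standing members:
# a permanent member would hold the Defender role permanently, defeating JIT.
$group = New-MgGroup -DisplayName 'SecOps Analysts PIM group' `
                     -MailNickname 'secops-analysts-pim' `
                     -MailEnabled:$false -SecurityEnabled:$true `
                     -Description 'JIT membership grants a Unified RBAC role. Do not add standing members.'

# Steps 2-3: the group is brought under PIM by creating its first eligibility schedule;
# the analyst becomes *eligible* for membership, not a member.
$analyst = Get-MgUser -UserId 'analyst@contoso.example'   # assumption: put a real UPN here
$eligibility = @{
    accessId      = 'member'
    principalId   = $analyst.Id
    groupId       = $group.Id
    action        = 'adminAssign'
    justification = 'Eligible for JIT alert management in Defender XDR'
    scheduleInfo  = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString('o')
        expiration    = @{ type = 'afterDuration'; duration = 'P365D' }   # eligibility lasts a year
    }
}
Invoke-MgGraphRequest -Method POST -Body $eligibility `
    -Uri "$graph/v1.0/identityGovernance/privilegedAccess/group/eligibilityScheduleRequests" | Out-Null

# Steps 4-7: bind the group to a Unified RBAC custom role. The role (for example
# Security operations \ Alerts (manage)) is created in the Defender portal; here it is
# looked up by display name and assigned across all data sources.
$roleName = 'SecOps Alerts Manage'   # assumption: display name of the custom role
$roleDef = (Invoke-MgGraphRequest -Method GET `
    -Uri "$graph/beta/roleManagement/defender/roleDefinitions?`$filter=displayName eq '$roleName'").value |
    Select-Object -First 1
if (-not $roleDef) { throw "Unified RBAC role '$roleName' not found; create it in the Defender portal first." }

$assignment = @{
    principalIds      = @($group.Id)
    roleDefinitionId  = $roleDef.id
    directoryScopeIds = @('/')        # assumption: '/' = all data sources (the step 6 default)
}
Invoke-MgGraphRequest -Method POST -Body $assignment `
    -Uri "$graph/beta/roleManagement/defender/roleAssignments" | Out-Null

# Step 8 (turning Unified RBAC on per workload) is a portal toggle; there is no Graph call for it here.

# Step 9: the analyst activates membership for a bounded window. Reconnect as the analyst
# before this step; PIM enforces the maximum duration set in the group's PIM policy.
$activation = @{
    accessId      = 'member'
    principalId   = $analyst.Id
    groupId       = $group.Id
    action        = 'selfActivate'
    justification = 'Investigating incident, needs alert management'
    scheduleInfo  = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString('o')
        expiration    = @{ type = 'afterDuration'; duration = 'PT4H' }
    }
}
$activated = Get-Date
Invoke-MgGraphRequest -Method POST -Body $activation `
    -Uri "$graph/v1.0/identityGovernance/privilegedAccess/group/assignmentScheduleRequests" | Out-Null

# Step 10: measure how long Entra takes to show the membership. Any wait beyond this point
# is propagation into the XDR portal, which is the delay this thread is about.
do {
    Start-Sleep -Seconds 15
    $isMember = (Get-MgGroupMember -GroupId $group.Id -All).Id -contains $analyst.Id
} until ($isMember -or ((Get-Date) - $activated).TotalMinutes -gt 60)
"Entra membership visible after {0:N1} min (isMember={1})" -f ((Get-Date) - $activated).TotalMinutes, $isMember
```

Run the admin half under an account that can manage PIM for Groups and Defender XDR roles, and the activation half under the analyst's own session. The elapsed time printed at the end is the Entra-side figure; comparing it with when the analyst can actually manage alerts in the XDR portal gives Microsoft support a concrete number for the portal-sync delay, which is the part Gadi says is being investigated.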
