Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

Unified RBAC and Entra PIM

Brass Contributor

I'm interested in any experiences people have had with activating custom Unified RBAC roles using Entra ID PIM.  We are currently doing something similar with a custom role in Defender for Office 365 (using these instructions:  https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/pim-in-mdo-configure?vi...) , and my experience has been that it takes up to 50 minutes, after activating the Entra ID PIM group, for the permissions to be applied to Defender.  

 

Microsoft support can't decide whether this problem should be addressed by the Entra ID division or the Defender XDR division, and therefore it's not getting addressed.  

 

Has anyone configured an Entra ID PIM group with a custom Defender RBAC role (using these instructions: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/configure-just-in-time-acces...) and if so, how well is it working.

 

Thanks in advance!

5 Replies
Hello,

Thank you for posting this question.
My name is Gadi and I am the Unified RBAC Product Manager.
Referring to your question - yes, this is possible and is considered as one of the key values when using Unified RBAC as your centralized RBAC for all supported Defender products within the XDR Security portal.
1. Create a security group in Azure Entra ID that you wish to use it with PIM. For the example let's call it "SecOps Analysts PIM group". Do not add any members to that group.
2. Once you completed creating the group, on the left menu, under "Activity" click on the "Privileged Identity Management" and confirm this group to be used with PIM
3. Do not add at this point any member to the group
4. In Unified RBAC, create a custom role with the permission you intend to grant to users that will be added to the created security group. For the example: Security operations \ Alerts (manage).
5. Create a new assignment for this role and at the "Assignees" section select the security group that you have just created (you can search for it by its name).
6. Select the data sources you wish to include in this assignment (by default - all data sources will be included).
7. Submit and finish.
8 Activate Unified RBAC for the products you wish access to be enforced by Unified RBAC and from that point Unified RBAC will be active for these products.
9. Once you wish to grant users with the permissions defined in this role, from Entra ID add members to this particular security group and when asked define the time frame for their membership - JIT.
10. Allow ~10 minutes for this change to be effective in the XDR security portal and that's it.

I hope this helps.
Hello Gadi,

Thank you. My experience with defining a PIM group in Entra, and associating it with an MBO role in MDO, is that it takes approximately 50 minutes after activation to assign the permissions, not approximately ten minutes. This is why I am asking. Has this behavior in XDR been improved?
For the benefit of others who are interested in this topic, I tested the assumption of Defender XDR permissions using Entra ID PIM and I am NOT having the same problem that I did with MDO roles. The permissions are being granted fairly quickly, mostly within ten minutes, or, or I log out and log back in, even more quickly.
Thank you for this input.
Synching Azure Entra ID elevations to the XDR portal sometimes can be delayed. We will further investigate this behavior and will work on improving it in the future.
Hi Gadi,

Thank you. I want it to be clear that the latency issue was with the OLD role model under MDO. I'm much happier with the performance with the new RBAC model.