Just-in-time access to groups and Conditional Access integration in Privileged Identity Management
Published Oct 03 2023 11:04 AM
Microsoft

As part of our mission to enable customers to manage access with least privilege, we’re excited to announce the general availability of two additions to Microsoft Entra Privileged Identity Management (PIM): PIM for Groups and PIM integration with Conditional Access.


Just-in-time access to privileged roles with PIM for groups


Part of Microsoft Entra ID Governance and Microsoft Entra ID P2, PIM enables you to manage just-in-time access to privileged roles in Microsoft Entra, Microsoft 365 services, and Azure.


With the new just-in-time group membership capability, you can further simplify least privilege access by enabling just-in-time access for every resource that supports security group or Microsoft 365 group assignments. That covers a wide range of roles: Microsoft Entra roles, Azure resource roles, Microsoft Intune roles, and roles in non-Microsoft applications and services. IT admins, developers, and security experts can activate one group membership and gain access to all the resources it grants precisely when they need it to do their job.


PIM for Groups supports:


  • Just-in-time group membership and ownership. Members get access to various resources through the group membership, while owners can manage group properties such as membership.
  • Role-assignable and non-role-assignable groups, which removes the previous limit of 500 groups managed in PIM.
  • Security and Microsoft 365 group types.
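
As an added example (not code from this post or from Microsoft), here are the two Microsoft Graph calls behind the flow just described: an administrator makes a principal eligible for a PIM-managed group, and the eligible user later self-activates membership for a bounded window. The endpoint paths and property names are the documented PIM for Groups v1.0 API; the group and user IDs, durations, justification and ticket values are constructed sample data, and `session` is assumed to be a `requests`-style session that already carries a Graph bearer token.

```python
"""Added example (not Microsoft's code): build the Microsoft Graph v1.0 requests that make a
principal an *eligible* member of a PIM-managed group and that later self-activate that
membership just in time. Endpoint paths are the documented PIM for Groups APIs; every ID,
duration and justification below is a constructed sample value."""
import json
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

GRAPH = "https://graph.microsoft.com/v1.0/identityGovernance/privilegedAccess/group"
ELIGIBILITY_URL = f"{GRAPH}/eligibilityScheduleRequests"  # eligibility: may activate later
ASSIGNMENT_URL = f"{GRAPH}/assignmentScheduleRequests"    # active assignment / activation
ACCESS_IDS = {"member", "owner"}  # PIM for Groups manages both membership and ownership


def iso8601_duration(delta: timedelta) -> str:
    """Render a timedelta as the ISO 8601 duration Graph expects (PT8H, P90D, PT1H30M)."""
    total = int(delta.total_seconds())
    days, rem = divmod(total, 86400)
    hours, rem = divmod(rem, 3600)
    minutes = rem // 60
    if total <= 0 or (days, hours, minutes) == (0, 0, 0):
        raise ValueError("duration must be at least one minute")
    out = f"P{days}D" if days else "P"
    if hours or minutes:
        out += "T" + (f"{hours}H" if hours else "") + (f"{minutes}M" if minutes else "")
    return out


def _schedule(start: Optional[datetime], duration: timedelta) -> dict:
    """scheduleInfo block: explicit UTC start plus an 'afterDuration' expiration."""
    start = start or datetime.now(timezone.utc)
    return {
        "startDateTime": start.astimezone(timezone.utc).isoformat(timespec="seconds"),
        "expiration": {"type": "afterDuration", "duration": iso8601_duration(duration)},
    }


def eligibility_request(group_id: str, principal_id: str, justification: str, *,
                        access_id: str = "member", valid_for: timedelta = timedelta(days=90),
                        start: Optional[datetime] = None) -> dict:
    """Admin makes the principal *eligible* (no standing access) for a bounded period."""
    if access_id not in ACCESS_IDS:
        raise ValueError(f"accessId must be one of {sorted(ACCESS_IDS)}")
    return {
        "accessId": access_id,
        "principalId": principal_id,
        "groupId": group_id,
        "action": "adminAssign",
        "scheduleInfo": _schedule(start, valid_for),
        "justification": justification,
    }


def activation_request(group_id: str, principal_id: str, justification: str, *,
                       access_id: str = "member", duration: timedelta = timedelta(hours=8),
                       ticket: Optional[Tuple[str, str]] = None,
                       start: Optional[datetime] = None) -> dict:
    """Eligible user activates membership just in time; access lapses after `duration`."""
    if access_id not in ACCESS_IDS:
        raise ValueError(f"accessId must be one of {sorted(ACCESS_IDS)}")
    body = {
        "accessId": access_id,
        "principalId": principal_id,
        "groupId": group_id,
        "action": "selfActivate",
        "scheduleInfo": _schedule(start, duration),
        "justification": justification,
    }
    if ticket:  # the group's PIM policy may require a ticket: (ticketNumber, ticketSystem)
        body["ticketInfo"] = {"ticketNumber": ticket[0], "ticketSystem": ticket[1]}
    return body


def submit(session, url: str, body: dict) -> dict:
    """POST with any requests-like session whose Authorization header already carries a Graph
    token granted PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup (eligibility requests)
    or PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup (activation requests)."""
    resp = session.post(url, json=body, headers={"Content-Type": "application/json"})
    resp.raise_for_status()
    return resp.json()


if __name__ == "__main__":
    # Constructed sample IDs; nothing is sent because no session is created here.
    grp = "11111111-1111-1111-1111-111111111111"
    usr = "22222222-2222-2222-2222-222222222222"
    print(json.dumps(eligibility_request(grp, usr, "On-call engineers, Q4 rotation"), indent=2))
    print(json.dumps(activation_request(grp, usr, "INC-1042: rotate storage keys",
                                        duration=timedelta(hours=2),
                                        ticket=("INC-1042", "ServiceNow")), indent=2))
```

The split between `eligibilityScheduleRequests` and `assignmentScheduleRequests` is the whole point of the feature: the first call grants no access at all, and the activation window the second call asks for is capped by the group's PIM policy, so a review of eligibility requests in the audit log tells you who *could* become a member, while assignment requests tell you who actually did and for how long.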


Learn more about PIM for Groups: Privileged Identity Management (PIM) for Groups - Microsoft Entra | Microsoft Learn


Enforce security requirements for activation using PIM integration with Conditional Access


Conditional Access authentication context allows you to apply granular policies to sensitive data and actions, going beyond app-level policies. By combining PIM with Conditional Access, you can now enforce specific requirements for PIM role activations, enhancing your security posture. During public preview, customers have leveraged this integration for various scenarios, such as:


  • Requiring strong modern authentication methods, using Conditional Access Authentication Strengths.
  • Requiring a compliant device for role activation.
  • Validating the user’s location through GPS-based named locations.
  • Blocking activation for risky users using Microsoft Entra ID Protection.


The PIM and Conditional Access integration is available for all providers: PIM for roles, PIM for Azure resources, and PIM for groups.


Configure authentication context requirements within PIM policies:


Eligible users must meet the verification requirements during role activation:
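
As an added example (not code from this post or from Microsoft) of the configuration the screenshots walk through, the Graph v1.0 request bodies that tie a PIM activation to a Conditional Access authentication context: create the context, create a Conditional Access policy targeting it that requires phishing-resistant authentication strength plus a compliant device, add a second policy that blocks risky users for the same context, and point the PIM policy's activation rule at the context. Endpoint paths, rule IDs and the built-in authentication strength IDs are the documented ones; the display names, the `policy_id`, the break-glass account ID and the `session` object (assumed to be a `requests`-style session carrying a Graph token) are constructed or assumed.

```python
"""Added example (not Microsoft's code): Graph v1.0 request bodies that make a PIM activation
trigger a Conditional Access authentication context. Names, the policy id and the break-glass
account id are constructed sample values."""
import json
import re
from typing import Iterable, Sequence

GRAPH = "https://graph.microsoft.com/v1.0"
AUTH_CONTEXT_URL = f"{GRAPH}/identity/conditionalAccess/authenticationContextClassReferences"
CA_POLICY_URL = f"{GRAPH}/identity/conditionalAccess/policies"
# Built-in authentication strengths shipped with Entra (ids are fixed across tenants).
STRENGTH_MFA = "00000000-0000-0000-0000-000000000002"
STRENGTH_PHISHING_RESISTANT = "00000000-0000-0000-0000-000000000004"
REPORT_ONLY = "enabledForReportingButNotEnforced"  # review sign-in logs before enforcing


def authentication_context(claim_value: str, display_name: str, description: str = "") -> dict:
    """Authentication context ids are limited to c1..c99; isAvailable publishes it to apps/PIM."""
    if not re.fullmatch(r"c[1-9][0-9]?", claim_value):
        raise ValueError("authentication context id must be c1..c99")
    return {"id": claim_value, "displayName": display_name,
            "description": description, "isAvailable": True}


def activation_policy(claim_value: str, name: str, *, strength_id: str = STRENGTH_PHISHING_RESISTANT,
                      require_compliant_device: bool = True, exclude_users: Sequence[str] = (),
                      state: str = REPORT_ONLY) -> dict:
    """CA policy evaluated only when PIM presents `claim_value` at activation time."""
    grant = {"operator": "AND", "authenticationStrength": {"id": strength_id}}
    if require_compliant_device:
        grant["builtInControls"] = ["compliantDevice"]
    return {
        "displayName": name,
        "state": state,
        "conditions": {
            # Exclude emergency-access accounts so a device or policy outage cannot lock admins out.
            "users": {"includeUsers": ["All"], "excludeUsers": list(exclude_users)},
            "applications": {"includeAuthenticationContextClassReferences": [claim_value]},
        },
        "grantControls": grant,
    }


def block_risky_users_policy(claim_value: str, name: str, *, risk_levels: Iterable[str] = ("high",),
                             exclude_users: Sequence[str] = (), state: str = REPORT_ONLY) -> dict:
    """Second policy on the same context: ID Protection user risk at these levels blocks activation."""
    return {
        "displayName": name,
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(exclude_users)},
            "applications": {"includeAuthenticationContextClassReferences": [claim_value]},
            "userRiskLevels": list(risk_levels),
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def pim_authentication_context_rule(claim_value: str) -> dict:
    """PATCH body for /policies/roleManagementPolicies/{id}/rules/AuthenticationContext_EndUser_Assignment
    (Entra role and PIM for Groups policies; Azure resource policies are managed through Azure RBAC).
    Assumption to verify in your tenant: PIM's own 'require MFA on activation' enablement setting
    is an alternative to this rule, so clear it when you switch to authentication context."""
    return {
        "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyAuthenticationContextRule",
        "id": "AuthenticationContext_EndUser_Assignment",
        "isEnabled": True,
        "claimValue": claim_value,
    }


def apply(session, claim_value: str, policy_id: str, exclude_users: Sequence[str] = ()) -> None:
    """Push all four requests. Token needs AuthenticationContext.ReadWrite.All,
    Policy.ReadWrite.ConditionalAccess and RoleManagementPolicy.ReadWrite.AzureADGroup
    (or RoleManagementPolicy.ReadWrite.Directory for an Entra role policy)."""
    for url, body in (
        (AUTH_CONTEXT_URL, authentication_context(claim_value, "Privileged role activation")),
        (CA_POLICY_URL, activation_policy(claim_value, "PIM activation: phishing-resistant MFA + compliant device",
                                          exclude_users=exclude_users)),
        (CA_POLICY_URL, block_risky_users_policy(claim_value, "PIM activation: block risky users",
                                                 exclude_users=exclude_users)),
    ):
        session.post(url, json=body).raise_for_status()
    rule_url = f"{GRAPH}/policies/roleManagementPolicies/{policy_id}/rules/AuthenticationContext_EndUser_Assignment"
    session.patch(rule_url, json=pim_authentication_context_rule(claim_value)).raise_for_status()


if __name__ == "__main__":
    # Dry run: print the bodies; no session, nothing is sent.
    bg = "33333333-3333-3333-3333-333333333333"  # constructed break-glass account id
    print(json.dumps(activation_policy("c1", "PIM activation", exclude_users=[bg]), indent=2))
    print(json.dumps(block_risky_users_policy("c1", "PIM activation: risky users"), indent=2))
    print(json.dumps(pim_authentication_context_rule("c1"), indent=2))
```

Both policies start in report-only state on purpose: activations that would have been blocked show up in the sign-in log under the policy name before anyone is locked out, and the break-glass exclusion list keeps emergency accounts out of a policy that depends on device compliance being reachable.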


Check out the documentation to learn more about Conditional Access authentication context.


Learn more about configuring Conditional Access authentication context in PIM settings in the Microsoft Learn documentation.


Joseph Dadzie
Partner Director of Product Management

LinkedIn: @joedadzie
Twitter: @joe_dadzie

Last update: Oct 02 2023 10:01 AM