Configure Just-in-Time Access to M365 Defender
Published Aug 24 2023 09:30 AM 10.5K Views
Microsoft

PIM for Groups

 

Entra ID (formerly Azure AD) offers the Privileged Identity Management (PIM) for Groups feature, enabling users to attain just-in-time membership and ownership of groups, thus governing access to a range of services. This feature allows the implementation of policies similar to those in PIM for Entra ID Roles and PIM for Azure Resources, allowing the configuration of actions like approval enforcement, multi-factor authentication (MFA), justification requirements, and activation time limits. Each PIM for Groups configured group features two distinct policies, catering to membership and ownership activation. This means that if an account is both an eligible owner and an eligible member of a group, each of them have their own activation.

For more information you can read the official documentation here.

 

Microsoft 365 Defender RBAC

 

Microsoft 365 Defender RBAC offers centralized permissions management for the following services:

  • Defender for Endpoint
  • Defender for Identity
  • Defender for Cloud Apps
  • Defender for Office 365
  • Microsoft Defender Vulnerability Management
  • Secure score

When a role is created, the services which the role covers can be selected. The advantage of using the new M365 Defender RBAC as opposed to the legacy RBAC for each individual service is that it is possible to grant permissions to multiple services from just a single role assignment. If you have been using legacy RBAC assignments it’s very simple to import those roles into the new M365 Defender unified RBAC. The steps for importing the roles can be found here.

 

M365 Defender unified RBAC workloads need to be activated before they are applied. Until the workloads are activated Defender will apply the legacy RBAC model for each individual service.

 

When creating an M365 Defender role you will need to create an assignment for it. Assignments will have a scope (which Defender data sources the assignment will apply to) and Entra ID users or groups (which users or groups the assignment will be applied to).

For more information you can read the official documentation here.

 

Putting the two together

 

As group membership can define getting M365 Defender roles, and group membership can be given in a just-in-time manner, it means that indirectly M365 Defender roles can be given in a just-in-time manner.

The steps to set this up would be the following.

 

Create the Entra ID group and add members

 

In the Azure portal go to Azure Active Directory and click on Groups and then New group.

timurengin_0-1692858631272.png

Figure 1 Creating new group

 

Enter the details as required.

timurengin_1-1692858631277.png

Figure 2 Adding details to group being created

 

Add Eligible Members to the group

 

Go to the Azure portal and search for Azure AD Privileged Identity Management in the search bar. Once there, select Groups on the left side of the menu. The group needs to be discovered before eligible members can be added. To discover the group, search the group name and select Discover groups.

timurengin_5-1692858727186.png

Figure 3 Discover groups to manage with PIM

 

Select the group and click Manage groups.

timurengin_6-1692858727192.png

Figure 4 Manage group using PIM

 

Click on OK.

timurengin_7-1692858727193.png

Figure 5 Onboarding selected groups

 

Now the group should be visible. Select the group and click Assignments, then Add assignments in the Eligible assignments tab. If it is not added to this tab, the assignment will be active and not eligible.

timurengin_8-1692858727197.png

Figure 6 Adding assignment to PIM managed group

 

Select the members to be added to the group.

timurengin_9-1692858727199.png

Figure 7 Selecting members

 

timurengin_10-1692858727203.png

Figure 8 Selecting members

 

Select Eligible and enter the start and end dates of the eligibility assignment. Once the correct dates are set click Done. Finish the assignment process.

timurengin_11-1692858727205.png

Figure 9 Setting details of eligible membership

 

Now there should be the account added in the Eligible assignments tab on the groups membership.

timurengin_12-1692858727208.png

Figure 10 Viewing eligible assignment of groups members

 

Now the group has PIM eligible members.

 

Create the M365 Defender Role

 

M365 Defender roles can be created in the M365 Defender portal. If you have the correct permissions you can click on Permissions on the left side in the menu.

timurengin_13-1692858937489.png

Figure 11 Permissions tab in Defender menu

 

Under Microsoft 365 Defender select Roles.

timurengin_14-1692858937492.png

Figure 12 Microsoft 365 Defender Roles in permissions page

 

Click on Create custom role. Enter the name of the role and click Next.

timurengin_15-1692858937495.png

Figure 13 Beginning the creation of a custom role

 

On the Choose permissions tab click on each permission an select the level of access you want the role to have.

timurengin_16-1692858937500.png

Figure 14 Permissions selection screen

 

timurengin_17-1692858937506.png

Figure 15 Example permissions for Security Operations

 

Once the permissions you want are selected click on Next.

timurengin_18-1692858937508.png

Figure 16 Permissions selected for each group

 

On the next screen assignment are created for the role. The assignments created will determine which account are assigned this role. Click on Add assignment.

timurengin_22-1692859171624.png

Figure 17 Adding assignment to role

 

Enter the assignment name and select the group created in Step 1. Click Add.

timurengin_23-1692859194136.png

Figure 18 Entering assignment details

 

Move to the next screen by clicking Next. Review the permissions and click Submit.

timurengin_24-1692859194143.png

Figure 19 Reviewing and submitting the roles settings

 

As mentioned earlier, the M365 Defender RBAC has to be activated for workloads so that it can be applied. If this hasn’t been done already then it will need to be activated. On the main page for M365 Defender Roles there will be a note if any workload has not been activated. If this note is there then you will need to Activate workloads.

timurengin_25-1692859194146.png

Figure 20 Activating workloads

 

timurengin_26-1692859194152.png

Figure 21 Activating workloads

 

Users perspective

 

Once a user has been made an eligible member of the group they can activate their membership and get temporarily assigned to the M365 Defender role. The user will have to follow these steps:

 

Go to Azure AD Privileged Identity Management and to the Groups tab in the menu on the left. The group should be visible. If the group is not visible, verify that the user is an eligible member of the group and that the group was ‘discovered’ by the admins. These steps can be found in the previous sections. Select Activate role.

timurengin_30-1692859301779.png

Figure 22 Activating group membership

 

On the next screen select Activate on the group you want to activate the membership for.

timurengin_31-1692859301783.png

Figure 23 Activating group membership

 

Select the duration the membership should last for and add a reason. Select Activate.

timurengin_32-1692859301787.png

Figure 24 Activating group membership

 

After activating the role, if the membership status of the group is checked, you will see the account there with details about when the membership was activated.

timurengin_33-1692859403742.png

Figure 25 Viewing the activated group membership

 

The users view in M365 Defender before and after activating the group membership, and therefore getting assigned the M365 Defender role. Notice that after the role is assigned the user can see menus for Defender related activities.

 

timurengin_34-1692859403749.png

Figure 26 The Defender menu before activating the group membership

 

timurengin_35-1692859403752.png

Figure 27 The Defender menu after activating the group membership

 

Wrapping it up

 

PIM for Groups paired with M365 Defender RBAC offers a solution for those looking for just-in-time Defender access. These can also be used in combinations. For example, if you want certain users to always have read access but access to take device actions should be granted just-in-time, then a read-only Defender role can be assigned permanently and the role for taking device actions can be granted to the group via the steps mentioned above.

 

Co-Authors
Version history
Last update:
‎Feb 02 2024 08:54 AM
Updated by: