cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Unified RBAC and Entra PIM

SKadish
Brass Contributor

‎Jan 18 2024 02:00 PM - edited ‎Jan 18 2024 02:01 PM

‎Jan 18 2024 02:00 PM - edited ‎Jan 18 2024 02:01 PM

Unified RBAC and Entra PIM

I'm interested in any experiences people have had with activating custom Unified RBAC roles using Entra ID PIM.  We are currently doing something similar with a custom role in Defender for Office 365 (using these instructions:  https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/pim-in-mdo-configure?vi...) , and my experience has been that it takes up to 50 minutes, after activating the Entra ID PIM group, for the permissions to be applied to Defender.  

 

Microsoft support can't decide whether this problem should be addressed by the Entra ID division or the Defender XDR division, and therefore it's not getting addressed.  

 

Has anyone configured an Entra ID PIM group with a custom Defender RBAC role (using these instructions: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/configure-just-in-time-acces...) and if so, how well is it working.

 

Thanks in advance!

639 Views
0 Likes
5 Replies
Reply
5 Replies
Gadi_Palatchi_MSFT

‎Feb 11 2024 06:35 AM

‎Feb 11 2024 06:35 AM

Re: Unified RBAC and Entra PIM

Hello,

Thank you for posting this question.
My name is Gadi and I am the Unified RBAC Product Manager.
Referring to your question - yes, this is possible and is considered as one of the key values when using Unified RBAC as your centralized RBAC for all supported Defender products within the XDR Security portal.
1. Create a security group in Azure Entra ID that you wish to use it with PIM. For the example let's call it "SecOps Analysts PIM group". Do not add any members to that group.
2. Once you completed creating the group, on the left menu, under "Activity" click on the "Privileged Identity Management" and confirm this group to be used with PIM
3. Do not add at this point any member to the group
4. In Unified RBAC, create a custom role with the permission you intend to grant to users that will be added to the created security group. For the example: Security operations \ Alerts (manage).
5. Create a new assignment for this role and at the "Assignees" section select the security group that you have just created (you can search for it by its name).
6. Select the data sources you wish to include in this assignment (by default - all data sources will be included).
7. Submit and finish.
8 Activate Unified RBAC for the products you wish access to be enforced by Unified RBAC and from that point Unified RBAC will be active for these products.
9. Once you wish to grant users with the permissions defined in this role, from Entra ID add members to this particular security group and when asked define the time frame for their membership - JIT.
10. Allow ~10 minutes for this change to be effective in the XDR security portal and that's it.

I hope this helps.
3 Likes
Reply
SKadish

‎Feb 12 2024 01:10 PM

‎Feb 12 2024 01:10 PM

Re: Unified RBAC and Entra PIM

Hello Gadi,

Thank you. My experience with defining a PIM group in Entra, and associating it with an MBO role in MDO, is that it takes approximately 50 minutes after activation to assign the permissions, not approximately ten minutes. This is why I am asking. Has this behavior in XDR been improved?
0 Likes
Reply
SKadish

‎Feb 13 2024 01:52 PM

‎Feb 13 2024 01:52 PM

Re: Unified RBAC and Entra PIM

For the benefit of others who are interested in this topic, I tested the assumption of Defender XDR permissions using Entra ID PIM and I am NOT having the same problem that I did with MDO roles. The permissions are being granted fairly quickly, mostly within ten minutes, or, or I log out and log back in, even more quickly.
0 Likes
Reply
Gadi_Palatchi_MSFT

‎Feb 14 2024 01:28 AM

‎Feb 14 2024 01:28 AM

Re: Unified RBAC and Entra PIM

Thank you for this input.
Synching Azure Entra ID elevations to the XDR portal sometimes can be delayed. We will further investigate this behavior and will work on improving it in the future.
1 Like
Reply
SKadish

‎Feb 14 2024 06:48 AM

‎Feb 14 2024 06:48 AM

Re: Unified RBAC and Entra PIM

Hi Gadi,

Thank you. I want it to be clear that the latency issue was with the OLD role model under MDO. I'm much happier with the performance with the new RBAC model.
1 Like
Reply