The Super User feature of the Azure Rights Management service from Azure Information Protection ensures that authorized people and services can always read and inspect the data that Azure Rights Management protects for your organization. You can learn more about the super user feature and how to enable and manage it here.
One of the concerns we have heard from our customers regarding the super user management was that to be able to add a super user, one needs to be assigned the Global Administrator role and that the super user assignment is permanent until manually removed. All this adds complexity to the roles management workflow and raises security, compliance and governance questions especially at large companies with distributed IT organizations.
Azure Active Directory (Azure AD) Privileged Identity Management (PIM) is a service that enables you to manage, control, and monitor access to important resources in your organization. These resources include resources in Azure AD, Azure, and other Microsoft Online Services like Office 365 or Microsoft Intune. You can learn more about Azure PIM here.
One of the most expected PIM features had been ability to manage membership of privileged AAD groups. Finally, you can now assign eligibility for membership or ownership of privileged access groups. You can learn more about this new capability here.
Note: As of this writing (August 2020) this feature is in preview, so it is subject to change.
So, how can this new feature help us with the problem outlined above? Let’s find out.
Enable the AIP Super User feature
If you have not enabled the Super User feature yet, you need to connect to the AIP service as a Global Administrator, Azure Information Protection Administrator, Compliance Administrator, or Compliance Data Administrator and run the following command: Enable-AipServiceSuperUserFeature
Figure 1: Enabling the AIP Super User feature
Note: Please take a moment to review our security best practices for the Super User feature.
Create an Azure AD group
Before you go ahead and create a new group, you need to consider:
- AIP only works with identities which have an email address (proxyAddress attribute in Azure AD)
- As of this writing (August 2020) only new Microsoft 365 and Security groups can be created with “isAssignableToRole” property, you can’t set or change it for existing groups.
- This new switch is only visible to Privileged Role Administrators and Global Administrators because these are only two roles that can set the switch.
This leaves us with the only option – a new Microsoft 365 group.
Figure 2: Creating a new Microsoft 365 group in the Azure Portal
If you prefer PowerShell, you can use it too:
Figure 3: Creating a new Microsoft 365 group using PowerShell
Figure 4: Reviewing properties of the new Microsoft 365 group using PowerShell
Enable PIM support for the new group
Our next step is to enable privileged access management for the group we have just created:
Figure 5: Accessing Privileged access configuration from the group management
Figure 6: Enabling Privileged Access for the new group
Add eligible members to the group
Now we can add assignments and decide who should be active or eligible members of our new group.
Figure 7: Adding assignments
Figure 8: Reviewing a list of the eligible members
Set the new group to use as the super user group for AIP
The Set-AipServiceSuperUserGroup cmdlet specifies a group to use as the super user group for Azure Information Protection. Members of this group are then super users, which means they become an owner for all content that is protected by your organization. These super users can decrypt this protected content and remove protection from it, even if an expiration date has been set and expired. Typically, this level of access is required for legal eDiscovery and by auditing teams.
You can specify any group that has an email address, but be aware that for performance reasons, group membership is cached. For information about group requirements, see Preparing users and groups for Azure Information Protection.
Figure 9: Adding the new PIM-managed group as the super user group
Using the super user feature
Now that we have everything set up, let’s see what the end user (JIT administrator) experience is going to be.
First, for the sake of testing we are going to make sure that the test user can’t open a protected document he does not normally have access to.
Figure 10: Error indicating that the user does not have access to the protected document
It’s time to elevate our access using Azure PIM:
Figure 11: List of the PIM-managed privileged access groups
Figure 12: List of privileged groups the user is eligible for
Figure 13: Privileged group activation dialog
Figure 14: Verifying that the user has the privileged group activated
After that the user is able to access the protected document and remove or change protection settings if needed.
Figure 15: Accessing a protected document as a super user
But what is the most important here is that Azure PIM will automatically remove the user from this privileged group after a certain predefined period of time (1 hour in my example) eliminating permanent membership in a high risk group and reducing administrative overhead.
If required by your company’s policy, you can secure this elevation process even further by enforcing MFA and approval
Figure 16: Customizing role activation options
For more information about role-assignable groups in Azure AD, see Use cloud groups to manage role assignments in Azure Active Directory.
Please also take a moment to review current limitations and known issues here.
P.S. Consider joining our Yammer community where you can be one of the first to learn about MIP news, announcements, preview programs, meet information protection experts from around the world, and get your questions answered.