@@ -57,13 +57,13 @@ Privileged Identity Management provides time-based and approval-based role activ
57
57
58
58
Once you set up Privileged Identity Management, you'll see **Tasks**, **Manage**, and **Activity** options in the left navigation menu. As an administrator, you'll choose between options such as managing **Azure AD roles**, managing **Azure resource** roles, or privileged access groups. When you choose what you want to manage, you see the appropriate set of options for that option.
59
59
60
-

60
+

61
61
62
62
## Who can do what?
63
63
64
64
For Azure AD roles in Privileged Identity Management, only a user who is in the Privileged Role Administrator or Global Administrator role can manage assignments for other administrators. Global Administrators, Security Administrators, Global Readers, and Security Readers can also view assignments to Azure AD roles in Privileged Identity Management.
65
65
66
-
For Azure resource roles in Privileged Identity Management, only a subscription administrator, a resource Owner, or a resource User Access administrator can manage assignments for other administrators. Users who are Privileged Role Administrators, Security Administrators, or Security Readers do not by default have access to view assignments to Azure resource roles in Privileged Identity Management.
66
+
For Azure resource roles in Privileged Identity Management, only a subscription administrator, a resource Owner, or a resource User Access administrator can manage assignments for other administrators. Users who are Privileged Role Administrators, Security Administrators, or Security Readers don't by default have access to view assignments to Azure resource roles in Privileged Identity Management.
67
67
68
68
## Terminology
69
69
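Review bot: the only substantive change in this hunk is "do not" → "don't" in the Azure resource roles paragraph (the earlier `-`/`+` pair is blank), which is fine as a style edit, but the same sentence mixes capitalisation of role names: "a subscription administrator, a resource Owner, or a resource User Access administrator" writes one built-in role as "Owner" and the other as "User Access administrator". Suggest "a resource User Access Administrator" so both Azure built-in role names are cased the same way and match how they appear in the Azure portal.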
@@ -81,17 +81,65 @@ To better understand Privileged Identity Management and its documentation, you s
81
81
| time-bound eligible | Duration | A role assignment where a user is eligible to activate the role only within start and end dates. |
82
82
| time-bound active | Duration | A role assignment where a user can use the role only within start and end dates. |
83
83
| just-in-time (JIT) access || A model in which users receive temporary permissions to perform privileged tasks, which prevents malicious or unauthorized users from gaining access after the permissions have expired. Access is granted only when users need it. |
84
-
| principle of least privilege access || A recommended security practice in which every user is provided with only the minimum privileges needed to accomplish the tasks they are authorized to perform. This practice minimizes the number of Global Administrators and instead uses specific administrator roles for certain scenarios. |
84
+
| principle of least privilege access || A recommended security practice in which every user is provided with only the minimum privileges needed to accomplish the tasks they're authorized to perform. This practice minimizes the number of Global Administrators and instead uses specific administrator roles for certain scenarios. |
85
85
86
-
## Extend and renew assignments
86
+
## Role assignment overview
87
87
88
-
After you set up your time-bound owner or member assignments, the first question you might ask is what happens if an assignment expires? In this new version, we provide two options for this scenario:
88
+
The PIM role assignments give you a secure way to grant access to resources in your organization. This section describes the assignment process. It includes assign roles to members, activate assignments, approve or deny requests, extend and renew assignments.
89
89
90
-
- Extend – When a role assignment nears expiration, the user can use Privileged Identity Management to request an extension for the role assignment
91
-
- Renew – When a role assignment has already expired, the user can use Privileged Identity Management to request a renewal for the role assignment
90
+
PIM keeps you informed by sending you and other participants [email notifications](pim-email-notifications.md). These emails might also include links to relevant tasks, such activating, approve or deny a request.
91
+
92
+
The following screenshot shows an email message sent by PIM. The email informs Patti that Alex updated a role assignment for Emily.
93
+
94
+

95
+
96
+
### Assign
97
+
98
+
The assignment process starts by assign roles to members. To grant access to a resource, the administrator assigns roles to users, groups, service principals, or managed identities. The assignment includes the following data:
99
+
100
+
- The members or owners to assign the role.
101
+
- The scope of the assignment. The scope limits the assigned role to a particular set of resources.
102
+
- The type of the assignment
103
+
-**Eligible** assignments require the member of the role to perform an action to use the role. Actions might include activation, or requesting approval from designated approvers.
104
+
-**Active** assignments don't require the member to perform any action to use the role. Members assigned as active have the privileges assigned to the role.
105
+
- The duration of the assignment, using start and end dates or permanent. For eligible assignments, the members can activate or requesting approval during the start and end dates. For active assignments, the members can use the assign role during this period of time.
106
+
107
+
The following screenshot shows how administrator assigns a role to members.
108
+
109
+

110
+
111
+
112
+
For more information, check out the following articles: [Assign Azure AD roles](pim-how-to-add-role-to-user.md), [Assign Azure resource roles](pim-resource-roles-assign-roles.md), and [Assign eligibility for a privileged access group](groups-assign-member-owner.md)
113
+
114
+
### Activate
115
+
116
+
If users have been made eligible for a role, then they must activate the role assignment before using the role. To activate the role, users select specific activation duration within the maximum (configured by administrators), and the reason for the activation request.
117
+
118
+
The following screenshot shows how members activate their role to a limited time.
119
+
120
+

121
+
122
+
If the role requires [approval](pim-resource-roles-approval-workflow.md) to activate, a notification will appear in the upper right corner of the user's browser informing them the request is pending approval. If an approval isn't required, the member can start using the role.
123
+
124
+
For more information, check out the following articles: [Activate Azure AD roles](pim-how-to-activate-role.md), [Activate my Azure resource roles](pim-resource-roles-activate-your-roles.md), and [Activate my privileged access group roles](groups-activate-roles.md)
125
+
126
+
### Approve or deny
127
+
128
+
Delegated approvers receive email notifications when a role request is pending their approval. Approvers can view, approve or deny these pending requests in PIM. After the request has been approved, the member can start using the role. For example, if a user or a group was assigned with Contribution role to a resource group, they'll be able to manage that particular resource group.
129
+
130
+
For more information, check out the following articles: [Approve or deny requests for Azure AD roles](azure-ad-pim-approval-workflow.md), [Approve or deny requests for Azure resource roles](pim-resource-roles-approval-workflow.md), and [Approve activation requests for privileged access group](groups-approval-workflow.md)
131
+
132
+
### Extend and renew assignments
133
+
134
+
After administrators set up time-bound owner or member assignments, the first question you might ask is what happens if an assignment expires? In this new version, we provide two options for this scenario:
135
+
136
+
-**Extend** – When a role assignment nears expiration, the user can use Privileged Identity Management to request an extension for the role assignment
137
+
-**Renew** – When a role assignment has already expired, the user can use Privileged Identity Management to request a renewal for the role assignment
92
138
93
139
Both user-initiated actions require an approval from a Global Administrator or Privileged Role Administrator. Admins don't need to be in the business of managing assignment expirations. You can just wait for the extension or renewal requests to arrive for simple approval or denial.
94
140
141
+
For more information, check out the following articles: [Extend or renew Azure AD role assignments](pim-how-to-renew-extend.md), [Extend or renew Azure resource role assignments](pim-resource-roles-renew-extend.md), and [Extend or renew privileged access group assignments](groups-renew-extend.md)
142
+
95
143
## Scenarios
96
144
97
145
Privileged Identity Management supports the following scenarios:
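Review bot: the sentence kept unchanged at the end of the new "Extend and renew assignments" subsection, "Both user-initiated actions require an approval from a Global Administrator or Privileged Role Administrator", now sits under a generic "Role assignment overview" that covers Azure AD roles, Azure resource roles and privileged access groups, yet the "Who can do what?" section above states that for Azure resource roles only a subscription administrator, a resource Owner, or a resource User Access administrator can manage assignments; either qualify the approver statement per role type or point readers to the role-specific articles already linked in the following paragraph. Also in this hunk: the nested bullets "-**Eligible** …" and "-**Active** …" lack the space after the hyphen and the indentation under "The type of the assignment", so they will not render as list items; "Contribution role" in the Approve or deny paragraph should read "Contributor role", the actual built-in role name; and several new sentences need a grammar pass ("It includes assign roles to members", "starts by assign roles to members", "such activating, approve or deny a request", "the members can activate or requesting approval", "use the assign role"). Finally, each "The following screenshot shows …" sentence is followed by no visible image reference in this view; confirm the image markdown and alt text are present.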
@@ -131,7 +179,7 @@ With the privileged access groups preview, you can give workload-specific admini
131
179
132
180
## Invite guest users and assign Azure resource roles in Privileged Identity Management
133
181
134
-
Azure Active Directory (Azure AD) guest users are part of the business-to-business (B2B) collaboration capabilities within Azure AD so that you can manage external guest users and vendors as guests in Azure AD. For example, you can use these Privileged Identity Management features for Azure identity tasks with guests such as assigning access to specific Azure resources, specifying assignment duration and end date, or requiring two-step verification on active assignment or activation. For more information on how to invite a guest to your organization and manage their access, see [Add B2B collaboration users in the Azure AD portal](../external-identities/add-users-administrator.md).
182
+
Azure Active Directory (Azure AD) guest users are part of the business-to-business (B2B) collaboration capabilities within Azure AD so that you can manage external guest users and vendors as guests in Azure AD. For example, you can use these Privileged Identity Management features for Azure identity tasks with guests such as assigning access to specific Azure resources, specifying assignment duration and end date, or requiring two-step verification on active assignment or activation. For more information on how to invite a guest to your organization and manage their access, see [Add B2B collaboration users in the Azure AD portal](../external-identities/add-users-administrator.md).
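Review bot: the removed and added lines of this hunk are character-for-character identical in the rendered view, so the change is whitespace-only (trailing whitespace or a line-ending change); if that is not intended, drop it from the commit so the diff stays limited to the substantive edits.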