We recently completed a merger between two clients and set up a new Azure tenant. From the get-go, we implemented Privileged Identity Management (PIM) for all Azure resource roles. Now that we've expanded to 30 subscriptions and thousands of resources, I'm starting to feel overwhelmed with the management of PIM. Initially, we thought that every group granting a role should require PIM, but as our IAM permissions have grown, it's become disorganized. For those of you in larger organizations using PIM for Azure resources, how do you structure your access management? Do you apply PIM to specific roles or scopes?
5 Answers
A phased rollout to new accounts with PIM groups attached sounds smart. Keeping older accounts and permissions while transitioning allows for auditing and making sure no one keeps roles they don’t need. It might take time, but it's essential for good practices.
In our case, we created role groups for different types of engineers to streamline permissions. This way, no one has to activate multiple roles in PIM, which can become tedious.
Using tools like EasyPIM can really help manage PIM at scale. From what I've seen, the best approach is a top-down structure that starts from management groups and goes down to workload levels while adhering to the principle of least privilege. It does mean managing a lot of roles across many scopes, but it’s worth it in the long run.
It's really important to have proper governance. If too many people can request too many permissions, that's a red flag. Consider implementing Infrastructure as Code (IaC) for your resources, so that most things default to reader access unless there's a valid need for more privileges.
While going for least privilege is the best practice, you might face pushback from users when changes come about, like needing to activate roles, which takes a few seconds each time. A workaround I found was creating a script to ease the activation process. It allows users to quickly activate their roles with MFA, saving them the hassle of using the portal.
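An added example of what such a self-activation script can look like, written for this page and not the poster's own script. It assumes the Az.Accounts and Az.Resources modules are installed, that the tenant's Conditional Access policy enforces MFA at sign-in (so the interactive Connect-AzAccount satisfies PIM's MFA requirement), and uses constructed values for the role name, scope and justification; the property names used to match the eligible assignment are taken from the Az.Resources PIM cmdlets as I understand them.

```powershell
# Self-activate an eligible Azure resource role via PIM from the command line.
# Added example (not the poster's script); assumes Az.Accounts + Az.Resources.
param(
    [Parameter(Mandatory)] [string] $RoleName,       # e.g. "Contributor" (constructed)
    [Parameter(Mandatory)] [string] $Scope,          # e.g. "/subscriptions/<sub-id>" (placeholder)
    [string] $Justification = "Scheduled maintenance window",  # constructed default
    [string] $Duration = "PT2H"                       # ISO 8601 duration; keep activations short
)

# Interactive sign-in; a fresh session triggers the tenant's MFA prompt,
# which is what PIM checks before it will honour the activation request.
if (-not (Get-AzContext)) {
    Connect-AzAccount | Out-Null
}
$principalId = (Get-AzADUser -SignedIn).Id

# Only roles the caller is *eligible* for at this scope can be self-activated.
# "asTarget()" restricts the listing to the signed-in user's own eligibilities.
$eligible = Get-AzRoleEligibilitySchedule -Scope $Scope -Filter "asTarget()" |
    Where-Object { $_.ExpandedPropertiesRoleDefinitionDisplayName -eq $RoleName } |
    Select-Object -First 1
if (-not $eligible) {
    throw "No eligible assignment for '$RoleName' at '$Scope' for the signed-in user."
}

# Submit the activation with an explicit, bounded expiry so the elevated
# assignment cannot linger beyond the window the user actually needs.
$request = New-AzRoleAssignmentScheduleRequest -Name (New-Guid).ToString() `
    -Scope $Scope `
    -PrincipalId $principalId `
    -RoleDefinitionId $eligible.RoleDefinitionId `
    -RequestType SelfActivate `
    -Justification $Justification `
    -ScheduleInfoStartDateTime (Get-Date).ToUniversalTime() `
    -ExpirationType AfterDuration `
    -ExpirationDuration $Duration

Write-Host "Activation request '$($request.Name)' submitted; status: $($request.Status)"
```

If the role's PIM policy requires approval, the request stays pending until an approver acts; the status field on the returned object tells the user which case they are in.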
Yeah, that sounds like a solid approach! Reducing the number of activations is key in keeping things manageable.