Managing Azure Resource Roles with PIM at Scale

Asked By CuriousCat48 On

After merging for two clients, we set up a greenfield tenant and implemented Privileged Identity Management (PIM) for all Azure resource roles right from the start. Now, with 30 subscriptions and thousands of resources, the management of these roles is becoming chaotic. Initially, we required PIM for any group that grants a role, but as our IAM permissions have expanded, it has become harder to keep everything organized. I'm curious about how larger organizations use PIM for Azure resources. Do you limit it to certain roles or specific scopes? How do you structure this effectively?

7 Answers

Answered By DevOpsDynamo On

You might be missing something crucial. It sounds like there are too many roles being requested. Consider implementing Infrastructure as Code (IaC) and workflows. In most scenarios, users should only need reader access. Simplifying this can help reduce the confusion around roles.

Answered By StrategicMover On

We take it a step further with separate cloud accounts. Everything operates on PIM, typically at the subscription/resource group level, allowing dev teams to have owner access while enforcing policies as guardrails.

Answered By PIMPro On

In our organization, we use PIM for all admin access, both in Azure and on-premises. We've structured it by creating role groups for each type of engineer, consolidating their permissions. This way, no one has to activate multiple roles, which can get tedious.

Answered By CloudNinja101 On

I suggest simplifying the rollout for new accounts with PIM groups attached to roles. Keep older accounts intact while transitioning to the new setup. This phased approach can help with auditing and might even reveal unnecessary permissions that people have.

Answered By AdminGuru On

While the least privilege approach is good practice, be ready for pushback from developers when you try to remove existing roles. Activating roles takes extra time, which can be annoying for users. One tip is to create a PIM script that uses Microsoft Graph to quickly pull and activate roles with MFA to make things smoother.

ElevateNow -

Definitely! The activation time for PIM can be frustrating. Taking 30-60 seconds isn’t great when you're used to quicker access.
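The "PIM script that uses Microsoft Graph" idea above, written out as an added example (this is editor-supplied code, not something AdminGuru or anyone in the thread posted). It self-activates an eligible PIM-for-Groups membership, which is the pattern the question describes (a group that grants the Azure role). Assumptions: the Microsoft.Graph PowerShell SDK is installed, the group display name is unique, and the parameter names and the `PT8H` default are placeholders. MFA is not performed by the script: it is enforced by the group's activation policy and Conditional Access when `Connect-MgGraph` signs you in, so keep that policy in place rather than relying on the script.

```powershell
# Added example, not from the original thread: self-activate an eligible
# PIM-for-Groups membership via Microsoft Graph (v1.0 endpoints).
# Assumes the Microsoft.Graph SDK is installed; $GroupName is a placeholder.

param(
    [Parameter(Mandatory)] [string] $GroupName,     # display name of the PIM-enabled group (assumed unique)
    [string] $Justification = "Change work",
    [string] $Duration = "PT8H",                    # ISO 8601; must not exceed the group's activation policy maximum
    [string] $TicketNumber                          # optional, if the policy requires ticket info
)

# Delegated permissions needed to read eligibilities, resolve group names and request activation.
# MFA is enforced here by Conditional Access / the PIM policy, not by this script.
Connect-MgGraph -Scopes "PrivilegedEligibilitySchedule.Read.AzureADGroup",
                        "PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup",
                        "Group.Read.All" | Out-Null

$me = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/me?`$select=id,userPrincipalName"

# Pull every group the signed-in user is eligible for, then match on display name.
$uri = "https://graph.microsoft.com/v1.0/identityGovernance/privilegedAccess/group/eligibilitySchedules" +
       "?`$filter=principalId eq '$($me.id)'"
$eligible = (Invoke-MgGraphRequest -Method GET -Uri $uri).value
if (-not $eligible) { throw "No PIM group eligibilities found for $($me.userPrincipalName)" }

$target = $null
foreach ($e in $eligible) {
    $g = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/groups/$($e.groupId)?`$select=displayName"
    if ($g.displayName -eq $GroupName) { $target = $e; break }
}
if (-not $target) {
    $ids = ($eligible | ForEach-Object { $_.groupId }) -join ", "
    throw "Not eligible for '$GroupName'. Eligible group IDs: $ids"
}

# Build the assignmentScheduleRequest body. accessId is "member" or "owner",
# exactly as the eligibility was granted; do not hard-code it.
$body = @{
    accessId      = $target.accessId
    principalId   = $me.id
    groupId       = $target.groupId
    action        = "selfActivate"
    justification = $Justification
    scheduleInfo  = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString("o")
        expiration    = @{ type = "afterDuration"; duration = $Duration }
    }
}
if ($TicketNumber) { $body.ticketInfo = @{ ticketNumber = $TicketNumber } }

$req = Invoke-MgGraphRequest -Method POST -Body $body -ContentType "application/json" `
    -Uri "https://graph.microsoft.com/v1.0/identityGovernance/privilegedAccess/group/assignmentScheduleRequests"

# "Provisioned" when the policy auto-approves; "PendingApproval" when an approver must act first.
"{0}: request {1} -> {2}" -f $GroupName, $req.id, $req.status
```

Two caveats a practitioner should keep in mind: the script cannot shorten the provisioning delay the commenter is complaining about (the request is still processed by PIM), and the duration you pass is capped by the activation policy, so a request above the maximum is rejected rather than silently trimmed.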

Answered By TechWhiz123 On

Check out this resource: https://github.com/kayasax/EasyPIM/wiki/Invoke%E2%80%90EasyPIMOrchestrator. It's a good way to manage PIM. Also, stick to Microsoft’s best practices by using a top-down structure from management groups to workload levels with a least-privilege approach. You'll have a bunch of roles across different scopes, but this method helps keep everything in check!

ResourceGuru89 -

I appreciate the tip! We're using management groups, and elevating at the top level is definitely easier, even if the user count is low. We avoid persistent browser sessions with conditional access, limiting access to an 8-hour session. It just gets tricky when users need specific roles across multiple resources.
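The "top-down from management groups" structure mentioned above, shown as an added example rather than anything TechWhiz123 or ResourceGuru89 posted: instead of granting eligibility per subscription or resource, an engineer role group is made eligible (not active) for a role once at management-group scope, so members activate a single role that flows down to every subscription below it. Assumptions: the Az.Accounts and Az.Resources modules are installed, the caller can manage PIM at that scope (Owner or User Access Administrator), and the management group name, group object ID and `P180D` duration are placeholders.

```powershell
# Added example, not from the original thread: create an eligible Azure resource
# role assignment at management-group scope via Az PowerShell (PIM for Azure resources).
# Placeholders: $ManagementGroupName, $PrincipalObjectId, the eligibility duration.

param(
    [Parameter(Mandatory)] [string] $ManagementGroupName,   # e.g. "mg-platform" (placeholder)
    [Parameter(Mandatory)] [string] $PrincipalObjectId,      # object ID of the engineer role group
    [string] $RoleName = "Contributor",
    [string] $EligibilityDuration = "P180D"                  # must be within the role's PIM policy maximum
)

Connect-AzAccount | Out-Null

$scope = "/providers/Microsoft.Management/managementGroups/$ManagementGroupName"

# The schedule request wants the role definition as a full ARM resource ID, not the bare GUID.
$roleDef = Get-AzRoleDefinition -Name $RoleName
if (-not $roleDef) { throw "Role '$RoleName' not found" }
$roleDefinitionId = "$scope/providers/Microsoft.Authorization/roleDefinitions/$($roleDef.Id)"

# Idempotency guard: skip if this principal is already eligible for this role at this scope,
# so re-running the script does not pile up duplicate schedules.
$existing = Get-AzRoleEligibilitySchedule -Scope $scope -Filter "principalId eq '$PrincipalObjectId'" |
    Where-Object { $_.RoleDefinitionId -eq $roleDefinitionId -and $_.Scope -eq $scope }
if ($existing) {
    "Eligibility already present at $scope : $($existing.Id)"
    return
}

# AdminAssign creates an eligibility; members still have to activate (SelfActivate) to get the role.
$request = New-AzRoleEligibilityScheduleRequest `
    -Name (New-Guid).Guid `
    -Scope $scope `
    -PrincipalId $PrincipalObjectId `
    -RoleDefinitionId $roleDefinitionId `
    -RequestType AdminAssign `
    -ScheduleInfoStartDateTime (Get-Date -Format o) `
    -ExpirationType AfterDuration `
    -ExpirationDuration $EligibilityDuration `
    -Justification "Eligible $RoleName for engineer group at $ManagementGroupName"

"Created eligibility request $($request.Name) with status $($request.Status)"
```

The trade-off this makes explicit: one eligibility at the management group replaces many per-subscription ones, but an activation then covers every subscription underneath, so narrower roles (or a lower management group) are the right answer where a team should not be able to touch a sibling workload.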

Answered By LostInCloud On

Could someone break this down for me? I’m struggling to understand the whole PIM and role management process better.
