I recently heard about Privileged Identity Management (PIM) during a meeting, and after watching a tutorial on setting it up, I'm still confused about how it actually enhances security. It seems that to elevate access to an admin role, you just have to navigate to PIM and activate it, which doesn't seem much different than having permanent admin access. I understand that requiring approval adds a layer of security, but using PIM without that approval feels like just a minor inconvenience.
Given that our small team consists of three admins and two managers, we currently all have Global Admin access (not ideal, I know!). I'm wondering how others implement PIM in their environments? For instance, can I create a master account not used daily, secured with a YubiKey, to approve elevation requests? My idea is that we all log in the morning, request elevation for eight hours for roles like Exchange, Intune, or Azure, and then the master account approves them—would that improve security?
2 Answers
PIM allows for multi-admin approvals and requires extra authentication if you set it up right. It helps reduce standing privileges, meaning your daily accounts don't have elevated permissions all the time, which is crucial for preventing unauthorized access or accidents.
PIM has several benefits like timing, auditing, and conditional access. You can set specific rules on who can elevate, when they can do it, and from which locations. This control can significantly enhance security compared to just giving out permanent admin rights.
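The settings described in this answer (time-bound activation, extra authentication, a second person approving) are configured per role in the PIM role management policy. As an added example that is not part of this thread, the following Microsoft Graph PowerShell script tightens the policy for the Exchange Administrator role to match the eight-hour, approver-gated setup the question describes; the approver group ID is a placeholder, and the Microsoft.Graph.Identity.Governance module plus the Privileged Role Administrator role are assumed.

```powershell
# Added example (not from the original thread). Requires Microsoft.Graph.Identity.Governance
# and an account holding Privileged Role Administrator. Run as a whole after setting the group ID.
Connect-MgGraph -Scopes 'RoleManagementPolicy.ReadWrite.Directory'

$roleDefinitionId = '29232cdf-9323-42fd-ade2-1d097af3e4de'  # Exchange Administrator role template ID
$approverGroupId  = '00000000-0000-0000-0000-000000000000'  # PLACEHOLDER: group holding the approver account(s)

# Each directory role has one policy assignment at tenant scope ('/'); look up its policy ID.
$assignment = Get-MgPolicyRoleManagementPolicyAssignment `
    -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$roleDefinitionId'"
$policyId = $assignment.PolicyId

# 1. Expiration: an activation lasts at most 8 hours, then the admin is back to eligible-only.
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId 'Expiration_EndUser_Assignment' -BodyParameter @{
        '@odata.type'        = '#microsoft.graph.unifiedRoleManagementPolicyExpirationRule'
        isExpirationRequired = $true
        maximumDuration      = 'PT8H'
    }

# 2. Enablement: activating requires MFA and a written justification (shows up in the audit log).
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId 'Enablement_EndUser_Assignment' -BodyParameter @{
        '@odata.type' = '#microsoft.graph.unifiedRoleManagementPolicyEnablementRule'
        enabledRules  = @('MultiFactorAuthentication', 'Justification')
    }

# 3. Approval: a member of the approver group must approve each request (PIM never lets a
#    requestor approve their own request), and the approver must justify the decision as well.
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId 'Approval_EndUser_Assignment' -BodyParameter @{
        '@odata.type' = '#microsoft.graph.unifiedRoleManagementPolicyApprovalRule'
        setting = @{
            isApprovalRequired               = $true
            isRequestorJustificationRequired = $true
            approvalMode                     = 'SingleStage'
            approvalStages = @(@{
                approvalStageTimeOutInDays      = 1
                isApproverJustificationRequired = $true
                isEscalationEnabled             = $false
                primaryApprovers = @(@{
                    '@odata.type' = '#microsoft.graph.groupMembers'
                    groupId       = $approverGroupId
                })
            })
        }
    }

# Verify what is now in force for this role before repeating for Intune, Azure, etc.
Get-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId |
    Select-Object Id, AdditionalProperties
```

Repeat the three rule updates for each role the team activates daily; the approver account itself should be a separate, phishing-resistant (for example FIDO2-protected) identity that is never used for routine work.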

Totally agree! And the authentication context is something way too many overlook!