I'm looking for advice on implementing an approval process for role elevation in our Privileged Identity Management (PIM) setup. We've had PIM for a while now, and previously, it was set up with self-elevation, which doesn't include any approvals. My team consists of six people in the IT department, and we have direct roles that can be activated temporarily for various tasks. However, not everyone on the team can activate all roles, as access is determined by job responsibilities.
The current system raises security concerns, particularly that someone with admin access could self-elevate without any checks. I want to ensure that before granting access to sensitive roles, like the Authentication Administrator, there's a peer-based approval process in place. A big issue I'm facing is how to manage these approvals effectively. For example, if someone needs to change a user's authentication method, I want to make sure there's a solid verification system before approval is given.
Does anyone have experience with this? Do you use phone calls or another method to verify requests? Or is my approach flawed? We're using separate admin accounts, and they can only be accessed from compliant devices requiring physical security keys, but I'd like to tighten things up further.
1 Answer
If PIM approval isn't a compliance must-have, I would skip it altogether and just enforce multi-factor authentication (MFA) for any elevation actions. Your biggest risk is token theft, and by requiring compliant devices, you’ve already cut down the risks significantly. Only use approvals if you need a clear audit trail for change management. Bear in mind, if someone has access to your refresh tokens, they could still get elevated permissions by waiting for you to activate. That's actually a feature Microsoft acknowledges!

So you're suggesting that since users are already authenticated, I might not need an additional approval step? Do you mean an extra confirmation, like requiring them to touch their security key again during the elevation?
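The two settings discussed in the thread (MFA on activation, with approval as an optional extra) are both PIM role-setting rules that can be set through Microsoft Graph. The script below is an added example, not code from anyone in the thread: it uses the Microsoft.Graph PowerShell SDK and `Invoke-MgGraphRequest` against the v1.0 `roleManagementPolicies` endpoints to apply an MFA-plus-justification enablement rule to the Authentication Administrator role, and optionally a single-stage approval rule whose approvers are the members of a peer group. The group name `PIM-Approvers-IT`, the `$RequireApproval` switch and the one-day approval timeout are assumptions for illustration; the role is resolved by display name rather than by a hard-coded template id.

```powershell
# Added example (not from the original thread). Assumes the Microsoft.Graph SDK is
# installed and the signed-in admin can manage PIM policies. "PIM-Approvers-IT" is a
# placeholder group name; $RequireApproval decides whether step 4 runs at all.
$RequireApproval = $true
$graph = "https://graph.microsoft.com/v1.0"

Connect-MgGraph -Scopes "RoleManagementPolicy.ReadWrite.Directory",
                        "RoleManagement.Read.Directory",
                        "Group.Read.All"

# 1. Resolve the role definition by display name instead of hard-coding its id.
$roleUri = "$graph/roleManagement/directory/roleDefinitions?`$filter=displayName eq 'Authentication Administrator'"
$role = (Invoke-MgGraphRequest -Method GET -Uri $roleUri).value[0]

# 2. Find the PIM policy bound to that role at tenant ('/') scope.
$assignUri = "$graph/policies/roleManagementPolicyAssignments?`$filter=scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$($role.id)'"
$policyId = (Invoke-MgGraphRequest -Method GET -Uri $assignUri).value[0].policyId

# Rules for end-user activation share the same target block.
$target = @{
    caller              = "EndUser"
    operations          = @("All")
    level               = "Assignment"
    inheritableSettings = @()
    enforcedSettings    = @()
}

# 3. Enablement rule: every activation must satisfy MFA and carry a justification.
#    This is the "enforce MFA for elevation" setting the answer recommends.
$enablement = @{
    "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule"
    id            = "Enablement_EndUser_Assignment"
    enabledRules  = @("MultiFactorAuthentication", "Justification")
    target        = $target
}
Invoke-MgGraphRequest -Method PATCH -ContentType "application/json" `
    -Uri "$graph/policies/roleManagementPolicies/$policyId/rules/Enablement_EndUser_Assignment" `
    -Body $enablement

# 4. Optional approval rule: one stage, approvers = members of a peer group,
#    approver must record a justification (this is what produces the audit trail).
if ($RequireApproval) {
    $groupUri = "$graph/groups?`$filter=displayName eq 'PIM-Approvers-IT'"
    $approverGroup = (Invoke-MgGraphRequest -Method GET -Uri $groupUri).value[0]

    $approval = @{
        "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule"
        id            = "Approval_EndUser_Assignment"
        target        = $target
        setting       = @{
            isApprovalRequired               = $true
            isApprovalRequiredForExtension   = $false
            isRequestorJustificationRequired = $true
            approvalMode                     = "SingleStage"
            approvalStages                   = @(
                @{
                    approvalStageTimeOutInDays      = 1
                    isApproverJustificationRequired = $true
                    isEscalationEnabled             = $false
                    escalationTimeInMinutes         = 0
                    primaryApprovers                = @(
                        @{ "@odata.type" = "#microsoft.graph.groupMembers"; groupId = $approverGroup.id }
                    )
                    escalationApprovers             = @()
                }
            )
        }
    }
    Invoke-MgGraphRequest -Method PATCH -ContentType "application/json" `
        -Uri "$graph/policies/roleManagementPolicies/$policyId/rules/Approval_EndUser_Assignment" `
        -Body $approval
}

# Read the policy back so the applied rules can be reviewed.
(Invoke-MgGraphRequest -Method GET -Uri "$graph/policies/roleManagementPolicies/$policyId/rules").value |
    Where-Object { $_.id -in "Enablement_EndUser_Assignment", "Approval_EndUser_Assignment" } |
    ForEach-Object { $_ | ConvertTo-Json -Depth 10 }
```

On the follow-up question: the `MultiFactorAuthentication` enablement rule only requires that the activating session satisfies MFA, so a user whose token already carries a fresh MFA claim from signing in with the security key will not necessarily be prompted to touch it again; it is a requirement on the session, not a separate confirmation step. The approval rule is the part that adds a second person and a recorded approver justification, which is the audit-trail case the answer describes.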