Recently we saw a major attack at Stryker, where a compromised Intune Administrator role (which we think was likely phished) let a hacker group wipe around 200K devices. Everyone is talking about it right now, so I thought we would walk through how to secure privileged access roles quickly and easily.
In this article we have selected the YubiKey Bio as our hardware token of choice, because I like biometric user verification on my hardware tokens rather than only a touch plus a PIN.
There are certainly even more secure approaches, like PAWs (Privileged Access Workstations, i.e. a dedicated machine you do all admin work from), which we may cover in a later article. Today, we will cover:
- What is Privileged Identity Management (PIM)?
- Configuring Entra Authentication Methods
- Setting up Conditional Access for PIM
- Configuring Entra Roles in PIM
- PIM Activation User Experience
- Final Thoughts
What is Privileged Identity Management (PIM)?
Everyone right now is asking how attacks like the one at Stryker can be prevented. The single most effective step you can take is implementing PIM correctly.
PIM is an Entra service that controls how access to "privileged roles" is granted, how long it lasts, and what a user must do to obtain it.
Requirements:
- Microsoft Entra ID P2 license
- Privileged Role Administrator or Global Administrator
We won't spend a TON of time covering PIM in detail. Basically, the idea is that certain roles are "privileged" and need stronger controls than ordinary role assignments.
As of this writing, those roles are:
| Role | What it can do |
| --- | --- |
| Application Administrator | Can create and manage all aspects of app registrations and enterprise apps. |
| Application Developer | Can create application registrations independent of the 'Users can register applications' setting. |
| Attribute Provisioning Administrator | Can read and edit the provisioning configuration of all active custom security attributes for an application. |
| Attribute Provisioning Reader | Can read the provisioning configuration of all active custom security attributes for an application. |
| Authentication Administrator | Can view, set and reset authentication method information for any non-admin user. |
| Authentication Extensibility Administrator | Can customize sign-in and sign-up experiences for users by creating and managing custom authentication extensions. |
| Authentication Extensibility Password Administrator | Can trigger a password submit event for custom authentication. |
| B2C IEF Keyset Administrator | Can manage secrets for federation and encryption in the Identity Experience Framework (IEF). |
| Cloud Application Administrator | Can create and manage all aspects of app registrations and enterprise apps except App Proxy. |
| Cloud Device Administrator | Has limited access to manage devices in Microsoft Entra ID. |
| Conditional Access Administrator | Can manage Conditional Access capabilities. |
| Directory Writers | Can read and write basic directory information. Intended for granting access to applications, not for users. |
| Domain Name Administrator | Can manage domain names in the cloud and on-premises. |
| External Identity Provider Administrator | Can configure identity providers for use in direct federation. |
| Global Administrator | Can manage all aspects of Microsoft Entra ID and Microsoft services that use Microsoft Entra identities. |
| Global Reader | Can read everything that a Global Administrator can, but cannot update anything. |
| Helpdesk Administrator | Can reset passwords for non-administrators and Helpdesk Administrators. |
| Hybrid Identity Administrator | Can manage AD to Microsoft Entra cloud provisioning, Microsoft Entra Connect, and federation settings. |
| Intune Administrator | Can manage all aspects of the Intune product. |
| Lifecycle Workflows Administrator | Can create and manage all aspects of workflows and tasks associated with Lifecycle Workflows in Microsoft Entra ID. |
| Password Administrator | Can reset passwords for non-administrators and Password Administrators. |
| Privileged Authentication Administrator | Can view, set and reset authentication method information for any user (admin or non-admin). |
| Privileged Role Administrator | Can manage role assignments in Microsoft Entra ID, and all aspects of Privileged Identity Management. |
| Security Administrator | Can read security information and reports, and manage configuration in Microsoft Entra ID and Office 365. |
| Security Operator | Can create and manage security events. |
| Security Reader | Can read security information and reports in Microsoft Entra ID and Microsoft 365. |
| User Administrator | Can manage all aspects of users and groups, including resetting passwords for limited admins. |
All of these roles need to be secured, and PIM is a major part of that answer. With PIM, you can provide just-in-time (JIT) access to Entra roles (and Azure roles as well).
You can also specify how long that access is for, require approval to activate certain roles, enforce MFA, attach a conditional access policy to it, require justification, ticket information, and so much more.
In PIM, there are two kinds of assignment:
- "Active" assignments, which are probably what you have today: a permanent, standing assignment of a role with very little oversight.
- "Eligible" assignments, where a user must meet certain criteria before the role is usable, such as getting an approval or satisfying a Conditional Access policy. You can also make the activation time-bound and require a justification or ticket number.

So we all agree that PIM is important and it's time to proceed; Stryker hammered that home even further. Now let's start by setting up the authentication methods.
Configuring Entra Authentication Methods
Before our admins can register a YubiKey, we configure the Passkey (FIDO2) authentication method to accept our tokens.
Overall it's pretty simple. You add the AAGUIDs for your key model under the key restrictions in the Authentication methods policy, and enforce attestation so the AAGUID is proven by the key rather than self-reported:
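The same policy change expressed with Microsoft Graph, as an added example that is not part of the original post. It assumes the Microsoft.Graph PowerShell SDK is installed and that you hold a role allowed to edit the authentication methods policy (Authentication Policy Administrator or higher). The AAGUID is a placeholder; take the real value for your YubiKey Bio model from Yubico's published AAGUID list or from the key's own attestation, and the group id if you scope registration to an admin group.

```powershell
# Added example (not from the original post): restrict passkey (FIDO2) registration to
# specific security-key models through the Entra authentication methods policy.
# Assumes: Microsoft.Graph PowerShell SDK; a role that may edit the policy.
# The AAGUID below is a PLACEHOLDER. Do not run this until you have replaced it.
Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod'

$allowedAaguids = @(
    '00000000-0000-0000-0000-000000000000'   # PLACEHOLDER: your YubiKey Bio AAGUID
)

$uri = 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/Fido2'

# Read the current configuration first so the change (and a rollback) is visible.
$before = Invoke-MgGraphRequest -Method GET -Uri $uri
"Before: state=$($before.state) restrictionsEnforced=$($before.keyRestrictions.isEnforced)"

$body = @{
    '@odata.type'                    = '#microsoft.graph.fido2AuthenticationMethodConfiguration'
    state                            = 'enabled'
    isSelfServiceRegistrationEnabled = $true    # admins register their own key at Security info
    isAttestationEnforced            = $true    # AAGUID must be backed by attestation, not just claimed
    keyRestrictions                  = @{
        isEnforced      = $true
        enforcementType = 'allow'                # allow-list: any AAGUID not listed is refused at registration
        aaGuids         = $allowedAaguids
    }
    includeTargets = @(
        @{
            targetType             = 'group'
            id                     = 'all_users'  # or the object id of your admin group
            isRegistrationRequired = $false
        }
    )
} | ConvertTo-Json -Depth 5

Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body $body -ContentType 'application/json'

# Verify that the allow-list is now enforced before telling anyone to register.
$after = Invoke-MgGraphRequest -Method GET -Uri $uri
if (-not $after.keyRestrictions.isEnforced -or $after.keyRestrictions.enforcementType -ne 'allow') {
    throw 'Key restrictions were not applied as expected'
}
"After: allowed AAGUIDs = $($after.keyRestrictions.aaGuids -join ', ')"
```

Enforcing attestation matters here: the AAGUID is a value the authenticator reports about itself, so an allow-list on its own only keeps honest keys honest. With attestation enforced, Entra checks the key's attestation certificate chain against the AAGUID, so an arbitrary software authenticator cannot claim to be a YubiKey Bio.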

One tricky thing with this setup is that admins must register the key themselves rather than being prompted to do it during sign-in. The Entra UI doesn't handle this as smoothly as it does for a standard Conditional Access policy that pushes Microsoft Authenticator passkeys, but it's not a major issue.
Admins register their hardware tokens from the Security info page of My Account (https://mysignins.microsoft.com/security-info), which is a routine step in this scenario. To me it's a non-issue.
You can check out this video below on setting it up, and registering the token:
Setting up Conditional Access for PIM
To set up a proper framework for PIM and enforce hardware tokens, we start by:
- Configuring the PIM Entra Authentication Context
- Configuring the PIM Entra Authentication Strength
- Setting Up the PIM Conditional Access Policy
Configuring the PIM Entra Authentication Context
Authentication contexts are basically resource tagging in Entra. You associate an ID (c1 through c99) with a label like "Admins", "FIDO" or "Trusted Devices", and use that tag on apps and resources, and in our case on PIM role activation.
They're super simple. You just add a name and a description and pick the ID:

Configuring the PIM Entra Authentication Strength
Authentication strengths are a bit more in-depth. Instead of the legacy "Require MFA" grant, you define which combinations of authenticators satisfy the policy.
Similar to earlier, we tell it which hardware is acceptable for Passkeys (FIDO2), again by AAGUID. Essentially, the authentication methods policy says "this key can register," and the authentication strength says "this key can be used to authenticate."
Some people might think it's fine to allow Microsoft Authenticator here too, but I'm not trusting anything besides my single hardware token.

Setting Up the PIM Entra Conditional Access Policy
The final step is configuring the Conditional Access policy that PIM will trigger.
It's easy; the settings are simply:
- Users: All users
- Target resources: the authentication context we created
- Grant: require the authentication strength we created
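The three pieces above built with Microsoft Graph, as an added example that is not part of the original post. It assumes the Microsoft.Graph PowerShell SDK, a Conditional Access Administrator (or higher) role, and that context id c1 is unused in your tenant. The AAGUID and the break-glass account object id are placeholders, and the display names are mine.

```powershell
# Added example (not from the original post): create the authentication context, the custom
# authentication strength and the Conditional Access policy described in this section.
# Assumes: Microsoft.Graph PowerShell SDK; Conditional Access Administrator or higher;
# context id c1 is free. AAGUID and break-glass object id are PLACEHOLDERS.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.ReadWrite.AuthenticationMethod','Policy.Read.All'

$graph         = 'https://graph.microsoft.com/v1.0'
$contextId     = 'c1'
$allowedAaguid = '00000000-0000-0000-0000-000000000000'   # PLACEHOLDER: your YubiKey Bio AAGUID
$breakGlassId  = '00000000-0000-0000-0000-000000000000'   # PLACEHOLDER: break-glass account object id

# 1. Authentication context: the tag PIM attaches to a role activation. PATCH on the id creates it.
$ctx = @{
    displayName = 'PIM - Hardware Token'
    description = 'Privileged role activation; satisfied only by an allow-listed FIDO2 key'
    isAvailable = $true
} | ConvertTo-Json
Invoke-MgGraphRequest -Method PATCH -Uri "$graph/identity/conditionalAccess/authenticationContextClassReferences/$contextId" `
    -Body $ctx -ContentType 'application/json'

# 2. Authentication strength: the only acceptable combination is a FIDO2 passkey ...
$strength = Invoke-MgGraphRequest -Method POST -Uri "$graph/policies/authenticationStrengthPolicies" `
    -ContentType 'application/json' -Body (@{
        displayName         = 'PIM - YubiKey Bio only'
        description         = 'FIDO2 security key restricted to allow-listed AAGUIDs'
        allowedCombinations = @('fido2')
    } | ConvertTo-Json)

# ... and within FIDO2, only keys whose AAGUID is on the list (Authenticator passkeys do not qualify).
$combo = @{
    '@odata.type'         = '#microsoft.graph.fido2CombinationConfiguration'
    appliesToCombinations = @('fido2')
    allowedAAGUIDs        = @($allowedAaguid)
} | ConvertTo-Json
Invoke-MgGraphRequest -Method POST -Uri "$graph/policies/authenticationStrengthPolicies/$($strength.id)/combinationConfigurations" `
    -Body $combo -ContentType 'application/json'

# 3. Conditional Access: all users, scoped to the context, grant = our strength.
# Created in report-only; switch state to 'enabled' once sign-in logs show the expected result.
$policy = @{
    displayName   = 'PIM - Require YubiKey Bio for role activation'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        clientAppTypes = @('all')
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlassId) }
        applications   = @{ includeAuthenticationContextClassReferences = @($contextId) }
    }
    grantControls = @{
        operator               = 'OR'
        builtInControls        = @()
        authenticationStrength = @{ id = $strength.id }
    }
} | ConvertTo-Json -Depth 10
$created = Invoke-MgGraphRequest -Method POST -Uri "$graph/identity/conditionalAccess/policies" `
    -Body $policy -ContentType 'application/json'
"Created CA policy $($created.id) in state $($created.state)"
```

Two deliberate choices in the example: the break-glass account is excluded from the policy so that a mistake in the strength or the AAGUID list cannot lock every admin out at once (that account still needs its own protection, as the next section says), and the policy starts in report-only so the first few activations show up in the sign-in logs as "would have required" rather than as hard failures.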

Below, you can see a video where we bring it all together:
Configuring Entra Roles in PIM
The final piece is configuring the Entra Roles in PIM themselves.
A few things to be aware of:
- Make sure you clean up any "Active" assignments that already exist. Go to the Roles page and filter for active assignments to do your cleanup before you start. When cleaning up Global Administrators, make sure you keep a break-glass account, also secured by a hardware token, to configure PIM with.
- You can't use activated roles, even Global Admin, to clean up active assignments, so remember to clean up before you set things up.
- Don't delete yourself, otherwise you're in trouble.
- You will need Entra security groups to assign PIM roles; M365 groups are not supported for this.
Honestly, it's easier than I expected. You go into a role and edit its "Role settings".
In my demo I don't enforce approvals, but I recommend that you DO.
In the screenshot below, I simply set the auth context I created earlier, require justification, and set an approver for the role.

In the Assignment section, I disable "Allow permanent active assignment" and leave the rest as is:

After this I save and leave notifications as is. You can check out the video below on the full setup:
I've considered providing some PowerShell to set up the roles in bulk, but I think it's worth stepping through each of them. Many of them will have their own notification needs and similar specifics.
The good news is that assignments are easier to make from the Entra Groups menu, where you can add role assignments to a group directly:
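For one role at a time, the cleanup check and the role settings from this section can be driven through Microsoft Graph. The following is an added example, not part of the original post: it lists the role's current active assignments (the permanent ones are what you clean up first) and then writes the four settings shown above. It assumes the Microsoft.Graph PowerShell SDK, the Privileged Role Administrator role, and that the authentication context c1 from the earlier section exists; the approver group id is a placeholder.

```powershell
# Added example (not from the original post): inspect active assignments of one Entra role,
# then set its PIM role settings: auth context c1, justification, approval, no permanent active.
# Assumes: Microsoft.Graph PowerShell SDK; Privileged Role Administrator; context c1 exists.
# The approver group id is a PLACEHOLDER.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory','RoleManagementPolicy.ReadWrite.Directory'

$graph           = 'https://graph.microsoft.com/v1.0'
$roleName        = 'Intune Administrator'
$authContextId   = 'c1'
$approverGroupId = '00000000-0000-0000-0000-000000000000'   # PLACEHOLDER: group whose members approve

# Resolve the role definition by display name rather than hard-coding a template id.
$role = (Invoke-MgGraphRequest -Method GET -Uri "$graph/roleManagement/directory/roleDefinitions?`$filter=displayName eq '$roleName'").value |
    Select-Object -First 1
if (-not $role) { throw "Role '$roleName' not found" }

# 1. Active assignments that exist today. Anything marked PERMANENT is what you remove first.
$instances = (Invoke-MgGraphRequest -Method GET -Uri "$graph/roleManagement/directory/roleAssignmentScheduleInstances?`$filter=roleDefinitionId eq '$($role.id)'").value
foreach ($i in $instances) {
    $life = if ($i.endDateTime) { "ends $($i.endDateTime)" } else { 'PERMANENT' }
    '{0,-10} principal={1} {2}' -f $i.assignmentType, $i.principalId, $life
}

# 2. Locate the PIM policy bound to this role at tenant scope.
$binding = (Invoke-MgGraphRequest -Method GET -Uri "$graph/policies/roleManagementPolicyAssignments?`$filter=scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$($role.id)'").value |
    Select-Object -First 1
$policyId = $binding.policyId

# Each portal setting is one rule id; the rule's caller and level follow from that id.
function Set-PimRule([string]$ruleId, [hashtable]$props) {
    $caller = if ($ruleId -like '*_EndUser_*') { 'EndUser' } else { 'Admin' }
    $level  = if ($ruleId -like '*_Eligibility') { 'Eligibility' } else { 'Assignment' }
    $body = $props + @{
        id     = $ruleId
        target = @{ caller = $caller; operations = @('All'); level = $level; inheritableSettings = @(); enforcedSettings = @() }
    }
    Invoke-MgGraphRequest -Method PATCH -Uri "$graph/policies/roleManagementPolicies/$policyId/rules/$ruleId" `
        -Body ($body | ConvertTo-Json -Depth 10) -ContentType 'application/json'
}

# "Allow permanent active assignment" = No: admin-made active assignments must expire.
Set-PimRule 'Expiration_Admin_Assignment' @{
    '@odata.type'        = '#microsoft.graph.unifiedRoleManagementPolicyExpirationRule'
    isExpirationRequired = $true
    maximumDuration      = 'P180D'
}

# On activation: require justification. Do NOT add 'MultiFactorAuthentication' here;
# the authentication-context rule below takes its place and the two are mutually exclusive.
Set-PimRule 'Enablement_EndUser_Assignment' @{
    '@odata.type' = '#microsoft.graph.unifiedRoleManagementPolicyEnablementRule'
    enabledRules  = @('Justification')
}

# On activation: trigger the Conditional Access policy tagged with our authentication context.
Set-PimRule 'AuthenticationContext_EndUser_Assignment' @{
    '@odata.type' = '#microsoft.graph.unifiedRoleManagementPolicyAuthenticationContextRule'
    isEnabled     = $true
    claimValue    = $authContextId
}

# On activation: require approval from the members of the approver group.
Set-PimRule 'Approval_EndUser_Assignment' @{
    '@odata.type' = '#microsoft.graph.unifiedRoleManagementPolicyApprovalRule'
    setting = @{
        isApprovalRequired = $true
        approvalStages     = @(
            @{
                approvalStageTimeOutInDays      = 1
                isApproverJustificationRequired = $true
                escalationTimeInMinutes         = 0
                isEscalationEnabled             = $false
                primaryApprovers                = @(@{ '@odata.type' = '#microsoft.graph.groupMembers'; groupId = $approverGroupId })
                escalationApprovers             = @()
            }
        )
    }
}

# Read the rules back so what is now enforced is visible.
$rules = (Invoke-MgGraphRequest -Method GET -Uri "$graph/policies/roleManagementPolicies/$policyId/rules").value
$rules | Where-Object { $_.id -in 'Expiration_Admin_Assignment','Enablement_EndUser_Assignment','AuthenticationContext_EndUser_Assignment','Approval_EndUser_Assignment' } |
    ForEach-Object { $_ | ConvertTo-Json -Depth 10 }
```

Run the listing step on Global Administrator before anything else; it is the quickest way to find the standing assignments that should become eligible, and the output will show whether your break-glass account is still there before you start removing the rest.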

PIM Activation User Experience
The hardest thing about PIM is getting people used to the user experience, because in some scenarios it gets a little confusing. I recommend always working with it from an incognito (private) browser window so a cached session doesn't mask what the activation flow really asks for.
I’d recommend checking out my video below, which will give you much stronger insight into how it works:
Final Thoughts
What we learned over the last few days is that we MUST set this up now. We MUST require hardware tokens, and we MUST not waste any more time. This is incredibly important to the success of our organizations, and far too much time has already been wasted on something this important. Every day we see companies with 25 or so Global Administrators, poor security, and far too much risk.
We can do better, and we must start NOW!
