Secure Azure Infra – 7.4: Managing Azure Resources

As some of the new resources have varying business impact we will increase our security posture using PIM to convert from direct permissions to “Just in Time” access and assign direct permissions that have an expiry date.

New permissions required for Alex Wilber:

Resource Business Impact Access Type Project Time PIM Task
All Contoso PaaS Resources Medium Intermittent full access 1 month JIT contributor access for 1 month
Contoso Web App Low Read only 1 month Direct read access for 1 month

All Contoso PaaS Resources

1) Let’s use PIM to make the necessary access changes to the sales resources by changing the access on the sales resource group itself as permissions will roll down to all the resources in it. As the admin user, click Privileged Identity Management > Azure resources (preview) > click Resource Filter > Resource Group > Contoso-PaaS

2) By default, the Contributor role is set to not require MFA so we need to modify this. In MANAGE click Role Settings > Contributor > Edit > tick Require Multi-Factor Authentication on activation > Update. Notice once the role has been updated you can see it has been modified, when and by who. This is shown in Figure 24.

Role Settings

Figure 24: Role Settings

3) In the Admin view click Contributor, you should see Alex Wilber with direct assignment. Click Alex > Change Settings. As Alex needs Just in Time access for 1 month, choose assignment type Just in Time > assignment start date Current day > assignment end date Current day + 1 month.

JIT User Settings

Figure 25: Just in Time User Settings

Contoso Web App Web Site

1) Let’s use PIM to make the necessary access changes to the marketing resource by changing the access specifically on the Contoso Web App Web Site. Click Privileged Identity Management > Azure resources (preview) > click Resource Filter > choose Resource > contosoapp.

2) In MANAGE click Roles > Reader.

3) Click Add User > select Alex Wilber > set the membership settings as followed, membership choose Direct > assignment start date Current day > assignment end date Current day + 1 month > type a justification for the change > Done

About engsoon

Eng Soon is a 4-time Microsoft MVP and has nearly 5 years of experience building enterprise system in the cloud.He is also a Certified Microsoft Azure.Eng Soon also have strong technical skills and analytic skill. As a developer, Besides the development task, he also involved in Project Management, Consulting, and Marketing. He has a passion for technology and sharing what he learns with others to help enable them to learn faster and be more productive. He also took part as speaker in many nationwide technical events, such as Conference, Meetup and Workshop. Currently, looking for opportunity in Cyber Security which include Cloud Security and Application Security.

View all posts by engsoon →

One Comment on “Secure Azure Infra – 7.4: Managing Azure Resources”

Leave a Reply

Your email address will not be published. Required fields are marked *