Remember that the idea is that the CA policy only will kick in when the user has activated his Azure AD PIM role assignment as Exchange Administrator. Testing Azure AD PIM Role Activation and Conditional Access We are now ready to test the user experience. Next for Cloud apps I select Exchange Online:įor Access controls I select to require the device to marked as compliant:Īfter that I enable the policy and save. I specify a name and then select the Directory role of Exchange administrator as shown below: The first thing I set up is the CA policy for my specific Directory Role in this scenario. Creating Azure AD Conditional Access Policy for Directory Role Especially when he is doing admin stuff in our Exchange Online tenant or even running some Exchange Online PowerShell commands. Even though the Azure AD PIM role is protected by MFA at activation, making the user secure and trusted, I really want the device he is using to be secure and compliant with any management profiles I have defined using Intune MDM. Lets say that I only want this user to perfom Exchange Administrator tasks from a Compliant Device. I have an Exchange Administrator that from time to time performs Exchange Online admin tasks, and have configured this admin user with Azure AD PIM and eligible for Exchange Administrator Role among others: So I was wondering how this would work together with Azure AD Privileged Identity Management, for example in the following scenario: With Azure AD PIM you can require Azure MFA when activating admin roles, but outside that you cannot set conditions and access control scenarios like you can do with Azure AD Conditional Access.īut now recently there is a new option in public preview for assignments to users and groups for Conditional Access policies, you can assign the CA policy to directory roles! You can even implement approval workflows and audit trails, so if you haven’t looked into it you should really take a look! By implementing Azure AD PIM you can let users with admin roles elevate themselves when they need to, using just in time (JIT) and eligible roles instead of permanent admin roles. Azure AD Privileged Identity Management is a really great security feature for controlling those Azure AD and Azure Subscription administrator roles.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |