Privileged Identity Management

  • 2 minutes to read

Purpose

This SOP outlines the process for managing, controlling, and monitoring access to privileged roles in Microsoft Entra ID using Privileged Identity Management (PIM). It ensures that access is granted following security and compliance guidelines to minimize risks associated with excessive or unnecessary privileges.

Scope

This procedure applies to all organizations utilizing Compliance-as-a-Service and includes actions for both the Organization seeking certification (OSC) and the External Service Provider (ESP).

Section 1: Organization seeking certification (OSC) Steps

Step 1: Submit a Request for Elevated Access

  • Submit a request for role activation through the helpdesk.
  • Ensure the request is made by an authorized user.
  • Specify the role required, justification, and the duration for activation.

Step 2: Await Approval and Notification

  • The request will be reviewed by the designated approver.
  • Upon approval, an email notification will be sent confirming access.

Step 3: Activate Elevated Access

  • Navigate to the Azure AD Privileged Identity Management (PIM) portal:
  • Locate the assigned role and click Activate.
  • Enter the required justification and duration.
  • Complete Multi-Factor Authentication (MFA) if prompted.
  • Upon activation, privileges will be available for the specified duration.

Section 2: External Service Provider (ESP) IT Team Steps

Prerequisites

  • Confirm that the user requesting elevated access is authorized.
  • Verify that the request was routed through the helpdesk.
  • Ensure that the role requested aligns with security policies and business requirements.

Assigning Elevated Access

  1. Navigate to the Azure AD Privileged Identity Management (PIM) portal:
  2. Click Manage, then select + Add assignments.
  3. In the Select roles dropdown, choose the role to assign.
  4. Under Select member(s), choose the user(s) to assign the role.
  5. Determine the Assignment type (Eligible or Active) and Duration.
  6. Click Assign.
  7. If required, verify the user’s identity with MFA.

Approving Elevated Access Requests

  1. Navigate to the Azure AD Privileged Identity Management (PIM) portal.
  2. Click Approve requests from the left-hand menu.
  3. Review the list of pending requests.
  4. Select the request and review justification details.
  5. If approved, click Approve. If denied, provide a reason and notify the requester.
  6. The requester will receive an email confirmation upon approval.

Monitoring and Compliance

  • Regularly audit role assignments and activations.
  • Review PIM logs to identify unauthorized access attempts.
  • Revoke access if a user no longer requires elevated privileges.

Review & Maintenance

This SOP will be reviewed on a quarterly basis or as required by changes in compliance regulations or Microsoft cloud services.