Bjørnar Aassveen

Privileged Access Management🔑


What is Privileged Access Management (PAM)?


Privileged Access Management (PAM) is a security feature in Microsoft 365 that provides granular control over privileged administrative tasks. PAM helps protect your organization from security breaches by limiting persistent access to sensitive data and critical configuration settings. This is achieved by providing just-in-time access to administrative tasks, which reduces the risk of sensitive information being exposed.


However, it is important to note that PAM only supports Exchange roles and permissions at the moment. It is said that the Exchange team developed PIM and PAM to meet their own needs first and then slowly rolled them out more broadly... who knows 🥸 (There will be a separate post about PIM later.)





How to get started with Privileged Access Management (PAM)


Create an approval group

  1. Sign in to the Microsoft 365 admin center with an administrator account.

  2. Go to Settings > Organization Settings > Security & Privacy > Privileged Access.

  3. Create a mail-enabled security group for the users who should have approval authority over requests for elevated task access ("PAM-Approvers" in my case).


Enable privileged access

  1. In the admin center, go to Security & Privacy > Privileged Access.

  2. Select Manage access policies and requests.

  3. Enable privileged access with the default approval group ("PAM-Approvers").



PAM can of course also be enabled via PowerShell, and the configuration takes effect in all new PowerShell sessions where the policies apply. The example below turns on PAM with an approval group and also adds exceptions for two fictitious service accounts.






  1. Define specific approval requirements for individual tasks by creating an approval policy.

  2. Choose between automatic and manual approval (automatic means that access is granted without approval; manual means that a member of the approval group must approve the access).

The same in PowerShell




  1. Above, I have created a policy that requires approval before a mailbox migration can be performed.
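As an added worked example (not the author's own screenshots, which are not reproduced here), the following PowerShell does what the two screenshots described: it enables PAM with the PAM-Approvers group plus exceptions for two service accounts, creates a manual approval policy for mailbox migration, and then shows the check a practitioner would run afterwards. The cmdlets are the documented ones from the ExchangeOnlineManagement module; the tenant domain, the two service account names and the choice of New-MoveRequest as the task behind a mailbox migration are assumptions.

```powershell
# Added example, not the post's own code. Assumes the ExchangeOnlineManagement module
# is installed and the signed-in admin may manage PAM. Placeholders: the
# contoso.onmicrosoft.com tenant and the svc-migration1/2 service accounts.

Connect-ExchangeOnline

# Mail-enabled security group created in the first step of the post.
$approvers = 'PAM-Approvers@contoso.onmicrosoft.com'

# 1. Turn on PAM with the default approval group and exempt two (fictitious)
#    service accounts so their unattended jobs are not blocked by approval policies.
#    Keep this list short and reviewed: every exempt account bypasses the whole workflow.
Enable-ElevatedAccessControl -AdminGroup $approvers -SystemAccounts @(
    'svc-migration1@contoso.onmicrosoft.com',
    'svc-migration2@contoso.onmicrosoft.com'
)

# 2. Require manual approval before anyone can start a mailbox migration.
#    Tasks are named '<Module>\<Cmdlet>'; New-MoveRequest is assumed here as the
#    cmdlet behind a mailbox move. ApprovalType Manual = an approver must act.
New-ElevatedAccessApprovalPolicy -Task 'Exchange\New-MoveRequest' `
    -ApprovalType Manual `
    -ApproverGroup $approvers

# 3. Verify what is actually in force before relying on it.
Get-ElevatedAccessApprovalPolicy | Format-Table Task, ApprovalType, ApproverGroup

# 4. Request/approve round-trip. The requester runs the first cmdlet; the approver
#    lists pending requests and approves (or denies) by RequestId.
New-ElevatedAccessRequest -Task 'Exchange\New-MoveRequest' `
    -Reason 'Planned mailbox migration, wave 3' -DurationHours 4

Get-ElevatedAccessRequest |
    Format-Table RequestId, RequestorUPN, Task, RequestStatus, RequestedTime, Reason

# Approve-ElevatedAccessRequest -RequestId <RequestId from the list above> -Comment 'Approved for wave 3'
# Deny-ElevatedAccessRequest    -RequestId <RequestId from the list above> -Comment 'Not scheduled'
```

The approval is time-boxed by DurationHours, so once it expires the requester is back to having no access to the task.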


Submit and approve privileged access requests

  1. When PAM is enabled, every task with an associated approval policy requires approval before it can be performed.

  2. Users must submit an access request, which must be approved before they can perform the task.


    In the example below, I have sent a request for "Set inbox rule". I submit the access request via https://admin.microsoft.com/#/Settings/PrivilegedAccess and "Request access".



  3. The approver(s) will then receive an email notification that user XYZ has requested access.



As part of the feature design, PAM includes robust audit controls at every step of the workflow. Actions, including enabling or disabling the feature, configuring policies, and changes to approver groups, are all recorded in the Exchange administration logs and then transferred to the Office 365 Unified Audit Log.




In summary, PAM is a useful tool for fine-grained access control in Exchange Online, and it can be a great fit for service desks, where what is needed is often a handful of permissions that otherwise come bundled in a somewhat too broad Entra ID role. The hope is that Microsoft will speed up the further development of PAM so that it can cover everything the Entra ID roles cover, but with finer granularity. There are also some rumors about broader support for Graph... We'll see 😎🔑




Bjørnar&AI


