AzureAD PIM – how to setup a privileged role – Mobile-First Cloud-First
You first need to configure Azure AD PIM – see my earlier post How to set up Azure AD Privileged Identity Management (PIM).
In this post I will show how to use Azure AD PIM to give a user temporary Global Admin access. These are the built-in privileged roles:
- AdHoc License Administrator
- Billing Administrator
- Compliance Administrator
- Directory Readers
- Directory Writers
- Email Verified User Creator
- Exchange Administrator
- Global Administrator
- Mailbox Administrator
- Partner Tier1 Support
- Partner Tier2 Support
- Password Administrator
- Privileged Role Administrator
- Security Administrator
- Security Reader
- Service Administrator
- SharePoint Service Administrator
- Skype for Business Administrator
- User Administrator
- Workplace Device Join
How to assign a user a privileged role
Select Global Administrator

Select Add to find a user in Azure AD

Select Users

- Search your user
- Select your user
- Select Done

And now my [email protected] user is eligible to request temporary Global Admin access (eligible means nothing is active yet; the user still has to activate the role).
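The same eligibility assignment done from PowerShell, as an added example that is not part of the original post: it uses the Microsoft Graph PowerShell SDK (the post itself predates that module and uses the portal). Assumptions: the Microsoft.Graph module is installed, the signed-in account is a Privileged Role Administrator, the user UPN and the justification text are placeholders, and the 90-day eligibility expiry is a choice made here, not something the post prescribes.

```powershell
# Added example, not from the original post: make a user *eligible* for Global Administrator.
# Requires: Install-Module Microsoft.Graph; signed-in account holds Privileged Role Administrator.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "User.Read.All"

$userUpn = "user@contoso.com"              # placeholder: the user you want to make eligible
$user    = Get-MgUser -UserId $userUpn

# Look up the built-in role by name (its template id, 62e90394-69f5-4237-9190-012177145e10, is fixed across tenants).
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Administrator'"

$eligibility = @{
    Action           = "adminAssign"       # admin grants eligibility; no active rights result from this
    PrincipalId      = $user.Id
    RoleDefinitionId = $role.Id
    DirectoryScopeId = "/"                 # tenant-wide scope
    Justification    = "JIT Global Admin eligibility, see change ticket"   # placeholder text
    ScheduleInfo     = @{
        StartDateTime = (Get-Date).ToUniversalTime()
        # The eligibility itself is time-bound (ISO 8601 duration); use "noExpiration" only if you really want it permanent.
        Expiration    = @{ Type = "afterDuration"; Duration = "P90D" }
    }
}
$request = New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $eligibility
"Eligibility request status: $($request.Status)"

# Check 1: the user is now listed as eligible for the role.
Get-MgRoleManagementDirectoryRoleEligibilitySchedule `
    -Filter "principalId eq '$($user.Id)' and roleDefinitionId eq '$($role.Id)'" |
    Select-Object PrincipalId, MemberType, Status, @{n='EligibleUntil'; e={$_.ScheduleInfo.Expiration.EndDateTime}}

# Check 2: the user does NOT hold a permanent (active) assignment; eligibility must not leak into standing access.
$active = Get-MgRoleManagementDirectoryRoleAssignment `
    -Filter "principalId eq '$($user.Id)' and roleDefinitionId eq '$($role.Id)'"
if ($active) { Write-Warning "User also has a permanent Global Admin assignment; remove it so JIT is the only path." }
```

The second check matters in practice: a user who is both permanently assigned and eligible never needs to activate, so the audit trail the post relies on below is never produced for them.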

Now, how does a user request temporary Global Admin rights?
First, log in to https://portal.azure.com
Open Privileged Identity Management
Select Global Administrator – Request activation

The first time, you need to verify your identity to PIM with additional security verification (remember that the user needs an Azure AD Premium license for this).

Set up this account for additional security verification

I selected “Call me” – the Azure phone service calls my phone when I select Contact me

I answer my phone and press #
Then I can select Done

Now I can activate my request to become a temporary Global Admin
Then enter a reason for the role activation
Select Ok
Because I changed the default activation duration from 1 hour to 8 hours, I now have Global Admin rights for 8 hours
So for the next 8 hours I can log in to https://portal.office.com with Global Admin rights; after that the role deactivates by itself and the account is a normal user again.
What does this look like from an admin perspective?
We need to be able to track who gained privileged access, when, and why.
Log in to https://portal.azure.com as your PIM administrator.
Look at your Global Admins; you can see that a new user has access, and that the assignment has an expiration time.
Select Audit history on the front page of the PIM service
Then you can see that the user has requested temporary Global Admin rights, and the reason why.
I will be back with more posts about PIM at a later point.
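Both halves of the procedure above, the user's activation and the admin's check of active holders and audit history, done from PowerShell with the Microsoft Graph PowerShell SDK. This is an added example, not code from the original post. Assumptions: the Microsoft.Graph module is installed; part 1 runs as the eligible user and part 2 as a PIM administrator; the ticket text is a placeholder; the audit activity name pattern and the use of ResultReason for the justification reflect the current PIM audit schema and should be confirmed against your own tenant's entries.

```powershell
# Added example, not from the original post. Part 1 is run by the eligible user, part 2 by the PIM admin.

# ---- Part 1: the eligible user activates Global Administrator for 8 hours ----
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory"
$me   = Get-MgUser -UserId (Get-MgContext).Account      # the signed-in user
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Administrator'"

$activation = @{
    Action           = "selfActivate"
    PrincipalId      = $me.Id
    RoleDefinitionId = $role.Id
    DirectoryScopeId = "/"
    Justification    = "Ticket 12345: reset MFA for a locked-out user"   # placeholder; this is what the admin sees in the audit log
    ScheduleInfo     = @{
        StartDateTime = (Get-Date).ToUniversalTime()
        # ISO 8601 duration. Must not exceed the maximum the admin set in the role settings (8 hours in the post);
        # ask for the shortest window that covers the task rather than the maximum.
        Expiration    = @{ Type = "afterDuration"; Duration = "PT8H" }
    }
}
# If the role setting requires MFA on activation, the token used here must itself have been issued after MFA,
# otherwise the request is rejected, which is the same gate the portal's "additional security verification" enforces.
$request = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $activation
"Activation status: $($request.Status)"      # "Provisioned" when active; "PendingApproval" if the role requires approval

# ---- Part 2: the PIM admin reviews who holds the role right now, and why ----
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "AuditLog.Read.All", "Directory.Read.All"
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Administrator'"

# Current holders of Global Administrator. Activated (JIT) holders carry an EndDateTime;
# permanent holders do not, and each of those is a standing target worth questioning.
Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance `
    -Filter "roleDefinitionId eq '$($role.Id)'" -ExpandProperty principal |
    Select-Object @{n='User'; e={$_.Principal.AdditionalProperties.userPrincipalName}},
                  AssignmentType, MemberType, StartDateTime, EndDateTime |
    Sort-Object EndDateTime

# Audit history: PIM activation events from the last 24 hours with requester and justification.
$since = (Get-Date).AddDays(-1).ToUniversalTime().ToString("o")
Get-MgAuditLogDirectoryAudit -Filter "loggedByService eq 'PIM' and activityDateTime ge $since" -All |
    Where-Object { $_.ActivityDisplayName -like "*PIM activation*" } |     # assumption: activity names containing "PIM activation"
    Select-Object ActivityDateTime, ActivityDisplayName,
                  @{n='Requester';     e={$_.InitiatedBy.User.UserPrincipalName}},
                  @{n='Justification'; e={$_.ResultReason}}                # assumption: justification surfaces in ResultReason
```

The useful detection signal is in the second part: any Global Administrator instance without an EndDateTime is standing access that bypasses the whole just-in-time model, and any activation whose justification is empty or boilerplate is worth a follow-up with the requester.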
Remember that this is just-in-time admin access – a much safer way to hold admin rights only when they are needed. If the credentials are compromised while no activation is running, the attacker gets only a normal user, and activating still requires the additional security verification shown above. The flip side is that during an activation window the account really is a Global Admin, so keep the maximum activation duration as short as the work allows and review the audit history regularly.