– Hello, everyone. Welcome to this session on RBAC and PIM. My name is Abhijeet Kumar Sinha. I am a Program Manager in the Azure AD RBAC team, focusing on fine-grained delegation of administration. I will be presenting this session with my colleague, Steve Lieberman.

– Thanks, Abhijeet. My name is Steve Lieberman, and I’m a Program Manager on the Azure Active Directory Identity Governance team. Today, I’ll be talking to you about Privileged Identity Management.

>> In this session, we will talk about our North Star: the direction that we are moving towards, or strive to move towards. We will give you demos of some of the cool things that you all asked us to build. And then we will wrap up with our roadmap.

Let’s start with our North Star. We, Microsoft, succeed when you efficiently manage your admin access to least privilege. Least privilege means you are granting your admins exactly the permissions that they need to do their job, nothing less and nothing more. Your admin should have a very specific set of permissions over a specific scope for a specific period of time. Having more than five global admins is not a good place to be in.

Picture this: a global admin is like a superhero in a building who roams around with a huge key chain dangling at his side, having keys to each and every room of the building. Let’s say the name of our superhero is Bob. Heavens may fall if Bob falls sick or gets attacked. It is a risky job to be this person. No one wants to hold the keys to the entire kingdom, but that’s what being a global admin is all about. Our data says that global admin accounts are twice as likely to be attacked compared to a low-level admin or a normal user account.

So our North Star is to empower you, give you enough tools, and guide you to that state of least privilege. But there is no single magic bullet to solve all this. It is a long journey with multiple stages to it.

First, we want to help you reduce the number of global admins and increase the usage of lower privileged roles. Going back to our previous example, the fewer superheroes you have in a building, the more secure your building will be. To help you achieve this, we shipped seven new built-in roles in the past few months; in total, Azure AD has more than 50 built-in roles, with plenty more in the pipeline. And not just built-in roles: we want to empower you with custom roles capability as well, where you can cherry-pick the permissions and bundle them into a role. We shipped custom roles for application registration last year, and now we have custom roles for enterprise apps in public preview. We also have custom roles for consent management and group management in private preview that will go to public preview in a few months.

Second: Manage intelligently at scale. Now you could say that having a smaller number of those Bobs in my building, although it keeps me secure, hampers my productivity when he falls sick. Yeah, and that cannot be further from the truth. Productivity and security must go hand in hand. Wouldn’t it be great if you had a separate person to manage each floor of the building? That’s what we also want to do. We want to help you efficiently scope down the privileges of your administrators, and help manage the role assignments at scale. For that, we have Administrative Units. Using Administrative Units, you can break down your organization into small logical chunks, and scope down your administrators’ privileges to these admin units instead of the entire tenant scope. Think of it as a cloud equivalent of your on-prem organizational units, with some differences. Admin Units support users and groups today, and we are working hard to bring other Azure AD objects like devices and applications under the purview of admin units.

We also shipped one of the most popular feature requests that we had over the past couple of years: assigning roles to groups. You can now assign a role to a group instead of assigning it to users individually. Additionally, your privileged role administrator can put an owner on this group, and that person can now manage the membership of the group and effectively also manage who gets the role. So you can delegate the role management as well.

Third: Rest on a security cushion. Why should our superhero Bob even have permanent ownership of the key chain of the entire building? He could have it in his possession only for a specific period of time. Similarly, giving your admins standing access is not secure. We have Privileged Identity Management, or PIM, using which you can grant just-in-time access to Azure AD and Azure resources. And we are making it better with every passing day.

Recently, we shipped an integrated PIM experience. Now, to make time-bound role assignments, you don’t have to go to a different PIM extension in the Azure portal. If you have a P2 license, you will get the PIM experience right inside the Roles and administrators blade of Azure AD itself.

Privileged access groups. Using this feature, you can make someone a just-in-time member or owner of a group. This is on top of what you can already do with Azure AD roles.

Discovery and insights. This is yet another cool feature that we shipped, using which you can get intelligent insights into the usage of highly privileged roles in your tenant.

So you can see, we are constantly making great progress towards our North Star to help you achieve that state of least privilege. By the way, the session is a bit advanced. So if you are not familiar with some of the things that I talked about, it is a good time to hit pause here and refer to our documentation, aka.ms/azureadrbac101 and aka.ms/pim101.

With that said, it is time to see some of these features in action. My colleague Satish will start with a demo of how you can create custom roles for enterprise apps management.

>> Let’s take a look at using custom roles for delegating enterprise application management. You now have a set of permissions to grant fine-grained access to enterprise application management, such as single-tenant configuration, credential management, and assignment of users and groups. Let’s create a custom role to delegate assignment of users and groups. Go to the Roles and administrators blade, New custom role, let’s give it a name. Let’s pick the right permission, Review and create, we’re done. We just created a custom role to delegate assignment of users and groups. You can now assign this role at the directory scope, or you can scope this to a specific enterprise application. To do this at a directory-level scope, go to the role you just created from the Roles and administrators blade. We see this is right on the top. Click on Add assignments. Let’s pick Allen. We now have Allen at the directory-level scope; you can see the scope here. If you want to do this for a specific enterprise application, go to the Enterprise applications blade. Let’s pick Contoso Marketing Application, go to the Roles and administrators blade, search for the role that we just assigned, Add assignment, let’s pick Alice. You can now see Alice is scoped at this resource, which is the enterprise application Contoso Marketing Application, and Allen was scoped at a directory level. Thank you.

>> And now, Anand will give a demo of how to create administrative units to do an admin unit scoped role assignment.

>> You can find Azure AD administrative units in the Azure AD portal on the left-hand navigation panel. Adding an administrative unit is easy. Click on Add, provide the name of the administrative unit you’re creating, and then optionally, you can provide a description. You also get the option to add an administrative role. Here we are adding Jane as password administrator for this new administrative unit. Click on Next and Create, and you’re done with creating a new administrative unit.

Adding users and groups is equally easy; you can do it in a few clicks. You can add a user individually to the administrative unit, or you can use the bulk activities option to upload multiple users at the same time into the administrative unit. Here, we have added a CSV file which contains multiple users. And as the operation succeeded, you can see that all the users that were part of the CSV file are now added in this administrative unit.

The delegated administrators have administrative permissions only on the administrative unit that they are scoped to. In this example, Jane is going to go ahead and reset the password of a user in the newly created Mexico Corp Resource administrative unit. Here, Jane is able to successfully reset the password of the user in the administrative unit. However, if Jane tries to go and reset the password of a user, say here at branch, who is not assigned to the administrative unit, then the operation will fail. So now you can start delegating administrative privileges on a specific scope using the administrative unit.

>> I’ll give you a demo of how to assign roles to a group and leverage the privileged access groups feature to put an eligible owner on this group. Here I am logged in as Lee. Lee could be a privileged role administrator or a global administrator in the tenant. Let me start with creating a new group and setting a special flag on this group to make it role-assignable. So I’ll go to Azure AD, go to Groups, and then click on New group. I’ll set this flag on the group, and then select two members. Say the members are Bob and Charlie. Let’s click on Create, and the group gets created.

Now, let me go and assign this group an eligible membership to the help desk admin role. I will make this an eligible membership and then select this time period. Awesome. So as you can see, this group has been assigned the help desk administrator role for this time period. Now let’s go and take a look at what happens to the members. I’ll select Bob, go to Assigned roles, and you can see that Bob inherits the same role, help desk administrator, for that same time duration.

Now let me log in as Bob and see what his experience is. Here I am logged in as Bob; let me find a user and try to reset her password. So I’ll go to Azure AD, go to Users, and find Becky. Now I’ll try to reset the password, and I get access denied. It is expected: by virtue of being a member of the Contoso Europe Admins group, I am eligible for the help desk admin role, but I haven’t activated it yet. So let me go and activate my role membership. We’ll go to PIM, My roles, and then I will activate my help desk admin membership. I’ll put in a justification. Awesome. Activation has been successful and my browser has refreshed. Now let me go to Azure AD and check my role membership now. If I go to Azure AD, you can see that I have the help desk administrator role. Now, let me try to reset Becky’s password again. I’ll find Becky, and this time the operation is successful.

So far, so good. What I have shown you is that Lee makes a group an eligible member of a role via PIM, and Bob inherits that eligible role assignment by virtue of being a member of that group.

Now I am back as Lee. Lee does not want to be in the business of day-to-day management of help desk admins. She wants to delegate the responsibility to her colleague, Eve. So she can make Eve an owner of the group, and thereafter Eve can manage the membership of the group and effectively also manage who gets the help desk admin role. But instead of making her a standing owner of the group, Lee wants to make her a just-in-time owner. Yes, that’s where our cool feature, privileged access groups, comes into play. So let’s find our group, Contoso Europe Admins, and enable it for PIM. So I’ll go to Groups, I’ll find the group that we just created, go to the Privileged access option over here, and then click on Enable privileged access. Once I click on this option, the group will be onboarded to, and can be managed by, PIM. And that’s it. Now you can see that Bob and Charlie are the active members of this group, and there is no eligible owner of this group. So let me go and add Eve. Let me find Eve here. I will make Eve an eligible owner. So I’ll leave it like that, and then leave the time period as is. Awesome. Now you can see that Eve is an eligible owner of this group for this time duration.

Now let me log in as Eve, and see what exactly her experience looks like. Okay, I am logged in as Eve now. Let me go find our group and see what’s going on. So I’ll go to Azure AD, go to Groups, find our group. And as you can see, there is no owner, and for me, the Add member option is also disabled. This is expected, because I haven’t activated my ownership yet. For that, I’ll have to go to PIM and activate my ownership. So I go there, go to My roles, go to Privileged access groups, and then here is the group that I’ll go and activate. All right, my role activation is successful, and the browser has refreshed. So let me go back to Azure AD and see what’s the state there. So I’ll go, I’ll find our group again, and now you can see that the owner has started showing up. And when I go to Members, I can now add one more member. So let me add Steve over here. And this is successful.

To summarize: first, Lee, who is a privileged role admin or a global admin in her tenant, creates a role-assignable group and makes it an eligible member of the help desk admin role. Second, Bob, who inherited the eligible membership, can then activate his role and exercise those privileges for a fixed time duration. And third, Lee can also delegate the management of the group to Eve by making her not a permanent, but an eligible owner of this group. So as you can see, using the power of groups and PIM in Azure AD, IT admins can not only automate the role management at scale, they can further delegate it and also do it in a more secure way.

Now let me invite my friend, Steve, to do the demo of discovery and insights.

>> I am now going to discuss one of the newest features the PIM team has shipped this past quarter, called Discovery and Insights. Ever since the launch of PIM in 2016, we have always had a security wizard which helped newly onboarded customers discover persistent administrators in their directory and batch-convert them to eligible. However, there’s been limited usage of this feature because it didn’t have any recommendations or insights to help customers with their PIM deployment. After all, knowing who has what role might not be enough to know whether you should make them eligible or not. Based on this feedback, we took the opportunity to upgrade this feature as part of our code base migration and renamed it Discovery and Insights.

Today, you can use this feature to quickly discover assignments in your directory and view recommendations on how to secure them, whether it’s converting them to eligible or kicking off an access review. You can access this feature by going to Privileged Identity Management, clicking on Azure AD roles, and Discovery and insights in the left navigation. On top here, we have a few quick definitions to help familiarize new customers with PIM’s functionality. This is going to be very useful for first-time PIM customers coming to understand how they can use PIM to protect their privileged roles.

Underneath each definition, you will see these cards that categorize privileged assignments in your directory, along with recommendations on how to secure these assignments. Today, as part of the preview, we have three different cards. The first card shows the number of global administrators in your directory and makes the recommendation that you should have less than five persistent global administrators, but more than two, because you should at least have two global administrators for break-glass scenarios. Clicking into this card, you will be able to see all the users in this role and have the option to multi-select and convert them to eligible or kick off an access review. The second card is very similar to the first. The only difference is that instead of just the global administrator, we are looking at role assignments to eight highly privileged roles in the directory. Users assigned to these roles, like privileged role administrator, Exchange administrator, et cetera, should also be secured with PIM, as they open up additional attack surfaces and are often forgotten. Finally, the third card will allow you to view all service principals assigned to any Azure Active Directory roles. Compared to human accounts, service principals are often overlooked when it comes to privileged assignments. However, someone in your organization might have set up automations with service principals that have highly privileged access. When you click into this card, you will be able to view all the service principals with privileged assignments and decide whether you want to remove them or not.

Even though this feature is made for first-time customers, we encourage existing customers to use it for ongoing maintenance of their PIM implementation. We know from our customers that it is super difficult to keep a secure posture over time, as access gets delegated and often forgotten. In the future, we will look to add more cards. Specifically, we’ll start surfacing more intelligent insights about over-privileged assignments through this experience. For example, if a user is assigned to a highly privileged role but can in fact do all of their day-to-day activity with a lesser privileged role, we can flag that assignment and give you our recommendation. We also hope to launch a similar experience for Azure resources so that you can quickly discover and secure privileged assignments across multiple resources. Thanks, everybody. And that wraps up the demo for Discovery and Insights.

Now Abhijeet and I are going to talk about the roadmap. We’ll start with some of the Azure Active Directory RBAC capabilities first. Abhijeet?

>> This is my favorite part, because I get an opportunity to show you what we are spending our energy on, and get the much-needed feedback to do course correction if needed. All right, so here it is. The slide has two sections: features that are in preview, and features that are still under development.

Let’s start with the items that are in preview. Number one: as I mentioned before, custom roles for consent management and group management are in private preview. So you can see, we are gradually ticking all the check boxes. We started with custom roles for application registration management, then enterprise apps, then consent and group management. Once we are done with these, custom roles for users and devices will also follow. Second: you saw the demo; assigning built-in roles to groups, to cloud groups, is in public preview right now. So you can go ahead and use it. Third: scoping the management of users and groups via administrative units is also available in public preview, and it will go to general availability very soon. Fourth: the ability to assign admin unit scoped roles or custom roles to service principals is available in private preview right now.

Now Steve will talk about the work that he is leading in the PIM world. Take it away, Steve.

>> Thanks, Abhijeet. In preview today, we have just-in-time group membership via PIM through our privileged access groups. These new groups enable you to get just-in-time access to the group itself. You can apply this just-in-time capability to the owners and the members of the group. In addition, you can do really cool things like activate multiple roles in a single request by using the same group assigned to multiple roles. In addition, you can apply these groups to Azure resources, giving individuals access to more resources in a single activation request.

Number six: still in private preview, Privileged Identity Management integration with Conditional Access. This feature enables administrators to put additional constraints on the requirement for individuals to activate privileged roles. When an eligible user goes to activate a privileged role, administrators can require additional capabilities such as: must be on a hybrid domain-joined machine, must be coming from a specific IP address range, or something as complex as accepting a terms of use agreement in order to access a privileged role.

Now, these next features we’re going to talk about are in development. Number seven: Privileged Identity Management support for admin unit scoped role assignments. This is a highly requested feature and something that we’re working really hard to make available very soon. In addition, one of the top customer asks that we have is for a Microsoft Graph API to be in version one so that our customers can manage PIM programmatically. So we’re pushing really hard to make this one a success. Number nine: for those of you not familiar with Office Privileged Access Management, it’s a tool that enables you to set approval workflow orchestration in order to execute privileged actions within the Office 365 platform. In the new Microsoft admin center, there’s already an experience to enable this capability. We’re working to integrate the Privileged Identity Management capabilities for role management with this privileged access management experience. This will enable our customers to have a cohesive experience for privileged identity and access management within the Microsoft admin center.

I’m now going to turn it over to Abhijeet to talk about the rest of the development work we’re doing.

>> Thanks, Steve. Number 10: we are also working on a single point of RBAC management across M365 services. We call it Unified RBAC. Azure AD and Intune are already supported on this platform. Older M365 RBAC workloads like Exchange will follow. Number 11: I mentioned in my North Star slide, we are very serious about removing all the global admin dependencies, and we are building a ton of new built-in roles for that. Our customers have time and again asked for a domain admin role, because right now only a global admin can manage custom domain names. So yes, it is coming. If your organization uses Attack Simulator in the Security and Compliance Center to run realistic attack scenarios and find vulnerabilities, there is good news. We are building two new lower privileged roles for managing that: Attack Simulator Admin and Attack Payload Author. At last Ignite, we introduced Project Cortex, which is an AI-powered service to help you create the knowledge network of your organization’s data. We are also creating two built-in roles for that: Knowledge Admin and Knowledge Manager. Number 12: we have the capability of assigning built-in roles to cloud groups in public preview, and we are actively working to bring custom role support for groups as well. And last, we know a lot of you are still using on-prem groups for admin access. So don’t worry, we have it on our radar. We are working on supporting on-prem groups for roles as well.

That is the full picture of our roadmap. Our developers across the globe are hitting their keyboards right now to bring all these features to fruition. So tell us, what do you think? Go to aka.ms/azureadrbacsurvey and answer some questions that we have for you. It will help us understand what is important to you, and realign our priorities if needed. We can’t wait to see how you all are going to leverage the capabilities that we shipped and make a difference in the world during these difficult times. Thank you.

>> Thank you.