
The Super User feature of the Azure Rights Management service from Azure Information Protection ensures that authorized people and services can always read and inspect the data that Azure Rights Management protects for your organization. You can learn more about the super user feature and how to enable and manage it here.

 

One concern we have heard from customers about super user management is that adding a super user requires the Global Administrator role, and that once added the assignment is permanent until someone removes it manually. This adds complexity to the role management workflow and raises security, compliance and governance questions, especially at large companies with distributed IT organizations.

 

Azure Active Directory (Azure AD) Privileged Identity Management (PIM) is a service that enables you to manage, control, and monitor access to important resources in your organization. These resources include resources in Azure AD, Azure, and other Microsoft Online Services like Office 365 or Microsoft Intune. You can learn more about Azure PIM here.

 

One of the most anticipated PIM features has been the ability to manage membership of privileged Azure AD groups. You can now assign eligibility for membership or ownership of privileged access groups. You can learn more about this new capability here.

 

Note: As of this writing (August 2020) this feature is in preview, so it is subject to change.

So, how can this new feature help us with the problem outlined above? Let’s find out.

 

Enable the AIP Super User feature

If you have not enabled the Super User feature yet, connect to the AIP service as a Global Administrator (Connect-AipService) and run the following command: Enable-AipServiceSuperUserFeature. You can check the current state at any time with Get-AipServiceSuperUserFeature.

 

Figure 1: Enabling the AIP Super User feature

 

Note: Please take a moment to review our security best practices for the Super User feature.

 

Create an Azure AD group

Before you go ahead and create a new group, you need to consider:

  • AIP only works with identities that have an email address (the proxyAddresses attribute in Azure AD).
  • As of this writing (August 2020) the “isAssignableToRole” property can only be set when a new Microsoft 365 or Security group is created; you can’t set or change it on an existing group.
  • This new switch is only visible to Privileged Role Administrators and Global Administrators, because these are the only two roles that can set it.

Because the group must be both mail-enabled (for AIP) and role-assignable (for PIM), and role-assignability can only be set at creation time, this leaves us with a single option: a new Microsoft 365 group.

 

Figure 2: Creating a new Microsoft 365 group in the Azure Portal

 

If you prefer PowerShell, you can use it too:

Figure 3: Creating a new Microsoft 365 group using PowerShell

Figure 4: Reviewing properties of the new Microsoft 365 group using PowerShell

 

Enable PIM support for the new group

Our next step is to enable privileged access management for the group we have just created:

Figure 5: Accessing Privileged access configuration from the group management

Figure 6: Enabling Privileged Access for the new group

 

Add eligible members to the group

Now we can add assignments and decide who should be active or eligible members of our new group.

Figure 7: Adding assignments

 

Figure 8: Reviewing a list of the eligible members

 

Set the new group to use as the super user group for AIP

The Set-AipServiceSuperUserGroup cmdlet specifies a group to use as the super user group for Azure Information Protection. Members of this group are then super users, which means they become an owner for all content that is protected by your organization. These super users can decrypt this protected content and remove protection from it, even if an expiration date has been set and expired. Typically, this level of access is required for legal eDiscovery and by auditing teams.

You can specify any group that has an email address, but be aware that for performance reasons the Azure Rights Management service caches group membership. A membership change, including a PIM activation or a PIM deactivation, may therefore not be honoured by the service immediately, so do not assume that access ends exactly when the activation window closes. For information about group requirements, see Preparing users and groups for Azure Information Protection.

 

Figure 9: Adding the new PIM-managed group as the super user group
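The whole setup above, from enabling the feature through making a user eligible and pointing AIP at the group, as one PowerShell script. This is an added example and not the article's own code. It assumes the AIPService and AzureADPreview modules are installed, that the caller holds Global Administrator (for the AIP cmdlets) and Privileged Role Administrator or Global Administrator (to create a role-assignable group), that the group has already been onboarded to PIM as in Figures 5 and 6 (the script does not automate that step), and that the AzureADPreview PIM cmdlets accept the 'aadGroups' provider for privileged access groups, which was a preview API at the time of writing. The group name, mail nickname, eligible user and eligibility window are placeholders.

```powershell
# Added example, not from the original article. Provisions a PIM-managed AIP super
# user group end to end. Assumptions: AIPService + AzureADPreview modules, the group
# is onboarded to PIM already, and the PIM cmdlets accept ProviderId 'aadGroups'.
#Requires -Modules AIPService, AzureADPreview

$GroupDisplayName  = 'AIP-SuperUsers-PIM'               # assumed name
$GroupMailNickname = 'aip-superusers-pim'               # assumed mail nickname
$EligibleUserUpn   = 'ediscovery.analyst@contoso.com'   # assumed eligible member
$EligibilityDays   = 365                                # assumed eligibility window

Connect-AipService
Connect-AzureAD | Out-Null

# 1. Enable the super user feature only if it is not already enabled.
if ((Get-AipServiceSuperUserFeature) -ne 'Enabled') {
    Enable-AipServiceSuperUserFeature
}

# 2. Create a new, role-assignable Microsoft 365 group. IsAssignableToRole can only
#    be set at creation time, and AIP needs a mail-enabled group.
$group = New-AzureADMSGroup -DisplayName $GroupDisplayName `
    -Description 'JIT-activated super users for Azure Information Protection' `
    -MailEnabled $true -MailNickname $GroupMailNickname `
    -SecurityEnabled $true -GroupTypes 'Unified' `
    -IsAssignableToRole $true -Visibility 'Private'

# Re-read the group and fail early if it does not meet both requirements.
$group = Get-AzureADMSGroup -Id $group.Id
if (-not $group.IsAssignableToRole -or [string]::IsNullOrEmpty($group.Mail)) {
    throw "Group $($group.Id) is not role-assignable or has no mail address; AIP cannot use it."
}

# 3. Make the user *eligible* (not active) for membership. The Member role definition
#    for the group is looked up rather than hard-coded. (Assumed provider: 'aadGroups'.)
$user = Get-AzureADUser -ObjectId $EligibleUserUpn
$memberRole = Get-AzureADMSPrivilegedRoleDefinition -ProviderId 'aadGroups' -ResourceId $group.Id |
    Where-Object { $_.DisplayName -eq 'Member' }

$schedule = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedSchedule
$schedule.Type          = 'Once'
$schedule.StartDateTime = (Get-Date).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss.fffZ')
$schedule.EndDateTime   = (Get-Date).ToUniversalTime().AddDays($EligibilityDays).ToString('yyyy-MM-ddTHH:mm:ss.fffZ')

Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId 'aadGroups' `
    -ResourceId $group.Id -RoleDefinitionId $memberRole.Id -SubjectId $user.ObjectId `
    -Type 'AdminAdd' -AssignmentState 'Eligible' -Schedule $schedule `
    -Reason 'Eligible AIP super user for eDiscovery' | Out-Null

# 4. Point AIP at the group and verify the setting took.
Set-AipServiceSuperUserGroup -GroupEmailAddress $group.Mail
$configured = Get-AipServiceSuperUserGroup
if ($configured -ne $group.Mail) {
    throw "Super user group is '$configured', expected '$($group.Mail)'."
}

# 5. Governance check: super users added individually with Add-AipServiceSuperUser are
#    permanent and bypass PIM entirely, so there should be none left.
$standing = @(Get-AipServiceSuperUser)
if ($standing.Count -gt 0) {
    Write-Warning "Standing super users still assigned outside PIM: $($standing -join ', ')"
}
```

Step 5 is the check worth keeping as a recurring task: the PIM group only helps if nobody keeps a standing assignment on the side. If Set-AipServiceSuperUserGroup cannot resolve a group that was created seconds earlier, wait for directory replication and run that step again.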

 

Using the super user feature

Now that we have everything set up, let’s see what the end user (JIT administrator) experience is going to be.

 

First, for the sake of testing, we make sure that the test user cannot open a protected document to which he does not normally have access.

 

Figure 10: Error indicating that the user does not have access to the protected document

 

It’s time to elevate our access using Azure PIM:

 

Figure 11: List of the PIM-managed privileged access groups

Figure 12: List of privileged groups the user is eligible for

Figure 13: Privileged group activation dialog

Figure 14: Verifying that the user has the privileged group activated

 

After that the user is able to access the protected document and remove or change protection settings if needed.

 

Figure 15: Accessing a protected document as a super user
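The activation shown in Figures 11 to 14, done from PowerShell by the eligible user, followed by a check that the activation is in place before attempting to open protected content. This is an added example and not the article's own code. It assumes the AzureADPreview module, that the user signs in as themselves, that the group was onboarded to PIM, and that the PIM cmdlets accept the 'aadGroups' provider (a preview API at the time of writing). The group name, activation length and justification text are placeholders.

```powershell
# Added example, not from the original article. Self-service JIT activation of the
# AIP super user group and a verification of the result. Assumed provider: 'aadGroups'.
#Requires -Modules AzureADPreview

$GroupDisplayName  = 'AIP-SuperUsers-PIM'   # assumed; must match the configured super user group
$ActivationMinutes = 60                     # assumed; capped by the group's PIM activation setting
$Reason            = 'Ticket 12345: eDiscovery export of protected files'   # assumed justification

$ctx   = Connect-AzureAD
$me    = Get-AzureADUser -ObjectId $ctx.Account.Id
$group = Get-AzureADMSGroup -Filter "displayName eq '$GroupDisplayName'"
if (-not $group) { throw "Group '$GroupDisplayName' not found." }

# Confirm eligibility before requesting activation; filter client-side to keep it simple.
$myAssignments = Get-AzureADMSPrivilegedRoleAssignment -ProviderId 'aadGroups' -ResourceId $group.Id |
    Where-Object { $_.SubjectId -eq $me.ObjectId }
$eligible = $myAssignments | Where-Object { $_.AssignmentState -eq 'Eligible' } | Select-Object -First 1
if (-not $eligible) { throw 'Not eligible for this group; ask a Privileged Role Administrator.' }

# Request a time-bound activation (UserAdd + Active). If the group's settings require
# approval, the request stays pending until an approver acts on it.
$schedule = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedSchedule
$schedule.Type          = 'Once'
$schedule.StartDateTime = (Get-Date).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss.fffZ')
$schedule.EndDateTime   = (Get-Date).ToUniversalTime().AddMinutes($ActivationMinutes).ToString('yyyy-MM-ddTHH:mm:ss.fffZ')

$request = Open-AzureADMSPrivilegedRoleAssignmentRequest -ProviderId 'aadGroups' `
    -ResourceId $group.Id -RoleDefinitionId $eligible.RoleDefinitionId `
    -SubjectId $me.ObjectId -Type 'UserAdd' -AssignmentState 'Active' `
    -Schedule $schedule -Reason $Reason
$request

# Verify: an Active assignment in PIM and actual directory membership. AIP caches
# group membership, so the Rights Management service may lag behind both of these
# for a while, on activation as well as on deactivation.
$active = Get-AzureADMSPrivilegedRoleAssignment -ProviderId 'aadGroups' -ResourceId $group.Id |
    Where-Object { $_.SubjectId -eq $me.ObjectId -and $_.AssignmentState -eq 'Active' }
$isMember = (Get-AzureADGroupMember -ObjectId $group.Id -All $true).ObjectId -contains $me.ObjectId

[pscustomobject]@{
    ActiveInPim     = [bool]$active
    ActiveUntilUtc  = $active.EndDateTime
    DirectoryMember = $isMember
}
```

If ActiveInPim is true but opening the document still fails, that is the membership cache described under Set-AipServiceSuperUserGroup, not a failed activation; retry after a short wait rather than requesting a second activation.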

 

If required by your company’s policy, you can secure this elevation process even further by enforcing multi-factor authentication (MFA), a justification and approval on activation.

 

Figure 16: Customizing role activation options

 

For more information about role-assignable groups in Azure AD, see Use cloud groups to manage role assignments in Azure Active Directory.

 

Please also take a moment to review current limitations and known issues here.

 

 

Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.