Microsoft has moved two new features of its Entra Privileged Identity Management (PIM) solution to general availability. The newly launched “PIM for Groups” and “PIM integration with Conditional Access” functions align with Microsoft's definition of PIM as a tool that limits standing admin access to privileged roles, identifies who has access, and aids in reviewing privileged access.
The newly unveiled capabilities, now available for commercial use, refine IT controls for what is generally an intricate scenario. Microsoft positions the features within its Entra ID Governance and Microsoft Entra ID P2 licensing, covering Microsoft Entra, Microsoft 365 services, and Azure.
If you're unfamiliar with Entra Privileged Identity Management, it is a service that helps you protect your organization's resources from unauthorized or malicious access. It allows you to grant temporary and conditional access to privileged roles, such as Global Administrator or Azure Resource Owner, and monitor their usage. It also helps you audit and review the access history and permissions of your users.
Group Dynamics and PIM Enhancements
The PIM for Groups feature supplies previously missing controls by establishing “just-in-time group membership and ownership.” It also lets IT professionals define “role-assignable and non-role-assignable groups.” Role-assignable groups can be managed only by a Global Administrator, Privileged Role Administrator, or the group Owner, whereas non-role-assignable groups can be managed by personnel holding lower-privileged Microsoft Entra roles. Microsoft states that this feature requires specific Microsoft Entra ID Governance licensing, without further elaboration.
Microsoft released a preview of PIM for Groups three years ago, intended to make it easier to apply just-in-time access controls to group access. The feature was previously labelled “Privileged Access Groups,” and the use of role-assignable groups was a prerequisite; Microsoft dropped this requirement at the start of the current year.
Information Security and New Integration
The second new feature, PIM integration with Conditional Access, offers more refined policy controls over data access and is a tool for shaping Conditional Access policies for roles. By combining PIM with Conditional Access, users can now impose specific requirements on PIM role activations to strengthen their security posture.
IT professionals can stipulate Conditional Access for roles that requires the use of “modern authentication methods” along with compliant devices. They can also block role activation for “risky user” profiles, as determined by the Microsoft Entra ID Protection service. Microsoft has yet to provide information on the licensing requirements for the PIM integration with Conditional Access feature.