Lessons learned from PIM Implementation failures

Twice we attempted to implement Privileged Identity Management (PIM) for an Azure tenant, but unfortunately, we were unsuccessful both times. However, through these experiences, we gained valuable insights and lessons that I believe are worth sharing with you in this blog.

First things first: what is PIM?

Azure Privileged Identity Management (PIM) is a powerful solution offered by Microsoft Azure that helps organizations effectively manage and control access to privileged resources within their Azure environment. It adds a layer of security and improves the overall governance of privileged access by providing just-in-time access to privileged roles or resources: users are granted a privileged role only when they require it, and only for a limited time period. This reduces the attack surface and minimizes the risk of unauthorized access to critical resources.

Lesson 1: Interview people before doing anything else!

Every organization is different.

Prioritize spending time with individuals from various teams and diverse roles to gain insights into their daily utilization of Azure and the specific access requirements necessary to fulfill their responsibilities. The focus should be on understanding ‘what’ they require rather than the exact methods of obtaining it, or the ‘how’. Avoid placing individuals in situations where they lack the necessary permission to perform their job effectively.

Within each team, there are typically specific tasks or responsibilities that are exclusive to certain individuals or should be readily available when needed, resulting in the need for distinct access capabilities - "The What."

Lesson 2: Define the buckets - the PIM Roles.

Once you have conducted discussions with individuals, it is necessary to create a list of PIM (Privileged Identity Management) roles. At this stage, you do not need to delve into the specific details of each role, but rather focus on understanding the structure of the roles and the underlying reasons for their necessity. I strongly recommend having key stakeholders present in the discussion to advocate for the importance of each role.

Here are my guidelines for defining the role categories:

  1. Avoid overly specific PIM roles, such as "Azure App Insights Data Purger."

  2. Minimize the hierarchy as much as possible, avoiding roles like "The real God mode for super admins of Australasia region."

  3. Always consider the distinction between production workload and non-production workload. It is impractical for someone to require PIM access multiple times a day just to check Azure Application Insights data for a non-production workload.

  4. Ideally, when defining the role categories, focus the conversation on "who can manage what's in the infrastructure" rather than on "infrastructure management" itself. Automation should handle infrastructure management. However, if automation is not currently in place, take it into consideration during your discussions and role design.

  5. Remember that less is always better. Always strive for simplicity and minimize the number of roles involved.

Lesson 3: Map out what’s in the buckets - The PIM rights.

Once you have defined the PIM roles, it is essential to establish a clear connection between PIM roles and different Azure roles and permissions. Many people tend to create custom roles, which is a common mistake. Azure already provides a range of built-in roles that cover most scenarios. While there may be rare situations that occur once in a blue moon, it is best to stick with simplicity.

To avoid future complications, here are some guidelines to follow:

  1. Minimize the use of custom roles unless there is a compelling reason. Remember, your company is not the only one facing these challenges.

  2. Role-based mapping is key to achieving optimal results.

  3. Always give users the least amount of permission they need to do their job. The last six words are more important than the rest of the sentence!

Lesson 4: Document what is what, and keep it up-to-date

If you have previously experienced a poor implementation of PIM, you might find this situation familiar. You may be eligible for multiple PIM roles, but when it comes to role activation, you are uncertain which one provides the necessary access.

Take a moment to pause and reflect. If you find yourself eligible for numerous PIM roles, it indicates that there has been a lack of clarity in defining the required roles and their respective responsibilities.

To address this issue, I recommend documenting the PIM roles along with their corresponding permission levels. A simple and effective method is to create an Excel spreadsheet where you clearly outline the roles and permissions. Sharing this document with everyone involved ensures transparency and helps people understand the roles and their associated access rights.

Establish a systematic approach for managing changes in PIM role definitions, ensuring that updating the documentation is an integral part of this process.
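The guidelines from Lessons 2 to 4 can be kept honest by treating the role catalog as data and linting it whenever a role definition changes. The following is an added example and not part of the original post: a small Python lint that flags custom roles without a justification, PIM roles that mix production and non-production scopes, and users eligible for too many PIM roles, and that emits the "what is what" rows for the documentation sheet. The role names, subscription ids and users are constructed placeholders.

```python
# Added example, not from the original post: a lint over a PIM role catalog that encodes the
# post's guidelines (Lessons 2-4). Role names, subscription ids and users are constructed.
from collections import namedtuple

Assignment = namedtuple("Assignment", "azure_role scope")
PimRole = namedtuple("PimRole", "name environment assignments justification")

PROD, DEV = "/subscriptions/PROD-SUB-PLACEHOLDER", "/subscriptions/DEV-SUB-PLACEHOLDER"
SCOPE_ENV = {PROD: "prod", DEV: "nonprod"}          # Lesson 2: keep prod and non-prod apart
BUILT_IN = {"Reader", "Contributor", "Owner", "Monitoring Reader"}  # Lesson 3: prefer built-ins

CATALOG = [
    PimRole("Platform Operator (prod)", "prod",
            [Assignment("Contributor", PROD + "/resourceGroups/platform")], ""),
    PimRole("Observability Reader (prod)", "prod", [Assignment("Monitoring Reader", PROD)], ""),
    # Overly specific role backed by a custom role definition and no justification
    PimRole("App Insights Data Purger", "prod", [Assignment("Purge Operator (custom)", PROD)], ""),
    # One role spanning a prod and a non-prod subscription
    PimRole("Everything Admin", "prod", [Assignment("Owner", PROD), Assignment("Owner", DEV)], ""),
]
ELIGIBLE = {  # user -> PIM roles the user may activate (constructed)
    "alice": ["Platform Operator (prod)", "Observability Reader (prod)"],
    "bob": ["Platform Operator (prod)", "Observability Reader (prod)",
            "App Insights Data Purger", "Everything Admin"],
}

def env_of(scope):
    """Classify a scope by the subscription it sits under."""
    return next((env for sub, env in SCOPE_ENV.items() if scope.startswith(sub)), "unknown")

def lint_catalog(catalog, eligible, max_roles_per_user=2):
    """Return one finding per guideline violation; an empty list means the catalog is clean."""
    findings = []
    for role in catalog:
        for a in role.assignments:
            if a.azure_role not in BUILT_IN and not role.justification:
                findings.append(f"{role.name}: custom role '{a.azure_role}' has no justification")
            if env_of(a.scope) != role.environment:
                findings.append(f"{role.name}: {a.scope} is {env_of(a.scope)} but role is {role.environment}")
    for user, roles in eligible.items():
        if len(roles) > max_roles_per_user:  # Lesson 4: many eligibilities = unclear roles
            findings.append(f"{user}: eligible for {len(roles)} PIM roles")
    return findings

def documentation_rows(catalog):
    """One row per PIM role -> Azure role @ scope, i.e. the 'what is what' sheet from Lesson 4."""
    return [(r.name, r.environment, a.azure_role, a.scope) for r in catalog for a in r.assignments]

if __name__ == "__main__":
    print("\n".join(lint_catalog(CATALOG, ELIGIBLE)))
```

Running the lint in the same review step that changes a role definition keeps the documentation and the catalog from drifting apart.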
