Requires either Entra ID P2 or Entra ID Governance
- Create a security group with the option to have Entra roles assigned to it.
- Go to the Privileged Identity Management page.
- Find a role and assign the newly created group in the Eligible assignments tab.
- For most cases this will be Permanently eligible; for contractors, the time-bound option works.
- Go to the Settings page. The defaults are a good start: 8 hours with MFA. No need to change them for now.
Let's test this out with the Exchange Admin role. Log in using the admin account added as a member of that newly created group.
- Go to admin.cloud.microsoft/exchange#/homepage. At this point the account has no Entra roles yet.
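
The setup steps above can also be scripted. This is an added example using the Microsoft Graph PowerShell SDK, not part of the original post; the group name, mail nickname and justification text are constructed values, and the role is looked up under its directory display name, "Exchange Administrator".

```powershell
# Added example: scripted equivalent of the portal setup steps (Microsoft Graph PowerShell SDK).
# Assumed/constructed values: group name, mail nickname, justification text.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'RoleManagement.ReadWrite.Directory'

# 1. Security group that can have Entra roles assigned to it.
#    IsAssignableToRole can only be set when the group is created; it cannot be changed later.
$group = New-MgGroup -DisplayName 'PIM-Exchange-Admins' `
    -MailNickname 'pim-exchange-admins' `
    -MailEnabled:$false -SecurityEnabled:$true `
    -IsAssignableToRole:$true

# 2. Look up the role definition by display name.
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Exchange Administrator'"
if (-not $role) { throw 'Role definition not found.' }

# 3. Make the group permanently eligible for the role at tenant scope ("/").
$request = @{
    action           = 'adminAssign'
    justification    = 'Exchange admins activate through PIM'
    roleDefinitionId = $role.Id
    directoryScopeId = '/'
    principalId      = $group.Id
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString('o')
        expiration    = @{ type = 'noExpiration' }
        # Time-bound (contractors): @{ type = 'afterDateTime'; endDateTime = '<ISO 8601 date>' }
    }
}
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $request | Out-Null

# 4. Check: the group is listed as eligible, and has no active assignment until a member activates.
Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter "principalId eq '$($group.Id)'" |
    Select-Object RoleDefinitionId, Status, MemberType
Get-MgRoleManagementDirectoryRoleAssignmentSchedule -Filter "principalId eq '$($group.Id)'"
```

The last command returning nothing is the expected result for a fresh setup: eligibility alone grants no standing access.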
- Go to portal.azure.com and find the Privileged Identity Management page.
- Go to Tasks\My roles\Microsoft Entra roles.
- Click on Activate for the role you want to activate.
- It will prompt for a reason. Keep the default 8 hours and wait several seconds.
- On the Active assignments tab, you should see the time-bound role.
- Go back to admin.cloud.microsoft/exchange#/homepage.