Privileged Identity Management – Custom Roles

As I have mentioned earlier, I believe and hope that Microsoft will be implementing more and more self-service features in Azure.

This is because I believe that automation and self-service are key components of a secure infrastructure, simply because manual processes are often bypassed or not followed correctly, either because the process is poorly described or implemented, or because it's easier not to.

Automated processes do the job exactly as well as they are programmed to, every time!

From that perspective, Microsoft's release of custom roles in Azure AD Privileged Identity Management is a great new feature.

As always, it is not quite there yet, but I hope that they will evolve this feature to meet my expectations.

As you will know if you have read earlier posts, Privileged Identity Management is a feature that allows privileges for various types of administrative roles to be assigned dynamically: members are made eligible and activate the role just-in-time for a limited period, instead of holding it permanently.

With the new release it is also possible to create custom roles in Azure AD that can be controlled through Privileged Identity Management.

There are three steps to this: creating the role in Azure AD, adjusting the settings for the custom role in PIM, and assigning members.

Creating the role in Azure AD:

Creating a custom role is a fairly simple procedure.

Locate Roles and administrators under Azure Active Directory and choose New custom role at the top.

Name the role.

Add the permissions. Pick only the actions the role actually needs; a custom role is only as least-privilege as the permission list you give it.

And create the custom role.

As I wrote, it is fairly simple. After a sync the role becomes available in PIM; from my tests this takes a little time, so be patient.

Adjusting the settings:

First locate Custom roles in PIM under Manage.

Under Manage, select Settings and then select the role you wish to configure.

Click Edit at the top and set the settings as desired: the maximum activation duration, whether MFA, a justification or an approval is required on activation, and who is notified.

Assigning members:

Under Manage roles your custom role should now be listed. Select the custom role and click Add member.

This brings up the following, where you can select the directory, the custom role, the members and the assignment settings (eligible or active, and for how long).

After choosing the settings I want, I can now see the new custom role under My roles.

Selecting Activate, I get the normal PIM activation window.

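The same three steps scripted with Microsoft Graph PowerShell instead of the portal, as an added example that is not from the original post (the post does everything in the portal). It assumes the Microsoft.Graph module is installed, that the signed-in account may manage directory roles and PIM policies, and that the role name, the permission actions, the UPN and the durations are placeholders to be replaced with your own.

```powershell
# Added example (not part of the original post): create a custom Azure AD role,
# tighten its PIM activation settings, and make a user eligible for it.
# Requires: Install-Module Microsoft.Graph -Scope CurrentUser
# Role name, actions, UPN and durations below are placeholders.

Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory",
                        "RoleManagementPolicy.ReadWrite.Directory",
                        "User.Read.All"

# --- Step 1: create the custom role in Azure AD -------------------------------
# Least privilege: list only the actions the role needs. These two application
# management actions are chosen purely as an example.
$roleDef = New-MgRoleManagementDirectoryRoleDefinition -BodyParameter @{
    displayName     = "App Credential Rotator (example)"
    description     = "Can read app registrations and update their credentials"
    isEnabled       = $true
    rolePermissions = @(
        @{ allowedResourceActions = @(
            "microsoft.directory/applications/standard/read",
            "microsoft.directory/applications/credentials/update"
        ) }
    )
}
"Created role '$($roleDef.DisplayName)' with id $($roleDef.Id)"

# --- Step 2: adjust the PIM settings for the new role -------------------------
# PIM settings are a role management policy bound to the role at directory
# scope "/". As the post notes, the policy shows up only after a sync, so poll.
$policyAssignment = $null
for ($i = 0; -not $policyAssignment -and $i -lt 12; $i++) {
    $policyAssignment = Get-MgPolicyRoleManagementPolicyAssignment -Filter `
        "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$($roleDef.Id)'"
    if (-not $policyAssignment) { Start-Sleep -Seconds 30 }
}
if (-not $policyAssignment) { throw "PIM policy for role $($roleDef.Id) is not available yet; retry later" }
$policyId = $policyAssignment.PolicyId

# Cap an activation at 2 hours ...
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId "Expiration_EndUser_Assignment" -BodyParameter @{
        "@odata.type"        = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"
        id                   = "Expiration_EndUser_Assignment"
        isExpirationRequired = $true
        maximumDuration      = "PT2H"
        target = @{ caller = "EndUser"; operations = @("All"); level = "Assignment" }
    }
# ... and require MFA plus a written justification on every activation.
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId "Enablement_EndUser_Assignment" -BodyParameter @{
        "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule"
        id            = "Enablement_EndUser_Assignment"
        enabledRules  = @("MultiFactorAuthentication", "Justification")
        target = @{ caller = "EndUser"; operations = @("All"); level = "Assignment" }
    }

# --- Step 3: assign a member as eligible (not permanently active) -------------
$user = Get-MgUser -UserId "alice@contoso.example"   # placeholder UPN
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter @{
    action           = "adminAssign"
    justification    = "Eligible for application credential rotation"
    roleDefinitionId = $roleDef.Id
    directoryScopeId = "/"
    principalId      = $user.Id
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString("o")
        expiration    = @{ type = "afterDuration"; duration = "P180D" }   # eligibility expires
    }
}

# What the "Activate" button in the post does: the eligible user files a
# self-activation request, which the policy above subjects to MFA, justification
# and the 2 hour cap.
New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter @{
    action           = "selfActivate"
    justification    = "Rotating client secret for ticket INC-1234"   # placeholder
    roleDefinitionId = $roleDef.Id
    directoryScopeId = "/"
    principalId      = $user.Id
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString("o")
        expiration    = @{ type = "afterDuration"; duration = "PT1H" }
    }
}
```

The eligibility request is the one to run as an administrator; the self-activation request at the end is what the eligible user runs (or clicks) and fails if run by an account that is not eligible. Granting `adminAssign` with action `adminAssign` on an assignment request instead of an eligibility request would make the role permanently active, which is exactly what PIM is meant to avoid.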

Conclusion

As mentioned, I am a big fan of automation when it comes to security management, and this feature is right up my alley.

Note that it is a preview, so test it out, but I wouldn't recommend building any new business processes on it yet.

As always, if you would like a live demo or have any questions, feel free to reach out to us at Mindcore.
