blog.atwork.at

news and know-how about microsoft, technology, cloud and more.

Use Delegate365 with Privileged Identity Management (PIM)

In today's digital landscape, managing privileged access to applications is crucial for maintaining security and compliance. Microsoft Entra Privileged Identity Management (PIM) offers a robust solution to manage, control, and monitor access within your organization. In this guide, we walk you through configuring Microsoft Entra PIM for Delegate365, so that only users who have activated their membership in a security group can sign in.

Delegate365 integrates with Microsoft Entra Privileged Identity Management out of the box. With the configuration below, administrators can only access Delegate365 with their standard work accounts while their PIM membership is active. Without an active PIM membership, access to Delegate365 is denied. This article shows how to configure PIM for Delegate365. Background on PIM is available at What is Microsoft Entra Privileged Identity Management?

Requirements for using PIM

Microsoft Entra Privileged Identity Management (PIM) requires one of the following licenses:

- Azure Active Directory (AD) Premium P2 (now sold as Microsoft Entra ID P2): available as a standalone add-on license.
- Microsoft 365 Enterprise E5: includes the necessary PIM features.
- Microsoft 365 Education A5: the equivalent for educational institutions.
- Enterprise Mobility + Security (EMS) E5: this bundle also includes PIM capabilities.

These licenses grant full access to PIM features, enabling you to manage, control, and monitor privileged access. Note that every user who is made eligible in PIM needs one of these licenses, not only the administrator who configures it.

Configure PIM for Delegate365

First, we create a new security group with eligible members for PIM. Then, we allow only members who have activated that group access to the Delegate365 app. The walkthrough signs in as Global Administrator; for least privilege, Privileged Role Administrator is sufficient for the PIM steps and Cloud Application Administrator for the enterprise application steps. Follow these steps:

1. Open the Azure portal and sign in as Global Administrator of your M365 tenant.
2. Navigate to Entra ID / Groups and click on New group.
3. Create a new security group. Here, we name this group "Delegate365-PIM-Group" and click on Create. Do not add members here. We do this in the following steps with eligible PIM members.
4. When the group has been created, open it and click on the Activity / Privileged Identity Management menu. Click on the button "Enable PIM for this group".
5. Now we add members to the eligible PIM settings. Click on Eligible assignments and then on Add assignments.
6. On the Add assignments page, select the role Member and add the users that shall get access. In this sample, we add the users admin and AdeleV. When done, click on Next.
7. Set the assignment type to Eligible and the time frame as needed. Confirm with the Assign button. The assignment is made. In our sample, the two users can now activate the group membership. The group is ready to use.

Next, we configure the Delegate365 sign-in app so that only members of this group can use it:

8. Open the Microsoft Entra ID module and navigate to Manage / Enterprise applications.
9. In the Enterprise applications, search for "Delegate" and set the filter Application type to All Applications to see all apps. Click on the "Delegate 365 Multitenant" app. This app is used for the login process. You can find more information about the apps under Delegate365 Applications. Note: If you find multiple apps named "Delegate 365", you can identify the current app in Delegate365 in the Administration / App settings menu. In this sample, we identify the Multi tenant app by the Application Id "5f3ff...".
10. In the app settings, open the Properties menu. Set Assignment required to Yes and click on Save.
11. Open the Users and Groups menu and click on Add user/group.
12. Click on the link None selected below Users and groups. Search for the group "Delegate365-PIM-Group", select it, and click on Select.
13. Confirm by clicking on the Assign button.

Now the Delegate 365 Multitenant app can only be used by members of that group. Note that Entra ID evaluates direct group membership only when it enforces Assignment required, so the PIM-managed group itself must be assigned to the app; membership inherited through a nested group does not count.
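The same configuration as an added example in Microsoft Graph PowerShell (this is not code from the original post or from the Delegate365 product). It assumes the Microsoft.Graph modules are installed, that the signed-in administrator holds the roles named above, that the user principal names are constructed placeholders, that "Delegate 365 Multitenant" resolves to exactly one service principal in the tenant, and that this app defines no app roles, so the all-zeros default role id grants plain access. Creating the first eligibility schedule request is treated here as the API equivalent of the portal's "Enable PIM for this group" button; verify the group shows up under PIM afterwards.

```powershell
# Added example, not part of the original article: create the PIM-managed group,
# make two users eligible, and lock the Delegate365 sign-in app to that group.
#Requires -Modules Microsoft.Graph.Groups, Microsoft.Graph.Users, Microsoft.Graph.Applications, Microsoft.Graph.Identity.Governance

param(
    [string]$GroupName   = 'Delegate365-PIM-Group',
    [string]$AppName     = 'Delegate 365 Multitenant',
    # Constructed sample UPNs; replace with real accounts.
    [string[]]$Eligible  = @('admin@contoso.onmicrosoft.com', 'AdeleV@contoso.onmicrosoft.com'),
    [string]$EligibleFor = 'P365D'   # ISO 8601 duration of the eligible (not active) assignment
)

Connect-MgGraph -Scopes 'Group.ReadWrite.All',
                        'User.Read.All',
                        'PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup',
                        'Application.ReadWrite.All',
                        'AppRoleAssignment.ReadWrite.All'

# 1. Security group with no direct members; membership is only ever granted through PIM.
$group = New-MgGroup -DisplayName $GroupName `
                     -MailNickname ($GroupName -replace '[^A-Za-z0-9]', '') `
                     -MailEnabled:$false -SecurityEnabled

# 2. Eligible member assignments. Assumption: the first eligibility schedule request
#    onboards the group to PIM for Groups; there is no separate "enable" call in this API.
foreach ($upn in $Eligible) {
    $user = Get-MgUser -UserId $upn
    $request = @{
        accessId      = 'member'
        principalId   = $user.Id
        groupId       = $group.Id
        action        = 'adminAssign'
        justification = "Eligible for $AppName via PIM"
        scheduleInfo  = @{
            startDateTime = (Get-Date).ToUniversalTime().ToString('o')
            expiration    = @{ type = 'afterDuration'; duration = $EligibleFor }
        }
    }
    New-MgIdentityGovernancePrivilegedAccessGroupEligibilityScheduleRequest -BodyParameter $request | Out-Null
}

# 3. Enterprise application: require assignment, then assign the group.
#    Fail loudly on an ambiguous name instead of locking down the wrong app; in that case
#    filter on appId (visible in Delegate365 under Administration / App settings) instead.
$sp = Get-MgServicePrincipal -Filter "displayName eq '$AppName'"
if (@($sp).Count -ne 1) {
    throw "Expected exactly one service principal named '$AppName', found $(@($sp).Count)."
}

Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AppRoleAssignmentRequired:$true

# Assumption: the app defines no app roles, so the default role id (all zeros) means "access".
New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id `
    -PrincipalId $group.Id -ResourceId $sp.Id -AppRoleId ([Guid]::Empty) | Out-Null

# Verification: no direct members yet, and the app now refuses unassigned users at sign-in.
$members = Get-MgGroupMember -GroupId $group.Id
"Direct members: $(@($members).Count) (expected 0 until someone activates)"
"Assignment required: $((Get-MgServicePrincipal -ServicePrincipalId $sp.Id).AppRoleAssignmentRequired)"
```

Run it once per tenant. The verification lines at the end are the two properties that together make the gate work: the group must stay empty until a PIM activation adds a member, and the service principal must keep AppRoleAssignmentRequired set to true, so both are worth checking from a scheduled configuration-drift job.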
The configuration is completed.

Try it out without PIM

Now let's try it out without an active PIM membership. Open a browser in In-Private mode and open the Delegate365 URL with a user, here with the account "admin". After the sign-in process, we get an error:

"Your administrator has configured the application Delegate 365 Multitenant ('5f3ff1c7...) to block users unless they are specifically granted ('assigned') access to the application. The signed in user 'admin@M365....onmicrosoft.com' is blocked because they are not a direct member of a group with access, nor had access directly assigned by an administrator. Please contact your administrator to assign access to this application."

So the user is denied access to Delegate365. Entra ID rejects the sign-in before Delegate365 itself is reached, because the user is not yet a direct member of the assigned group.

Activate PIM and open Delegate365

Now let's activate our group membership with PIM and sign in. Follow the steps here, or see the article Activate a Microsoft Entra role in PIM.

1. Open https://portal.azure.com with your user and sign in.
2. Search for "Privileged Identity Management". Click on Tasks / My roles.
3. Click on Activities / Groups. In Eligible assignments, the group "Delegate365-PIM-Group" should show up. Click on the action Activate on the right side to activate the membership for this group.
4. Enter the duration and a justification for the activation of the group membership.
5. PIM is now activating the membership. This process can take a minute or so. When done, the assignment is listed under Active assignments.
6. Now open another browser tab and open the Delegate365 URL. With the PIM membership activated, the Delegate365 portal opens and grants access to its functions.

Delegate365 can now only be used by authorized users with an active PIM membership in the "Delegate365-PIM-Group".

When the PIM role has expired

If an activity occurs in Delegate365 after the PIM membership has expired, a notification message appears indicating that no PIM membership is active. At this point, Delegate365 becomes unusable.
The membership is only provisioned for the requested duration and must be re-requested each time you need to use Delegate365. Choose the activation duration to cover an administration session rather than a working day: the shorter it is, the smaller the window in which a hijacked admin session can use Delegate365.

Summary

Implementing Microsoft Entra Privileged Identity Management (PIM) for Delegate365 is a practical step to improve your organization's security and compliance. PIM provides a framework for managing, controlling, and monitoring privileged access, ensuring that only authorized users can perform critical tasks. By using PIM, you enforce just-in-time access, reduce the risk of unauthorized access, and keep your application environment secure.

If you haven't configured PIM for Delegate365 yet, follow the steps outlined in this guide to set it up and take control of your privileged access management.
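The user-side activation and the expiry check described above, as an added example in Microsoft Graph PowerShell (again not code from the original post or from Delegate365). It assumes the signed-in user already holds an eligible member assignment on the group, that the group name matches the article, and that the default User.Read consent is in place so the script can resolve its own object id. Durations are ISO 8601 (PT2H is two hours). It goes slightly beyond the portal walkthrough by re-using an activation that is still running instead of requesting a second one, and by polling until the membership is actually provisioned.

```powershell
# Added example, not part of the original article: activate the eligible group membership
# as the signed-in user, wait for provisioning, and report when it will expire.
#Requires -Modules Microsoft.Graph.Groups, Microsoft.Graph.Identity.Governance

param(
    [string]$GroupName = 'Delegate365-PIM-Group',
    [string]$Duration  = 'PT2H',                         # keep this short; re-request when it lapses
    [string]$Reason    = 'Delegate365 administration'    # justification shown in the PIM audit log
)

Connect-MgGraph -Scopes 'Group.Read.All',
                        'User.Read',
                        'PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup'

$group = Get-MgGroup -Filter "displayName eq '$GroupName'"
if (@($group).Count -ne 1) { throw "Expected exactly one group named '$GroupName'." }

# /me returns a hashtable with the caller's object id (assumes User.Read consent).
$me = Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/v1.0/me'

function Get-ActiveMembership {
    # Active (provisioned) member instances of this user on this group; empty when expired.
    Get-MgIdentityGovernancePrivilegedAccessGroupAssignmentScheduleInstance `
        -Filter "groupId eq '$($group.Id)' and principalId eq '$($me.id)'" |
        Where-Object { $_.AccessId -eq 'member' }
}

$active = Get-ActiveMembership
if ($active) {
    "Membership already active until $($active.EndDateTime) (UTC); no new request needed."
    return
}

# selfActivate is the API equivalent of "Activate" under My roles / Groups in the portal.
$request = @{
    accessId      = 'member'
    principalId   = $me.id
    groupId       = $group.Id
    action        = 'selfActivate'
    justification = $Reason
    scheduleInfo  = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString('o')
        expiration    = @{ type = 'afterDuration'; duration = $Duration }
    }
}
$result = New-MgIdentityGovernancePrivilegedAccessGroupAssignmentScheduleRequest -BodyParameter $request
"Request $($result.Id): status $($result.Status)"   # PendingApproval if the group requires approval

# Activation is not instant (the article notes about a minute); poll for the instance.
$deadline = (Get-Date).AddMinutes(3)
do {
    Start-Sleep -Seconds 10
    $active = Get-ActiveMembership
} until ($active -or (Get-Date) -gt $deadline)

if (-not $active) { throw 'Activation did not complete; check the request status or approval queue in PIM.' }
"Active until $($active.EndDateTime) (UTC). Open the Delegate365 URL now and re-run this script after it expires."
```

The EndDateTime printed at the end is the moment after which Delegate365 reports that no PIM membership is active; scripting the activation this way also gives every session a justification string that ends up in the PIM audit log, which is what an incident responder will later want to correlate with Delegate365 activity.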

Why Only Users Can Apply Sensitivity Labels in Microsoft 365

Sensitivity labels in Microsoft 365 are a crucial feature for organizations to protect and manage their data. These labels allow organizations to classify and safeguard sensitive information based on its level of confidentiality. By applying sensitivity labels, organizations can control access, encrypt data, apply policies, and track and monitor sensitive information. Users can apply sensitivity labels to classify and protect their data. However, applications unfortunately cannot currently assign sensitivity labels.

Grant permissions to the GT365 app

Our Governance Toolkit 365 (GT365) provides information and automation solutions for a Microsoft 365 tenant. In order to use the functions, this app must be approved by an administrator. In addition, new solutions are constantly being added. Some of these also require new permissions. You can find out how you as an administrator can grant and renew these permissions here.

Retrieve User PIM Role Assignments and History with Microsoft Graph REST API

Microsoft Entra Privileged Identity Management (PIM) allows administrators to manage role assignments efficiently, ensuring that users have the necessary permissions only when needed. By following a few simple steps, administrators can make users eligible for specific roles, activate roles as required, and manage both built-in and custom roles. This process enhances security by minimizing the duration and scope of privileged access, making it a crucial tool for maintaining a secure and compliant environment. In this article, we explore how to read a user's Microsoft Entra roles and history using PIM and the Microsoft Graph REST API.

List Flows as Admin V2 API endpoint

A year ago, Microsoft announced the "Transition to List Flows as Admin V2 action from deprecated List Flows as Admin action" for Power Automate. Well, we were using the old API endpoint until it stopped working recently. It took some time until we found workarounds or a successor. The PnP modules also still use the old API, and the endpoint address is currently not documented on any Microsoft website. Find it here!

Enhance your Copilot with Graph Connector relevance tuning

Graph connectors bring your data into Microsoft 365 search and Microsoft 365 Copilot. A fresh addition to Copilot's capabilities is the Relevance Tuning feature, which lets you influence how strongly connector content is weighted in results.

Working with Microsoft Entra ID Applications - Part 2

In Part 2 of this series, we look into setting up and managing applications in a Microsoft 365 tenant. In Part 1, I focused on how Azure AD applications can be used to provide secure access control to data and services. I demonstrated how to create an Azure AD application in the home tenant and the importance of integrating with Azure AD for centralized app registration, management, and security measures.

Working with Microsoft Entra ID Applications - Part 1

Microsoft Entra ID (or Azure AD) applications are cloud-based applications that can be integrated with Azure AD for authentication and authorization purposes. Using such applications provides a way to centrally manage and secure access to your cloud-based applications and services using Azure AD identities and credentials.

Create a new Viva Engage Community with Graph

In early 2023, Microsoft renamed Yammer to Viva Engage. This year we see the first small integration of Viva Engage with Microsoft Graph in beta. This article shows how to provision a new Viva Engage community, add owners and members using Graph in an Azure Logic app.