In today's digital landscape, managing privileged access to applications is crucial for maintaining security and compliance. Microsoft Entra Privileged Identity Management (PIM) offers a robust solution to manage, control, and monitor access within your organization. In this guide, we'll walk you through the process of configuring Microsoft Entra PIM for your application, Delegate365, ensuring that only authorized users can access it through a security group.
Delegate365 is equipped with robust security features and offers seamless integration with Microsoft Entra Privileged Identity Management right out of the box. This integration ensures that administrators can only access Delegate365 using their standard work accounts when the PIM role is activated. Without activating the PIM role, access to Delegate365 is denied.
This article provides a guide on configuring PIM for Delegate365. You can find out details about PIM at What is Microsoft Entra Privileged Identity Management?
Requirements for using PIM
Please note that you can only use Microsoft Entra Privileged Identity Management (PIM) if you have one of the following licenses:
- Azure Active Directory (AD) Premium P2: This is available as a standalone add-on license.
- Microsoft 365 Enterprise E5: This includes the necessary PIM features.
- Microsoft 365 Education A5: Suitable for educational institutions.
- Enterprise Mobility + Security (EMS) E5: This bundle also includes PIM capabilities.
These licenses grant you full access to PIM features, enabling you to effectively manage, control, and monitor privileged access.
Configure PIM for Delegate365
First, we create a new security group with eligible members for PIM. Then, we allow only PIM activated group members access to the Delegate365 App. Follow these steps:
- Open the Azure portal, and sign in as Global Administrator of your M365 tenant.
- Navigate to Entra ID - Groups and click on New group.
- Create a new security group. Here, we name this group "Delegate365-PIM-Group", and click on Create.
Do not add members here. We will do this later in the following steps with eligible PIM members.
- When the group has been created, open it, and click on the Activity / Privileged Identity Management menu. Click on the button "Enable PIM for this group" as here.
- Now we add members to the eligible PIM settings. Click on Eligible assignments and then click on Add assignments.
- In the Add assignments page, select the role Member, and add the users that shall get access. In this sample, we add the users admin and AdeleV. When done, click on Next.
- Configure the assignment type to Eligible and the time frame as needed. Confirm with the Assign button.
- The assignment is made. In our sample, the two users can activate the group membership.
- The group is now ready to use. We have to configure the Delegate365 Sign-In app to
- Open the Microsoft Entra ID module, and navigate to Manage / Enterprise applications.
- In the Enterprise applications, search for "Delegate", and set the filter Application type to All Applications to see all apps. Click on the "Delegate 365 Multitenant" app. This app is used for the login process.
You can find more information about the apps under Delegate365 Applications.
- Note: If you find multiple apps named "Delegate 365", you can find the current app in Delegate365 in the Administration / App settings menu as here. In this sample, we identify the Multitenant app by the Application Id "5f3ff...".
- In the app settings, open the Properties menu. Set Assignment required to Yes. Click on Save.
- Open the Users and Groups menu and click on Add user/group.
- Click on the link None selected below Users and groups. Search for the group "Delegate365-PIM-Group" and select it. When done, click on Select.
- Confirm by clicking on the Assign button.
- Now we have configured the Delegate 365 Multitenant app to be only accessible for members of that group. The configuration is completed.
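The same configuration can be scripted, which is useful for repeating it in several tenants and for checking that the result matches what the portal steps produce. The following is an added example written with the Microsoft Graph PowerShell SDK; it is not code from this article or from the Delegate365 product. It assumes the Microsoft.Graph modules are installed and the signed-in account is a Global Administrator. The group name, the app display name and the two sample user names come from the steps above; the UPN domain, the scopes and the "noExpiration" eligibility are assumptions. Creating the first eligibility schedule request is what onboards the group to PIM for Groups, so no separate "enable PIM" call is needed.

```powershell
# Added example, not from the Delegate365 article: configure PIM for Delegate365 with the
# Microsoft Graph PowerShell SDK. Assumes Microsoft.Graph is installed and the caller is a
# Global Administrator of the tenant.
Connect-MgGraph -Scopes "Group.ReadWrite.All",
                        "Application.ReadWrite.All",
                        "AppRoleAssignment.ReadWrite.All",
                        "PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup",
                        "User.Read.All"

# 1. Create the security group empty. Members are added as PIM-eligible below, never directly,
#    otherwise they would bypass the activation step.
$group = New-MgGroup -DisplayName "Delegate365-PIM-Group" `
                     -MailEnabled:$false `
                     -MailNickname "Delegate365-PIM-Group" `
                     -SecurityEnabled

# 2. Eligible (not active) membership for the sample users. The first eligibility request
#    onboards the group to PIM for Groups. The UPN domain below is an assumed placeholder.
$eligibleUsers = @("admin@M365x.onmicrosoft.com", "AdeleV@M365x.onmicrosoft.com")
foreach ($upn in $eligibleUsers) {
    $user = Get-MgUser -UserId $upn
    New-MgIdentityGovernancePrivilegedAccessGroupEligibilityScheduleRequest `
        -AccessId "member" `
        -Action "adminAssign" `
        -GroupId $group.Id `
        -PrincipalId $user.Id `
        -Justification "Delegate365 administrator: eligible membership, activate via PIM" `
        -ScheduleInfo @{
            startDateTime = (Get-Date).ToUniversalTime()
            expiration    = @{ type = "noExpiration" }   # assumed: eligibility does not expire
        } | Out-Null
}

# 3. Find the enterprise application (service principal) used for the Delegate365 login.
#    If several apps carry this name, compare .AppId with the Application Id shown in
#    Delegate365 under Administration / App settings instead of trusting the display name.
$sp = Get-MgServicePrincipal -Filter "displayName eq 'Delegate 365 Multitenant'"
if ($sp.Count -ne 1) { throw "Expected exactly one service principal, found $($sp.Count)" }

# 4. "Assignment required = Yes": users without a direct or group assignment are blocked
#    at sign-in.
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AppRoleAssignmentRequired:$true

# 5. Assign the group to the app using the default access role (all-zero GUID), which is
#    what the portal's "Add user/group" dialog assigns for an app that defines no app roles.
New-MgGroupAppRoleAssignment -GroupId $group.Id `
                             -PrincipalId $group.Id `
                             -ResourceId $sp.Id `
                             -AppRoleId "00000000-0000-0000-0000-000000000000" | Out-Null

# 6. Verify the two properties that make the control effective: no direct members in the
#    group, and assignment required on the app.
$directMembers = Get-MgGroupMember -GroupId $group.Id
"Direct members of $($group.DisplayName): $($directMembers.Count) (expected 0)"
"Assignment required on $($sp.DisplayName): " +
    (Get-MgServicePrincipal -ServicePrincipalId $sp.Id).AppRoleAssignmentRequired
```

The final verification step is worth keeping in any script version: a single direct member added to the group later would hold permanent access without ever activating PIM, so a periodic check that the group has zero direct members is a cheap control.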
Try it out without PIM
Now let's try it out.
- Try to open Delegate365 with a user, here with the account "admin". Open a browser in In-Private mode, and open the Delegate365 URL.
- After the sign-in process, we get an error:
"Your administrator has configured the application Delegate 365 Multitenant ('5f3ff1c7...) to block users unless they are specifically granted ('assigned') access to the application. The signed in user 'admin@M365....onmicrosoft.com' is blocked because they are not a direct member of a group with access, nor had access directly assigned by an administrator. Please contact your administrator to assign access to this application."
- So, the user cannot get access to Delegate365.
Activate PIM and open Delegate365
Now let's activate our group with PIM and sign in. Follow the steps here, or see the article at Activate a Microsoft Entra role in PIM.
- Open https://portal.azure.com with your user and sign-in.
- Search for "Privileged Identity Management". Click on Tasks / My roles.
- Click on Activities / Groups. In Eligible assignments, the group "Delegate365-PIM-Group" should show up. Click on the Action Activate on the right side to activate the membership for this group.
- Enter the duration and a justification for the activation of the group membership.
- PIM is now activating the role. This process can take a minute or so.
- When done, the Active assignment is shown as here.
- Now open another browser tab, and open the Delegate365 URL. With activated PIM, the Delegate365 portal opens and grants access to its functions.
- Delegate365 can now only be used by authorized users with an active PIM role for the "Delegate365-PIM-Group".
When the PIM role has expired
If an activity occurs in Delegate365 and the PIM role has expired, a notification message will appear indicating that no PIM is activated. At this point, Delegate365 will become unusable. The role is only provisioned for the requested duration and must be re-requested each time you need to use Delegate365.
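The activation steps above and the expiry behaviour in this section can both be exercised from PowerShell, which is handy for an administrator who wants to activate the group membership and confirm when it ends before opening Delegate365. The following is an added example with the Microsoft Graph PowerShell SDK; it is not code from this article or from Delegate365. It assumes the group "Delegate365-PIM-Group" already exists with the signed-in user as an eligible member, and the two-hour duration and the justification text are assumptions. The `Test-PimGroupMembershipActive` function is a hypothetical helper written here; it reports whether an active assignment instance currently exists and when it expires, which is the state Delegate365 checks when it shows the "no PIM activated" message.

```powershell
# Added example, not from the Delegate365 article: self-activate the PIM group membership
# and check its remaining lifetime. Assumes the caller is already eligible for the group.
Connect-MgGraph -Scopes "PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup",
                        "Group.Read.All",
                        "User.Read"

$me    = Get-MgUser -UserId (Get-MgContext).Account
$group = Get-MgGroup -Filter "displayName eq 'Delegate365-PIM-Group'"
if ($group.Count -ne 1) { throw "Expected exactly one group, found $($group.Count)" }

# Returns the active membership instance for a user in a PIM-enabled group, or $null when
# the membership is not active (never activated, or already expired). Hypothetical helper.
function Test-PimGroupMembershipActive {
    param(
        [Parameter(Mandatory)] [string] $GroupId,
        [Parameter(Mandatory)] [string] $PrincipalId
    )
    # Graph requires a filter on groupId or principalId for this collection.
    $instances = Get-MgIdentityGovernancePrivilegedAccessGroupAssignmentScheduleInstance `
        -Filter "groupId eq '$GroupId' and principalId eq '$PrincipalId'"
    $now = (Get-Date).ToUniversalTime()
    # An instance with no endDateTime is a permanent (direct) assignment, which should not
    # exist for this group; an expired instance is not returned as active.
    return $instances | Where-Object {
        $_.AccessId -eq "member" -and
        ($null -eq $_.EndDateTime -or $_.EndDateTime.ToUniversalTime() -gt $now)
    } | Select-Object -First 1
}

$active = Test-PimGroupMembershipActive -GroupId $group.Id -PrincipalId $me.Id
if ($null -eq $active) {
    # Same two inputs the portal asks for: duration and justification (both assumed values).
    New-MgIdentityGovernancePrivilegedAccessGroupAssignmentScheduleRequest `
        -AccessId "member" `
        -Action "selfActivate" `
        -GroupId $group.Id `
        -PrincipalId $me.Id `
        -Justification "Delegate365 administration task" `
        -ScheduleInfo @{
            startDateTime = (Get-Date).ToUniversalTime()
            expiration    = @{ type = "afterDuration"; duration = "PT2H" }
        } | Out-Null

    # Activation is asynchronous and can take about a minute; poll until the instance exists.
    for ($i = 0; $i -lt 12 -and $null -eq $active; $i++) {
        Start-Sleep -Seconds 10
        $active = Test-PimGroupMembershipActive -GroupId $group.Id -PrincipalId $me.Id
    }
}

if ($null -eq $active) {
    "Membership is not active; Delegate365 will refuse the sign-in."
} else {
    $remaining = $active.EndDateTime.ToUniversalTime() - (Get-Date).ToUniversalTime()
    "Membership active until $($active.EndDateTime.ToUniversalTime()) UTC " +
        "($([int]$remaining.TotalMinutes) minutes left); open the Delegate365 URL now."
}
```

Running the script again after the duration has passed returns the "not active" branch and re-activates, which is the re-request cycle described above. If the helper ever reports an instance with no end time, the group has acquired a direct member, which defeats the just-in-time control and should be investigated.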
Summary
In conclusion, implementing Microsoft Entra ID Privileged Identity Management (PIM) for Delegate365 is a crucial step in enhancing your organization's security and compliance. PIM provides a robust framework for managing, controlling, and monitoring privileged access, ensuring that only authorized users can perform critical tasks. By leveraging PIM, you can enforce just-in-time access, reduce the risk of unauthorized access, and maintain a secure environment for your applications.
If you haven't already configured PIM for Delegate365, now is the perfect time to do so. Follow the steps outlined in this guide to set up PIM and take control of your privileged access management. Secure your application, protect your data, and ensure compliance with regulatory requirements by integrating PIM into your Delegate365 environment today.