Configuring Intune RBAC just-in-time admin access with Entra ID PIM for Groups & Conditional Access

-

For a long time Role-based access control (RBAC) has been the method of choice for managing access to organization's resources by using built-in Intune roles. However, there was no way to enforce just-in-time like access control against these roles. This changed earlier in the year 2023, when Microsoft released Privileged Identity Management (PIM) for Groups which allowed creating a just-in-time (JIT) policy to support a wide range of roles such as Microsoft Entra roles, Azure resource roles, Microsoft Intune and non-Microsoft application roles and services. 

As of writing this blog, this feature together with PIM integration with Conditional Access went into GA which has now enabled organizations to enforce specific requirements for PIM role activations, thus enhancing the overall security posture.

In this blog post, I explore these methods on how to give users just-in-time privileged access to Intune RBAC by using PIM for Groups and leveraging CA by enforcing additional security checks in form of MFA. 

The scenario involves elevating permissions of a Read Only Operator to Cloud PC Administrator using Intune RBAC, PIM for Groups and CA.

Creating the groups in Entra ID

- Create a standard group with assigned membership. Note - You can use an existing group as well.

Intune - RBAC - Intune Read Only Operator


- Add necessary members in the group. For all intent and purposes I am adding a user who is assigned a Read only access role in Intune.


Entra ID - Intune Administrators

- Create the second group assigned as role-assignable or non-role-assignable. A role-assignable group is one that can be assigned to a role in Azure AD. Such a group can only be managed by Global Administrator, Privileged Role Administrator, or the group Owner which will help in preventing an admin from elevating to a higher privileged role without going through a request and approval procedure.

- No need to add members in this group as it will be used in PIM for groups to implement JIT. 

Configure the PIM for Groups in Entra ID

- Navigate to Microsoft Entra admin center > Privileged Identity Management > Groups 

- Click on Discover Groups, select & onboard the second group Entra ID - Intune Administrators


Select the onboarded group, and under Manage, select Assignments to add a new assignment.
- Select role as Member and add the first group Intune - Intune Read Only Role as member.


- Select Assignment type as Eligible.


- Once the assignment is created, select Settings to choose how long the group membership will last and how a user can be approved.


- Set the activation duration and 'On activation, require', select Microsoft Entra Conditional Access authentication context

I am selecting Strong Authentication as the context which I will be leveraging in a Conditional Access policy, covered in the next section of this article.

Create a Conditional Access policy for Authentication Context


- Select Protection > Conditional Access > Policies.

- Select Policies > New policy to create a new policy.

- Create a new policy and specify the intended targeted users\groups\roles.


- Select authentication context.


- Under Grant action, select Require authentication strength > MFA



Assign built-in roles in Intune

- In the Intune admin center, navigate to Tenant administration > Roles.

- Select the desired least privilege role. In this example, I chose Read Only Operator.

- In the Role, go to Assignments and assign the first group was created i.e. Intune - RBAC - Intune Read Only Operator

- Select the necessary scope groups and save.


- Since I am testing for elevation, I configured another role Cloud PC Administrator by repeating the steps from above, only this time I have used the PIM group Entra ID - Intune Administrators for role assignment.

Policies in Action

After the role assignment settings are completed, the members of the least-privilege group (Intune - RBAC - Intune Read Only Operator) will be able to request elevated privileges by requesting to be temporarily added to the managed group (Entra ID - Intune Administrators).

Member of Intune - RBAC - Intune Read Only Operator group signs in and has read only permissions.


The user requests for elevation by navigating to  Intune admin center > Tenant administration > Azure AD Privileged Identity Management > My roles > Groups


User will be asked to satisfy the controls through the CA policy.


Once satisfied, the user will be temporary added in the PIM group.


The assignment will report as active.


User's permissions will be elevated in Intune.


One can validate in the Entra ID sign-in logs for successful enforcement of the CA policy.



Final thoughts..

Least-Privilege Administrative Models are security best practices where users only have the access they need to perform a given task. This helps prevent unauthorized or accidental changes, data breaches, and compliance violations. Part of Microsoft Entra ID Governance and Microsoft Entra ID P2, you can now further simplify least privilege access by enabling just-in-time access for all resources that support security group or Microsoft 365 group assignments.

Comments

Post a Comment

Popular posts from this blog

How to force escrowing of BitLocker recovery keys using Intune

-
Image
Every now and then it so happens that BitLocker recovery keys do not escrow in AAD. The usual culprits are incorrect BitLocker policies and\or the device hardware configuration failing to meet the minimum requirements. The other scenario and something I recently experienced is when everything is setup right and still the recovery key doesn’t escrow in AAD. As I understand, this can happen if the escrow process got interrupted the first time due to network or local devices related issues and the process could not resume. To circumvent this issue, one can simply push a PowerShell script to the devices to force the escrow of the recovery keys to AAD. Here is a script to do so. try{ $BitlockerVol = Get-BitLockerVolume -MountPoint $env:SystemDrive         $KPID=""         foreach($KP in $BitlockerVol.KeyProtector){             if($KP.KeyProtectorType -eq "RecoveryPassword"){                 $KPID=$KP.KeyProtectorId                 break;             }         }        $o
Read more

Intune: Configure Printers for Non-Administrative Users

-
Image
Configuring printers for end users or giving them the ability to do it themselves is a normal requirement for organizations. Now if your users are Administrators, then the configuration can be straight forward, but in case of Non-Administrators there are additional steps required as Non-Administrators will not be able to add a driver in the driver store despite being able to install a printer. In this blog, I will cover the steps that I took to address this requirement using Intune. The setup involves 2 steps -  1. Setup registries. 2. Install the driver and configure the printer Setting up registries – The registries that need to be configured are actually part of a GPO setting – Allow non-administrators to install drivers for these device setup classes It can be found under: Computer Configuration -> Policies -> Administrative Templates -> System -> Driver Installation I used a Powershell script to set the values and wrapped it in a Win32 application. $Path1
Read more

Intune: UAC Elevation Prompt Behavior for Standard Users

-
Image
Implementing and maintaining a good security posture is an integral part of overall IT security governance for most organizations now. While you want to harden the security of infrastructure and give least number of privileges to your end users, sometimes you may need to cut back on the restrictions to ensure a good user experience and an effective IT support process. Recently, I had a requirement where the customer wanted to ease the restriction on the end user devices to make the helpdesk support process more efficient. This involved easing the UAC level access for the Standard users and if you are managing your devices using Intune, then this blog may just help you. Let us see what all is involved and some of the ways that you can use to implement this easily. Policy CSP – LocalPoliciesSecurityOptions LocalPoliciesSecurityOptions has many CSP settings and if you are managing these settings at an individual level, then the CSP that we need to concern ourselves with here is U
Read more