The Attacking and Defending the Microsoft Cloud (Office 365 & Azure AD) presentation from last week’s Black Hat conference by Sean Metcalf , CTO of Trimarc ,and Mark Morowczynski, principal program manager, Microsoft, got me thinking about Office 365 settings that admins should review. One setting that Office 365 administrators should evaluate is Privileged Identity Management (PIM).

The idea behind PIM is that rights for administrative roles should be enabled only when you need them. If you are the first person in your organization to sign up for Azure accounts, you will be given the roles of security administrator and privileged role administrator. Any other user/administrator in the organization should have admin rights only when they need them.

To be able to use PIM, you need to have a license for Azure Active Directory (AD) Premium P2, Enterprise Mobility + Security (EMS) E5 or Microsoft 365 M5. For Azure AD, you only need to license the feature you want per person. For Office, however, licenses are generally needed for all users. To use PIM, you can purchase Azure P2 licenses for administrators or users who have PIM roles, but have P1 or basic Azure AD licenses for all other users.

A P2 license is required for:

  • Administrators with Azure AD roles managed using PIM
  • Administrators with Azure resource roles managed using PIM
  • Administrators assigned to the privileged role administrator
  • Users assigned as eligible to Azure AD roles managed using PIM
  • Users able to approve/reject requests in PIM
  • Users assigned to an Azure resource role with just-in-time or direct (time-based) assignments
  • Users assigned to an access review
  • Users who perform access reviews.