Posted by: kurtsh | September 4, 2021

BETA: Privileged Identity Management with Azure Lighthouse enables Zero Trust

Azure customers being managed through Azure Lighthouse… rejoice! If you’ve been using Azure Lighthouse to allow others to manage your department’s or organization’s Azure subscriptions/enrollments, you’ll be able to use Azure AD Privileged Identity Management (PIM) to:

  • Only allow others to access your Azure environment when necessary
  • Use “just-in-time” access controls to permit service providers to make changes to your Azure cloud
  • Reduce service providers’ standing access to your Azure environment to “least privilege”

Today we are very excited to announce the latest iteration in our journey towards Zero Trust and least privilege access: The preview of Azure Active Directory Privileged Identity Management (Azure AD PIM) integration with Azure Lighthouse.

To understand how this integration enables least privilege access, consider the example of the company Contoso, which partners with a service provider to manage their network security. Contoso wants to make sure that this partner is following best practices around least privilege. In particular, Contoso doesn’t want the partner to have standing access to their resources. Instead, the partner should gain access only when it is necessary for them to perform some operation.

To achieve this, the service provider crafts their offer in Azure Lighthouse so that it requires their operators to elevate their access to a privileged role before they can work on Contoso’s network. This just-in-time (JIT) access only lasts for a limited period (up to eight hours), after which the access for that operator is automatically removed, and they go back to having read-only access to Contoso’s delegated resources. Additionally, Contoso can require that the service provider obey a defined set of policy options when authenticating, such as requiring multifactor authentication. These capabilities are free to Contoso as a customer because they are granted as part of the service provider’s tenant.
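The offer shape described above, as an added example that is not part of the original post or Microsoft’s code: it builds the `properties` of a Lighthouse registration definition in which the provider’s operators hold standing Reader only, with Contributor as an eligible (JIT) assignment capped at eight hours and requiring MFA, and then lints the definition for standing write access. The `authorizations` / `eligibleAuthorizations` / `justInTimeAccessPolicy` field names follow the Lighthouse template schema as I understand it, and the tenant and group IDs are constructed placeholders.

```python
"""Build and lint an Azure Lighthouse delegation that uses PIM-style JIT access.
Constructed example; field names assumed from the Lighthouse registration
definition schema (Microsoft.ManagedServices/registrationDefinitions)."""
import json

# Azure built-in role definition IDs (identical in every tenant).
READER = "acdd72a7-3385-48ef-bd42-f606fba81ae7"
CONTRIBUTOR = "b24988ac-6180-42a0-ab88-20f7382dd24c"
OWNER = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
WRITE_ROLES = {CONTRIBUTOR, OWNER}

# Placeholder IDs for the service provider's tenant and operator group (constructed).
PROVIDER_TENANT = "00000000-0000-0000-0000-000000000001"
OPERATORS_GROUP = "00000000-0000-0000-0000-000000000002"
OPERATORS_NAME = "Provider network operators"


def build_definition(max_hours=8, require_mfa=True):
    """Standing Reader plus an eligible Contributor role that must be activated."""
    return {
        "registrationDefinitionName": "Contoso network security (JIT)",
        "managedByTenantId": PROVIDER_TENANT,
        "authorizations": [  # permanent assignments: read-only
            {"principalId": OPERATORS_GROUP, "principalIdDisplayName": OPERATORS_NAME,
             "roleDefinitionId": READER},
        ],
        "eligibleAuthorizations": [  # JIT assignments: activated per operation
            {"principalId": OPERATORS_GROUP, "principalIdDisplayName": OPERATORS_NAME,
             "roleDefinitionId": CONTRIBUTOR,
             "justInTimeAccessPolicy": {
                 "multiFactorAuthProvider": "Azure" if require_mfa else "None",
                 "maximumActivationDuration": f"PT{max_hours}H"}},
        ],
    }


def standing_write_findings(props):
    """Principals holding a write role permanently (outside eligibleAuthorizations)."""
    return [a["principalIdDisplayName"] for a in props.get("authorizations", [])
            if a["roleDefinitionId"] in WRITE_ROLES]


def jit_policy_findings(props, max_hours=8):
    """Eligible assignments whose JIT window exceeds max_hours or that skip MFA."""
    findings = []
    for e in props.get("eligibleAuthorizations", []):
        pol = e.get("justInTimeAccessPolicy", {})
        hours = int(pol.get("maximumActivationDuration", "PT0H")[2:-1])  # "PT8H" -> 8
        if hours > max_hours or pol.get("multiFactorAuthProvider") != "Azure":
            findings.append(e["principalIdDisplayName"])
    return findings


if __name__ == "__main__":
    definition = build_definition()
    print(json.dumps(definition, indent=2))
    print("standing write access:", standing_write_findings(definition) or "none")
    print("weak JIT policies:", jit_policy_findings(definition) or "none")
```

Running the two lint functions over a provider’s proposed template before accepting the delegation is the check Contoso would want: an empty result from both means no standing write access and every eligible role is MFA-gated within the eight-hour limit.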

Read more here:
