0:01 Hello everyone and welcome back to the
0:02 channel. My name is Jim Singh and in
0:04 this particular video we will explore
0:07 Privileged Access Management, PAM, what
0:09 exactly it is and how we can configure
0:11 it. So let's get started and first
0:14 understand what it is and then we will
0:16 go towards the practical implementation
0:18 of it. Let's explore what exactly
0:21 Privileged Access Management is. So this
0:23 particular session is about Privileged
0:25 Access Management, or you can also call
0:28 it PAM. The idea is very simple. Instead
0:31 of giving administrators permanent
0:35 high-level access, PAM will give
0:38 temporary and task-specific access to
0:41 the admins. And this is very important
0:43 because it reduces the risk if an
0:46 account gets compromised.
0:49 So if I go through these bullet points,
0:51 it says granular control over privileged
0:54 tasks. We will have just-in-time or just-
0:57 enough access for the admins, and it will
1:00 protect against standing admin
1:03 vulnerabilities. Now, why should we think
1:06 about it? We already talked about it. So
1:09 normally, if I talk about our traditional
1:11 environment, admins often have permanent
1:14 high-level rights, and if their account is
1:18 breached or compromised, the attacker
1:22 gets everything. So PAM removes the
1:24 risk by eliminating standing privileges.
1:28 An admin must request and get approved
1:31 for a specific task for a limited time.
1:34 So as I said, this is the real pain point
1:36 for the organization, because
1:38 administrators have a lot of
1:40 standing privileges, and that's very
1:42 risky. So PAM will
1:45 give you zero standing privileges because
1:47 it gives approval-based and time-bound
1:50 access. The major benefit, I would say, is that it
1:53 reduces insider and external threats,
1:56 adds an approval workflow for elevated
1:59 actions, and provides you an audit
2:01 trail for transparency. You will
2:03 have clear visibility, and it complements
2:06 other Microsoft 365 protections. So you
2:09 can see the benefits are layered. PAM
2:12 stops unauthorized use of admin rights,
2:14 ensures every critical action is
2:17 approved, and keeps logs of everything
2:19 for audits. So it doesn't replace
2:22 security but adds another shield on top of it.
2:24 Now let's understand the layers of
2:26 protection. So here at this place you
2:29 can see, if I talk about security or the
2:32 protection layers, we have to do
2:34 encryption and role-based access control. So
2:37 for encryption we have, I mean,
2:39 unauthorized access prevention; for role-
2:41 based access control you assign the roles
2:46 and risk-based standing access,
2:48 and there we can use RBAC that is
2:50 coming from the cloud services and the
2:51 Conditional Access that you can put
2:54 where we can have better control: okay, in
2:55 this condition you can access, or in
2:58 which condition you cannot access. And we
3:00 can also think about just-in-time and
3:03 just-enough access, and that can be
3:05 implemented in Azure AD Privileged
3:07 Identity Management. You must have heard
3:10 about it and experienced it. And we also
3:12 have PAM, which is Privileged Access
3:15 Management, which is in Office 365. So
3:17 any administrative action can be
3:19 protected and will be sent for
3:22 approval. We have native M365
3:26 encryption, PAM, Entra PIM, and together you
3:29 get multi-layer just-in-time access. So
3:32 think of this as layers. Encryption
3:34 protects the data. RBAC defines the
3:37 roles. PAM protects the tasks, and Entra
3:41 PIM protects your Entra roles. So PAM is
3:45 very granular. It secures specific tasks,
3:47 while PIM secures broader role
3:49 assignments. Now let's understand the
3:51 architecture of it. Here if you see the
3:54 workflow, it is very straightforward.
3:57 First you set the policy. Next, a
3:59 user requests access, and then the
4:03 approver gets notified and must decide
4:05 what action should be taken for that
4:08 user. If approved, the system may allow
4:10 the task temporarily, and if not, it will
4:13 get rejected, and every action in this
4:15 workflow is logged for
4:17 accountability. So later you can check
4:19 it out, and if you have to make a
4:22 decision in the process, you can do it.
4:24 So it has been categorized into four layers:
4:27 policy creation, access request, access
4:30 approval and final access processing.
4:32 Now let's understand it with one
4:35 example. One admin wants to export a
4:37 mailbox. So what will they do? They'll
4:40 request access. The moment they
4:41 request the access, if you have
4:44 integrated the PAM workflow in it,
4:46 it will trigger a PAM workflow. Then it
4:49 will reach out to the approver, and if
4:51 the approver grants it, that will also be for
4:54 a specific time; only then can the user
4:56 access. So the admin completes their task, and
4:58 access is automatically removed after this
5:02 certain time or approved time, and as I
5:04 said, all these steps will be logged for
5:06 audit history. I would say the takeaway
5:09 is the PAM functionality, PAM
5:12 benefits. So as we discussed, PAM
5:14 eliminates standing privileges,
5:17 enforces just-in-time access, and ensures
5:19 better security governance. So combined
5:23 with Entra PIM it gives both task-level and
5:26 role-level protection. Okay. So I hope
5:28 you got an idea of what exactly Privileged
5:30 Access Management is. Let's see how we
5:32 can configure it. Okay. Let's see how we
5:34 are going to configure Privileged Access
5:37 Management in the Microsoft 365 admin
5:39 center. So as you can see, we are logged in
5:42 to the Microsoft 365 admin center, and first
5:44 we are going to create a group. That
5:47 group will have members who will act
5:49 as approvers. So if any admin is doing
5:51 some, you can say, administrative
5:54 actions, the approval request for that will
5:56 reach this place, and a member
5:58 from this group will approve or reject
6:00 depending on the requirement. So to do
6:03 that, let's go to the Groups section and add a
6:04 group. Here we will select the group
6:07 type. It can be any of these. So mail-
6:10 enabled security, and there we can
6:12 specify the name, in this case Privileged
6:16 Access Approvers, an email address for
6:18 this group, and we'll provide a description
6:22 for it. Let's add this group and close
6:24 it. Now we are going to add the members
6:26 at this place. So let's select that
6:28 group. We will go to the Members section.
6:30 Right now we have zero members. Let's
6:33 edit it and we are going to add the
6:37 members. So for example, Emily and Candy
6:40 will be the members. Let's save it and
6:43 close it. Now let's go and do the
6:46 settings related to this Privileged Access
6:47 Management. For that we'll go to
6:50 Security and privacy. And at this place,
6:53 you will see, if I scroll down,
6:56 there we have something called Privileged
6:59 access. We are going to edit it.
7:01 So we'll click on Edit. Here we have
7:03 this toggle button that says
7:06 require approvals for privileged tasks.
7:08 So if any admins are going to do such a
7:11 task, approval would be required.
7:13 And here we are going to select the
7:15 privileged access approvers. If you
7:16 remember, this is the group which we
7:18 created. So we are going to pick the
7:21 group here, not an individual user. So any
7:24 member from this particular group will
7:26 approve the request or reject the
7:30 request. Let's save it. Now for that, we
7:32 have to create a policy, because we
7:34 need to define what kind of task is
7:36 considered a privileged task; not any
7:38 random task can fall under the
7:40 privileged tasks. So for that we are going
7:42 to create the policy. If I click on the
7:44 policy, there we have the Configure policies
7:47 option. If I go to that place and add a
7:49 policy, here we have to declare the
7:53 policy. So the policy type is task-related,
7:56 role-related or role-group-related. Task
8:00 is specific. If I go to this Exchange or
8:02 Office 365 under the scope, either the
8:04 task is related to Exchange or
8:07 Office 365. I can go with Exchange for
8:09 now. And there we have the policy name.
8:11 There we can say select the policy name. At
8:13 this place you can see there are
8:15 multiple, like Add Active Directory
8:18 permissions, mailbox folder permissions,
8:20 if someone is adding mail permissions
8:23 or exporting a mailbox or maybe
8:25 exporting messages. So there are
8:28 multiple pre-built policies we
8:32 have. Let's go for the journal rule, and
8:35 then we have to select the approval
8:37 type. Here it will ask manual or
8:39 automatic: should the request get
8:41 automatically approved, or will
8:44 someone manually approve or reject it? In
8:45 our case we are going to test it
8:47 manually, because we have to see the
8:50 experience of how it actually works in the
8:53 back end. So go with manual. And as you
8:54 can see, we have already selected this
8:56 approval group, so automatically it has
8:59 picked that group here. Now click on
9:01 Create. Now it got created, and see, I
9:04 logged in with a different user, and this
9:06 user is one of the admins in our
9:08 organization. Let's see what happens if that
9:11 admin is trying to do some
9:14 privileged activity. So as per our policy,
9:17 the request should not take place, and it
9:18 should get forwarded to the approvers
9:21 for approval. So for that, the user has
9:24 logged in in PowerShell, and from here
9:26 the user will try to execute some
9:29 privileged activity, journal-related.
9:32 So let's go and execute the first command to
9:33 get established, or get the connection,
9:36 with Exchange Online. I logged in with
9:39 that user's sign-in. And now the
9:42 connection must get established. There
9:45 we go. The connection got established.
9:46 Now the task which we are going to
9:48 perform is what? We will execute a command
9:51 that will create a journal rule, and in
9:54 this case it will send a shadow copy of
9:58 every email to a mailbox outside
10:00 of the organization. So if I look at the
10:02 command, that's the command where we are
10:05 executing New-JournalRule: the recipient
10:07 will be this, and the journal email address is
10:09 going to be this, the name would be this,
10:12 the scope is this, and whether it's enabled or not.
10:15 Let's execute, and as you can see, as
10:17 expected, it tells you that you have
10:21 insufficient permission, please raise an
10:24 elevated access request for this task,
10:26 because we created the rule, and as per
10:28 that rule, this particular task
10:31 falls under the privileged tasks. So let's
10:33 see how we can do that. So this user
10:35 will go to their settings; there we will
10:38 have Security and privacy, and inside that
10:40 they'll get this option under Privileged
10:42 access: manage access policies and
10:45 requests. So if I click on that, I mean
10:47 that user will click on that and raise a
10:50 new request. While raising this request,
10:53 the user will specify what task type it
10:55 is, I mean what type of request it is.
11:00 Then, which scope is it related to?
11:02 Then we are going to select
11:06 the, you can say, request for,
11:09 and a specific duration,
11:13 meaning how long you need this access:
11:15 2 hours,
11:17 and the justification, I would say, or the
11:19 comment where you need to specify why
11:23 exactly you're looking for access for this.
11:25 Now this is in progress. Once that
11:27 request has been raised, we can close
11:29 it. Now let's experience what will
11:31 happen once that request has been raised
11:35 by the user. So one of the members from
11:38 the approval group, or all of the members
11:40 from the approval group, will receive a
11:42 notification email at this place. As you
11:44 can see, this is how it looks. The
11:46 user, I mean the admin, will get to know
11:48 who has requested, what the access
11:51 level is, then the duration, how long they're
11:52 requesting, what the reason is, and
11:55 everything. Now to approve it, you can go
11:57 directly to this admin portal as an
11:59 approver, and there you will see, under
12:02 this Privileged access, the
12:04 request. If I click on the request, there
12:05 we will have the complete detailed
12:09 information: what exactly is the
12:11 reason for the user to request such
12:13 things, and you have this option, then
12:16 either you can approve or deny it as per
12:18 your findings. Now in this case we are
12:20 going to approve it. So let's approve
12:22 it. Now this has been successfully
12:24 approved. Let's close it. Now let's go
12:26 back and experience from the user side.
12:30 So again I logged in with the admin
12:31 who requested. And if you can
12:34 see, this admin has also received a
12:36 notification. If you see, it has two
12:39 emails: the first when the admin sent
12:42 the request for approval, and the second once
12:44 the request got approved. So now the
12:47 user will get to know, okay, the
12:50 request for the task got
12:52 approved now, so they'll go and try to
12:55 execute one more time. Again we have
12:57 established the connection with Exchange;
12:59 this is how we can raise a request. Once
13:02 you establish the connection, now we can
13:04 go and execute the same command which we
13:06 were trying earlier, and this time, as you
13:08 can see, it got executed because you
13:12 approved it. Now let's minimize it and
13:14 now let's experience
13:16 how, as an admin,
13:18 we can go and explore all the activities
13:20 which are being taken or being
13:22 executed by the admins in our
13:24 organization. For that we'll go to the
13:26 admin center. There we have Security
13:29 and compliance. Inside Security and
13:31 compliance, we will have something called
13:33 Search and investigation. If I go to
13:37 this, there we have Audit log search.
13:39 And there you will see we have audit log
13:41 search, which tells you, okay, how the
13:42 search would take place, what the
13:44 activities are; you can pick the activities,
13:46 start date, end date, the duration,
13:49 everything. In our case we are not going
13:51 to specify; let's search all the activity
13:53 which is done by the user, so click on Search,
13:59 and there we found a lot of activities,
14:04 as you can see: date, IP addresses, user,
14:06 activity type, and all details. As you can
14:08 see, this is the activity where the user
14:10 has just created the journal rule. If I
14:13 click on this activity, we have basic
14:15 information as well as detailed
14:17 information. And here it provides you
14:20 all the information like creation time,
14:23 external access, the ID was this, and the
14:25 parameters that have been executed. So if
14:27 I go down there, we will have clear
14:29 visibility of what exactly that user has
14:31 done. Okay. This is how we can configure
14:34 Privileged Access Management in Microsoft
14:38 Office 365. Okay, I hope you got an idea
14:40 how we can configure Privileged Access