Hang tight while we fetch the video data and transcripts. This only takes a moment.
Connecting to YouTube player…
Fetching transcript data…
We’ll display the transcript, summary, and all view options as soon as everything loads.
Next steps
Loading transcript tools…
Privileged Access Management in Microsoft 365 | What, Why & How Explained | Cloud360 Training | YouTubeToText
YouTube Transcript: Privileged Access Management in Microsoft 365 | What, Why & How Explained
Skip watching entire videos - get the full transcript, search for keywords, and copy with one click.
Share:
Video Transcript
Video Summary
Summary
Core Theme
Privileged Access Management (PAM) is a security strategy that grants temporary, task-specific elevated access to administrators, significantly reducing the risk associated with permanent high-level privileges and enhancing security governance through approval workflows and audit trails.
Mind Map
Click to expand
Click to explore the full interactive mind map • Zoom, pan, and navigate
Hello everyone and welcome back to the
channel. My name is Jim Singh and in
this particular video we will explore
privilege access management PAM what
exactly it is and how we can configure
it. So let's get started and first
understand what it is and then we will
go towards the practical implementation
of it. Let's explore what exactly
privilege access management is. So this
particular session is about u privilege
access management or you can also call
it PAM. The idea is very simple. Instead
of giving administrators permanent
highle access, this PAM will give the
temporary and task specific access to
the admins. And this is very important
because it reduces the risk if an
account gets compromised.
So if I go through this bullet points,
it says granular control over privilege
task. we will have just in time or just
enough access to the admins and it will
protect against a standing admin
vulnerabilities. Now why we should think
it we already talked about it. So
normally if I talk about our traditional
environment admins often have permanent
highle rights and if their account is
brised or got compromised the attacker
gets everything. So the PAM removes the
risky by eliminating standing privileges.
privileges.
An admin must request and get approved
for a specific task for a limited time.
So as I said this is the very pain point
for the organization because
administrators are having lot of
standing privilege and that's very
risky. It's not will so the PAM will
give you zero standing privilege because
it gives approval based and time bound
access. The major benefit I would say it
reduces the insider and external threats
adds the approval workflow for elevated
actions and it provides you the audit
trail for the transparency. You will
have clear visibility and complements
other Microsoft 365 protections. So you
can see the benefits are layered. PAM
stops unauthorized use of admin rights,
ensures every critical action is
approved and keeps logs of everything
for audits. So it doesn't replace
security but adds another shield on it.
Now let's understand the layer of
protection. So here at this place you
can see if I talk about security or the
protection layers. So we have to do
encryption role based access control. So
for encryption we have uh I mean
unauthorized access prevention for role
based access control you assign the role
and risk best standing accesses
and there we can use arbback that is
coming from the cloud services and the
conditional access that you can put
where we can have better control okay in
this condition you can access or in
which condition you cannot access and we
can also think about just in time and
just enough access and that can be
implemented in Azure your AD privileged
identity management. You must heard
about it and experienced it. And we also
have PAM which is privileged access
management which is in office 365. So
any administrative action can be
protected and will send for the
approvals. We have native M365
encryption PAM entrop and together you
get multi-layer just in time access. So
think of this as a layers. Encryption
protects the data. Arbec defines the
roles. PAM protects the task and intra
pim protects your intra roles. So PAM is
very granular. It secures specific task
while pim secures broader role
assignments. Now let's understand the
architecture of it. Here if you see the
workflow, it is very straightforward.
First you set the policy. The next a
user request for access and then the
approver get notified and must decide
what action should be taken for that
user. If approved the system may allow
the task temporarily and if not it will
get rejected and all the action in this
workflow is getting logged for
accountability. So later you can check
it out and if you have to make a
decision in the process you can do it.
So it has been categorized in four layer
policy creation, access request, access
approval and final access processing.
Now let's understand it with one
example. One admin wants to export a
mailbox. So what they'll do? They'll
request for access. The moment they will
request for the access, if you have
integrated PAM workflow in it, so it
will trigger a PAM workflow. then it
will reach out to the approver and if
the approver grants that will also for
the time specific then only the user can
access. So admin complete their task and
access automatically removed after this
certain time or approved time and as I
said all these steps will loged for
audit history. I would say the takeaway
is the PAM uh functionality PAM
benefits. So as we discussed the PAM
eliminates the standing privilege,
enforces just in time access and ensures
better security governance. So combined
with entrap it gives both task level and
role level protection. Okay. So I hope
you got an idea what exactly privilege
access management is. Let's see how we
can configure it. Okay. Let's see how we
are going to configure privilege access
management in Microsoft 365 admin
center. So as you can see we logged in
on Microsoft 365 admin center and first
we are going to create a group that
group will have members who will act
like approver. So if any admin is doing
some uh you can say administrative
actions for that approval request will
reach out to this place and the member
from this group will approve or reject
depends on the requirement. So to do
that let's go to the group section add a
group. Here we will select the group
type. It can be any of this. So mail
enabled security and there we can
specify the name in this case privileged
access approvers any email address for
this group and we'll provide description
for it. Let's add this group and close
it. Now we are going to add the member
at this place. So let's select that
group. We will go to the member section.
Right now we have zero member. Let's
edit it and we are going to add the
members. So for example, Emily and Candy
will be the member. Let's save it and
close it. Now let's go and do the
setting related to this privilege access
management. For that we'll come to the
security and privacy. And at this place
you will see if I'll scroll it down
there we have something called privilege
access. There we are going to edit it.
So we'll click on edit. Here we have
this toggle button that tells you
require approvals for privileged tasks.
So if any admins are going to do such
task there approval would be required.
And here we are going to select what
privileged access approvers. If you
remember this is the group which we
created. So we are going to pick the
group here not individual user. So any
member from this particular group will
approve the request or reject the
request. Let's save it. Now for that we
have to create the policy because we
need to define what kind of task is
considered as a privilege task not any
or random task can fall under the
privilege task. So for that we are going
to create the policy. If I click on the
policy there we have configured policy
option. If I go to that place add the
policy and here we have to declare the
policy. So policy type is a task related
role related or role group related. task
is specific. If I go to this Exchange or
Office 365 under the scope either the
task is related to the Exchange or
Office 365. I can go to the exchange for
now. And there we have policy name.
There we can say select policy name. At
this place you can see there are
multiple like add active directory
permissions, mailbox folder permission
if someone is adding the mail permission
or exporting the mailbox or maybe
exporting the messages. So there are
multiple policies pre-built policies we
have. Let's go for the journal rule and
then we have to select the approval
type. Here we'll ask manual or
automatic. The request should get
automatically approved or manually
someone will approve or reject it. In
our case we are going to test it
manually because we have to see the
experience how actually it works in a
back end. So go with manual. And as you
can see we have already selected this
approval group. So automatically it has
picked that group here. Now click on
create. Now it got created and see I
logged in with a different user and this
user is one of the admin in our
organization. Let's see what if that
admin is trying to do something some
privilege activity. So as per our policy
the request should not take place and it
should get forwarded to the approvers
for approval. So for that user has
logged in in a powershell and from here
a user will try to execute some
privileged activity generally related.
So let's go and execute first command to
get established or the get connection
with exchange online. I logged in with
that user sign in. And now the
connection must get established. There
we go. The connection got established.
Now the task which we are going to
perform is what? will execute a command
that will create a journal rule and in
this case it will send a shadow copy of
every email to mailbox u to the outside
of the organization. So if I see the
command that's the command where we are
executing new journal rule recipient
will this and journal email address is
going to be this name would be this
scope is this and it's enabled or not
let's execute and as you can see as
expected it tells you that you have
insufficient permission please raise an
elevated access request for this task
because we created the rule and as per
that rule this this particular task
falls under the privilege task. So let's
see how we can do that. So this user
will go to their setting there we will
have security privacy inside that
they'll get this option under privileged
access manage access policy and
requests. So if I click on that I mean
that user will click on that and raise a
new request. While raising this request
the user will specify what task type it
is I mean what type of request it is.
Then is it is it related to which scope?
Then we are going to select
the uh you can say request for
and a specific duration
means how long you need this access
2 hours
and the justification I would say or the
comment where you need to specify why
exactly you're looking access for this.
Now this is in progress. Once that
request has been raised, we can close
it. Now let's say experience what will
happen once that request has been raised
by the user. So one of the member from
the approval group or all of the member
from the approval group will receive one
notification email at this place. As you
can see this is how it looks like. their
user I mean the admin will get to know
who has requested what is the access
level then duration how long they're
requesting what is the reason and
everything now to approve it you can go
directly to this admin portal being an
approver and there you will see under
this privilege access request the
request if I click on the request there
we will have the complete detail
information what exactly um is the
reason uh for the user to request such
things and you have this option then
either you can approve or deny it as per
your finding. Now in this case we are
going to approve it. So let's approve
it. Now this has been successfully
approved. Let's close it. Now let's go
back and experience from the user side.
So again I logged in with the admin
those who have requested. And if you can
see this admin has also received one
notification. If you see it has two
email. the first when the admin has sent
the request for approval and second once
the request got approved. So now the
user will get to know okay requested um
you can say request for the task got
approved now so they'll go and try to
execute one more time again we have
established the connection with exchange
this is how we can raise a request once
you establish the connection now we can
go and execute the same command which we
were trying earlier and this time as you
can see this got executed because you
approved it. Now let's minimize it and
now let's experience
how we are going to being an admin how
we can go and explore all the activities
which is being taken or ex being
executed by the admins in our
organization. For that we'll go to this
admin center. There we have a security
and compliance. Inside that security and
compliance we will have something called
search and investigation. If I'll go to
this there we have audit log search.
And there you will see we have audit log
search which tells you okay how the
search would take place what are the
activities you can pick the activities
start date end date the duration
everything in our case we are not going
to specify let's search all the activity
which is done by the user so click on search
search
and there we found lot of activities uh
as you can see date IP addresses user
activity type and all details as you can
See this is the activity where the user
has just created the general rule. If I
click on this activity, we have basic
information as well as detail
information. And here it provides you
all the information like creation time,
external access, ID was this and the
parameters that has been executed. So if
I'll go down there, we will have clear
visibility what exactly that user has
done. Okay. This is how we can configure
privilege access management in Microsoft
Office 365. Okay, I hope you got an idea
how we can configure privilege access
Click on any text or timestamp to jump to that moment in the video
Share:
Most transcripts ready in under 5 seconds
One-Click Copy125+ LanguagesSearch ContentJump to Timestamps
Paste YouTube URL
Enter any YouTube video link to get the full transcript
Transcript Extraction Form
Most transcripts ready in under 5 seconds
Get Our Chrome Extension
Get transcripts instantly without leaving YouTube. Install our Chrome extension for one-click access to any video's transcript directly on the watch page.
