Privileged Identity Management

Privileged Identity Management, or PIM as many call it.
This greatly improves the security of your environment.
You can give a user a role that the user can apply for (depending on your setup). The role lasts X hours, then goes away, and the user needs to apply for it again. This is a good way to avoid someone being a Global Administrator 24/7, for example.


So how can you apply for a role?
First, go to portal.azure.com and then to Privileged Identity Management. In the menu bar on the left you will find an entry like the one in the image; there you can see all roles that have been given to you.

PIM – My roles


Back in the Privileged Identity Management menu, you might want to know how to give roles to someone: go to Manage, then Azure AD roles.
After that, go to Roles, as in the image below.
On the next page, search for the role, pick it, and add a user.
– To do this you need to be a Global Administrator.

PIM – Roles


Maybe you want to change for how long a role should last?
Back in the Privileged Identity Management menu, go to Manage, then Azure AD roles.
Go into Settings, as in the image below.

PIM – Settings


Search for a specific role and go into its settings.
Here you can edit the duration for which a specific role can be applied for, as in the image below. Change it and save it.

PIM – Duration hours


Thank you for your time.

Remove Azure Role Assignment

How to remove a user's access management from the top level

First, make sure you have full access in Azure.
Then go to Azure AD, then to Properties.

Change from No to Yes.
When this is done, you can run this PowerShell command:

Remove-AzRoleAssignment -SignInName first.lastname@company.com -RoleDefinitionName "User Access Administrator" -Scope "/"

This will remove the user's access from the top level.
Make sure you change your own account's access rights back afterwards.
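
Before removing anything, it helps to see who actually holds the role at the top level. The following is an added example, not part of the original post: it lists every "User Access Administrator" assignment at scope "/" and previews the removal for user accounts not on a keep-list. It assumes the Az.Resources module and an existing Connect-AzAccount session; $KeepSignInNames and the address in it are hypothetical placeholders.

```powershell
# Added example: audit root-scope ("/") User Access Administrator assignments
# and preview their removal. Assumes Az.Resources and a Connect-AzAccount session.

# Hypothetical keep-list; the address is a constructed placeholder.
$KeepSignInNames = @('breakglass.admin@company.com')
$RoleName        = 'User Access Administrator'

# Fetch assignments for the role and keep only those made exactly at "/".
$rootAssignments = Get-AzRoleAssignment -Scope '/' -RoleDefinitionName $RoleName |
    Where-Object { $_.Scope -eq '/' }

# Show what was found so it can be reviewed before anything is changed.
$rootAssignments | Format-Table DisplayName, SignInName, ObjectType, Scope

foreach ($assignment in $rootAssignments) {
    # Groups and service principals have no sign-in name; review those by hand.
    if ($assignment.ObjectType -ne 'User') {
        Write-Warning "Skipping $($assignment.ObjectType) '$($assignment.DisplayName)'; review manually."
        continue
    }

    # Leave accounts on the keep-list untouched.
    if ($KeepSignInNames -contains $assignment.SignInName) {
        Write-Output "Keeping $($assignment.SignInName)"
        continue
    }

    # -WhatIf only prints what would be removed; drop it to perform the removal.
    Remove-AzRoleAssignment -SignInName $assignment.SignInName `
        -RoleDefinitionName $RoleName -Scope '/' -WhatIf
}
```

Run the listing part again after the real removal to confirm that only the expected accounts remain.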

Can't edit SAML Basic configuration

Do you have trouble editing the SAML basic configuration?

Could it be that you are running dark mode in Azure?

Basic SAML Configuration white

As you can see, the “edit pen” is black, so you can't see it if the background is black.

Basic SAML Configuration black

I hope this information helps you if you run into this problem of not being able to edit the SAML basic configuration.

Azure AD Threshold sync

Have you encountered the problem that you want to make more changes than allowed, or do you just wonder how to change the Azure AD Sync threshold?
This needs to be done on the server that has the Azure Sync client.


First, find out whether there is a threshold and how it is set up:
Get-ADSyncExportDeletionThreshold

If you want to disable this rule for some reason
(we strongly advise against it):
Disable-ADSyncExportDeletionThreshold

Then there is nothing stopping the sync if someone accidentally deletes too many accounts between two syncs.

If you want to change the threshold to 10:
Enable-ADSyncExportDeletionThreshold -DeletionThreshold 10


Module Az.Advisor PowerShell

So you want to use PowerShell to do things in Azure Advisor?

First off, you need to import Az.Advisor:

Import-Module Az.Advisor

After that, you can start using, for example:

Get-AzAdvisorRecommendation -Category HighAvailability

There are many other commands that come with the import of Az.Advisor.

Don’t forget that you need to connect to Azure with PowerShell before you can start using the commands.

Module AzureAD PowerShell

So you want to use PowerShell to do things in your Azure AD?

First off, you need to import AzureAD:

Import-Module AzureAD

After that, you can start using, for example:
Find an Azure AD group

Get-AzureADGroup -ObjectId $ValueOfGroup

or
Find an Azure AD user

Get-AzureADUser -ObjectId $ValueOfUser

There are many other commands that come with the import of AzureAD.

Don’t forget that you need to connect to Azure with PowerShell before you can start using the commands.

Subscription Report in Azure

How to create a readable Subscription Report

Now start the Microsoft Exchange Online PowerShell Module to connect to your Exchange with PowerShell (if you are not sure how, visit PowerShell Connect to Office365).

  1. Connect-IPPSSession -UserPrincipalName first.lastname@companydomain.com -ConnectionUri https://ps.compliance.protection.outlook.com/PowerShell-LiveID -AzureADAuthorizationEndPointUri https://login.microsoftonline.com/common
  2. Import-Module AzureRm (if you have not imported this Module)
  3. Connect-AzureRmAccount
  4. $usageData = Get-UsageAggregates
  5. $usage = $usageData.UsageAggregations | Select-Object -ExpandProperty Properties
  6. $usage | Group-Object MeterCategory | Format-Table Count,Name

Make sure you run it on the correct subscription.

If you want to know which subscription ID you are on:

(Get-AzureRmContext).Subscription

You want to change to another Subscription ID

If you want to pick another SubscriptionId, you need to find out the ID.
Here is an example with a fake ID:

Select-AzureRmSubscription -SubscriptionId 49cf15d-88d-4a1-111-15ec9df8b5

Add Access in Azure

Add a new User to Azure:

Users and groups –> All Users –> + New User or + New Guest User
The user will then receive an e-mail with an invitation.

Give someone access to a specific resource group

Login on https://portal.azure.com/#dashboard

Then pick

Pick resource.
Then you can go to Access Control (IAM)

Now you can pick

Then you can add users. Remember to give them the correct role.




Give someone access to everything

Login on https://portal.azure.com/#dashboard


Then pick

Click then on


Then you can go to Access Control (IAM)

Now you can pick

Then you can add users. Remember to give them the correct role.