Knowledge base

April 09, 2023

Protect your identity on Azure with YubiKeys for Azure PIM

Privileged access management is a critical part of identity management of a cybersecurity risk reduction strategy. Threat actors often target accounts with excessive authority to gain unauthorized access, exfiltrate sensitive data, introduce malicious activity or engage in other forms of malicious behavior. By using effective privilege management tools, organizations can significantly reduce their attack surface and limit potential damage from security breaches or insider threats. Policies that support the principle of least privilege and restrict access to privileged resources can help reduce the risk of security incidents and maintain the confidentiality, integrity and availability of critical data and assets.

Azure Active Directory (AAD) Privileged Identity Management (PIM) facilitates management of privileged access to Azure AD and Azure resources by enforcing a Zero Standing Privilege (ZSP) security model. This model grants users elevated access rights only when needed and for a limited time, rather than providing permanent access. With PIM, organizations can grant Just-in-Time (JIT) access to privileged roles, assign temporary or time-based roles, and require multiple verification for role escalation. These controls help organizations reduce the attack surface and prevent unauthorized access to sensitive data and resources, improving their overall security posture.

Privileged Identity Management (PIM).

To further enhance security, organizations can enforce the use of hardware security keys, such as YubiKeys, for authorization activation with PIM, driven by conditional access using authentication strengths and authentication context. Authentication Strengths can now enable organizations to granularly enforce strong, phishing-resistant multi-factor authentication (MFA) based on applicable threat models, such as requiring YubiKeys with FIDO2 or Certificate-Based Authentication (CBA). This approach offers more control in strengthening an organization’s security posture.

Step-by-step authentication is a security measure that requires users to provide additional authentication when accessing important resources or performing sensitive tasks. This can include things like multifactor authentication, which requires users to provide additional information beyond their usual login credentials. With Conditional Access Authentication Context, organizations can enforce strong security measures for sensitive tasks, such as requiring the use of a hardware authenticator such as the YubiKey. By using context-based policy enforcement, organizations can ensure that sensitive operations are always verified using the strongest possible verification methods.

Identity is now the control plane, and enabling MFA is the most crucial step organizations can take to secure their users. Privileged identities require tighter controls because they are more vulnerable to identity-related attacks that can compromise information, disrupt operations and cause reputational damage. Therefore, it is critical to implement solutions that can securely manage and monitor privileged access to the digital domain.

With Azure PIM, Conditional Access Authentication Context and Authentication Strengths, organizations can secure misuse of privileges by providing JIT access and enforce MFA to activate any privileged role with YubiKeys.

Source: yubico

Want to know more?

Get in touch

Tech Updates: Microsoft 365, Azure, Cybersecurity & AI – Weekly in Your Mailbox.