add PIM for Groups to AAD baseline instructions for 7.6 through 7.9 (#926)

* added PIM for Groups content to the 7.6 through 7.9 instructions

* updated 7.6 instructions based on further testing
tkol2022 authored Mar 4, 2024
1 parent 7e7b3f6 commit f6bdb31
Showing 1 changed file with 11 additions and 10 deletions.
21 changes: 11 additions & 10 deletions PowerShell/ScubaGear/baselines/aad.md
@@ -649,22 +649,17 @@ Exception cases:
#### MS.AAD.7.6v1 Instructions
1. In **Azure Active Directory** create a new group named **Privileged Escalation Approvers**. This group will contain users that will receive role activation approval requests and approve or deny them.
1. In **Azure AD Privileged Identity Management (PIM)**, under **Manage**, select **Azure AD roles**.
2. Assign this new group to the Azure AD role **Privileged Role Administrators**. This permission allows users in this group to adjudicate role activation approval requests.
3. Assign the users responsible for reviewing approval requests to the new **Privileged Escalation Approvers** group via the [PIM for Groups feature](https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/concept-pim-for-groups).
4. In **Azure AD Privileged Identity Management (PIM)**, under **Manage**, select **Azure AD roles**.
5. Under **Manage**, select **Roles**.
2. Under **Manage**, select **Roles**.
1. Select the **Global Administrator** role in the list.
2. Click **Settings**.
3. Click **Edit**.
4. Select the **Require approval to activate** option.
5. Click **Select approvers** and select the group **Privileged Escalation Approvers**, and then click **Select**.
6. Click **Update**.
5. Click **Update**.
3. Review the list of groups that are actively assigned to the **Global Administrator** role. If any of the groups are enrolled in PIM for Groups, then also apply the same configurations under step 2 above to each PIM group's **Member** settings.
#### MS.AAD.7.7v1 Instructions
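Review bot: sub-step 5 under step 2 still tells the reader to select the group **Privileged Escalation Approvers**, but the steps that created that group, assigned it the **Privileged Role Administrators** role and populated it via PIM for Groups were all removed in this hunk, so the 7.6 instructions now reference a group they never create. Either keep one step that creates and populates the approver group (the PIM for Groups link from the removed step 3 is the natural place to point at) or reference the location in the baseline where the group is set up. Two smaller points in the same hunk: the sub-list now carries two items numbered `5.` (`5. Click **Select approvers** ...` and `5. Click **Update**.`); Markdown renders them sequentially, but the source should read `6.`. And new step 3 says to review the groups actively assigned to the role and to apply "the same configurations under step 2 above" to each PIM group's **Member** settings without saying where that assignment list is or where a group's Member settings are edited; the sub-steps under step 2 navigate **Azure AD roles**, so the reader is left without a path to the group settings. Name the location rather than referring back to step 2.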
@@ -684,6 +679,8 @@ Exception cases:
8. Click **Update**.
9. For each of the highly privileged roles, if they have any PIM groups actively assigned to them, then also apply the same configurations per the steps above to each PIM group's **Member** settings.
#### MS.AAD.7.8v1 Instructions
1. In **Azure AD Privileged Identity Management (PIM)**, under **Manage**, select **Azure AD roles.**
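Review bot: new step 9 says to apply "the same configurations per the steps above" to each PIM group's **Member** settings, but the preceding steps navigate **Azure AD roles** and end at the role's **Update** button, so the reader has no path to a group's Member settings and no instruction on how to find which PIM groups are actively assigned to a role. Add the navigation (where a role's group assignments are listed, and where a PIM group's Member settings are edited), or spell it out once and reference that single place, since the same sentence is repeated for 7.8 and 7.9.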
@@ -700,10 +697,14 @@ Exception cases:
7. Click **Update**.
8. If the Global Administrator role has any PIM groups actively assigned to it, then also apply the same configurations per the steps above to each PIM group's **Member** settings.
#### MS.AAD.7.9v1 Instructions
1. Follow the same instructions as MS.AAD.7.8v1 for each of the highly privileged roles (other than Global Administrator) but enter a security monitoring mailbox different from the one used to monitor Global Administrator activations.
2. For each of the highly privileged roles, if they have any PIM groups actively assigned to them, then also apply the same configurations per step 1 to each PIM group's **Member** settings.
## 8. Guest User Access
This section provides policies that help reduce security risks related to integrating M365 guest users. A guest user is a specific type of external user who belongs to a separate organization but can access files, meetings, Teams, and other data in the target tenant. It is common to invite guest users to a tenant for cross-agency collaboration purposes.
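Review bot: 7.8 step 8 and 7.9 step 2 give conflicting instructions for a PIM group that is actively assigned both to **Global Administrator** and to another highly privileged role: 7.8 step 8 applies the Global Administrator configuration (including its security monitoring mailbox) to the group's **Member** settings, while 7.9 step 2 applies the other roles' configuration with a different mailbox, and both target the same Member settings of that group. State the precedence, for example that a group with any Global Administrator assignment follows 7.8 step 8 and is skipped in 7.9 step 2, or tell the reader to enter both mailboxes for such a group. 7.9 step 2 also says "per step 1" where step 1 itself only defers to MS.AAD.7.8v1, so the reader has to chase two references; pointing directly at the 7.8 steps would read more clearly.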