

The first thing I set up is the CA policy for my specific Directory Role in this scenario. Creating Azure AD Conditional Access Policy for Directory Role Especially when he is doing admin stuff in our Exchange Online tenant or even running some Exchange Online PowerShell commands.

Even though the Azure AD PIM role is protected by MFA at activation, making the user secure and trusted, I really want the device he is using to be secure and compliant with any management profiles I have defined using Intune MDM. Lets say that I only want this user to perfom Exchange Administrator tasks from a Compliant Device. I have an Exchange Administrator that from time to time performs Exchange Online admin tasks, and have configured this admin user with Azure AD PIM and eligible for Exchange Administrator Role among others: So I was wondering how this would work together with Azure AD Privileged Identity Management, for example in the following scenario: With Azure AD PIM you can require Azure MFA when activating admin roles, but outside that you cannot set conditions and access control scenarios like you can do with Azure AD Conditional Access.īut now recently there is a new option in public preview for assignments to users and groups for Conditional Access policies, you can assign the CA policy to directory roles! You can even implement approval workflows and audit trails, so if you haven’t looked into it you should really take a look! By implementing Azure AD PIM you can let users with admin roles elevate themselves when they need to, using just in time (JIT) and eligible roles instead of permanent admin roles. Azure AD Privileged Identity Management is a really great security feature for controlling those Azure AD and Azure Subscription administrator roles.
