The customer has Azure Active Directory tenant and all workstations are Azure AD joined Windows 10 (or later) devices. The customer does not have any Windows servers.
The customer has the following targets that need to be met:
- End users should not have any permanent admin privileges
- Existing permanent admin privileges must be removed
- Exceptions can be made (when absolutely needed for performing work tasks) for single workstations by requesting permanent admin privileges from IT support
- All end users should have possibility to get temporary admin privileges when granted by IT support
- End users that currently have permanent admin privileges should have possibility to get temporary local admin privileges as self-service (IT support grant not needed)
- Default permanent admin privileges for Global Admins and Device Administrator Azure AD roles must be removed
- Permanent admin privileges must be allowed for specified Azure AD group to every workstation
- Default local build-in Administrator account on every workstation must have device specific random password with minimum of 12 characters and include special characters also
- Utilize cloud-based resources as much as possible for the platform. When possible, use PaaS resources.
- Get automatic updates to the platform
The Privilege Manager environment can be deployed to Microsoft's Azure PaaS platform. As the customer only has devices connected to Azure AD there is no need to communicate from PaaS platform to the customer's on-premises environment. So in this scenario Microsoft Azure PaaS platform can be utilized.
Actions for platform:
- If needed, create new Azure AD group for end users that currently has permanent admin privileges.
- If needed, create new dynamic Azure AD group for devices that automatically collects all Windows workstations as group members.
- If needed, create new Azure AD group for users that need to have permanent admin privileges to all workstations.
- Deploy two Azure App Service resources.
- Automate platform deployment.
- Following the instructions, send information that Azure AD group from step 1 needs to have permissions to use self-service with local user account.
Privilege Manager Configuration
Privilege Manager configuration is based on the managed rules created within the Privilege Manager Portal. Managed group rules are used to control local group memberships and managed user rules are used to control local user accounts. Local users can be defined to Privilege Manager to support randomized passwords or temporary admin elevation using local user account.
Managed group rules
Create the following managed group rules for the Azure AD group (Azure AD group that has all Windows workstations as members) and use group Administrators for all rules.
- Built-in Administrator
- Temporary Administrator
- Azure AD group: Users require permanent admin privileges to all workstations as members
Info: As Privilege Manager will start to manage the local group memberships for the groups where managed group rules exist, the existing members in these groups that do not have an active managed group rule will be removed from the local groups. Therefore, target 4 is fulfilled as there are no managed group rules for Azure AD roles.
NOTE: To fulfill targets, additional managed group rules for single devices can be created by IT support.
Managed user rules
Create the following managed group rules for the Azure AD group (Azure AD group that has all Windows workstations as members)
- For built-in Administrator, use Generate random password and save to database rule type.
- For Temporary Administrator, use Generate temporary user account that can be activated rule type.