Skip to main content
Version: 1.0.0

Task 01: PIM & Conditional Access

Runbook Azure

DOCUMENT CATEGORY: Runbook
SCOPE: Identity and privileged access management
PURPOSE: Configure just-in-time access controls and context-aware authentication policies for Azure Local administrators
MASTER REFERENCE: Microsoft Learn — Privileged Identity Management

Status: Active

This task configures Privileged Identity Management (PIM) for just-in-time privileged access and Entra ID Conditional Access policies for identity protection. Both controls reduce standing administrative privileges and enforce contextual access requirements across the Azure Local environment.

Task Classification

Execution Target: Azure-Only (Entra ID / Azure control-plane API operations) Tab Profile: 3 tabs — Azure Portal · Azure CLI / PowerShell · Standalone Script

License Requirement

Entra ID P2 (or Microsoft 365 E5) is required for PIM and risk-based Conditional Access policies. If these licenses are not available, this step is optional — document the decision and skip to Phase 01: Active Directory.

Overview

ComponentPurposeBenefit
PIM for Azure ResourcesJust-in-time privileged access to Azure subscriptionsEliminates standing Contributor/Owner assignments
PIM for Entra ID RolesJust-in-time access to directory admin rolesTime-bound Global Administrator access
Conditional AccessContext-aware access policiesMFA enforcement, legacy auth blocking
Break-Glass AccountsEmergency admin accessEnsures recoverability if CA locks out admins

Prerequisites

Before starting this task, ensure:

  • Phase 04 Complete — Azure management infrastructure deployed
  • Entra ID P2 License — Assigned to all administrators (required for PIM and risk-based CA)
  • Global Administrator or Privileged Role Administrator — To enable and configure PIM
  • Security Administrator — To create Conditional Access policies
  • Break-glass accounts created — Two cloud-only accounts excluded from all CA policies (see Break-Glass Accounts)

Part 1: Privileged Identity Management

Roles to Protect

RoleScopeMax ActivationRequire Approval
OwnerSubscription2 hoursYes
User Access AdministratorSubscription2 hoursYes
ContributorResource Group4 hoursNo
Key Vault AdministratorKey Vault4 hoursNo
Global AdministratorTenant2 hoursYes
Security AdministratorTenant4 hoursNo
Privileged Role AdministratorTenant2 hoursYes

Azure Portal

When to use: Initial PIM configuration — visual interface with full control over role settings and assignment details

Procedure

A. Enable PIM for Azure Resources

  1. Navigate to PIM:
  • In Azure Portal, search for Privileged Identity Management
  • Click Azure resources in the left menu
  • Click Discover resources
  1. Onboard Subscription:
  • Select your Azure Local subscription(s)
  • Click Manage resource
  • The subscription now appears managed under PIM
  1. Configure Role Settings — Contributor:
  • Click your subscription → Settings
  • Select the Contributor role → Edit
  • Configure:
SettingValue
Maximum activation duration4 hours
Require justification on activationYes
Require MFA on activationYes
Require approval to activateNo
  • Click Update
  1. Configure Role Settings — Owner:
  • Select the Owner role → Edit
  • Configure:
SettingValue
Maximum activation duration2 hours
Require justification on activationYes
Require MFA on activationYes
Require approval to activateYes
  • Under Require approval, add approvers (security lead or manager)
  • Click Update
  1. Add Eligible Assignments:
  • Click Assignments+ Add assignments
  • Role: Contributor
  • Members: Select your Azure Local administrators
  • Assignment type: Eligible
  • Duration: Permanent eligible (or time-bound as required)
  • Click Assign

B. Enable PIM for Entra ID Roles

  1. Navigate to PIM → Entra ID Roles:
  • In PIM, click Entra ID roles in the left menu
  1. Configure Role Settings — Global Administrator:
  • Click Settings → Select Global AdministratorEdit
  • Configure:
SettingValue
Maximum activation duration2 hours
Require justification on activationYes
Require MFA on activationYes
Require approval to activateYes
  • Add approvers → Click Update
  1. Add Eligible Assignments for Entra ID Roles:
  • Click Assignments+ Add assignments
  • Role: Global Administrator (or Security Administrator)
  • Members: Your Azure Local deployment engineers
  • Assignment type: Eligible
  • Click Assign

C. Activate a Privileged Role (User Experience)

  1. User navigates to Privileged Identity Management → My roles
  2. Click Azure resources (or Entra ID roles)
  3. Find the eligible role → click Activate
  4. Enter:
  • Reason: e.g., "Deploy Azure Local cluster node configuration"
  • Duration: Select time needed (up to configured maximum)
  1. Complete MFA challenge
  2. Wait for approval (if required)
  3. Role activates — automatically deactivates after duration

Validation

  • PIM enabled on Azure subscription(s)
  • Owner role: max 2 hours, approval required, MFA required
  • Contributor role: max 4 hours, justification required, MFA required
  • Global Administrator: max 2 hours, approval required, MFA required
  • Eligible assignments created for deployment team
  • Test activation succeeds end-to-end

Part 2: Conditional Access Policies

Policies to Create

Policy NameTargetConditionsControlMode
CA001-Require-MFA-AzureManagementAll usersAzure Management appRequire MFAReport-Only → On
CA002-Block-LegacyAuthAll usersLegacy auth protocolsBlockReport-Only → On
CA003-Require-MFA-PrivilegedRolesAdmin rolesAll appsRequire MFAReport-Only → On
Deploy in Report-Only First

All policies must be created in Report-Only mode initially. Monitor sign-in logs for at least 24 hours before switching to On. This prevents accidental lockout.

Azure Portal

When to use: Initial Conditional Access setup — visual interface with full policy review before enablement

Procedure

CA001 — Require MFA for Azure Management

  1. Navigate to Conditional Access:
  • Go to Microsoft Entra IDSecurityConditional Access
  • Click + Create new policy
  1. Configure the policy:
FieldValue
NameCA001-Require-MFA-AzureManagement
UsersAll users — exclude break-glass accounts
Cloud appsMicrosoft Azure Management (app ID: 797f4846-ba00-4fd7-ba43-dac1f8f63013)
GrantRequire multi-factor authentication
Enable policyReport-only
  1. Click Create

CA002 — Block Legacy Authentication

  1. Click + Create new policy

  2. Set:

FieldValue
NameCA002-Block-LegacyAuth
UsersAll users — exclude break-glass accounts
Cloud appsAll cloud apps
Conditions → Client appsExchange ActiveSync + Other clients
GrantBlock access
Enable policyReport-only
  1. Click Create

CA003 — Require MFA for Privileged Roles

  1. Click + Create new policy

  2. Set:

FieldValue
NameCA003-Require-MFA-PrivilegedRoles
UsersDirectory roles: Global Administrator, Security Administrator, Privileged Role Administrator, User Administrator
Cloud appsAll cloud apps
GrantRequire multi-factor authentication
Enable policyReport-only
  1. Click Create

Promote to Enforced

After 24–48 hours in report-only, review the Conditional Access Insights workbook:

  • Confirm break-glass accounts are excluded
  • Confirm no legitimate users are unexpectedly blocked
  • For each policy: Edit → Change Enable policy to OnSave

Validation

  • CA001 in Report-Only, targeting Azure Management app
  • CA002 in Report-Only, targeting legacy auth protocols
  • CA003 in Report-Only, targeting privileged directory roles
  • Break-glass accounts excluded from all three policies
  • No unintended blockages in sign-in log review

Break-Glass Accounts

Critical — Configure Before Enabling CA Policies

Two permanently-exempt emergency access accounts are mandatory before any Conditional Access policy is enabled for enforcement. Failure to configure these can result in a complete tenant lockout.

Required Configuration

SettingValue
CountMinimum 2 accounts
Account typeCloud-only (not federated, not synced from on-prem AD)
Username formatbreakglass01@{tenant}.onmicrosoft.com
MFA methodHardware FIDO2 key — stored in physical safe
Password30+ character random, stored in physical safe
Conditional AccessExcluded from all policies by object ID
PIMNot enrolled — permanent Global Administrator
UsageEmergency only, every use generates alert

Break-Glass Account Checklist

  • Two cloud-only accounts created in {tenant}.onmicrosoft.com
  • Permanent Global Administrator role assigned (not eligible — PIM excluded)
  • Passwords stored offline (safe or sealed envelope)
  • FIDO2 key registered (stored separately from password)
  • Object IDs documented in variables.yml under identity.break_glass_account_ids
  • Excluded from CA001, CA002, CA003 by object ID
  • Alert configured: trigger on any sign-in from either account
  • Access review procedure documented (test annually)

Validation

Verify PIM

Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "PrivilegedAccess.Read.AzureResources"

# List eligible assignments
Get-MgRoleManagementDirectoryRoleEligibilitySchedule -All |
 Select-Object PrincipalId, RoleDefinitionId, Status, StartDateTime, EndDateTime |
 Format-Table -AutoSize

Expected: Deployment team members appear as eligible for Contributor and/or Global Administrator with Status = Provisioned.

Verify Conditional Access

Connect-MgGraph -Scopes "Policy.Read.ConditionalAccess"

Get-MgIdentityConditionalAccessPolicy -All |
 Where-Object { $_.DisplayName -match "^CA0" } |
 Select-Object DisplayName, State |
 Format-Table -AutoSize

Expected:

DisplayNameState
CA001-Require-MFA-AzureManagementenabledForReportingButNotEnforced
CA002-Block-LegacyAuthenabledForReportingButNotEnforced
CA003-Require-MFA-PrivilegedRolesenabledForReportingButNotEnforced

Variables from variables.yml

VariableConfig PathExample
PIM Role Definitionsazure.identity.pim.rolesOwner, Contributor
Conditional Access Policyazure.identity.conditional_access.policyrequire-mfa-admins
Eligible Durationazure.identity.pim.eligible_duration_hours8

Troubleshooting

IssueProbable CauseResolution
PIM activation fails — MFA prompt not appearingUser not MFA-registeredRegister user for MFA via Entra ID → Security → MFA
PIM activation fails — approval timeoutNo approvers configured or approvers unavailableCheck approver list in PIM role settings; add secondary approvers
CA policy blocks break-glass accountAccount not excluded by object IDEdit policy — exclude by object ID, not by group or UPN
Legacy auth policy blocks service accountsService account using basic authExclude specific service accounts or use modern auth alternative
Graph API 403 Forbidden when creating CA policiesMissing Policy.ReadWrite.ConditionalAccess scopeRe-connect with correct scopes

Phase Exit Criteria

Complete this checklist before proceeding to on-premises readiness:

  • PIM enabled on Azure subscription(s) — Owner, Contributor, UAA configured
  • PIM enabled for Entra ID roles — Global Administrator, Security Administrator configured
  • Eligible assignments created for deployment team
  • Two break-glass accounts created, documented, and tested
  • CA001, CA002, CA003 created in Report-Only mode
  • Sign-in logs reviewed — no unexpected impact identified
  • CA policies promoted to On (after 24–48 hour review period)
Toolkit Reference

Scripts for this task are located in the azurelocal-toolkit repository under scripts/deploy/ in the appropriate task folder.

Alternatives

The procedures in this task use the scripted methods shown in the tabs above. Additional deployment methods including Azure CLI and Bash scripts are available in the azurelocal-toolkit repository under scripts/deploy/.

MethodDescription
Azure CLIPowerShell-based Azure CLI scripts for Azure resource operations
BashLinux/macOS compatible shell scripts for pipeline environments
PreviousUpNext
Phase 04: Azure Management InfrastructurePhase 05 IndexPhase 01: Active Directory

Version Control

  • Created: 2025-09-15 by Azure Local Cloud
  • Last Updated: 2026-03-03 by Azure Local Cloud
  • Version: 4.0.0
  • Tags: azure-local, pim, conditional-access, identity, entra-id, security
  • Keywords: PIM, Privileged Identity Management, Conditional Access, Entra ID, MFA, just-in-time, break-glass, JIT
  • Author: Azure Local Cloud

Version Control

VersionDateAuthorChanges
1.0.02025-03-25Azure Local CloudInitial release