Phase 05: Identity & Access Management
DOCUMENT CATEGORY: Runbook
SCOPE: Identity and privileged access management
PURPOSE: Configure just-in-time access controls and context-aware authentication policies
MASTER REFERENCE: Microsoft Learn — Privileged Identity Management
Status: Active
This phase configures Privileged Identity Management (PIM) and Conditional Access policies to protect administrative access to your Azure Local deployment. Together these controls remove standing privileges and enforce context-aware authentication requirements.
Defender for Cloud, Azure Policy, Security Baselines, and Data Collection Rules are configured in Part 6: Operational Foundations (after cluster deployment, when Arc-enabled servers exist).
Entra ID P2 (or Microsoft 365 E5) is required for PIM and risk-based Conditional Access. If unavailable, this phase is optional — document the decision and proceed to on-premises readiness.
Overview
| Component | Purpose | Azure Resource |
|---|---|---|
| PIM for Azure Resources | Just-in-time privileged access to subscriptions | Privileged Identity Management |
| PIM for Entra ID Roles | Just-in-time access to directory admin roles | Privileged Identity Management |
| Conditional Access | Context-aware MFA and legacy auth controls | Entra ID Conditional Access |
| Break-Glass Accounts | Emergency access — excluded from all CA policies | Entra ID |
Prerequisites
Before starting this phase, ensure:
- ✅ Phase 04 Complete — Azure management infrastructure deployed
- ✅ Entra ID P2 License — Assigned to all administrators
- ✅ Global Administrator or Privileged Role Administrator — To configure PIM
- ✅ Security Administrator — To create Conditional Access policies
Deployment Steps
| Step | Component | Description | Estimated Time |
|---|---|---|---|
| 1 | PIM & Conditional Access | Configure just-in-time access, break-glass accounts, and CA policies | 45–60 min |
Phase Exit Criteria
After completing Step 1, verify:
- PIM enabled for Azure subscription roles (Owner, Contributor, User Access Administrator)
- PIM enabled for Entra ID roles (Global Administrator, Security Administrator, Privileged Role Administrator)
- Eligible assignments configured for the deployment team
- Two break-glass accounts created, documented, and excluded from all CA policies
- CA001, CA002, CA003 in Report-Only mode, reviewed, and promoted to On
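The following script is an added verification aid for the Conditional Access exit criteria above; it is not part of the runbook or of the referenced Microsoft Learn material. It uses the Microsoft Graph PowerShell SDK and assumes the two break-glass user principal names, the tenant domain, and the CA001–CA003 display-name prefixes shown are placeholders to be replaced with your own.

```powershell
# Added verification script for this phase's exit criteria (not from the runbook).
# Assumes the Microsoft.Graph PowerShell SDK is installed and the caller can consent
# to Policy.Read.All and User.Read.All. UPNs and policy-name prefixes are placeholders.

$BreakGlassUpns = @(
    'breakglass01@contoso.onmicrosoft.com',   # placeholder
    'breakglass02@contoso.onmicrosoft.com'    # placeholder
)
$RequiredPolicies = @('CA001', 'CA002', 'CA003')

Connect-MgGraph -Scopes 'Policy.Read.All', 'User.Read.All'

# Resolve break-glass object IDs: CA exclusions are stored by object ID, not by UPN.
$breakGlassIds = @{}
foreach ($upn in $BreakGlassUpns) {
    $user = Get-MgUser -UserId $upn -Property Id, UserPrincipalName -ErrorAction Stop
    $breakGlassIds[$user.Id] = $upn
}

$policies = Get-MgIdentityConditionalAccessPolicy -All
$findings = [System.Collections.Generic.List[string]]::new()

# Exit criterion: every CA policy (any state) must exclude both break-glass accounts.
foreach ($policy in $policies) {
    $excluded = @($policy.Conditions.Users.ExcludeUsers)
    foreach ($id in $breakGlassIds.Keys) {
        if ($excluded -notcontains $id) {
            $findings.Add("Policy '$($policy.DisplayName)' does not exclude $($breakGlassIds[$id])")
        }
    }
}

# Exit criterion: CA001-CA003 exist and were promoted from Report-Only to On.
# Graph reports Report-Only as 'enabledForReportingButNotEnforced'.
foreach ($name in $RequiredPolicies) {
    $match = $policies | Where-Object { $_.DisplayName -like "$name*" } | Select-Object -First 1
    if (-not $match) {
        $findings.Add("Policy $name not found")
    }
    elseif ($match.State -ne 'enabled') {
        $findings.Add("Policy $name is in state '$($match.State)', expected 'enabled'")
    }
}

if ($findings.Count -eq 0) { 'All Conditional Access exit criteria verified.' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

Run it after promoting the policies to On; any warning indicates an exit criterion that is not yet met.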
Related Documentation
- Microsoft Learn — Privileged Identity Management
- Microsoft Learn — Conditional Access: Common Policies
- Microsoft Learn — Emergency Access (Break-Glass) Accounts
Next Steps
After completing this phase, proceed to on-premises readiness to prepare Active Directory and network infrastructure.
Next Phase: Part 3 — Phase 01: Active Directory