Azure AD Privileged Identity Management


Question

We are planning to use AD PIM for managing access to Azure resources and wanted to know what the best practice is for handling the break-glass scenario, so that if PIM role activation is not working, I can still access my resources.

Scenario

1. I don't have AD tenant Admin permission.

2. I am a Subscription Owner and want to control access to Azure resources in my subscription only.

3. I am planning to remove all users/groups from my subscription's Owner role.

4. Create a PIM assignment for a group for the Owner role on my subscription, so that when needed, people in the group can activate the role and be Owner of the subscription.

5. My question is that since in step 3 I have removed all owners from the subscription, if for some reason PIM activation is not working, how will I access my resources? Or am I supposed to leave some group/user as a permanent Owner of the subscription (which defeats the purpose of having JIT access)?

Thanks

Answer

The recommendation is to have a permanently assigned GA account (or two): https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-emergency-access#create-two-cloud-based-emergency-access-accounts
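The answer resolves the poster's step 5: a small number of standing emergency-access accounts stay permanently assigned, and everyone else goes through PIM. The invariant a subscription owner then wants to verify regularly is "only the designated break-glass principals hold Owner permanently, and there is still an eligible path for day-to-day work". The script below is an added example, not code from the question, the answer or Microsoft; it assumes role-assignment records with a `principal`, `role`, `scope` and an `assignment_type` of `Permanent` or `Eligible` (PIM eligibility would have to be pulled separately in a real environment; here the records, the subscription id and the account names are constructed), and it models only subscription-scope and tenant-root assignments, not management-group inheritance.

```python
from dataclasses import dataclass
from typing import Iterable, List, Set


@dataclass(frozen=True)
class RoleAssignment:
    """One Azure RBAC assignment record (field shape assumed for this example)."""
    principal: str        # UPN of a user or the display name of a group
    role: str             # built-in role name, e.g. "Owner"
    scope: str            # "/" for the tenant root, or "/subscriptions/<id>"
    assignment_type: str  # "Permanent" (active, no expiry) or "Eligible" (PIM, needs activation)


# Placeholder subscription id and constructed account names; replace with your own.
SUBSCRIPTION_SCOPE = "/subscriptions/00000000-0000-0000-0000-000000000000"
BREAK_GLASS_ACCOUNTS = {"breakglass1@contoso.example", "breakglass2@contoso.example"}

# Constructed sample data matching the poster's plan (steps 3 and 4) plus the
# answer's advice: standing emergency-access accounts, PIM for everyone else.
COMPLIANT_ASSIGNMENTS = [
    RoleAssignment("breakglass1@contoso.example", "Owner", SUBSCRIPTION_SCOPE, "Permanent"),
    RoleAssignment("breakglass2@contoso.example", "Owner", SUBSCRIPTION_SCOPE, "Permanent"),
    RoleAssignment("sub-owners-pim", "Owner", SUBSCRIPTION_SCOPE, "Eligible"),
    RoleAssignment("alice@contoso.example", "Reader", SUBSCRIPTION_SCOPE, "Permanent"),
]

# The same layout after someone was added as a standing Owner outside the process.
DRIFTED_ASSIGNMENTS = COMPLIANT_ASSIGNMENTS + [
    RoleAssignment("bob@contoso.example", "Owner", SUBSCRIPTION_SCOPE, "Permanent"),
]


def _covers(assignment_scope: str, target_scope: str) -> bool:
    """True if an assignment at assignment_scope applies to target_scope.

    Only an exact match and tenant-root inheritance are modelled here;
    management-group inheritance is deliberately out of scope.
    """
    return assignment_scope == "/" or assignment_scope == target_scope


def audit_owner_assignments(assignments: Iterable[RoleAssignment],
                            scope: str,
                            break_glass: Set[str]) -> List[str]:
    """Return policy findings for the Owner role at `scope`; an empty list means the layout is as intended."""
    owners = [a for a in assignments if a.role == "Owner" and _covers(a.scope, scope)]
    permanent = {a.principal for a in owners if a.assignment_type == "Permanent"}
    eligible = {a.principal for a in owners if a.assignment_type == "Eligible"}
    findings: List[str] = []

    # 1. Every break-glass account must be a standing Owner, otherwise a PIM
    #    outage locks everyone out (the poster's concern in step 5).
    for account in sorted(break_glass):
        if account not in permanent:
            findings.append(f"break-glass account {account} has no permanent Owner assignment at {scope}")

    # 2. Nobody else may hold Owner permanently; everyone else activates through PIM.
    for principal in sorted(permanent - break_glass):
        findings.append(f"{principal} holds Owner permanently but is not a designated break-glass account")

    # 3. Break-glass accounts are for emergencies only, so routine work needs an eligible path.
    if not eligible:
        findings.append(f"no PIM-eligible Owner assignment at {scope}; routine administration would require break-glass use")

    return findings


if __name__ == "__main__":
    for label, data in (("compliant", COMPLIANT_ASSIGNMENTS), ("drifted", DRIFTED_ASSIGNMENTS)):
        result = audit_owner_assignments(data, SUBSCRIPTION_SCOPE, BREAK_GLASS_ACCOUNTS)
        print(f"{label}: {'OK' if not result else result}")
```

Run on a schedule against exported assignments, any non-empty result is a drift to investigate: a missing break-glass assignment means the outage scenario in step 5 is unprotected, and an extra permanent Owner means JIT is being bypassed.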

