Azure AD Privileged Identity Management
Question
We are planning to use AD PIM for managing access to Azure resources and wanted to know what the best practice is for handling the break-glass scenario, so that if PIM role activation is not working, I can still access my resources.
Scenario
1. I don't have AD tenant admin permission.
2. I am a subscription owner and want to control access to Azure resources in my subscription only.
3. I am planning to remove all users/groups from my subscription Owner group.
4. Create a PIM assignment for a group for the Owner role on my subscription, so that when needed, people in the group can activate the role and be Owner for the subscription.
5. My question is that since in step 3 I have removed all owners from the subscription, if for some reason PIM activation is not working, how will I access my resources? Or am I supposed to leave some group/user as permanent Owner for the subscription (which defeats the purpose of having JIT access)?
Thanks
Answer
The recommendation is to have a permanently assigned GA account (or two): https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-emergency-access#create-two-cloud-based-emergency-access-accounts
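The check a practitioner would want after carrying out steps 3 and 4 of the question and the answer's advice, as an added example that is not part of the original post or of the linked Microsoft documentation: a Python script that reads the subscription's role assignment schedules from the PIM for Azure resources API (`roleAssignmentSchedules`, api-version 2020-10-01, retrieved with `az rest`) and confirms that the only permanent, direct Owner assignments on the subscription are the designated emergency-access accounts, while everything else (the admin group) is only eligible or temporarily activated. It also builds the request body for step 4's eligibility assignment (`roleEligibilityScheduleRequests`). The response field names are assumed to match that API, the Owner role definition GUID is the built-in one, and the subscription ID, principal IDs and sample schedules are constructed placeholders.

```python
"""Break-glass audit for a PIM-protected Azure subscription (added example, not the post's code).

Checks that the only permanent, direct Owner assignments on the subscription belong to the
emergency-access accounts, and that the PIM group holds no standing Owner access.
"""
import json
import subprocess
import sys
from datetime import datetime, timezone

API_VERSION = "2020-10-01"                              # PIM for Azure resources API version
OWNER_ROLE_ID = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"  # built-in Owner role definition GUID


def fetch_schedules(subscription_id):
    """Fetch live schedules through a logged-in Azure CLI (`az rest`); not used by the offline sample."""
    url = (f"https://management.azure.com/subscriptions/{subscription_id}/providers/"
           f"Microsoft.Authorization/roleAssignmentSchedules?api-version={API_VERSION}")
    out = subprocess.run(["az", "rest", "--method", "get", "--url", url],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)["value"]


def permanent_owners(schedules, subscription_id):
    """Schedules that grant Owner at subscription scope permanently and directly.

    A PIM activation appears as assignmentType "Activated" with an endDateTime,
    so it never counts as break-glass coverage (field names assumed from the API)."""
    scope = f"/subscriptions/{subscription_id}".lower()
    hits = []
    for sched in schedules:
        p = sched["properties"]
        if p["scope"].lower() != scope:
            continue                                   # resource-group or resource scope
        if not p["roleDefinitionId"].lower().endswith(OWNER_ROLE_ID):
            continue                                   # some other role
        if p.get("assignmentType") != "Assigned":
            continue                                   # "Activated" = JIT, will expire
        if p.get("endDateTime") is not None:
            continue                                   # time-bound assignment
        if p.get("memberType") != "Direct":
            continue                                   # inherited from a management group
        hits.append(p)
    return hits


def audit_break_glass(schedules, subscription_id, break_glass_ids, min_accounts=2):
    """Findings: are all break-glass accounts permanent Owners, and is nobody else?"""
    permanent = {p["principalId"] for p in permanent_owners(schedules, subscription_id)}
    wanted = set(break_glass_ids)
    present = sorted(wanted & permanent)
    missing = sorted(wanted - permanent)
    unexpected = sorted(permanent - wanted)            # leftover standing Owners defeat JIT
    return {
        "ok": not missing and not unexpected and len(present) >= min_accounts,
        "present": present,
        "missing": missing,
        "unexpected_permanent": unexpected,
    }


def eligibility_request_body(group_object_id, subscription_id):
    """Body for PUT {scope}/providers/Microsoft.Authorization/roleEligibilityScheduleRequests/{new-guid}
    ?api-version=2020-10-01: makes the group *eligible* for Owner (members activate via PIM)."""
    return {"properties": {
        "principalId": group_object_id,
        "roleDefinitionId": (f"/subscriptions/{subscription_id}/providers/"
                             f"Microsoft.Authorization/roleDefinitions/{OWNER_ROLE_ID}"),
        "requestType": "AdminAssign",
        "scheduleInfo": {
            "startDateTime": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "expiration": {"type": "NoExpiration"},    # the eligibility itself does not expire
        },
        "justification": "Owner eligibility for the subscription admins group",
    }}


# ---- constructed sample: subscription and principal IDs are placeholders, not real tenants ----
SUB = "11111111-1111-1111-1111-111111111111"
BREAK_GLASS = ["bg-user-1", "bg-user-2"]


def _sched(principal, ptype, atype, member="Direct", end=None, scope=None, role=OWNER_ROLE_ID):
    return {"properties": {
        "scope": scope or f"/subscriptions/{SUB}",
        "roleDefinitionId": f"/subscriptions/{SUB}/providers/Microsoft.Authorization/roleDefinitions/{role}",
        "principalId": principal, "principalType": ptype,
        "assignmentType": atype, "memberType": member, "endDateTime": end}}


SAMPLE = [
    _sched("bg-user-1", "User", "Assigned"),                           # emergency account, permanent
    _sched("bg-user-2", "User", "Assigned"),                           # second emergency account
    _sched("pim-owners-group", "Group", "Activated", end="2024-01-01T10:00:00Z"),  # JIT activation
    _sched("legacy-admins-group", "Group", "Assigned"),                # forgotten standing Owner
    _sched("dave", "User", "Assigned", end="2024-12-31T00:00:00Z"),    # time-bound, not break-glass
    _sched("erin", "User", "Assigned", scope=f"/subscriptions/{SUB}/resourceGroups/rg1"),
    _sched("frank", "User", "Assigned", role="acdd72a7-3385-48ef-bd42-f606fba81ae7"),  # Reader
]

if __name__ == "__main__":
    live = len(sys.argv) > 2 and sys.argv[1] == "--live"
    sub = sys.argv[2] if live else SUB
    data = fetch_schedules(sub) if live else SAMPLE
    print(json.dumps(audit_break_glass(data, sub, BREAK_GLASS), indent=2))
```

Run as-is to audit the constructed sample (it reports `legacy-admins-group` as an unexpected permanent Owner, so `ok` is false); `python audit.py --live <subscription-id>` audits a real subscription through the Azure CLI. The permanent, direct assignment is exactly what keeps the emergency accounts usable when PIM activation fails, which is why the check treats an activated or time-bound assignment as no coverage at all.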