1. Introduction
This article aims to educate insider threat investigation teams on Entra ID Privileged Identity Management (PIM), just-in-time privileged access, and Entra ID roles that enable access to key resources or actions required for common insider threat/event investigations.
Microsoft may change the information in this article at any time; efforts will be made to keep it accurate.
2. What is Just-in-Time Privileged Access?
Just-in-time (JIT) privileged access is a Privileged Identity Management (PIM) concept that minimizes the risk of unauthorized access and reduces the attack surface by granting elevated access only when needed and for the duration required. PIM is highly relevant for insider threat programs, as it reduces the attack surface by limiting persistent access and supports forensic investigation with detailed logs of privilege use.
3. Entra ID Privileged Identity Management
Entra ID Privileged Identity Management (PIM) is a Microsoft Azure service that helps organizations manage, control, and monitor access to important resources in Entra ID (formerly Azure Active Directory), especially those requiring elevated or privileged permissions.
3.1. Key Capabilities
- Just-in-Time Access (JIT): grants users temporary privileged access to resources only when needed, reducing standing administrative rights.
- Approval Workflow: requires designated approvers to authorize activation of privileged roles, adding an extra layer of control.
- Access Reviews: periodically review who holds privileged roles and whether access is still needed, supporting compliance and cleanup.
- Audit and Alerts: logs all PIM activities and can alert security teams to unusual behavior or risky role assignments.
- Time-Bound Assignments: assigns roles with an expiration date, ensuring access rights are automatically revoked after a set time.
- Role Activation with MFA: requires multi-factor authentication before privileged roles can be activated, enhancing security.
Entra built-in roles can be attached to a user account in one of two ways:
- Eligible Role: the user can request access to the role via PIM and holds its permissions only once it is activated.
- Active Role: the user always holds the role and its permissions.
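To make the eligible-role concept concrete, here is an added example, not part of the original article and not Microsoft's code: a Python helper that builds the Microsoft Graph roleAssignmentScheduleRequest body an investigator's tooling would submit to self-activate an eligible role for a bounded time with a justification, and a small function that posts it. The principal and role definition ids are placeholders, the eight-hour cap and the "CaseTracker" ticket system name are constructed policy values, and the submit helper assumes a bearer token obtained elsewhere.

```python
"""Build and submit a PIM self-activation request for an eligible Entra ID role.

Added example for this article, not Microsoft's code. The request body follows the
Microsoft Graph roleAssignmentScheduleRequest resource; ids used here are placeholders.
"""
import json
from datetime import datetime, timezone
from typing import Optional
from urllib import request

GRAPH_ENDPOINT = (
    "https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignmentScheduleRequests"
)

# Constructed policy value: the longest activation the role's PIM policy allows.
MAX_ACTIVATION_HOURS = 8


def build_self_activation(
    principal_id: str,
    role_definition_id: str,
    justification: str,
    hours: int,
    ticket_number: Optional[str] = None,
    start: Optional[datetime] = None,
) -> dict:
    """Return the JSON body for a time-bound, justified self-activation of an eligible role."""
    if not justification.strip():
        raise ValueError("PIM activation requires a justification")
    if not 0 < hours <= MAX_ACTIVATION_HOURS:
        raise ValueError(f"activation must be between 1 and {MAX_ACTIVATION_HOURS} hours")
    start = start or datetime.now(timezone.utc)
    body = {
        "action": "selfActivate",  # the user elevates their own eligible assignment
        "principalId": principal_id,  # object id of the investigator's account
        "roleDefinitionId": role_definition_id,
        "directoryScopeId": "/",  # tenant-wide scope
        "justification": justification,
        "scheduleInfo": {
            "startDateTime": start.strftime("%Y-%m-%dT%H:%M:%SZ"),
            # AfterDuration makes PIM revoke the role automatically when the window ends.
            "expiration": {"type": "AfterDuration", "duration": f"PT{hours}H"},
        },
    }
    if ticket_number:
        # Ties the activation to a case id so the PIM audit log carries the reference.
        # "CaseTracker" is a constructed ticket system name.
        body["ticketInfo"] = {"ticketNumber": ticket_number, "ticketSystem": "CaseTracker"}
    return body


def submit_activation(body: dict, access_token: str) -> dict:
    """POST the request to Graph; the token needs RoleAssignmentSchedule.ReadWrite.Directory."""
    req = request.Request(
        GRAPH_ENDPOINT,
        data=json.dumps(body).encode("utf-8"),
        method="POST",
        headers={"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"},
    )
    with request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholder ids; replace with the real object id and role definition id.
    body = build_self_activation(
        principal_id="<investigator-object-id>",
        role_definition_id="<security-reader-role-definition-id>",
        justification="Case INV-0001: review sign-in logs for subject account",
        hours=2,
        ticket_number="INV-0001",
    )
    print(json.dumps(body, indent=2))
```

The validation at the top is the point: a justification is mandatory and the expiration is always AfterDuration with a bounded window, so the activation is self-revoking and the PIM audit log records who asked for what, why, and for how long.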
4. Entra ID Roles For Investigators
The following is a list of Entra ID roles that investigators may find useful to hold as eligible roles, activated through PIM when required, together with related use cases and justification.
4.1. Teams Communications Support Engineer
| Microsoft Documentation | Use Case | Justification |
|---|---|---|
| | Investigation - Review Microsoft Teams calls/meetings. | These logs include key information such as meeting or call ID, start time, duration, and participants. The purpose of this information is to assist with troubleshooting meeting or call issues; however, investigators can use it to determine when user accounts have participated in meetings or calls. ITM: Microsoft Teams Admin Center Meeting and Call History (DT107) |
4.2. Password Administrator
| Microsoft Documentation | Use Case | Justification |
|---|---|---|
| | Containment - User account containment. | This role allows the investigator to reset the password for a user as a containment measure, preventing access to the account (for a better containment measure, review the User Administrator justification). |
4.3. Privileged Role Administrator
| Microsoft Documentation | Use Case | Justification |
|---|---|---|
| | Investigation - Review PIM audit logs. | This role allows the investigator to review the resource audit log for PIM, identifying eligible role elevations to gather information such as the requesting user, subject user, action, domain, and primary target (role assigned/removed). ITM: Microsoft Entra ID Privileged Identity Management Resource Audit (DT106) |
4.4. Directory Readers
| Microsoft Documentation | Use Case | Justification |
|---|---|---|
| | Investigation - Review domain-joined devices. | This role allows the investigator to review the Devices page within Entra ID, providing information such as hostnames, the assigned user, whether the device is compliant, and last activity timestamps. |
4.5. Cloud Device Administrator
| Microsoft Documentation | Use Case | Justification |
|---|---|---|
| | Containment - Disable a domain-joined device. | This role allows the investigator to disable a domain-joined device, preventing it from authenticating to Entra ID, so user accounts cannot sign in to Microsoft 365 or other cloud apps. |
4.6. Entra Domain Joined Local Administrator
| Microsoft Documentation | Use Case | Justification |
|---|---|---|
| | Preparation/Investigation - Installing and running local forensic tooling. | Some tools used by investigators may require local administrator privileges to install or run, requiring this level of access to operate as intended. |
4.7. Security Reader
| Microsoft Documentation | Use Case | Justification |
|---|---|---|
| | Investigation - Retrieve BitLocker keys. | When conducting deadbox forensics where a device is encrypted via BitLocker, the key is required to decrypt the device, allowing for proper forensic examination. |
| | Investigation - Review Entra Privileged Identity Management audit activity. | This role allows the investigator to review the resource audit log for PIM, identifying eligible role elevations to gather information such as the requesting user, subject user, action, domain, and primary target (role assigned/removed). ITM: Microsoft Entra ID Privileged Identity Management Resource Audit (DT106) |
| | Investigation - Review Microsoft Defender portals. | This role grants view-only access to Microsoft Defender portals, including security alerts and incidents, and can help correlate security signals with insider threat activity (e.g., risky sign-ins, malware alerts). |
| | Investigation - Review Entra ID sign-in logs. | This role allows the investigator to review sign-in logs for a user account within the Entra ID portal, gathering information such as the target application, IP address, location, and whether any conditional access policies were applied to the session. This is useful to correlate user authentication across Microsoft products. |
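The PIM resource audit review described under both Privileged Role Administrator and Security Reader (requesting user, subject user, action, domain, primary target) can also be done over an export rather than in the portal. The following is an added example, not part of the original article and not Microsoft's code: it reads directory audit records shaped like the Microsoft Graph auditLogs/directoryAudits resource, keeps only PIM role-management events, and produces the fields above plus two flags an investigator usually wants (assignments made by someone other than the subject, and failed activation attempts). All records, names, addresses and activity strings are constructed sample data; the assumption that PIM events carry loggedByService "PIM" and category "RoleManagement" is labelled in the code.

```python
"""Summarize PIM role elevations from exported Entra ID directory audit records.

Added example for this article, not Microsoft's code. Record shape follows the Microsoft
Graph auditLogs/directoryAudits resource (initiatedBy, targetResources, activityDisplayName,
loggedByService); every value below is constructed sample data.
"""
import json
from collections import Counter

SAMPLE_AUDIT_JSON = r'''[
 {"id": "evt-1", "category": "RoleManagement", "loggedByService": "PIM", "result": "success",
  "activityDisplayName": "Add member to role completed (PIM activation)",
  "activityDateTime": "2024-05-01T09:12:44Z",
  "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.10"}},
  "targetResources": [{"type": "User", "userPrincipalName": "alice@contoso.example"},
                      {"type": "Role", "displayName": "Security Reader"}]},
 {"id": "evt-2", "category": "RoleManagement", "loggedByService": "PIM", "result": "success",
  "activityDisplayName": "Add eligible member to role completed (permanent)",
  "activityDateTime": "2024-05-01T10:03:01Z",
  "initiatedBy": {"user": {"userPrincipalName": "bob@contoso.example", "ipAddress": "203.0.113.11"}},
  "targetResources": [{"type": "User", "userPrincipalName": "carol@contoso.example"},
                      {"type": "Role", "displayName": "Exchange Administrator"}]},
 {"id": "evt-3", "category": "RoleManagement", "loggedByService": "PIM", "result": "failure",
  "activityDisplayName": "Add member to role requested (PIM activation)",
  "activityDateTime": "2024-05-01T22:41:09Z",
  "initiatedBy": {"user": {"userPrincipalName": "carol@contoso.example", "ipAddress": "198.51.100.7"}},
  "targetResources": [{"type": "User", "userPrincipalName": "carol@contoso.example"},
                      {"type": "Role", "displayName": "User Administrator"}]},
 {"id": "evt-4", "category": "UserManagement", "loggedByService": "Core Directory", "result": "success",
  "activityDisplayName": "Update user", "activityDateTime": "2024-05-01T11:00:00Z",
  "initiatedBy": {"user": {"userPrincipalName": "bob@contoso.example"}},
  "targetResources": [{"type": "User", "userPrincipalName": "dave@contoso.example"}]}
]'''


def load_records(text: str) -> list:
    """Parse an exported JSON array of directoryAudit records."""
    return json.loads(text)


def _targets_of_type(rec: dict, rtype: str) -> list:
    return [t for t in rec.get("targetResources", []) if t.get("type") == rtype]


def summarize_elevation(rec: dict) -> dict:
    """Map one audit record onto the fields the article lists for a PIM audit review."""
    initiator = (rec.get("initiatedBy") or {}).get("user") or {}
    users = _targets_of_type(rec, "User")
    roles = _targets_of_type(rec, "Role")
    subject = users[0].get("userPrincipalName", "") if users else ""
    return {
        "timestamp": rec.get("activityDateTime", ""),
        "requesting_user": initiator.get("userPrincipalName", ""),
        "requesting_ip": initiator.get("ipAddress", ""),
        "subject_user": subject,
        "action": rec.get("activityDisplayName", ""),
        "domain": subject.split("@", 1)[1] if "@" in subject else "",  # domain of the subject UPN
        "primary_target": roles[0].get("displayName", "") if roles else "",  # role assigned/removed
        "result": rec.get("result", ""),
    }


def pim_elevations(records: list, subject_user: str = None) -> list:
    """Keep PIM role-management events, optionally only those about one subject account."""
    out = []
    for rec in records:
        # Assumption: PIM-originated role changes carry these two markers.
        if rec.get("loggedByService") != "PIM" or rec.get("category") != "RoleManagement":
            continue
        summary = summarize_elevation(rec)
        if subject_user and summary["subject_user"].lower() != subject_user.lower():
            continue
        out.append(summary)
    return out


def findings(records: list) -> list:
    """Flag failed attempts and elevations granted by someone other than the subject."""
    flags = []
    for s in pim_elevations(records):
        if s["result"] != "success":
            flags.append(("failed", s))
        elif s["requesting_user"] and s["requesting_user"].lower() != s["subject_user"].lower():
            flags.append(("assigned_by_other", s))
    return flags


def roles_by_user(records: list) -> dict:
    """Count successful role grants per subject account, keyed by role name."""
    by_user = {}
    for s in pim_elevations(records):
        if s["result"] == "success":
            by_user.setdefault(s["subject_user"], Counter())[s["primary_target"]] += 1
    return by_user


if __name__ == "__main__":
    recs = load_records(SAMPLE_AUDIT_JSON)
    for kind, s in findings(recs):
        print(f"{kind}: {s['timestamp']} {s['requesting_user']} -> {s['subject_user']} "
              f"{s['action']} [{s['primary_target']}]")
```

Filtering on the subject account rather than the initiator matters: in the constructed data, Carol's Exchange Administrator eligibility was granted by Bob, so a search keyed on Carol as initiator would miss it.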
4.8. User Administrator
| Microsoft Documentation | Use Case | Justification |
|---|---|---|
| | Containment - Disable a user account to prevent access. | Disabling the account is a more effective containment measure than simply resetting its password: depending on how the organization has configured the password reset journey, a reset may not permanently deny access to the account, whereas a disabled account cannot be accessed until it is re-enabled. |
4.9. Exchange Administrator
| Microsoft Documentation | Use Case | Justification |
|---|---|---|
| | Investigation - Conducting message trace searches. | Message trace searches enable an investigator to analyze inbound and outbound email activity, and are highly configurable with filters and parameters. |
| | Investigation - Reviewing mail flow reports. | The default mail flow report 'Auto forwarded messages report' provides information about internal mailboxes automatically forwarding emails to external domains. ITM: Microsoft Exchange, Auto Forwarded Message Report (DT145) |