Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Microsoft Purview Privileged Access Management provides granular access control over privileged admin tasks in Office 365. It helps protect your organization from breaches that use existing privileged admin accounts with standing access to sensitive data or access to critical configuration settings. Privileged access management requires users to request just-in-time access to complete elevated and privileged tasks through a highly scoped and time-bounded approval workflow. This configuration gives users just-enough-access to perform the task at hand, without risking exposure of sensitive data or critical configuration settings. When you enable privileged access management, your organization operates with zero standing privileges and provides a layer of defense against standing administrative access vulnerabilities.
For a quick overview of the integrated Customer Lockbox and privileged access management workflow, see this Customer Lockbox and privileged access management video.
Tip
If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Microsoft Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview trials hub. Learn details about signing up and trial terms.
Layers of protection
Privileged access management complements other data and access feature protections within the Microsoft 365 security architecture. Including privileged access management as part of an integrated and layered approach to security provides a security model that maximizes protection of sensitive information and Microsoft 365 configuration settings. As shown in the diagram, privileged access management builds on the protection provided with native encryption of Microsoft 365 data and the role-based access control security model of Microsoft 365 services. When used with Microsoft Entra Privileged Identity Management, these two features provide access control with just-in-time access at different scopes.
Privileged access management is defined and scoped at the task level, while Microsoft Entra Privileged Identity Management applies protection at the role level with the ability to execute multiple tasks. Microsoft Entra Privileged Identity Management primarily allows managing accesses for AD roles and role groups, while Microsoft Purview Privileged Access Management applies only at the task level.
Enable privileged access management while already using Microsoft Entra Privileged Identity Management: Adding privileged access management provides another granular layer of protection and audit capabilities for privileged access to Microsoft 365 data.
Enable Microsoft Entra Privileged Identity Management while already using Microsoft Purview Privileged Access Management: Adding Microsoft Entra Privileged Identity Management to Microsoft Purview Privileged Access Management can extend privileged access to data outside of Microsoft 365 that's primarily defined by user roles or identity.
Privileged access management architecture and process flow
Each of the following process flows outlines the architecture of privileged access and how it interacts with the Microsoft 365 substrate, auditing, and the Exchange Management runspace.
Step 1: Configure a privileged access policy
When you configure a privileged access policy with the Microsoft 365 admin center or the Exchange Management PowerShell, you define the policy and the privileged access feature processes and the policy attributes in the Microsoft 365 substrate. The system logs the activities in the audit log. The policy is now enabled and ready to handle incoming requests for approvals.
Step 2: Access request
In the Microsoft 365 admin center or with the Exchange Management PowerShell, users can request access to elevated or privileged tasks. The privileged access feature sends the request to the Microsoft 365 substrate for processing against the configured privilege access policy and records the activity in the audit logs.
Step 3: Access approval
The privileged access feature generates an approval request and sends a pending request notification to approvers by email. If approvers grant approval, the privileged access feature processes the privileged access request as an approval and makes the task ready to complete. If approvers deny the request, the privileged access feature blocks the task and grants no access to the requestor. The requestor receives an email message that notifies them of the request approval or denial.
Step 4: Access processing
For an approved request, the Exchange Management runspace processes the task. The Microsoft 365 substrate checks the approval against the privileged access policy and processes it. The audit logs record all activity for the task.
Frequently asked questions
What SKUs can use privileged access in Office 365?
Privileged access management is available for customers for a wide selection of Microsoft 365 and Office 365 subscriptions and add-ons. For details, see Get started with privileged access management.
When will privileged access management support Office 365 workloads beyond Exchange?
For more information about the timeline for privileged access management support, see the Microsoft 365 Roadmap.
My organization needs more than 30 privileged access policies. Will this limit be increased?
Yes, we're working on increasing the current limit of 30 privileged access policies per organization.
Do I need to be a Global Admin to manage privileged access in Office 365?
Yes, you need the Global Admin role assigned to accounts that manage privileged access in Office 365. Users included in an approvers' group don't need to have the Global Admin or Role Management roles assigned to review and approve requests with PowerShell. Users must have the Exchange Administrator role assigned to request, review, and approve privileged access requests in the Microsoft 365 admin center.
How is privileged access management related to Customer Lockbox?
Customer Lockbox provides access control for organizations when Microsoft accesses data. Privileged access management provides granular access control within an organization for all Microsoft 365 privileged tasks.
Ready to get started?
Start configuring your organization for privileged access management.
Learn more
Interactive guide: Monitor and control administrator tasks with privileged access management