This article guides you through enabling and configuring privileged access management in your organization. You can use either the Microsoft 365 admin center or Exchange Management PowerShell to manage and use privileged access.
Tip
If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Microsoft Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview trials hub. Learn details about signing up and trial terms.
Before you begin
Before you get started with privileged access management, confirm your Microsoft 365 subscription and any add-ons.
To access and use privileged access management, your organization must have supporting subscriptions or add-ons. For more information, see the subscription requirements for privileged access management.
If you don't have an existing Office 365 Enterprise E5 plan and want to try privileged access management, you can add Microsoft 365 to your existing Office 365 subscription or sign up for a trial of Microsoft 365 Enterprise E5.
Enable and configure privileged access management
Follow these steps to set up and use privileged access in your organization:
Step 1: Create an approver's group
Before you start using privileged access, decide who needs approval authority for incoming requests for access to elevated and privileged tasks. Any member of the approvers group can approve access requests, so membership in this group is itself a privileged assignment: keep it small and review it. Create this group as a mail-enabled security group in Office 365.
Step 2: Enable privileged access
Explicitly enable privileged access in Office 365 with the default approver group and, optionally, a set of system accounts that you want to exclude from privileged access management access control.
Step 3: Create an access policy
Define specific approval requirements scoped to individual tasks by creating an approval policy. The approval type is Auto or Manual: Manual routes each request to the approver group for a decision, Auto grants the request without an approver's action (the request and the executions that follow are still logged).
Step 4: Submit/approve privileged access requests
Once enabled, privileged access requires approvals for any task that has an associated approval policy defined. For tasks included in an approval policy, users must request and be granted access approval to have permissions necessary to execute the task.
After approval is granted, the requesting user can execute the intended task. Privileged access authorizes and executes the task on behalf of the user. The approval remains valid for the requested duration (default duration is 4 hours), during which the requester can execute the intended task multiple times. All such executions are logged and made available for security and compliance auditing.
Note
To use Exchange Management PowerShell to enable and configure privileged access, follow the steps in Connect to Exchange Online PowerShell using Multi-Factor authentication to connect to Exchange Online PowerShell with your Office 365 credentials. You don't need to enable multi-factor authentication for your organization to use the steps to enable privileged access while connecting to Exchange Online PowerShell. Connecting with multi-factor authentication creates an auth token that privileged access uses to sign your requests.
Step 1: Create an approver's group
Sign in to the Microsoft 365 admin center with credentials for an admin account in your organization.
In the admin center, go to Groups > Add a group.
Select mail-enabled security group and then enter the Name, Group email address, and Description for the new group.
Save the group. It might take a few minutes for the group to be fully configured and to appear in the Microsoft 365 admin center.
Select the new approvers group and select edit to add users to the group.
Save the group.
Step 2: Enable privileged access
In the Microsoft 365 Admin Center
Sign in to the Microsoft 365 Admin Center with credentials for an admin account in your organization.
In the admin center, go to Settings > Org Settings > Security & Privacy > Privileged access.
Turn on Require approvals for privileged tasks.
Assign the approvers group you created in Step 1 as the Default approvers group.
Save and Close.
In Exchange Management PowerShell
To enable privileged access and assign the approver group, run the following command in Exchange Online PowerShell:
Enable-ElevatedAccessControl -AdminGroup '<default approver group>' -SystemAccounts @('<systemAccountUPN1>','<systemAccountUPN2>')
Example:
Enable-ElevatedAccessControl -AdminGroup 'pamapprovers@fabrikamorg.onmicrosoft.com' -SystemAccounts @('sys1@fabrikamorg.onmicrosoft.com', 'sys2@fabrikamorg.onmicrosoft.com')
Note
The system accounts feature lets automations in your organization keep running without depending on privileged access approvals. Every account you list here bypasses the approval workflow entirely for gated tasks, so a compromised or over-privileged system account gets unchecked elevated access. Keep such exclusions exceptional, and review and audit the excluded accounts regularly.
Step 3: Create an access policy
You can create and configure up to 30 privileged access policies for your organization.
In the Microsoft 365 Admin Center
Sign in to the Microsoft 365 Admin Center with credentials for an admin account in your organization.
In the Admin Center, go to Settings > Org Settings > Security & Privacy > Privileged access.
Select Manage access policies and requests.
Select Configure policies and select Add a policy.
From the drop-down fields, select the appropriate values for your organization:
Policy type: Task, Role, or Role Group
Policy scope: Exchange
Policy name: Select from the available policies
Approval type: Manual or Auto
Approval group: Select the approvers group created in Step 1
Select Create and then Close. It might take a few minutes for the policy to be fully configured and enabled.
In Exchange Management PowerShell
To create and define an approval policy, run the following command in Exchange Online PowerShell:
New-ElevatedAccessApprovalPolicy -Task 'Exchange\<exchange management cmdlet name>' -ApprovalType <Manual, Auto> -ApproverGroup '<default/custom approver group>'
Example:
New-ElevatedAccessApprovalPolicy -Task 'Exchange\New-MoveRequest' -ApprovalType Manual -ApproverGroup 'mbmanagers@fabrikamorg.onmicrosoft.com'
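Steps 1 to 3 above as one re-runnable Exchange Online PowerShell script. This is an added example and not code from the original article or from Microsoft; it assumes the ExchangeOnlineManagement module (Connect-ExchangeOnline), and the tenant domain, the admin, approver and system-account UPNs, the group name and the list of gated cmdlets are hypothetical. New-MoveRequest is the task the article uses; the other cmdlets in the list are assumed to be available as tasks in your tenant's policy list.

```powershell
# Added example (not from the original article): Steps 1-3 as one script.
# Hypothetical: domain, UPNs, group name, and the gated cmdlet list.

Connect-ExchangeOnline -UserPrincipalName admin@fabrikamorg.onmicrosoft.com

$Domain          = 'fabrikamorg.onmicrosoft.com'
$ApproverAlias   = 'pamapprovers'
$ApproverSmtp    = "$ApproverAlias@$Domain"
$ApproverMembers = @("alice@$Domain", "bob@$Domain")   # hypothetical approvers
$SystemAccounts  = @("svc-migration@$Domain")          # hypothetical; every entry bypasses approval

# Step 1: mail-enabled security group. Look it up first so re-runs don't fail.
$group = Get-DistributionGroup -Identity $ApproverSmtp -ErrorAction SilentlyContinue
if (-not $group) {
    $group = New-DistributionGroup -Name 'PAM Approvers' -Alias $ApproverAlias `
        -PrimarySmtpAddress $ApproverSmtp -Type Security
}
foreach ($member in $ApproverMembers) {
    # Errors harmlessly if the user is already a member.
    Add-DistributionGroupMember -Identity $ApproverSmtp -Member $member -ErrorAction SilentlyContinue
}

# Step 2: enable PAM with that group as default approvers and the exclusions.
Enable-ElevatedAccessControl -AdminGroup $ApproverSmtp -SystemAccounts $SystemAccounts

# Step 3: a Manual policy for each cmdlet that can move data or grant persistence.
# Only New-MoveRequest comes from the article; the rest are assumed gateable.
$GatedTasks = @(
    'Exchange\New-MoveRequest',
    'Exchange\New-MailboxExportRequest',
    'Exchange\Add-MailboxPermission',
    'Exchange\New-TransportRule'
)
# The article caps an organization at 30 policies; fail early instead of halfway.
$existing = @(Get-ElevatedAccessApprovalPolicy)
if ($existing.Count + $GatedTasks.Count -gt 30) {
    throw "Creating $($GatedTasks.Count) policies would exceed the 30-policy limit ($($existing.Count) already exist)."
}
foreach ($task in $GatedTasks) {
    New-ElevatedAccessApprovalPolicy -Task $task -ApprovalType Manual -ApproverGroup $ApproverSmtp
}

# Verify what is now enforced.
Get-ElevatedAccessApprovalPolicy | Format-List *
```

The script creates the approver group through Exchange (New-DistributionGroup -Type Security produces a mail-enabled security group) so that everything happens in one session, and keeps the system-account list to a single entry because each entry is an approval bypass.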
Step 4: Submit/approve privileged access requests
Requesting elevation authorization to execute privileged tasks
Requests for privileged access are valid for up to 24 hours after submission. If approvers don't approve or deny the request within 24 hours, the request expires and access isn't granted.
In the Microsoft 365 Admin Center
Sign in to the Microsoft 365 Admin Center with your credentials.
In the Admin Center, go to Settings > Org Settings > Security & Privacy > Privileged access.
Select Manage access policies and requests.
Select New request. From the drop-down fields, select the appropriate values for your organization:
Request type: Task, Role, or Role Group
Request scope: Exchange
Request for: Select from the available policies
Duration (hours): Number of hours of requested access. You can request any number of hours; the default is 4 hours, and you should request the shortest window the task needs.
Comments: Text field for comments related to your access request
Select Save and then Close. The system sends your request to the approver group by email.
In Exchange Management PowerShell
Run the following command in Exchange Online PowerShell to create and submit an approval request to the approver group:
New-ElevatedAccessRequest -Task 'Exchange\<exchange management cmdlet name>' -Reason '<appropriate reason>' -DurationHours <duration in hours>
Example:
New-ElevatedAccessRequest -Task 'Exchange\New-MoveRequest' -Reason 'Attempting to fix the user mailbox error' -DurationHours 4
View status of elevation requests
After you create an approval request, you can check the status of the elevation request in the admin center or in Exchange Management PowerShell by using the associated request ID.
In the Microsoft 365 admin center
Sign in to the Microsoft 365 admin center with your credentials.
In the admin center, go to Settings > Org Settings > Security & Privacy > Privileged access.
Select Manage access policies and requests.
Select View to filter submitted requests by Pending, Approved, Denied, or Customer Lockbox status.
In Exchange Management PowerShell
Run the following command in Exchange Online PowerShell to view an approval request status for a specific request ID:
Get-ElevatedAccessRequest -Identity <request ID> | select RequestStatus
Example:
Get-ElevatedAccessRequest -Identity 28560ed0-419d-4cc3-8f5b-603911cbd450 | select RequestStatus
Approving an elevation authorization request
When you create an approval request, members of the relevant approver group receive an email notification. They can approve the request by using the request ID. The requestor receives an email notification when the request is approved or denied.
In the Microsoft 365 admin center
Sign in to the Microsoft 365 admin center with your credentials.
In the admin center, go to Settings > Org Settings > Security & Privacy > Privileged access.
Select Manage access policies and requests.
Select a listed request to view the details and take action on the request.
Select Approve to approve the request or select Deny to deny the request. You can revoke access for previously approved requests by selecting Revoke.
In Exchange Management PowerShell
To approve an elevation authorization request, run the following command in Exchange Online PowerShell:
Approve-ElevatedAccessRequest -RequestId <request id> -Comment '<approval comment>'
Example:
Approve-ElevatedAccessRequest -RequestId a4bc1bdf-00a1-42b4-be65-b6c63d6be279 -Comment 'Reason references an open ticket; scope confirmed'
To deny an elevation authorization request, run the following command in Exchange Online PowerShell:
Deny-ElevatedAccessRequest -RequestId <request id> -Comment '<denial comment>'
Example:
Deny-ElevatedAccessRequest -RequestId a4bc1bdf-00a1-42b4-be65-b6c63d6be279 -Comment 'Reason insufficient; resubmit with a ticket number'
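The request, status-check and approve/deny steps of Step 4 as two functions, one per side of the workflow. This is an added example and not code from the original article or from Microsoft. It assumes that New-ElevatedAccessRequest returns an object whose Identity property holds the request GUID, that Get-ElevatedAccessRequest without -Identity lists all requests, that RequestStatus uses the values the admin center filter shows (Pending, Approved, Denied), and hypothetical UPNs; any other property on the request object is only displayed, never relied on.

```powershell
# Added example (not from the original article): the request/approve cycle.
# Assumptions: request objects expose Identity and RequestStatus; the
# Pending/Approved/Denied status strings; hypothetical UPNs in the usage notes.

function Request-PamElevation {
    # Requester side. Returns the final status string so callers can branch on it.
    param(
        [Parameter(Mandatory)] [string] $Task,
        [Parameter(Mandatory)] [string] $Reason,
        [int] $DurationHours = 2,          # ask for the shortest window the job needs
        [int] $PollSeconds = 60
    )
    $req = New-ElevatedAccessRequest -Task $Task -Reason $Reason -DurationHours $DurationHours
    $id  = $req.Identity
    Write-Host "Submitted request $id; waiting for the approver group."
    # Undecided requests expire after 24 hours; stop polling before that.
    $deadline = (Get-Date).AddHours(23)
    do {
        Start-Sleep -Seconds $PollSeconds
        $status = (Get-ElevatedAccessRequest -Identity $id).RequestStatus
    } while ($status -eq 'Pending' -and (Get-Date) -lt $deadline)
    Write-Host "Request $id is now: $status"
    return $status
}

function Invoke-PamApproverReview {
    # Approver side: run in a session signed in as a member of the approver group.
    # Prompts per pending request so a human reads the reason before deciding.
    $pending = @(Get-ElevatedAccessRequest | Where-Object { $_.RequestStatus -eq 'Pending' })
    if ($pending.Count -eq 0) { Write-Host 'No pending requests.'; return }
    foreach ($r in $pending) {
        $r | Format-List *                 # shows task, reason, duration, requester
        $answer = Read-Host "Approve request $($r.Identity)? [y/N]"
        if ($answer -eq 'y') {
            Approve-ElevatedAccessRequest -RequestId $r.Identity -Comment 'Reason references an open ticket; scope confirmed'
        } else {
            Deny-ElevatedAccessRequest -RequestId $r.Identity -Comment 'Reason insufficient; resubmit with a ticket number'
        }
    }
}

# Usage, in two different sessions (hypothetical UPNs):
#   Connect-ExchangeOnline -UserPrincipalName helpdesk@fabrikamorg.onmicrosoft.com
#   $s = Request-PamElevation -Task 'Exchange\New-MoveRequest' -Reason 'INC-0042: repair mailbox folder'
#   if ($s -eq 'Approved') { <# run New-MoveRequest with your migration parameters inside the window #> }
#
#   Connect-ExchangeOnline -UserPrincipalName alice@fabrikamorg.onmicrosoft.com
#   Invoke-PamApproverReview

# Afterwards, pull what the requester actually ran during the window from the unified audit log.
Search-UnifiedAuditLog -StartDate (Get-Date).AddHours(-4) -EndDate (Get-Date) `
    -RecordType ExchangeAdmin -UserIds helpdesk@fabrikamorg.onmicrosoft.com -ResultSize 100
```

The requester function polls with a deadline shorter than the 24-hour request lifetime so an unattended script never waits on a request that has already expired, and the approver function deliberately prompts per request instead of bulk-approving, since an approval covers every execution of the task for the whole requested duration.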
Delete a privileged access policy in Office 365
If your organization no longer needs a privileged access policy, you can delete it.
In the Microsoft 365 admin center
Sign in to the Microsoft 365 admin center with credentials for an admin account in your organization.
In the admin center, go to Settings > Org Settings > Security & Privacy > Privileged access.
Select Manage access policies and requests.
Select Configure policies.
Select the policy you want to delete, then select Remove Policy.
Select Close.
In Exchange Management PowerShell
To delete a privileged access policy, run the following command in Exchange Online PowerShell:
Remove-ElevatedAccessApprovalPolicy -Identity <identity GUID of the policy you want to delete>
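Removing the policy for one task without pasting its GUID by hand. This is an added example and not code from the original article or from Microsoft; it assumes the objects returned by Get-ElevatedAccessApprovalPolicy carry a Task property next to Identity (inspect one with Format-List * if your tenant names it differently), and the task value is the article's own example.

```powershell
# Added example (not from the original article): look the policy up by task,
# refuse to act on an ambiguous match, and confirm before removing.
# Assumption: policy objects expose Task and Identity.
$task = 'Exchange\New-MoveRequest'
$policies = @(Get-ElevatedAccessApprovalPolicy | Where-Object { $_.Task -eq $task })

if ($policies.Count -ne 1) {
    Write-Warning "Expected exactly one policy for $task, found $($policies.Count); nothing removed."
} else {
    $policies[0] | Format-List *
    if ((Read-Host "Remove this policy? Tasks it gates will no longer need approval [y/N]") -eq 'y') {
        Remove-ElevatedAccessApprovalPolicy -Identity $policies[0].Identity
    }
}
```

The count check matters because removing a policy silently turns a gated task back into an unapproved one; a script that removes "whatever matched" can widen access further than intended.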
Disable privileged access in Office 365
If needed, you can disable privileged access management for your organization. Disabling privileged access doesn't delete any associated approval policies or approver groups.
In the Microsoft 365 admin center
Sign in to the Microsoft 365 admin center with credentials for an admin account in your organization.
In the Admin Center, go to Settings > Org Settings > Security & Privacy > Privileged access.
Turn off Require approvals for privileged tasks.
In Exchange Management PowerShell
To disable privileged access, run the following command in Exchange Online PowerShell:
Disable-ElevatedAccessControl