Case study - Implement privileged access management


The Contoso Corporation, a global manufacturing company, is implementing Privileged Access Management (PAM) in Microsoft Purview to enhance security and reduce risks tied to standing administrative access. Administrators managing Exchange configurations will now request temporary elevated permissions for specific tasks, ensuring permissions are approved, time-bound, and auditable.

Scenario

A Contoso IT administrator needs to perform a New Move Request (the Exchange Online New-MoveRequest cmdlet) to migrate a user's mailbox. Because this task can relocate mailbox data, the administrator must request access, and the Privileged Access Approvers group reviews and approves the request before the administrator can proceed.

This case study walks through the steps Contoso took to configure PAM and approve an access request:

  1. Creating an approvers group
  2. Enabling privileged access
  3. Creating an access policy
  4. Submitting and approving access requests

Step 1: Create an approvers group

Contoso identified a group of senior administrators to serve as approvers for privileged tasks like migrating a user's mailbox.

Steps to create an approvers group

  1. Sign in to the Microsoft 365 Admin Center with appropriate administrator permissions.

  2. Navigate to Teams & groups > Active teams & groups.

  3. Select Security groups > Add a mail-enabled security group.

  4. On the Set up the basics page, enter the following details:

    • Name: Provide a descriptive name for the group.
    • Description: Add a brief description of the group's purpose.
  5. On the Assign owners page, assign an owner for the group.

  6. On the Add members page, add individuals who act as approvers.

  7. On the Edit settings page, configure the group email address.

  8. Select Create group. Wait a few minutes for the group to be fully configured.

    Screenshot showing the finish screen for creating a mail-enabled security group.

At this stage, the Privileged Access Approvers group is ready to review and approve privileged access requests.

Step 2: Enable privileged access management

To enforce approvals for sensitive tasks, Contoso enables PAM in the Microsoft 365 Admin Center.

Steps to enable PAM

  1. In the Microsoft 365 Admin Center, navigate to Settings > Org settings > Security & privacy > Privileged access.

  2. Select the checkbox for Allow privileged access requests and choose a default approval group.

  3. Assign the newly created approvers group as the default approval group.

    Screenshot showing adding a mail-enabled security group in privileged access management.

  4. Select Save to apply the settings.

Privileged access requests are now enabled for the tenant, with the approvers group as the default approval group. Enabling PAM on its own does not gate any task; the policy created in the next step determines which tasks require approval.

Step 3: Create an access policy

The IT team configures an access policy to manage privileged tasks, specifically for the New Move Request in Exchange.

Steps to create a privileged access policy

  1. In the Microsoft 365 Admin Center, go to Settings > Org settings > Security & privacy > Privileged access.

  2. Select Create policies and manage requests, then select Manage policies.

    Screenshot showing where to manage privileged access management policies.

  3. Select Add policy.

  4. Configure the policy details:

    • Policy type: Task
    • Policy scope: Exchange
    • Policy name: New Move Request
    • Approval type: Manual
    • Approvers: Contoso selects the newly created Privileged Access Approvers group.
  5. Select Create to finalize the policy.

    Screenshot showing adding a privileged access policy.

This policy ensures that any admin performing a New Move Request must first receive approval from the Privileged Access Approvers group.

Step 4: Submit and approve requests

An IT administrator submits a request for elevated access to migrate a user's mailbox. A member of the Privileged Access Approvers group reviews and approves the request.

Submitting a request

The administrator signs in to the Microsoft 365 Admin Center.

  1. Navigate to Settings > Org settings > Security & privacy > Privileged access.

  2. Select Create policies and manage requests, then select Access requests > Request access.

  3. Fill out the form:

    • Type: Task
    • Scope: Exchange
    • Access to: New Move Request
    • Duration: 2 hours
    • Reason: Need access to move an Exchange mailbox.
  4. Select Create to request access.

    Screenshot showing submitting a privileged access request.

Approving a request

  1. A member of the Privileged Access Approvers group receives an email notification about the new access request.

    Screenshot showing an email request for privileged access.

  2. In the Microsoft 365 Admin Center, the approver navigates to Settings > Org settings > Security & privacy > Privileged access, selects Create policies and manage requests, then selects Access requests to view pending requests.

  3. After reviewing the request details, the approver selects Approve.

    Screenshot showing a privileged access request in the Microsoft 365 admin portal.

The administrator can now perform the approved task for the duration specified in the request. When that window expires, the elevation is revoked automatically and a new request is required for any further New Move Request operations.
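The same four steps can be scripted from Exchange Online PowerShell, which is useful for repeatable tenant setup and for auditing requests after the fact. The block below is an added example, not part of the Microsoft Learn module and not Microsoft's own code. The tenant name, group address, admin and approver UPNs are assumptions for illustration; the task path strings follow the form used in Microsoft's PAM documentation, but confirm the exact task name against the list your tenant shows in the admin center or in Get-ElevatedAccessApprovalPolicy before relying on the policy.

```powershell
# Added example: Contoso's PAM setup and request flow in Exchange Online PowerShell.
# Values marked "assumed" are placeholders; replace them with your tenant's own.
#Requires -Modules ExchangeOnlineManagement

$Tenant       = 'contoso.onmicrosoft.com'                 # assumed tenant name
$ApproverSmtp = 'pam-approvers@contoso.com'               # assumed group address
$PolicyTask   = 'Exchange Management Shell\New-MoveRequest'  # task path used by policies
$RequestTask  = 'Exchange\New-MoveRequest'                # task path used by requests

Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.com'   # assumed admin UPN

# Step 1: approvers group. -Type Security creates a mail-enabled security group
# (not a plain distribution list), which is what PAM requires for approvers.
New-DistributionGroup -Name 'Privileged Access Approvers' `
    -Alias 'PrivilegedAccessApprovers' -Type Security `
    -PrimarySmtpAddress $ApproverSmtp `
    -Members 'alice@contoso.com', 'bob@contoso.com'       # assumed approver UPNs

# Step 2: enable privileged access for the tenant and set the default approval
# group. This is the PowerShell equivalent of "Allow privileged access requests".
Enable-ElevatedAccessControl -AdminGroup $ApproverSmtp -Identity $Tenant

# Step 3: task policy for New-MoveRequest with manual approval by the group.
New-ElevatedAccessApprovalPolicy -Task $PolicyTask `
    -ApprovalType Manual -ApproverGroup $ApproverSmtp

# Check the policy is in place before anyone depends on it.
Get-ElevatedAccessApprovalPolicy |
    Where-Object { $_.Task -eq $PolicyTask } |
    Format-List

# Step 4a (requesting admin): ask for a time-bound elevation. Keep the
# duration as short as the job needs; the elevation expires on its own.
$request = New-ElevatedAccessRequest -Task $RequestTask `
    -Reason 'Need access to move an Exchange mailbox' -DurationHours 2

# Step 4b (approver, signed in as a member of the approvers group):
# list what is pending, then approve the specific request by its ID.
Get-ElevatedAccessRequest |
    Where-Object { $_.RequestStatus -eq 'Pending' } |
    Format-List

Approve-ElevatedAccessRequest -RequestId $request.RequestId `
    -Comment 'Approved: mailbox migration, 2-hour window'

# A request that does not fit the stated reason is denied the same way:
# Deny-ElevatedAccessRequest -RequestId $request.RequestId -Comment 'Reason does not match task'

# Audit: requests are retained regardless of outcome. Reviewing the approved
# set periodically is how you confirm every elevation was scoped and time-bound.
Get-ElevatedAccessRequest |
    Where-Object { $_.RequestStatus -eq 'Approved' } |
    Format-List

Disconnect-ExchangeOnline -Confirm:$false
```

Run Step 4b under an account that is a member of the approvers group; the requesting administrator should not be able to approve their own request, and keeping the request and approval in separate sessions makes that separation visible in the audit trail.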

By implementing PAM, Contoso ensures that elevated tasks, like the New Move Request, are tightly controlled. This process adds accountability, minimizes security risks, and ensures permissions are temporary, scoped, and approved.