Friday, December 5, 2025

Azure PIM rollout with best practices


Common Roles and Responsibilities

| Azure role | Permissions |
|---|---|
| Owner | Full access to manage all resources; can assign roles in Azure RBAC |
| Contributor | Full access to manage all resources; cannot assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries |
| Reader | View all resources; cannot make any changes |
| Role Based Access Control Administrator | Manage user access to Azure resources by assigning roles in Azure RBAC, which includes assigning themselves or others the Owner role (unless the assignment carries a condition that restricts which roles may be assigned); cannot manage access by other means such as Azure Policy |
| User Access Administrator | Manage user access to Azure resources; assign roles in Azure RBAC, including assigning themselves or others the Owner role |

Owner, Contributor, Role Based Access Control Administrator and User Access Administrator are the roles Microsoft classes as privileged administrator roles; these are the ones to put behind PIM rather than hand out as standing access.

Source: Azure built-in roles - Azure RBAC | Microsoft Learn

To create a subscription or a billing profile, you need either the Account Admin or the Enterprise Admin role. These are billing roles: they are assigned directly on the billing account and are not managed through PIM. Users holding them are responsible for creating subscriptions and managing billing profiles. The IAM emergency-access account is also added as an Enterprise Administrator so that it can serve as a recovery account, for example when the employees who held the role have left and new staff need access. Because these accounts sit outside PIM, treat them as break-glass accounts: use them only for recovery and alert on every sign-in.

The diagram below shows how access is granted using PIM.


As the diagram indicates, the basic method for managing permissions is to assign roles to security groups rather than to individual users, and to manage membership of those groups.

Plan how the root management group is managed. Permissions granted there are inherited by every management group, subscription and resource group in the tenant. Microsoft's guidance (surfaced as a Defender for Cloud recommendation) is to designate at most three owners per subscription; apply the same ceiling at the root, and make those owners eligible through PIM rather than permanently active wherever possible.

Management Group permission management

This model ensures that only the IAM team can grant access to resources. If a task requires the Owner role, the Cloud team obtains it through a PIM approval workflow: the role is eligible rather than active, activation requires a justification and an approver's consent, and the assignment expires automatically at the end of the activation window.
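The following PowerShell, as an added example that is not part of the original post, shows the model above end to end with the Az.Resources module: it checks that the PIM settings for Owner at the root management group require approval, makes the Cloud team's security group eligible for Owner there, and has one member request activation with a justification. The tenant, group and member IDs are placeholders; the Owner role-definition GUID is the well-known built-in one. The policy rule ID and the output property names follow the Az.Resources cmdlet output as I know it and are an assumption.

```powershell
# Added example (not the original post's code). Needs Az.Accounts and Az.Resources and an
# identity that holds Owner or User Access Administrator at the root management group.
# All GUIDs except the Owner role definition are placeholders (assumed values).

$tenantId     = '00000000-0000-0000-0000-000000000000'
$rootMg       = "/providers/Microsoft.Management/managementGroups/$tenantId"   # root MG ID equals the tenant ID
$cloudTeamGrp = '11111111-1111-1111-1111-111111111111'   # object ID of the Cloud team security group
$memberId     = '22222222-2222-2222-2222-222222222222'   # object ID of one Cloud team member (step 3)
$ownerGuid    = '8e3af657-a8ff-443c-a75c-2fe8c4bcb635'   # built-in Owner role, same GUID in every tenant
$ownerRoleDef = "/providers/Microsoft.Authorization/roleDefinitions/$ownerGuid"

Connect-AzAccount -Tenant $tenantId | Out-Null

# 1. Pre-check: the PIM policy bound to Owner at the root must require approval on
#    activation, otherwise step 2 would hand out Owner on self-service.
#    (Rule ID 'Approval_EndUser_Assignment' and the Rule/Setting property names are assumed.)
$policyAssignment = Get-AzRoleManagementPolicyAssignment -Scope $rootMg |
    Where-Object { $_.RoleDefinitionId -like "*$ownerGuid" }
$policyName   = ($policyAssignment.PolicyId -split '/')[-1]
$policy       = Get-AzRoleManagementPolicy -Scope $rootMg -Name $policyName
$approvalRule = $policy.Rule | Where-Object { $_.Id -eq 'Approval_EndUser_Assignment' }
if (-not $approvalRule.Setting.IsApprovalRequired) {
    throw "Owner at $rootMg does not require approval on activation; fix the PIM role settings first."
}

# 2. Make the group *eligible* (not active) for Owner for one year. Nobody gains Owner
#    until a member activates and an approver accepts the request.
New-AzRoleEligibilityScheduleRequest `
    -Name (New-Guid).ToString() `
    -Scope $rootMg `
    -PrincipalId $cloudTeamGrp `
    -RoleDefinitionId $ownerRoleDef `
    -RequestType AdminAssign `
    -ScheduleInfoStartDateTime (Get-Date -Format o) `
    -ExpirationType AfterDuration `
    -ExpirationDuration 'P365D' `
    -Justification 'Cloud team eligible for Owner at root; activation requires IAM approval'

# Confirm what was created: eligibilities for this principal at or below the root.
Get-AzRoleEligibilitySchedule -Scope $rootMg -Filter "principalId eq '$cloudTeamGrp'" |
    Format-Table PrincipalId, RoleDefinitionId, Scope, StartDateTime, EndDateTime, Status

# 3. Run as a Cloud team member: request a four-hour activation with a justification.
#    The request stays pending until an IAM approver (never the requester) accepts it in
#    PIM; once active, the assignment expires on its own after PT4H.
New-AzRoleAssignmentScheduleRequest `
    -Name (New-Guid).ToString() `
    -Scope $rootMg `
    -PrincipalId $memberId `
    -RoleDefinitionId $ownerRoleDef `
    -RequestType SelfActivate `
    -Justification 'CHG-1234: move new subscription under the landing-zone management group' `
    -ScheduleInfoStartDateTime (Get-Date -Format o) `
    -ExpirationType AfterDuration `
    -ExpirationDuration 'PT4H'
```

Step 1 is the check that matters: the eligibility itself is harmless, but if the role settings for Owner at that scope allow activation without approval, the Cloud team has standing Owner in everything but name. Step 3 is issued by the member, not by the group, which is why it passes the member's own object ID; the approval, and the cancellation of a request that should not have been made (Stop-AzRoleAssignmentScheduleRequest), are done by the approver.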

Tips:

  • Whoever creates a subscription (the Enterprise Administrator) automatically becomes its Owner. Once the subscription is handed to the IAM team, they should remove that direct Owner assignment, since the correct access is inherited from the management group the subscription sits under. Confirm that the inheritance is in place before removing the direct owner, otherwise the subscription is left with no owner at all.
  • Set up alerts on role activations and assignment changes that notify more than one team, so that every role enablement is visible; the SOC can monitor these alerts as well.
  • For the Owner approval workflow, add several approvers so that requests can be handled across time zones and when individual approvers are unavailable.
  • Approvers cannot approve their own requests, even when they are on the approver list; someone else must approve. Both the requester and the approver are required to enter a justification.
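The first and second tips, as an added example that is not part of the original post: after the Enterprise Administrator has created a subscription and it has been moved under the landing-zone management group, the script checks that Owner is actually inherited from a management group (as an active assignment or as a PIM eligibility) and only then removes the direct Owner that subscription creation gave the creator; it then pulls the recent activation requests at the root so the SOC can reconcile them with the alerts. The tenant and subscription IDs are placeholders; the property names used on the request objects are as I know them from the Az.Resources cmdlets and are an assumption.

```powershell
# Added example (not the original post's code). Needs Az.Accounts and Az.Resources and an
# identity holding User Access Administrator (or Owner) at the management group.
# All GUIDs except the Owner role definition are placeholders (assumed values).

$tenantId       = '00000000-0000-0000-0000-000000000000'
$rootMg         = "/providers/Microsoft.Management/managementGroups/$tenantId"
$subscriptionId = '33333333-3333-3333-3333-333333333333'   # the newly created subscription
$subScope       = "/subscriptions/$subscriptionId"
$ownerGuid      = '8e3af657-a8ff-443c-a75c-2fe8c4bcb635'   # built-in Owner role, same GUID in every tenant
$mgPrefix       = '/providers/Microsoft.Management/managementGroups/*'

Connect-AzAccount -Tenant $tenantId | Out-Null

# 1. Owner assignments effective at the subscription, including those inherited from
#    management groups; the Scope property says where each one was created.
$ownerAssignments = Get-AzRoleAssignment -Scope $subScope -RoleDefinitionName 'Owner'
$inheritedActive  = $ownerAssignments | Where-Object { $_.Scope -like $mgPrefix }
$direct           = $ownerAssignments | Where-Object { $_.Scope -eq $subScope }

# PIM eligibilities are not role assignments until activated, so check them separately.
$inheritedEligible = Get-AzRoleEligibilitySchedule -Scope $subScope -Filter 'atScope()' |
    Where-Object { $_.RoleDefinitionId -like "*$ownerGuid" -and $_.Scope -like $mgPrefix }

if (-not $inheritedActive -and -not $inheritedEligible) {
    throw "No Owner (active or eligible) is inherited at $subScope. Check the subscription's management group placement before removing direct owners."
}

# 2. Remove the direct Owner that subscription creation granted to the creator.
#    Keep -WhatIf for the first run; drop it once the printed list is what you expect.
foreach ($a in $direct) {
    Write-Host "Removing direct Owner '$($a.DisplayName)' ($($a.ObjectType) $($a.ObjectId)) at $subScope"
    Remove-AzRoleAssignment -ObjectId $a.ObjectId -RoleDefinitionName 'Owner' -Scope $subScope -WhatIf
}

# 3. Visibility for the SOC: activation requests at or above the root in the last 7 days,
#    with requester, role, outcome and justification. The property names passed to
#    Format-Table are an assumption about the Az.Resources output type.
Get-AzRoleAssignmentScheduleRequest -Scope $rootMg -Filter 'atScope()' |
    Where-Object { $_.RequestType -eq 'SelfActivate' -and $_.CreatedOn -gt (Get-Date).AddDays(-7) } |
    Sort-Object CreatedOn -Descending |
    Format-Table CreatedOn, Status, ExpandedPropertyPrincipalDisplayName, ExpandedPropertyRoleDefinitionDisplayName, Justification
```

The eligibility check in step 1 is what keeps the script from locking the subscription out: with this model the IAM team typically holds eligible rather than active Owner at the management group, so looking only at Get-AzRoleAssignment would report no inherited owner and the cleanup would refuse to run. Step 3 is a reconciliation query, not a replacement for the alerts themselves; those should fire from PIM or from the activity log at the moment of activation.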

