As announced at the Ignite 2018 conference, a new access management capability is now available in Office 365.

This new feature, called Privileged Access Management (PAM), lets you grant high-level privileges to Office 365 services on a ‘just in time’ basis. PAM is currently limited to the Exchange Online scope.

To set it up, you will need a security group for the PAM approvers (if you are using Azure AD Connect, I would recommend using an on-premises security group).

Once done, go to your Office 365 administration portal, open the Settings\Security & privacy section and then the Privileged Access section to enable PAM.


When enabling PAM, you choose the default approver group (it will be possible to target another group when creating a policy) from a drop-down list showing all mail-enabled groups.


Once enabled, you will get a link to manage access policies: “Manage access policies and requests”.


From there you can create a new policy and/or a new access request.


To create a policy, click the Configure Policies button at the top right, then click Add policy.


Define the condition(s) that trigger PAM; the scope for PAM is currently limited to Exchange Online.


After the policy is created it may not appear immediately in the policies list; don’t worry, unless you got an error message the policy has been created – you just need to refresh the list.

Once a policy is created you cannot change anything except the Approval type.


Once you have at least one policy in place, the next time an administrator needs to perform the defined task a notification will be sent for approval (if manual approval has been set).


You can also create a new request directly by using the New Request button.

You need to have a policy in place for the task/role being requested, otherwise you will get the error message “<request type> Policy does not exist”.
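The same workflow can be driven from Exchange Online PowerShell instead of the portal, which is handy for scripting and for confirming that a policy really exists when the portal list has not refreshed yet. The script below is an added example, not code from the original post or from Microsoft; it assumes the ExchangeOnlineManagement module and the ElevatedAccess* cmdlets with the parameter names shown (as I recall them from the PAM documentation; check `Get-Help` on your tenant), and the group address, task name, reason and comment strings are placeholders you must replace.

```powershell
# Added example (not from the original post): Office 365 PAM for Exchange Online
# driven from PowerShell. Cmdlet/parameter names are assumed to match the PAM
# documentation; every address and task below is a placeholder.

# Assumption: ExchangeOnlineManagement module is installed.
Connect-ExchangeOnline

# Placeholder: the mail-enabled security group that will approve requests
# (an on-premises group synced by Azure AD Connect works here too).
$approverGroup = 'pam-approvers@contoso.example'

# 1. Enable PAM for the tenant with the default approver group.
Enable-ElevatedAccessControl -Approver $approverGroup

# 2. Create a policy for one Exchange Online task. 'Exchange\New-JournalRule' is
#    an example task name; ApprovalType can be Manual or Auto and is the only
#    setting that can be changed afterwards.
New-ElevatedAccessApprovalPolicy -Task 'Exchange\New-JournalRule' `
    -ApprovalType Manual `
    -ApproverGroup $approverGroup

# The portal list may lag behind; listing policies here confirms the policy exists.
Get-ElevatedAccessApprovalPolicy

# 3. An administrator raises a time-limited request against that policy.
#    Requesting a task with no matching policy fails with "Policy does not exist".
$request = New-ElevatedAccessRequest -Task 'Exchange\New-JournalRule' `
    -Reason 'Placeholder reason: journal rule for a legal hold' `
    -DurationHours 4

# 4. An approver reviews pending requests and approves (or denies) one.
#    Assumption: the returned request object exposes its id as RequestId.
Get-ElevatedAccessRequest | Format-List
Approve-ElevatedAccessRequest -RequestId $request.RequestId `
    -Comment 'Placeholder comment: approved against change ticket'
# To refuse instead:
# Deny-ElevatedAccessRequest -RequestId $request.RequestId -Comment 'Placeholder: not approved'
```

Keeping the approver group small and separate from the group whose members raise requests preserves the separation of duties that PAM is meant to provide, and `Get-ElevatedAccessRequest` gives approvers a quick way to audit what has been requested and granted.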

