In Preview: Privileged Access Management for Office 365

Privileged Access Management (PAM) for O365 is a way to restrict access to Office 365 administrative functions by requiring a separate person such as a manager (or someone designated the approver role) to grant access to administrative functions.

PAM is currently a PowerShell-only feature (no graphical user interface… yet) and is limited to Exchange Online at this time. Other workloads such as SharePoint Online are planned in the future. Therefore, it is more or less a proof of concept at this time, because PowerShell is not a skill that most entry-level helpdesk have acquired.

It’s a step in the right direction for sure, as it provides more fine-grained access management than Azure Privileged Identity Management (AzPIM), which gives access to an entire role for a period of time.

Where PAM differs, is that it grants access to perform certain commands only, rather than opening up the entire privileged role to someone.

It’s a nice compliment to AzPIM, but to avoid confusion I feel this should really be part of AzPIM as opposed to a separate O365 E5 feature. Microsoft should be cautious to avoid the appearance of having EMS E5 products compete against O365 E5 products. Case in point, it’s challenging for customers to understand the difference between O365 E5 Cloud App Security versus EMS E5 Cloud App Security. The same product is sold with different feature sets, but why add this confusion? In my opinion, all security elements should be bundled in EMS, and make O365 a pure productivity package. 

The other challenge with O365 PAM, and Azure PIM, is that they do not integrate with the on-premises Windows Server 2016 PAM. So effectively, a customer would have to implement three separate solutions that don’t integrate with each other. This may be a product of Agile software development than anything else. If Microsoft is consistent with what they have done with other products, we should expect to see “Microsoft PAM” which will integrate or replace all three O365 PAM, Azure PIM, and Windows PAM. At that point it will be able to compete strongly against Lieberman (now Bomgar) and/or CyberArk.

Try Office 365 PAM out here: https://docs.microsoft.com/en-us/Office365/Enterprise/privileged-access-management-in-office-365