Users submitting and responding to privileged access management requests must be assigned one of the licenses above. Office 365 Advanced Compliance is no longer sold as a standalone subscription. When current subscriptions expire, customers should transition to one of the subscriptions above, which contain the same or additional compliance features. If you don't have an existing Office 365 Enterprise E5 plan and want to try privileged access management, you can add Microsoft 365 to your existing Office 365 subscription or sign up for a trial of Microsoft 365 Enterprise E5.

Enable and configure privileged access management

Follow these steps to set up and use privileged access in your organization:

Before you start using privileged access, determine who needs approval authority for incoming requests for access to elevated and privileged tasks. Any user who is part of the Approvers' group is able to approve access requests. This group is enabled by creating a mail-enabled security group in Office 365.

Privileged access must be explicitly enabled in Office 365 with the default approver group, including a set of system accounts that you want excluded from the privileged access management access control.

Creating an approval policy allows you to define the specific approval requirements scoped at individual tasks. The approval type options are Auto or Manual.

Step 4: Submit/approve privileged access requests

Once enabled, privileged access requires approvals for any task that has an associated approval policy defined. For tasks included in an approval policy, users must request and be granted access approval to have permissions necessary to execute the task.

After approval is granted, the requesting user can execute the intended task and privileged access will authorize and execute the task on behalf of the user. The approval remains valid for the requested duration (default duration is 4 hours), during which the requester can execute the intended task multiple times. All such executions are logged and made available for security and compliance auditing.

If you want to use Exchange Management PowerShell to enable and configure privileged access, follow the steps in Connect to Exchange Online PowerShell using Multi-Factor authentication to connect to Exchange Online PowerShell with your Office 365 credentials. You do not need to enable multi-factor authentication for your organization to use the steps to enable privileged access while connecting to Exchange Online PowerShell. Connecting with multi-factor authentication creates an Auth Token that is used by privileged access for signing your requests.

Sign in to the Microsoft 365 admin center using credentials for an admin account in your organization. In the admin center, go to Groups > Add a group. Select mail-enabled security group and then complete the Name, Group email address, and Description fields for the new group.