As announced at the Ignite 2018 conference, a new access management capability is now available for Office 365.
This new feature, called Privileged Access Management (PAM), lets you grant high-level privileges to Office 365 services on a ‘just in time’ basis. PAM is currently limited to the Exchange Online scope.
To set it up, you will need a security group for PAM access (if you are using Azure AD Connect, I would recommend using an on-premises security group).
Once done, go to your Office 365 administration portal, open the Settings\Security & privacy section and enable PAM from the Privileged Access section.
When enabling PAM, you choose the default approver group from a drop-down list of all mail-enabled groups (you can target another group when creating a policy).
Once enabled, you will get a “Manage access policies and requests” link to manage access policies.
From there you can create a new policy and/or a new access request.
To create a policy, click the Configure Policies button at the top right, then click Add policy.
Define the condition(s) that trigger PAM; the PAM scope is currently limited to Exchange Online.
After the policy is created it may not appear immediately in the policies list; don’t worry, unless you got an error message the policy has been created and you just need to refresh the list.
Once a policy is created you cannot change anything except the Approval type.
Once you have at least one policy in place, the next time an administrator needs to perform the defined task a notification is sent for approval (if manual approval has been set).
You can also create a new request directly by using the New Request button.
You need to have a policy in place for the task/role being requested, otherwise you will get the error message “<request type> Policy does not exist”.
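The same enable / policy / request / approval flow can be scripted from Exchange Online PowerShell. This is an added example, not code from the original post; the tenant domain, group addresses, the example task and the RequestId property on the request object are assumptions you should replace or verify in your own tenant.

```powershell
# Added example: the portal steps above done with the Exchange Online PAM cmdlets.
# Assumptions (placeholders): tenant domain, group addresses and the example task.
# Requires the ExchangeOnlineManagement module and an account allowed to manage PAM.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.onmicrosoft.com'

$pamGroup      = 'pamgroup@contoso.onmicrosoft.com'      # assumed mail-enabled security group
$approverGroup = 'pamapprovers@contoso.onmicrosoft.com'  # assumed default approver group

# 1. Enable PAM and set the default approver group
#    (portal: Settings\Security & privacy > Privileged Access).
Enable-ElevatedAccessControl -AdminGroup $pamGroup -Approver $approverGroup

# 2. Create a policy: the condition that triggers PAM is a task in the Exchange scope.
#    'Exchange\New-JournalRule' is only an example task. Manual approval means a
#    human in the approver group must approve every request before the task runs.
New-ElevatedAccessApprovalPolicy -Task 'Exchange\New-JournalRule' `
    -ApprovalType Manual -ApproverGroup $approverGroup

# The policy list can lag behind creation; re-query it instead of assuming failure.
Get-ElevatedAccessApprovalPolicy

# 3. An administrator raises a time-boxed request against that policy.
#    With no matching policy this call fails with "Policy does not exist".
$request = New-ElevatedAccessRequest -Task 'Exchange\New-JournalRule' `
    -Reason 'Journaling rule needed for a time-boxed compliance investigation' `
    -DurationHours 2

# 4. An approver reviews pending requests and approves or denies with a comment;
#    the comment is what ends up in the audit trail for the elevation.
#    RequestId as a property of the returned object is an assumption here.
Get-ElevatedAccessRequest
Approve-ElevatedAccessRequest -RequestId $request.RequestId -Comment 'Approved for 2 hours'
# Deny-ElevatedAccessRequest -RequestId $request.RequestId -Comment 'Not justified'
```

Keep the approver group separate from the PAM admin group, so that the people requesting elevation are never the ones approving it.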