In an ideal world, your organisation's NinjaOne technicians would have access to the NinjaOne console only when necessary. You don't want them to still have access to the console once they have finished work for the day.
You can use Microsoft Entra ID Privileged Identity Management (PIM) to have technicians' access automatically removed at the end of a set time period, and this post will show you how.
Prerequisites
This post assumes that the following prerequisites are in place:
You have set up SAML SSO with Entra ID (Instructions can be found on the Dojo)
You have created a technician in Ninja that has the same email address as the account that will be used to sign in through Entra with PIM (instructions can be found on the Dojo)
Your organisation has a Microsoft Entra ID P2 licence for every user who will be using PIM.
Let's get started
First, open the Entra admin centre and navigate to the Groups blade.
Create a new security group. For the purposes of this article, we'll use assigned group membership.
Don't add any members at this point. Instead, expand Activity in the left-hand menu and open the Privileged Identity Management blade.
You'll be met with a dialog and a button to “Enable PIM for this Group”. Go ahead and click the button.
Once PIM is enabled, you’ll be able to assign members to the group.
If you're using a group that was created before you started on this article, or if you added members in the previous step, those members will appear in the Active assignments tab.
We're looking to add an Eligible user assignment, so click on “Add assignment”.
Unless you need to add a group owner, select the Member role, then click Add member to choose your users. Once you've done this, click Next.
Note that by default you are not able to make a user permanently eligible; this needs to be changed in the group's settings if you feel it is necessary. I will be covering the settings that can be changed in a later post on authentication types. Set up your assignment times and click Assign.
You'll now need to go over to the Enterprise applications blade and find the NinjaOne app you set up when you configured SAML SSO.
In the NinjaOne app, navigate to the Users and groups tab, then click Add user/group.
From here, add the NinjaOne group and click Select. You're now ready to test the configuration!
The user experience
So what does this look like when the user tries to log on?
Let's see what happens when a user tries to log on without activating their role first…
When the user types their email address into the NinjaOne portal, the login box will change to say “Sign in with Azure AD”. Once they click Sign in, they will be met with the familiar Microsoft account picker (or just a plain login box).
Once they've gone through the login process without the PIM role activated, they will be met with an error like this one, advising them that they can't log on because they don't have permission yet!
The user will then need to head over to the PIM activation portal. They can navigate to the Groups blade, where they will see their role group waiting to be activated.
When the user clicks Activate, they will be given a dialog box with a time-frame slider and a box asking them to provide a justification (which is recorded for auditing) for activating the role. More settings are available, but these will be covered in a later post.
Once the user has provided their justification and clicked Activate, they'll need to wait a few seconds for the role to activate, at which point the screen will refresh. They can then head back to NinjaOne and log in again (or refresh the page), and they'll be logged in to the portal.
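The same admin steps (create the group, add an eligible member assignment, assign the group to the NinjaOne enterprise app) and the technician's own time-boxed activation, as an added Microsoft Graph PowerShell example that is not part of the original post. The technician UPN, the app display name, the app role name and the durations are placeholders/assumptions, as is the note that the Graph API onboards the group to PIM on its first schedule request.

```powershell
# Added example (not from the original post). Requires the Microsoft.Graph modules.
$scopes = "Group.ReadWrite.All", "Application.Read.All", "AppRoleAssignment.ReadWrite.All",
          "PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup",
          "PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup"
Connect-MgGraph -Scopes $scopes   # run as the Entra administrator

# 1. Assigned-membership security group with no members yet.
$group = New-MgGroup -DisplayName "NinjaOne Technicians (PIM)" `
    -MailEnabled:$false -MailNickname "ninjaone-technicians-pim" -SecurityEnabled

# 2. Make the technician ELIGIBLE (not active) for the Member role for 30 days.
#    Assumption: Graph onboards the group to PIM when this first request is created,
#    which replaces the portal's "Enable PIM for this Group" click.
$tech = Get-MgUser -UserId "technician@contoso.example"   # placeholder UPN
$eligibility = @{
    accessId      = "member"
    principalId   = $tech.Id
    groupId       = $group.Id
    action        = "adminAssign"
    justification = "NinjaOne console access via PIM for Groups"
    scheduleInfo  = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString("o")
        expiration    = @{ type = "afterDuration"; duration = "P30D" }
    }
}
New-MgIdentityGovernancePrivilegedAccessGroupEligibilityScheduleRequest -BodyParameter $eligibility

# 3. Assign the group to the NinjaOne SAML enterprise app (service principal).
#    The display name and the "User" role name are assumptions; adjust to your app.
$sp   = Get-MgServicePrincipal -Filter "displayName eq 'NinjaOne'"
$role = $sp.AppRoles | Where-Object { $_.DisplayName -eq "User" }
New-MgGroupAppRoleAssignment -GroupId $group.Id -PrincipalId $group.Id `
    -ResourceId $sp.Id -AppRoleId $role.Id

# 4. Start of shift, run by the technician (Connect-MgGraph as that user first):
#    self-activate Member for 8 hours with a justification that lands in the audit log.
$activation = @{
    accessId      = "member"
    principalId   = $tech.Id
    groupId       = $group.Id
    action        = "selfActivate"
    justification = "Ticket triage, morning shift"
    scheduleInfo  = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString("o")
        expiration    = @{ type = "afterDuration"; duration = "PT8H" }
    }
}
New-MgIdentityGovernancePrivilegedAccessGroupAssignmentScheduleRequest -BodyParameter $activation
```

After step 4 the technician's NinjaOne sign-in succeeds until the 8-hour window lapses, at which point the SAML assertion is no longer issued for the app and the error from the section above returns.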
I hope you find this guide useful. Please leave a comment below if you’ve anything to add.