Create an access overview of Azure resource and Azure AD roles in PIM - Microsoft Entra (2023)

The need for employees to access privileged Azure resources and Azure AD roles changes over time. To reduce the risk associated with stale role assignments, you should regularly audit access. You can use Azure Active Directory (Azure AD) Privileged Identity Management (PIM) to create access assessments for privileged access to Azure resources and Azure AD roles. You can also configure recurring access assessments that are performed automatically. This article describes how to create one or more access ratings.

Prerequisites

Use of this feature requires Azure AD Premium P2 licenses. To find the right license for your requirements, seeCompare the general Azure AD features available. For more information about PIM licenses, seeLicense requirements for using Privileged Identity Management.

To create access ratings for Azure resources, you must map toOwneror theUser access managerrole for Azure resources. To create access ratings for Azure AD roles, you must be assigned toGlobal Administratoror thePrivileged Administratorrole.

Access Reviews forService Managersrequires an Entra Workload Identities Premium plan in addition to the Azure AD Premium P2 license.

• Workload IDs Premium licensing: You can view and acquire licenses atIdentities blade workloadin the Azure portal.

Create access reviews

1. Register atAzure portalas a user assigned to one of the prerequisite roles.

2. ChooseIdentity governance.

3. ForAzure AD roles, selectAzure AD rolesunderPrivileged Identity Management. ForAzure resources, selectAzure resourcesunderPrivileged Identity Management.

4. ForAzure AD roles, selectAzure AD rolesdown againThey manage. ForAzure resources, select the subscription you want to manage.

5. Under Manage, selectAccess to reviewsand then selectYoungto create a new access review.

   

   (Video) How to conduct an Azure AD Access Review

6. Name the access review. Optionally, give the review a description. The name and description are displayed to reviewers.

   

7. Set it upStart date. By default, access control is performed once, starting at the same time it is created and ending in one month. You can change the start and end dates to start access control in the future and last as many days as you like.

   See Also

   Plan and address principal user name changes in Azure Active Directory - Microsoft EntraIdentity Synchronization and Dual Feature Resilience - Microsoft Entra

   

8. To make the access control repeatable, change itFrequencysetting fromOncetoWeekly,Monthly,Quarterly,Annually, theBiannual. use itDurationslider or text box to set how many days each review in the recurring series will be open for reviewer input. For example, the maximum duration you can set for a monthly review is 27 days, to avoid overlapping reviews.

9. use itEndsetting to specify how to terminate the repeating access control sequence. The series can end in three ways: it runs continuously to start reviews indefinitely, until a certain date, or after a set number of shows have been completed. You or another admin who can manage reviews can stop the series after creation by changing the dateSettings, to expire on that date.

10. In theUser scopesection, select the scope of the assessment. ForAzure AD roles, the first range option is Users and Groups. Direct user assignment andgroups with the ability to assign roleswill be included in this selection. ForAzure resource roles, the first field will be Users. Groups assigned to Azure resource roles are expanded to show transient user assignments in the review with this option. You can also chooseService Managersto control machine accounts with direct access to either the Azure resource or Azure AD role.

    

11. Alternatively, you can create access reviews for inactive users only (preview). In theRange of userssection, here it isInactive users only (tenant level).totrue. If toggle is set totrue, the scope of the review will only focus on inactive users. Then specifyInactive dayswith number of inactive days up to 730 days (two years). Users who are inactive for the specified number of days will be the only users in the audit.

12. UnderMembership Check, select the privileged Azure resource or Azure AD roles to check.

    Note

    Selecting more than one role will create multiple access ratings. For example, selecting five roles will create five separate access ratings.

    (Video) Microsoft Entra Deep Dive: Azure Active Directory - Roles & Admins

    

13. Inassignment type, scope the revision based on how the master was assigned to the role. Chooseonly eligible jobsto check the appropriate tasks (regardless of activation status when the assessment was created) oronly active tasksto check active tasks. Chooseall active and eligible tasksto check all jobs regardless of type.

    

14. In theReviewerssection, select one or more people to check all users. Or you can choose to ask members to control their own access.

    

    • Selected users- Use this option to designate a specific user to complete the assessment. This option is available regardless of the scope of the review, and selected reviewers can review users, groups, and service principals.
    • Members (this)- Use this option for users to revise their own role assignments. This option is only available if the control is intendedUsers and GroupstheUsers. ForAzure AD roles, role assignable groups will not participate in auditing when this option is selected.
    • Director– Use this option to ask the user's administrator to review the role assignment. This option is only available if the control is intendedUsers and GroupstheUsers. By selecting Manager, you will also have the option to specify an alternate reviewer. Alternate reviewers are asked to review a user when the user does not have an administrator defined in the directory. ForAzure AD roles, role assignable groups will be reviewed by the backup reviewer if one is selected.

Upon completion of the settings

1. To determine what happens after an assessment is complete, deploy itUpon completion of the settingsUnity.

   

2. If you want to automatically remove access for rejected users, here you goAutomatically apply results to the resourcetoallow. If you want to manually apply the results when the review is complete, set the setting toIndispose.

3. use itIf the reviewer does not respondlist to specify what happens to users who are not reviewed by the reviewer within the review period. This setting does not affect users rated by reviewers.

   • No change- Leave user access unchanged
   • Remove access- Remove user access
   • Grant access- Approve user access
   • Get recommendations- Get the system's recommendation to deny or approve the user's continued access

4. use itAction to apply to rejected visitorslist to specify what happens to rejected visitors. This setting is not editable for Azure AD and Azure resource role reviews at this time. Guest users, like all users, will always lose access to the resource if denied.

   

5. You can send notifications to additional users or groups to receive review completion updates. This feature allows stakeholders other than the reviewer to be informed of the review's progress. To use this feature, selectSelect Users or Group(s)and add an additional user or group when you want to get the completion status.

   

   (Video) Azure - How to setup Azure AD Privileged Identity Management (PIM)

Advanced settings

1. To specify additional settings, expand itAdvanced settingsUnity.

   

2. SeriesShow suggestionstoallowto show reviewers system recommendations based on user access information. Recommendations are based on a 30-day period where users who have logged in in the last 30 days are recommended access, while users who have not logged in are recommended to be denied access. These links are regardless of whether they were interactive. Along with the recommendation, the user's last login is also displayed.

3. SeriesA reason is required for approvaltoallowrequire the reviewer to provide a reason for approval.

4. SeriesMail notificationstoallowfor Azure AD to send email notifications to reviewers when access control starts and to administrators when a review is complete.

5. SeriesReminderstoallowAzure AD to send reminders about access reviews in progress to reviewers who have not completed their review.

6. The content of the email sent to reviewers is automatically generated based on the review details, such as review name, resource name, due date, etc. If you need a way to communicate additional information, such as additional instructions or contact information, you can specify those details atAdditional content for review emailswhich will be included in the invitation and reminder emails sent to assigned reviewers. The section highlighted below is where this information will appear.

   

Manage access control

You can track progress as reviewers complete their reviews atoverviewaccess control page. No directory access rights are changed until the check is complete. Below is a screenshot showing the overview page forAzure resourcesandAzure AD rolesaccess to reviews.

If this is a one-time review, then after the access control period expires or the administrator stops access control, follow the steps inComplete an Azure resource access overview and Azure AD rolesto see and apply the results.

To manage a series of access reviews, go to access control and you'll find upcoming appearances under Scheduled reviews and edit the due date or add/remove reviewers accordingly.

Based on your choices inUpon completion of the settings, the automatic application will run after the check end date or when you manually stop the check. The rating status will change fromCompletedthrough intermediate states such asApplicationand finally to declareApplied. You should expect to see non-rejected users, if any, being removed from roles in a few minutes.

The impact of groups assigned to Azure AD roles and Azure resource roles on access ratings

•ΓιαAzure AD roles, role assignable groups can be assigned to the role usinggroups with the ability to assign roles. When a review is created on an Azure AD role with role-assignable groups assigned, the group name appears in the review without extending the group membership. The reviewer can approve or deny the entire team's access to the role. Rejected groups will lose their role assignment when the audit results are applied.

•ΓιαAzure resource roles, any security group can be assigned to the role. When a review is created on an Azure resource role with an assigned security group, the users assigned to that security group will be fully expanded and displayed in the role reviewer. When a reviewer denies a user who has been assigned the role through the security group, the user will not be removed from the group, and therefore the denial effect will fail.

Update access control

After starting one or more access controls, you may want to modify or update the settings of existing access controls. Here are some common scenarios you might want to consider:

• Add and remove reviews- When updating access reviews, you can choose to add an alternate reviewer in addition to the primary reviewer. Primary reviewers may be removed when updating an access review. However, alternate reviewers cannot be removed from the design.

  Note

  Alternate reviewers can only be added when the reviewer type is admin. Primary reviewers can be added when the reviewer type is user selected.

• Reminding the critics- When updating access reviews, you can choose to enable the reminder option in Advanced Settings. Once enabled, users will receive an email notification midway through the review period, regardless of whether they have completed the review or not.

  

• Update settings- If an access control is repeated, there are separate settings in the Current section versus the Sequence section. Updating the settings in the Current section will only apply changes to the current access revision, while updating the settings in the Series section will update the setting for all future iterations.

  (Video) How do you implement Azure PIM? Privileged Identity Management | AzureAD

Next steps

• Perform access control of Azure resource and Azure AD roles in PIM
• Complete an overview of Azure resource access and Azure AD roles in PIM